Access Control Guide

Stackdriver Logging uses Cloud IAM to control access to logging data in projects, organizations, folders, and billing accounts. For details of the effect of Stackdriver account service tiers on logging access, see Service tiers on this page.

Overview

To use Stackdriver Logging with the logging data in a project, you must be a project member and have an IAM role that grants you permission to use Stackdriver Logging. The following IAM roles apply to Stackdriver Logging:

  • roles/logging.viewer (Logs Viewer) gives you read-only access to all features of Stackdriver Logging, except Data Access audit logs.

  • roles/logging.privateLogViewer (Private Logs Viewer) includes roles/logging.viewer, plus the ability to read private logs.

  • roles/logging.logWriter (Logs Writer) can be granted to service accounts to give applications just enough permissions to write logs. This role does not grant access to the Logs Viewer.

  • roles/logging.configWriter (Logs Configuration Writer) gives you permission to create logs-based metrics and export sinks. To use the Logs Viewer, add roles/logging.viewer.

  • roles/logging.admin (Logging Admin) grants all permissions related to Stackdriver Logging.

  • roles/viewer (Project Viewer) is the same as roles/logging.viewer. The role gives you read-only access to all Stackdriver Logging features except private logs.

  • roles/editor (Project Editor) includes the permissions of roles/logging.viewer, plus permissions to write log entries, delete logs, and create logs-based metrics. The role does not let you create export sinks or read private logs.

  • roles/owner (Project Owner) gives you full access to Stackdriver Logging, including private logs.

For more details about Stackdriver Logging roles and permissions, see Permissions and roles on this page.

Service tiers

Stackdriver Logging places additional limits on what you can do based on Stackdriver account service tiers:

  • If your project is not associated with a Stackdriver account, or if your Stackdriver account is in the free, Basic Tier, then you have full access to Stackdriver Logging for GCP logs. You do not have access to AWS logs. Your log entries are retained for 7 days.

  • In the paid, Premium Tier, you have full access to logs from GCP and AWS. You have a larger allotment of free logs, and your logs will be retained for 30 days.

For more details, see Stackdriver Pricing.

Permissions and roles

IAM permissions and roles determine how you can use the Stackdriver Logging API and the Logs Viewer.

Logs reside in projects, organizations, folders, and billing accounts. Each of those resources can have its own set of members with their own sets of Logging roles.

API Permissions

Stackdriver Logging API methods require specific IAM permissions. The following table lists the permissions needed by the API methods.

Logging method (v2) Required permission Resource type
billingAccounts.logs.* logging.logs.* (See projects.logs.*) billing accounts
billingAccounts.sinks.* logging.sinks.* (See projects.sinks.*.) billing accounts
entries.list logging.logEntries.list or
logging.privateLogEntries.list
projects, organizations,
folders, billing accounts
entries.write logging.logEntries.create projects, organizations,
folders, billing accounts
folders.logs.* logging.logs.* (See projects.logs.*) folders
folders.sinks.* logging.sinks.* (See projects.sinks.*) folders
monitoredResourceDescriptors.list (none) (none)
organizations.logs.* logging.logs.* (See projects.logs.*) organizations
organizations.sinks.* logging.sinks.* (See projects.sinks.*) organizations
projects.logs.list logging.logs.list projects
projects.logs.delete logging.logs.delete projects
projects.sinks.list logging.sinks.list projects
projects.sinks.get logging.sinks.get projects
projects.sinks.create logging.sinks.create projects
projects.sinks.update logging.sinks.update projects
projects.sinks.delete logging.sinks.delete projects
projects.metrics.list logging.logMetrics.list projects
projects.metrics.get logging.logMetrics.get projects
projects.metrics.create logging.logMetrics.create projects
projects.metrics.update logging.logMetrics.update projects
projects.metrics.delete logging.logMetrics.delete projects

Console permissions

The following table lists the permissions needed to use the Logs Viewer.

In the table, a.b.{x,y} means a.b.x and a.b.y.

Console activity Required permissions
Minimal read-only access logging.logEntries.list
logging.logs.list
logging.logServiceIndexes.list
logging.logServices.list
resourcemanager.projects.get
Add ability to view logs-based metrics Add logging.logMetrics.{list, get}
Add ability to view exports Add logging.sinks.{list, get}
Add ability to view logs usage Add logging.usage.get
Add ability to delete logs Add logging.logs.delete
Add ability to exclude logs Add logging.exclusions.{list, create, get, update, delete}
Add ability to export logs Add logging.sinks.{list, create, get, update, delete}
Add ability to create logs-based metrics Add logging.logMetrics.{list, create, get, update, delete}

Roles

The following table lists the IAM roles that grant access to Stackdriver Logging. Each role has a specific set of Logging permissions. Roles can be assigned to people and service accounts that are members of the listed resource types.

In the table, a.b.{x,y} means a.b.x and a.b.y.

Role name Role title Logging permissions Resource type
roles/
logging.viewer
Logs Viewer logging.logEntries.list
logging.logMetrics.{list, get}
logging.logs.list
logging.logServiceIndexes.list
logging.logServices.list
logging.sinks.{list, get}
logging.usage.get
resourcemanager.projects.get
project, organization,
folder, billing account
roles/
logging.privateLogViewer
Private Logs Viewer roles/logging.viewer permissions, plus:
logging.privateLogEntries.list
project, organization,
folder, billing account
roles/
logging.logWriter
Logs Writer logging.logEntries.create project, organization,
folder, billing account
roles/
logging.configWriter
Logs Configuration Writer logging.exclusions.{list, create, get, update, delete}
logging.logMetrics.{list, create, get, update, delete}
logging.logs.list
logging.logServiceIndexes.list
logging.logServices.list
logging.sinks.{list, create, get, update, delete}
resourcemanager.projects.get
project, organization,
folder, billing account
roles/
logging.admin
Logging Admin logging.exclusions.{list, create, get, update, delete}
logging.logEntries.create
logging.logEntries.list
logging.logMetrics.{list, create, get, update, delete}
logging.logs.delete
logging.logs.list
logging.logServiceIndexes.list
logging.logServices.list
logging.privateLogEntries.list
logging.sinks.{list, create, get, update, delete}
resourcemanager.projects.get
project, organization,
folder, billing account
roles/viewer Viewer logging.logEntries.list
logging.logMetrics.{list, get}
logging.logs.list
logging.logServiceIndexes.list
logging.logServices.list
logging.sinks.{list, get}
resourcemanager.projects.get
project
roles/editor Editor roles/viewer Logging permissions, plus:
logging.logEntries.create
logging.logMetrics.{create, update, delete}
logging.logs.delete
project
roles/owner Owner roles/editor Logging permissions, plus:
logging.privateLogEntries.list
logging.sinks.{create, update, delete}
project

Custom roles

To create a custom role with Stackdriver Logging permissions, do the following:

  • For a role granting permissions only for the Stackdriver Logging API, choose from the permissions in the preceding section, API permissions.

  • For a role granting permssions to use the Logs Viewer choose from permission groups in the preceding section, Console permissions.

  • To grant the ability to write logging data, include the permission(s) from the role roles/logging.logWriter in the section Roles.

For more information on custom roles, see Understanding IAM Custom Roles.

Access to exported logs

To create a sink, in order to export logs, you must have the permissions of roles/logging.configWriter or roles/logging.admin or roles/owner.

Once a sink begins exporting logs, it has full access to all incoming log entries. Sinks can export private log entries.

Once your log entries have been exported, access to the exported copies is controlled entirely by IAM permissions and roles on the destinations: Cloud Storage, BigQuery, or Cloud Pub/Sub.

Stackdriver Logging access scopes

Access scopes are the legacy method of specifying permissions for your Compute Engine VM instances. The following access scopes apply to the Stackdriver Logging API:

Access scope Permissions granted
https://www.googleapis.com/auth/logging.read role/logging.viewer
https://www.googleapis.com/auth/logging.write roles/logging.logWriter
https://www.googleapis.com/auth/logging.admin Full access to the Stackdriver Logging API.
https://www.googleapis.com/auth/cloud-platform Full access to the Stackdriver Logging API and to all other enabled Google Cloud APIs.

Best practices

Now that IAM roles are available, a reasonable practice is to give all your VM instances the "Full access to all enabled Google Cloud APIs" scope:

https://www.googleapis.com/auth/cloud-platform

You can grant specific IAM roles in your VM instance's service account to restrict access to specific APIs. For details, see Service account permissions.

Send feedback about...

Stackdriver Logging