This page describes how Cloud Logging uses Identity and Access Management (IAM) to control access to logging data in Google Cloud resources.
Overview
IAM permissions and roles determine how you can use the
Logging API, the
Logs Explorer, and the
gcloud command-line tool.
Logs reside in log buckets within Google Cloud projects, organizations, folders, and billing accounts. Each of these Google Cloud resources can have its own set of members with their own sets of Cloud Logging roles and permissions.
To use Logging with the logging data in a Google Cloud project, you must be a member and have an IAM role that grants you permission to use Logging. The following IAM roles apply to Logging:
roles/logging.viewer (Logs Viewer) gives you read-only access to all features of Logging, except Access Transparency logs and Data Access audit logs.
roles/logging.privateLogViewer (Private Logs Viewer) includes roles/logging.viewer, plus the ability to read Access Transparency logs and Data Access audit logs. This role applies only to the
_Requiredand_Defaultbuckets.roles/logging.logWriter (Logs Writer) can be granted to service accounts to give applications just enough permissions to write logs. This role does not grant viewing permissions.
roles/logging.bucketWriter (Logs Buckets Writer) can be granted to service accounts to give Cloud Logging just enough permissions to write logs to a log bucket. To restrict this role to a specific bucket, use an IAM condition; see Routing logs from one project to another bucket in a different project for an example.
roles/logging.configWriter (Logs Configuration Writer) gives you the permissions to create logs-based metrics, exclusions, buckets, and views, and to export sinks. To use the Logs Explorer (console) for these actions, add roles/logging.viewer.
roles/logging.admin (Logging Admin) grants you all permissions related to Logging.
roles/logging.viewAccessor (Logs View Accessor) gives you permission to read logs in a view. To restrict this role to a view in a specific bucket, use an IAM condition; see Reading logs from a bucket for an example.
roles/viewer (Project Viewer) is the same as roles/logging.viewer. The role gives you read-only access to all Logging features except for Access Transparency logs and Data Access audit logs. This role applies only to the
_Requiredand_Defaultbuckets.roles/editor (Project Editor) includes the permissions of roles/logging.viewer, plus permissions to write log entries, delete logs, and create logs-based metrics. The role does not let you create export sinks or read Access Transparency logs or Data Access audit logs.
roles/owner (Project Owner) gives you full access to Logging, including Access Transparency logs and Data Access audit logs.
For more details about Logging roles and permissions, see Permissions and roles on this page.
Granting roles
To grant a role to a member, you must have the set of permissions found in roles/owner (Project Owner). To learn how to grant roles, see Granting, changing, and revoking access.
If you are trying to access a Google Cloud resource and lack the necessary permissions, contact the member who is listed as the Owner for the resource.
Permissions and roles
The following table lists the IAM roles that grant access to Cloud Logging. Each role has a specific set of logging permissions. Roles can be assigned to members of the listed resource types.
In the table, a.b.{x,y} means a.b.x and a.b.y.
| Role name | Role title | Logging permissions | Resource type |
|---|---|---|---|
roles/logging.viewer |
Logs Viewer | logging.logEntries.listlogging.logMetrics.{list,
get}logging.logs.listlogging.logServiceIndexes.listlogging.logServices.listlogging.sinks.{list,
get}logging.buckets.{list,
get}logging.usage.getresourcemanager.projects.getlogging.queries.{get,
list,
update,
create,
delete}
|
project, organization, folder, billing account |
roles/logging.privateLogViewer |
Private Logs Viewer | roles/logging.viewer permissions, plus:logging.privateLogEntries.list |
project, organization, folder, billing account |
roles/logging.logWriter
|
Logs Writer | logging.logEntries.create |
project, organization, folder, billing account |
roles/logging.configWriter |
Logs Configuration Writer | logging.buckets.{list,
create,
get,
update,
delete,
undelete}logging.cmekSettings.{get,
update}logging.exclusions.{list,
create,
get,
update,
delete}logging.locations.{list,
get}logging.logMetrics.{list,
create,
get,
update,
delete}logging.logs.listlogging.logServiceIndexes.listlogging.logServices.listlogging.sinks.{list,
create,
get,
update,
delete}logging.views.{list,
create,
get,
update,
delete}resourcemanager.projects.{get,
list}
|
project, organization, folder, billing account |
roles/logging.bucketWriter |
Logs Bucket Writer | logging.buckets.write |
project |
roles/logging.viewAccessor |
Logs View Accessor | logging.views.{access,
listLogs,
listResourceKeys,
listResourceValues} |
project, organization folder, billing account |
roles/logging.admin |
Logging Admin | logging.exclusions.{list,
create,
get,
update,
delete}logging.locations.{list,
get}logging.logEntries.{create,
list}logging.logMetrics.{list,
create,
get,
update,
delete}logging.logs.{delete,
list} logging.logServiceIndexes.listlogging.logServices.listlogging.privateLogEntries.listlogging.sinks.{list,
create,
get,
update,
delete}logging.buckets.{list,
get,
update,
create,
delete,
undelete}logging.views.{list,
access,
create,
get,
update,
delete,
listLogs,
listResourceKeys,
listResourceValues}logging.cmekSettings.{get,
update}logging.usage.getresourcemanager.projects.{get,
list}logging.queries.{get,
list,
update,
create,
delete} |
project, organization, folder, billing account |
roles/viewer |
Viewer | logging.logEntries.listlogging.logMetrics.{list,
get}logging.logs.listlogging.logServiceIndexes.listlogging.logServices.listlogging.sinks.{list,
get}resourcemanager.projects.get logging.queries.{get,
list,
update,
create,
delete}
|
project, organization, folder |
roles/editor |
Editor | roles/viewer Logging permissions, plus:logging.logEntries.createlogging.logMetrics.{create,
update,
delete}logging.logs.deletelogging.queries.{get,
list,
update,
create,
delete}
|
project, organization, folder |
roles/owner |
Owner | roles/editor Logging permissions, plus:logging.privateLogEntries.listlogging.sinks.{create,
update,
delete}logging.queries.{get,
list,
update,
create,
delete}
|
project, organization, folder |
Custom roles
To create a custom role with Logging permissions, do the following:
For a role granting permissions for the Logging API, choose from the permissions in API permissions.
For a role granting permissions to use the Logs Explorer, choose from permission groups in Console permissions.
For a role granting permissions to use
gcloud logging, go to the overview of thegcloudtool.
For more information on custom roles, see Understanding IAM custom roles.
API permissions
Logging API methods require specific IAM permissions. The following table lists the permissions needed by the API methods.
| Logging method | Required permission | Resource type |
|---|---|---|
billingAccounts.logs.* |
logging.logs.* (See projects.logs.*) |
billing accounts |
billingAccounts.sinks.* |
logging.sinks.* (See projects.sinks.*.) |
billing accounts |
billingAccounts.locations.buckets.* |
logging.buckets.* (See projects.locations.buckets.*.) |
billing accounts |
entries.list |
logging.logEntries.list orlogging.privateLogEntries.list |
projects, organizations, folders, billing accounts |
entries.write |
logging.logEntries.create |
projects, organizations, folders, billing accounts |
folders.logs.* |
logging.logs.* (See projects.logs.*) |
folders |
folders.sinks.* |
logging.sinks.* (See projects.sinks.*) |
folders |
folders.locations.buckets.* |
logging.buckets.* (See projects.locations.buckets.*) |
folders |
monitoredResourceDescriptors.list |
(none) | (none) |
organizations.logs.* |
logging.logs.* (See projects.logs.*) |
organizations |
organizations.sinks.* |
logging.sinks.* (See projects.sinks.*) |
organizations |
organizations.locations.buckets.* |
logging.buckets.* (See projects.locations.buckets.*) |
organizations |
projects.exclusions.create |
logging.exclusions.create |
projects |
projects.exclusions.delete |
logging.exclusions.delete |
projects |
projects.exclusions.get |
logging.exclusions.get |
projects |
projects.exclusions.list |
logging.exclusions.list |
projects |
projects.exclusions.patch |
logging.exclusions.update |
projects |
projects.logs.list |
logging.logs.list |
projects |
projects.logs.delete |
logging.logs.delete |
projects |
projects.sinks.list |
logging.sinks.list |
projects |
projects.sinks.get |
logging.sinks.get |
projects |
projects.sinks.create |
logging.sinks.create |
projects |
projects.sinks.update |
logging.sinks.update |
projects |
projects.sinks.delete |
logging.sinks.delete |
projects |
projects.locations.buckets.list |
logging.buckets.list |
projects |
projects.locations.buckets.get |
logging.buckets.get |
projects |
projects.locations.buckets.patch |
logging.buckets.update |
projects |
projects.locations.buckets.create |
logging.buckets.create |
projects |
projects.locations.buckets.delete |
logging.buckets.delete |
projects |
projects.locations.buckets.undelete |
logging.buckets.undelete |
projects |
projects.metrics.list |
logging.logMetrics.list |
projects |
projects.metrics.get |
logging.logMetrics.get |
projects |
projects.metrics.create |
logging.logMetrics.create |
projects |
projects.metrics.update |
logging.logMetrics.update |
projects |
projects.metrics.delete |
logging.logMetrics.delete |
projects |
Console permissions
The following table lists the permissions needed to use the Logs Explorer.
In the table, a.b.{x,y} means a.b.x and a.b.y.
| Console activity | Required permissions |
|---|---|
| Minimal read-only access | logging.logEntries.listlogging.logs.listlogging.logServiceIndexes.listlogging.logServices.listresourcemanager.projects.get |
| Add ability to view Data Access audit logs | Add logging.privateLogEntries.list |
| Add ability to view Access Transparency logs | Add logging.privateLogEntries.list |
| Add ability to view logs-based metrics | Add logging.logMetrics.{list, get} |
| Add ability to view exports | Add logging.sinks.{list, get} |
| Add ability to view logs usage | Add logging.usage.get |
| Add ability to exclude logs | Add logging.exclusions.{list, create, get, update, delete} |
| Add ability to export logs | Add logging.sinks.{list, create, get, update, delete} |
| Add ability to create logs-based metrics | Add logging.logMetrics.{list, create, get, update, delete} |
Command-line permissions
gcloud logging commands are
controlled by IAM permissions.
To use any of the gcloud logging commands, you must have the
serviceusage.services.use permission.
You must also have the IAM role that corresponds to the log's location, and to your use case. For details, go to command-line interface permissions.
Access to exported logs
To create a sink, in order to export logs,
you must have the permissions
of roles/logging.configWriter or roles/logging.admin or roles/owner.
Once a sink begins exporting logs, it has full access to all incoming log entries. Sinks can export private log entries, including Access Transparency logs and Data Access audit logs.
Once your log entries have been exported, access to the exported copies is controlled entirely by IAM permissions and roles on the destinations: Cloud Storage, BigQuery, or Pub/Sub.
Logging access scopes
Access scopes are the legacy method of specifying permissions for your Compute Engine VM instances. The following access scopes apply to the Logging API:
| Access scope | Permissions granted |
|---|---|
| https://www.googleapis.com/auth/logging.read | roles/logging.viewer |
| https://www.googleapis.com/auth/logging.write | roles/logging.logWriter |
| https://www.googleapis.com/auth/logging.admin | Full access to the Logging API. |
| https://www.googleapis.com/auth/cloud-platform | Full access to the Logging API and to all other enabled Google Cloud APIs. |
Best practices
Now that IAM roles are available, a reasonable practice is to give all your VM instances the "Full access to all enabled Google Cloud APIs" scope:
https://www.googleapis.com/auth/cloud-platform
You can grant specific IAM roles in your VM instance's service account to restrict access to specific APIs. For details, see Service account permissions.
When creating a custom role that includes permissions to manage exclusions, you are encouraged to grant the
logging.sinks.*permissions to the role instead of granting thelogging.exclusions.*permissions.Managing exclusions is part of log sinks, so all permissions related to managing sinks, including exclusions, are included in the
logging.sinks.*permissions.