Access Control Guide

Stackdriver Monitoring controls access to monitoring data in Stackdriver accounts using Cloud IAM roles and permissions. Stackdriver account service tiers impose additional limits on specific monitoring features.

Overview

To use Stackdriver Monitoring with the monitoring data in a Stackdriver account, you must be a project member of the Stackdriver account and have an IAM role that grants you permission to use Stackdriver Monitoring features. The following IAM roles apply to Stackdriver Monitoring:

  • roles/viewer (Project Viewer) gives you read-only access to Stackdriver Monitoring.

  • roles/editor (Project Editor) gives you full access to Stackdriver Monitoring.

  • roles/owner (Project Owner) gives you full access to Stackdriver Monitoring.

  • roles/monitoring.viewer (Monitoring Viewer) gives you read-only access to Stackdriver Monitoring. Compared with roles/viewer, this role has the advantage of granting only Stackdriver Monitoring permissions.

  • roles/monitoring.metricWriter (Monitoring Metric Writer) can be granted to service accounts to give an application just enough permissions to write metric data to the Stackdriver account.

For more details about roles and permissions, see Permissions and roles on this page.

Service tiers

Stackdriver Monitoring places additional limits on what you can do based on your Stackdriver account's service tier:

  • In the free Basic Tier, you can use metrics from GCP services, use groups and dashboards, and use alerting policies with some limitations. You can use custom metrics if you opt in to additional charges.

  • In the paid Premium Tier, you gain access to metrics from AWS resources and services; access to metrics delivered by the Stackdriver Monitoring agent; and access to all alerting policy features. You have an allotment for custom metrics without a separate charge.

For more details, see Stackdriver Pricing.

Permissions and roles

This section lists the Cloud IAM permissions and roles that apply to Stackdriver Monitoring.

Required permissions

Each Stackdriver Monitoring API method requires a specific IAM permission, as listed in the following table. Each feature of the Stackdriver Monitoring Console requires permissions for the API methods used to implement the feature. For example, the ability to browse groups requires permissions for the list and get methods applicable to groups and group members.

Stackdriver Monitoring API method           Permission                                    Resource type
projects.groups.create                      monitoring.groups.create                      project [1]
projects.groups.delete                      monitoring.groups.delete                      project [1]
projects.groups.get                         monitoring.groups.get                         project [1]
projects.groups.list                        monitoring.groups.list                        project [1]
projects.groups.update                      monitoring.groups.update                      project [1]
projects.groups.members.list                monitoring.groups.members.list                project [1]
projects.metricDescriptors.create           monitoring.metricDescriptors.create           project
projects.metricDescriptors.delete           monitoring.metricDescriptors.delete           project
projects.metricDescriptors.get              monitoring.metricDescriptors.get              project
projects.metricDescriptors.list             monitoring.metricDescriptors.list             project
projects.monitoredResourceDescriptors.get   monitoring.monitoredResourceDescriptors.get   project
projects.monitoredResourceDescriptors.list  monitoring.monitoredResourceDescriptors.list  project
projects.timeSeries.create                  monitoring.timeSeries.create                  project
projects.timeSeries.list                    monitoring.timeSeries.list                    project

[1] The project must be a Stackdriver account.

Role permissions

The following table lists the IAM roles that grant access to Stackdriver Monitoring. Each role has a specific set of permissions. Roles can be assigned at the project level only, and the projects must be Stackdriver accounts.

roles/monitoring.viewer (Monitoring Viewer) includes the following permissions:
  monitoring.alertPolicies.get
  monitoring.alertPolicies.list
  monitoring.dashboards.get
  monitoring.dashboards.list
  monitoring.groups.get
  monitoring.groups.list
  monitoring.incidentAnnotations.list
  monitoring.incidentViolations.list
  monitoring.incidents.get
  monitoring.incidents.list
  monitoring.metricDescriptors.get
  monitoring.metricDescriptors.list
  monitoring.metrics.list
  monitoring.monitoredResourceDescriptors.get
  monitoring.monitoredResourceDescriptors.list
  monitoring.monitoredResources.list
  monitoring.notificationChannelDescriptors.get
  monitoring.notificationChannelDescriptors.list
  monitoring.notificationChannels.get
  monitoring.notificationChannels.list
  monitoring.timeSeries.list

roles/monitoring.metricWriter (Monitoring Metric Writer) includes the following permissions:
  monitoring.metricDescriptors.create
  monitoring.metricDescriptors.get
  monitoring.metricDescriptors.list
  monitoring.monitoredResourceDescriptors.get
  monitoring.monitoredResourceDescriptors.list
  monitoring.timeSeries.create

roles/viewer (Project Viewer): the Monitoring permissions are the same as those in roles/monitoring.viewer.

roles/editor (Project Editor): the Monitoring permissions include those in roles/monitoring.viewer, plus the following:
  monitoring.alertPolicies.create
  monitoring.alertPolicies.delete
  monitoring.alertPolicies.update
  monitoring.configServerModules.regenerate
  monitoring.dashboards.create
  monitoring.dashboards.delete
  monitoring.dashboards.update
  monitoring.groups.create
  monitoring.groups.delete
  monitoring.groups.update
  monitoring.incidentAnnotations.create
  monitoring.incidentViolations.create
  monitoring.incidents.update
  monitoring.metricDescriptors.create
  monitoring.metricDescriptors.delete
  monitoring.notificationChannels.create
  monitoring.notificationChannels.delete
  monitoring.notificationChannels.update
  monitoring.timeSeries.create

roles/owner (Project Owner): the Monitoring permissions are the same as those in roles/editor.

Compute Engine access scopes

Access scopes are the legacy method of specifying permissions for your Compute Engine VM instances. The following access scopes apply to the Stackdriver Monitoring API:

Access scope                                       Permissions granted
https://www.googleapis.com/auth/monitoring.read    The same permissions as in roles/monitoring.viewer.
https://www.googleapis.com/auth/monitoring.write   The same permissions as in roles/monitoring.metricWriter.
https://www.googleapis.com/auth/monitoring         Full access to Stackdriver Monitoring.
https://www.googleapis.com/auth/cloud-platform     Full access to all enabled Google Cloud APIs.

Best practices

Now that IAM roles are available, a reasonable practice is to give all your VM instances the "Full access to all enabled Google Cloud APIs" scope:

https://www.googleapis.com/auth/cloud-platform

You can then grant specific IAM roles to your VM instance's service account to restrict its access to specific APIs. For details, see Service account permissions.
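As an added example (not code from the Stackdriver documentation), the following Python resolves a member's effective Monitoring permissions from IAM policy bindings using the role and permission tables above, answers whether that member may call a given API method, and flags service accounts that write metrics under roles/editor or roles/owner when roles/monitoring.metricWriter would suffice. The viewer permission set is abbreviated, and the policy bindings and account names are constructed samples.

```python
# Role sets transcribed (viewer abbreviated) from this page's tables; policy bindings are constructed.
VIEWER = {
    "monitoring.alertPolicies.get", "monitoring.alertPolicies.list",
    "monitoring.groups.get", "monitoring.groups.list", "monitoring.timeSeries.list",
    "monitoring.metricDescriptors.get", "monitoring.metricDescriptors.list",
}
METRIC_WRITER = {
    "monitoring.metricDescriptors.create", "monitoring.metricDescriptors.get",
    "monitoring.metricDescriptors.list", "monitoring.timeSeries.create",
    "monitoring.monitoredResourceDescriptors.get",
    "monitoring.monitoredResourceDescriptors.list",
}
EDITOR_EXTRA = {  # what roles/editor adds on top of the viewer set
    "monitoring.alertPolicies.create", "monitoring.alertPolicies.delete",
    "monitoring.alertPolicies.update", "monitoring.groups.create",
    "monitoring.groups.delete", "monitoring.groups.update", "monitoring.timeSeries.create",
    "monitoring.metricDescriptors.create", "monitoring.metricDescriptors.delete",
}
ROLE_PERMISSIONS = {
    "roles/monitoring.viewer": VIEWER, "roles/viewer": VIEWER,
    "roles/monitoring.metricWriter": METRIC_WRITER,
    "roles/editor": VIEWER | EDITOR_EXTRA, "roles/owner": VIEWER | EDITOR_EXTRA,
}
METHOD_PERMISSION = {  # permission each API method needs (Required permissions table, excerpt)
    "projects.timeSeries.create": "monitoring.timeSeries.create",
    "projects.timeSeries.list": "monitoring.timeSeries.list",
    "projects.groups.delete": "monitoring.groups.delete",
}

def effective_permissions(bindings, member):
    """Union of Monitoring permissions that the policy bindings grant to member."""
    roles = (b["role"] for b in bindings if member in b["members"])
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))

def can_call(bindings, member, method):
    """True if member holds the permission that the API method requires."""
    return METHOD_PERMISSION[method] in effective_permissions(bindings, member)

def over_privileged_writers(bindings):
    """Service accounts that can write metrics but hold more than roles/monitoring.metricWriter."""
    sas = sorted({m for b in bindings for m in b["members"] if m.startswith("serviceAccount:")})
    perms = {m: effective_permissions(bindings, m) for m in sas}
    return {m: sorted(p - METRIC_WRITER) for m, p in perms.items()  # extras to shed
            if "monitoring.timeSeries.create" in p and p - METRIC_WRITER}

SAMPLE_BINDINGS = [  # constructed sample policy, not a real project's
    {"role": "roles/editor", "members": ["serviceAccount:vm-agent@example.iam.gserviceaccount.com"]},
    {"role": "roles/monitoring.metricWriter", "members": ["serviceAccount:app@example.iam.gserviceaccount.com"]},
    {"role": "roles/monitoring.viewer", "members": ["user:analyst@example.com"]},
]
```

Running over_privileged_writers on the sample policy reports only the vm-agent account, listing the alerting, group and delete permissions it would lose by moving to roles/monitoring.metricWriter.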
