Access Control Guide

Stackdriver Monitoring controls access to monitoring data in Stackdriver accounts using Cloud IAM roles and permissions. Stackdriver account service tiers impose additional limits on specific monitoring features.

Overview

To use Stackdriver Monitoring with the monitoring data in a Stackdriver account, you must have an IAM role in the Stackdriver account that grants you permission to use Stackdriver Monitoring.

The following IAM roles are predefined by Stackdriver Monitoring. They only grant permissions for Stackdriver Monitoring:

  • roles/monitoring.viewer (Monitoring Viewer) gives you read-only access to the Stackdriver Monitoring Console and API.

  • roles/monitoring.metricWriter (Monitoring Metric Writer) is for service accounts. It permits writing monitoring data to a Stackdriver account, but it does not permit access to the Stackdriver Monitoring Console.

  • roles/monitoring.editor (Monitoring Editor) gives you read-write access to the Stackdriver Monitoring Console and API, and lets you write monitoring data to a Stackdriver account.

  • roles/monitoring.admin (Monitoring Admin) gives you full access to all Stackdriver Monitoring features.

The following roles grant permissions for many services and resources in GCP, including Stackdriver Monitoring:

  • roles/viewer (Project Viewer) gives you read-only access to the Stackdriver Monitoring Console and the API.

  • roles/editor (Project Editor) gives you read-write access to the Stackdriver Monitoring Console and the API.

  • roles/owner (Project Owner) gives you full access to the Stackdriver Monitoring Console and the API.

You can also create your own custom roles that contain specific lists of permissions. For more details about roles and permissions, see Permissions and roles and Custom roles on this page.

Service tiers

Stackdriver Monitoring places additional limits on what you can do based on your Stackdriver account's service tier:

  • In the free Basic Tier, you can use metrics from GCP services, use groups and dashboards, and use alerting policies with some limitations. You can use custom metrics and logs-based metrics if you opt in to additional charges.

  • In the paid Premium Tier, you gain access to metrics from AWS resources and services; access to metrics delivered by the Stackdriver Monitoring agent; and access to all alerting policy features. You have an allotment for custom metrics and logs-based metrics without a separate charge.

For more details, see Stackdriver Pricing.

Permissions and roles

This section lists the Cloud IAM permissions and roles that apply to Stackdriver Monitoring.

API permissions

Each Stackdriver Monitoring API method requires a specific IAM permission, as listed in the following table. Each feature of the Stackdriver Monitoring Console requires permissions for the API methods used to implement the feature. For example, the ability to browse groups requires permissions for the list and get methods applicable to groups and group members.

Stackdriver Monitoring API method           Permission                                    Resource type
projects.collectdTimeSeries.create          monitoring.timeSeries.create                  project
projects.groups.create                      monitoring.groups.create                      project¹
projects.groups.delete                      monitoring.groups.delete                      project¹
projects.groups.get                         monitoring.groups.get                         project¹
projects.groups.list                        monitoring.groups.list                        project¹
projects.groups.update                      monitoring.groups.update                      project¹
projects.groups.members.list                monitoring.groups.get                         project¹
projects.metricDescriptors.create           monitoring.metricDescriptors.create           project
projects.metricDescriptors.delete           monitoring.metricDescriptors.delete           project
projects.metricDescriptors.get              monitoring.metricDescriptors.get              project
projects.metricDescriptors.list             monitoring.metricDescriptors.list             project
projects.monitoredResourceDescriptors.get   monitoring.monitoredResourceDescriptors.get   project
projects.monitoredResourceDescriptors.list  monitoring.monitoredResourceDescriptors.list  project
projects.timeSeries.create                  monitoring.timeSeries.create                  project
projects.timeSeries.list                    monitoring.timeSeries.list                    project

¹ The project must be a Stackdriver account.

Console permissions

The following table lists the permissions required to use the Stackdriver Monitoring Console:

Console activity                  Required permissions                        For resource type
Full read-only access             The permissions in roles/monitoring.viewer  project¹
Read-write access to the console  The permissions in roles/monitoring.editor  project¹
Full access to the console        The permissions in roles/monitoring.admin   project¹

¹ The project must be a Stackdriver account.

Roles

The following list shows the IAM roles that grant access to Stackdriver Monitoring, with the permissions each role includes. Roles can be assigned at the project level only, and the projects must be Stackdriver accounts.

roles/monitoring.viewer (Monitoring Viewer)
    monitoring.alertPolicies.get
    monitoring.alertPolicies.list
    monitoring.analyzedMetrics.get
    monitoring.analyzedMetrics.list
    monitoring.dashboards.get
    monitoring.dashboards.list
    monitoring.groups.get
    monitoring.groups.list
    monitoring.metricDescriptors.get
    monitoring.metricDescriptors.list
    monitoring.metrics.list
    monitoring.monitoredResourceDescriptors.get
    monitoring.monitoredResourceDescriptors.list
    monitoring.monitoredResources.list
    monitoring.notificationChannelDescriptors.get
    monitoring.notificationChannelDescriptors.list
    monitoring.notificationChannels.get
    monitoring.notificationChannels.list
    monitoring.timeSeries.list
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/monitoring.metricWriter (Monitoring Metric Writer)
    monitoring.metricDescriptors.create
    monitoring.metricDescriptors.get
    monitoring.metricDescriptors.list
    monitoring.monitoredResourceDescriptors.get
    monitoring.monitoredResourceDescriptors.list
    monitoring.timeSeries.create

roles/monitoring.editor (Monitoring Editor)
    The permissions in roles/monitoring.viewer, plus the following:
    monitoring.alertPolicies.create
    monitoring.alertPolicies.delete
    monitoring.alertPolicies.update
    monitoring.analyzedMetrics.create
    monitoring.analyzedMetrics.delete
    monitoring.dashboards.create
    monitoring.dashboards.delete
    monitoring.dashboards.update
    monitoring.groups.create
    monitoring.groups.delete
    monitoring.groups.update
    monitoring.metricDescriptors.create
    monitoring.metricDescriptors.delete
    monitoring.notificationChannels.create
    monitoring.notificationChannels.delete
    monitoring.notificationChannels.update
    monitoring.timeSeries.create

roles/monitoring.admin (Monitoring Admin)
    The permissions are the same as those in roles/monitoring.editor.

roles/viewer (Project Viewer)
    The Monitoring permissions are exactly the permissions in roles/monitoring.viewer.

roles/editor (Project Editor)
    The Monitoring permissions are the same as those in roles/monitoring.editor.

roles/owner (Project Owner)
    The Monitoring permissions are the same as those in roles/editor.

Custom roles

To create a custom role with Stackdriver Monitoring permissions, do the following:

  • For a role granting permissions only for the Stackdriver Monitoring API, choose from the permissions in the preceding section, API permissions.

  • For a role granting permissions for the Stackdriver Monitoring Console, choose from the permission groups in the preceding section, Console permissions.

  • To grant the ability to write monitoring data, include the permission(s) from the role roles/monitoring.metricWriter in the section Roles.

For more information on custom roles, see Understanding IAM Custom Roles.
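The following Python helper is an added example, not Google's code. It encodes the API permissions table and the predefined roles from the Roles section (restricted to the permissions that table uses) so you can find the least powerful predefined role that covers a given set of API calls, or emit a custom role with exactly the required permissions in the YAML layout that gcloud iam roles create --file accepts. The function names and the example role title are my own.

```python
# Added example (not Google's code): least-privilege helper built from this page's tables.
# Stackdriver Monitoring API method -> required IAM permission (API permissions table).
API_METHOD_PERMISSION = {
    "projects.collectdTimeSeries.create": "monitoring.timeSeries.create",
    "projects.groups.create": "monitoring.groups.create",
    "projects.groups.delete": "monitoring.groups.delete",
    "projects.groups.get": "monitoring.groups.get",
    "projects.groups.list": "monitoring.groups.list",
    "projects.groups.update": "monitoring.groups.update",
    "projects.groups.members.list": "monitoring.groups.get",
    "projects.metricDescriptors.create": "monitoring.metricDescriptors.create",
    "projects.metricDescriptors.delete": "monitoring.metricDescriptors.delete",
    "projects.metricDescriptors.get": "monitoring.metricDescriptors.get",
    "projects.metricDescriptors.list": "monitoring.metricDescriptors.list",
    "projects.monitoredResourceDescriptors.get": "monitoring.monitoredResourceDescriptors.get",
    "projects.monitoredResourceDescriptors.list": "monitoring.monitoredResourceDescriptors.list",
    "projects.timeSeries.create": "monitoring.timeSeries.create",
    "projects.timeSeries.list": "monitoring.timeSeries.list",
}

# Predefined roles (Roles section), keeping only the permissions the API table uses;
# viewer and editor also carry dashboard, alerting and notification-channel permissions.
_DESCRIPTORS = {"monitoring.metricDescriptors.get", "monitoring.metricDescriptors.list",
                "monitoring.monitoredResourceDescriptors.get",
                "monitoring.monitoredResourceDescriptors.list"}
_VIEWER = _DESCRIPTORS | {"monitoring.groups.get", "monitoring.groups.list",
                          "monitoring.timeSeries.list"}
_METRIC_WRITER = _DESCRIPTORS | {"monitoring.metricDescriptors.create",
                                 "monitoring.timeSeries.create"}
_EDITOR = _VIEWER | _METRIC_WRITER | {"monitoring.groups.create", "monitoring.groups.delete",
                                      "monitoring.groups.update",
                                      "monitoring.metricDescriptors.delete"}
ROLES = [("roles/monitoring.viewer", _VIEWER),             # least powerful first
         ("roles/monitoring.metricWriter", _METRIC_WRITER),
         ("roles/monitoring.editor", _EDITOR),
         ("roles/monitoring.admin", _EDITOR)]              # same permissions as editor

def required_permissions(methods):
    """Permissions a principal must hold to call every API method in `methods`."""
    return {API_METHOD_PERMISSION[m] for m in methods}

def least_privileged_role(methods):
    """Least powerful predefined role whose permissions cover `methods` (None if none does)."""
    need = required_permissions(methods)
    return next((name for name, perms in ROLES if need <= perms), None)

def custom_role_yaml(title, methods, stage="GA"):
    """Custom role holding exactly the needed permissions, as YAML for gcloud iam roles create --file."""
    perms = "\n".join(f"- {p}" for p in sorted(required_permissions(methods)))
    return f"title: {title}\nstage: {stage}\nincludedPermissions:\n{perms}\n"
```

A service account that writes time series and also lists groups is not covered by roles/monitoring.metricWriter, so the helper reports roles/monitoring.editor; the custom role it emits instead grants only the two permissions actually used.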

Compute Engine access scopes

Access scopes are the legacy method of specifying permissions for your Compute Engine VM instances. The following access scopes apply to Stackdriver Monitoring:

Access scope                                      Permissions granted
https://www.googleapis.com/auth/monitoring.read   The same permissions as in roles/monitoring.viewer.
https://www.googleapis.com/auth/monitoring.write  The same permissions as in roles/monitoring.metricWriter.
https://www.googleapis.com/auth/monitoring        Full access to Stackdriver Monitoring.
https://www.googleapis.com/auth/cloud-platform    Full access to all enabled Google Cloud APIs.

For more details, see Access scopes.

Best practice. Since service account IAM roles are easy to configure and change, a good practice is to give your VM instances the most powerful access scope (cloud-platform) and then use IAM roles to restrict access to specific APIs and operations. For details, see Service account permissions.
