Access Control Guide

This page describes how Stackdriver Monitoring controls access to monitoring data held in Stackdriver accounts using Google Cloud Identity and Access Management (IAM). The following topics are discussed in this guide:

  • IAM permissions that control access to specific Stackdriver Monitoring API methods.
  • IAM roles that allow users, groups, and service accounts to use collections of API methods on a Stackdriver account.
  • Google Compute Engine's use of access scopes to authorize access to APIs in VM instances.

Stackdriver Monitoring also uses IAM roles and permissions to control access to the Stackdriver Monitoring Console. For example, the permission that allows a caller to use the projects.groups.create API method also allows creation of groups in the Stackdriver Monitoring Console.

Summary

To give a user or group read-only access to a Stackdriver account, add them to the Stackdriver account project with the role Monitoring/Viewer. This allows them to use both the Stackdriver Monitoring Console and the Stackdriver Monitoring API.

To restrict an application to only write metric data to Stackdriver Monitoring, use a service account in the Stackdriver account project with the role Monitoring/Metric Writer.

To give a user or group full access to a Stackdriver account, add them to the Stackdriver account project with the role Project/Editor. That role also gives the user or group the ability to view, create, and modify GCP project resources and services beyond Stackdriver.

Permissions and roles

Permissions and roles determine how you can use the Stackdriver Monitoring API and the Stackdriver Monitoring Console, which is built on the API.

Required Permissions

Each Stackdriver Monitoring API method requires a specific IAM permission, as listed in the following table:

Stackdriver Monitoring API method            Required permission(s)                          For resource type
-------------------------------------------  ----------------------------------------------  -----------------
projects.groups.create                       monitoring.groups.create                        project
projects.groups.delete                       monitoring.groups.delete                        project
projects.groups.get                          monitoring.groups.get                           project
projects.groups.list                         monitoring.groups.list                          project
projects.groups.update                       monitoring.groups.update                        project
projects.groups.members.list                 monitoring.groups.members.list                  project
projects.metricDescriptors.create            monitoring.metricDescriptors.create             project
projects.metricDescriptors.delete            monitoring.metricDescriptors.delete             project
projects.metricDescriptors.get               monitoring.metricDescriptors.get                project
projects.metricDescriptors.list              monitoring.metricDescriptors.list               project
projects.monitoredResourceDescriptors.list   monitoring.monitoredResourceDescriptors.list    project
projects.timeSeries.create                   monitoring.timeSeries.create                    project
projects.timeSeries.list                     monitoring.timeSeries.list                      project

Roles

IAM roles are collections of permissions. Roles are granted to users, groups, and service accounts in the Stackdriver account project to give them access to the Stackdriver account:

  • The Monitoring/Viewer role provides read-only access to a Stackdriver account, allowing a user or group to view information about monitored resources, metrics, and groups.

  • The Monitoring/Metric Writer role provides write-only access for the Stackdriver Monitoring agent and other applications that send metric data to a Stackdriver account.

  • The Project/Editor role provides read-write access to a Stackdriver account.

The following table shows all the roles related to Stackdriver Monitoring.

IAM role name             Includes permissions
------------------------  ------------------------------------------------------------------------------
Monitoring/Viewer         monitoring.alertPolicies.get
                          monitoring.alertPolicies.list
                          monitoring.dashboards.get
                          monitoring.dashboards.list
                          monitoring.groups.get
                          monitoring.groups.list
                          monitoring.incidentAnnotations.list
                          monitoring.incidentViolations.list
                          monitoring.incidents.get
                          monitoring.incidents.list
                          monitoring.metricDescriptors.get
                          monitoring.metricDescriptors.list
                          monitoring.metrics.list
                          monitoring.monitoredResourceDescriptors.get
                          monitoring.monitoredResourceDescriptors.list
                          monitoring.monitoredResources.list
                          monitoring.notificationChannelDescriptors.get
                          monitoring.notificationChannelDescriptors.list
                          monitoring.notificationChannels.get
                          monitoring.notificationChannels.list
                          monitoring.timeSeries.list
Monitoring/Metric Writer  monitoring.metricDescriptors.create
                          monitoring.metricDescriptors.get
                          monitoring.metricDescriptors.list
                          monitoring.monitoredResourceDescriptors.get
                          monitoring.monitoredResourceDescriptors.list
                          monitoring.timeSeries.create
Project/Viewer            The Monitoring permissions are the same as those in the Monitoring/Viewer role.
Project/Editor            The Monitoring permissions include those in the Project/Viewer role, as well as:
                          monitoring.alertPolicies.create
                          monitoring.alertPolicies.delete
                          monitoring.alertPolicies.update
                          monitoring.configServerModules.regenerate
                          monitoring.dashboards.create
                          monitoring.dashboards.delete
                          monitoring.dashboards.update
                          monitoring.groups.create
                          monitoring.groups.delete
                          monitoring.groups.update
                          monitoring.incidentAnnotations.create
                          monitoring.incidentViolations.create
                          monitoring.incidents.update
                          monitoring.metricDescriptors.create
                          monitoring.metricDescriptors.delete
                          monitoring.notificationChannels.create
                          monitoring.notificationChannels.delete
                          monitoring.notificationChannels.update
                          monitoring.timeSeries.create
Project/Owner             The Monitoring permissions are the same as those in the Project/Editor role.

More information

For more information about IAM roles and permissions, including how to assign them to users, groups, or service accounts, see the Cloud IAM Quickstart.

Compute Engine access scopes

The following access scopes apply to the Stackdriver Monitoring API:

Access scope                                       Permissions granted
-------------------------------------------------  ---------------------------------------------------------
https://www.googleapis.com/auth/monitoring.read    The same permissions as the Monitoring/Viewer IAM role.
https://www.googleapis.com/auth/monitoring.write   The same permissions as the Monitoring/Metric Writer role.
https://www.googleapis.com/auth/monitoring         All Stackdriver Monitoring permissions.
https://www.googleapis.com/auth/cloud-platform     Full access to all enabled Google Cloud APIs.

Google Compute Engine uses access scopes to authorize access to APIs on VM instances. You assign access scopes when you create a VM instance. The default access scopes for new VM instances already allow access to Stackdriver Monitoring. For more information, see Service account permissions.

To use Stackdriver Monitoring on a Compute Engine VM instance, you must have suitable access scopes on the instance and suitable IAM roles in your service account. Some people find it easiest to use a generous access scope, such as cloud-platform, and rely on the service account's IAM roles to restrict applications to the APIs that they need.
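The permission, role and access-scope tables above, together with the rule that a VM needs both suitable access scopes and suitable IAM roles, can be turned into a small policy model that answers two practical questions before a deployment: which roles are the narrowest that let a caller use a given API method, and whether a given VM configuration (scopes on the instance, roles on its service account) can actually make that call. The following is an added example written for this page, not Google's code or tooling. The permission sets are copied from the page's tables; the one modelling assumption is that a call from a VM succeeds only when the required permission is granted by both the instance's scopes and the service account's roles (the intersection), which is how the "both are required" statement is expressed here. The cloud-platform scope is modelled as granting every Monitoring permission.

```python
"""Model of this page's permission, role and access-scope tables.

Constructed example; not Google's code. Permission lists are copied from
the page. Assumption: a request from a Compute Engine VM is allowed only
when BOTH the instance's access scopes AND the service account's IAM roles
grant the required permission (modelled as a set intersection).
"""

# API method -> required permission (from the "Required Permissions" table).
METHOD_PERMISSION = {
    "projects.groups.create": "monitoring.groups.create",
    "projects.groups.delete": "monitoring.groups.delete",
    "projects.groups.get": "monitoring.groups.get",
    "projects.groups.list": "monitoring.groups.list",
    "projects.groups.update": "monitoring.groups.update",
    "projects.groups.members.list": "monitoring.groups.members.list",
    "projects.metricDescriptors.create": "monitoring.metricDescriptors.create",
    "projects.metricDescriptors.delete": "monitoring.metricDescriptors.delete",
    "projects.metricDescriptors.get": "monitoring.metricDescriptors.get",
    "projects.metricDescriptors.list": "monitoring.metricDescriptors.list",
    "projects.monitoredResourceDescriptors.list": "monitoring.monitoredResourceDescriptors.list",
    "projects.timeSeries.create": "monitoring.timeSeries.create",
    "projects.timeSeries.list": "monitoring.timeSeries.list",
}

# Role -> permissions (from the "Roles" table).
_VIEWER = frozenset({
    "monitoring.alertPolicies.get", "monitoring.alertPolicies.list",
    "monitoring.dashboards.get", "monitoring.dashboards.list",
    "monitoring.groups.get", "monitoring.groups.list",
    "monitoring.incidentAnnotations.list", "monitoring.incidentViolations.list",
    "monitoring.incidents.get", "monitoring.incidents.list",
    "monitoring.metricDescriptors.get", "monitoring.metricDescriptors.list",
    "monitoring.metrics.list",
    "monitoring.monitoredResourceDescriptors.get", "monitoring.monitoredResourceDescriptors.list",
    "monitoring.monitoredResources.list",
    "monitoring.notificationChannelDescriptors.get", "monitoring.notificationChannelDescriptors.list",
    "monitoring.notificationChannels.get", "monitoring.notificationChannels.list",
    "monitoring.timeSeries.list",
})
_METRIC_WRITER = frozenset({
    "monitoring.metricDescriptors.create", "monitoring.metricDescriptors.get",
    "monitoring.metricDescriptors.list",
    "monitoring.monitoredResourceDescriptors.get", "monitoring.monitoredResourceDescriptors.list",
    "monitoring.timeSeries.create",
})
_EDITOR = _VIEWER | frozenset({
    "monitoring.alertPolicies.create", "monitoring.alertPolicies.delete", "monitoring.alertPolicies.update",
    "monitoring.configServerModules.regenerate",
    "monitoring.dashboards.create", "monitoring.dashboards.delete", "monitoring.dashboards.update",
    "monitoring.groups.create", "monitoring.groups.delete", "monitoring.groups.update",
    "monitoring.incidentAnnotations.create", "monitoring.incidentViolations.create",
    "monitoring.incidents.update",
    "monitoring.metricDescriptors.create", "monitoring.metricDescriptors.delete",
    "monitoring.notificationChannels.create", "monitoring.notificationChannels.delete",
    "monitoring.notificationChannels.update",
    "monitoring.timeSeries.create",
})
ROLE_PERMISSIONS = {
    "Monitoring/Viewer": _VIEWER,
    "Monitoring/Metric Writer": _METRIC_WRITER,
    "Project/Viewer": _VIEWER,   # same Monitoring permissions as Monitoring/Viewer
    "Project/Editor": _EDITOR,
    "Project/Owner": _EDITOR,    # same Monitoring permissions as Project/Editor
}
ALL_MONITORING = frozenset().union(*ROLE_PERMISSIONS.values())

# Access scope -> permissions it can authorize (from the access-scopes table).
# cloud-platform covers all enabled APIs, modelled here as every Monitoring permission.
SCOPE_PERMISSIONS = {
    "https://www.googleapis.com/auth/monitoring.read": _VIEWER,
    "https://www.googleapis.com/auth/monitoring.write": _METRIC_WRITER,
    "https://www.googleapis.com/auth/monitoring": ALL_MONITORING,
    "https://www.googleapis.com/auth/cloud-platform": ALL_MONITORING,
}


def granted_by(table, names):
    """Union of the permission sets for the given roles (or scopes)."""
    perms = set()
    for name in names:
        perms |= table[name]  # KeyError for a name that is not in the page's tables
    return frozenset(perms)


def effective_permissions(scopes, roles):
    """Permissions usable from a VM: granted by its scopes AND by its service account's roles."""
    return granted_by(SCOPE_PERMISSIONS, scopes) & granted_by(ROLE_PERMISSIONS, roles)


def can_call(method, scopes, roles):
    """True when the VM's scopes and the service account's roles together allow the API method."""
    return METHOD_PERMISSION[method] in effective_permissions(scopes, roles)


def roles_allowing(method):
    """Roles whose permissions include the one the method requires (choose the narrowest)."""
    needed = METHOD_PERMISSION[method]
    return {role for role, perms in ROLE_PERMISSIONS.items() if needed in perms}


if __name__ == "__main__":
    cp, ro = {"https://www.googleapis.com/auth/cloud-platform"}, {"https://www.googleapis.com/auth/monitoring.read"}
    print(can_call("projects.timeSeries.create", cp, {"Monitoring/Metric Writer"}))  # generous scope, role decides
    print(can_call("projects.timeSeries.list", cp, {"Monitoring/Metric Writer"}))    # write-only role: denied
    print(can_call("projects.timeSeries.create", ro, {"Project/Editor"}))            # narrow scope, scope decides
    print(sorted(roles_allowing("projects.groups.create")))
```

The two checks at the end illustrate the pattern the paragraph above describes: with the cloud-platform scope the service account's roles alone decide what an application can do, so Monitoring/Metric Writer keeps it to writing time series, while a read-only scope blocks writes even from an account that holds Project/Editor. `roles_allowing` is the least-privilege lookup for the Summary section: for projects.groups.create it returns only the Project roles, which is why the page warns that full Stackdriver access comes with Project/Editor's wider project privileges.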
