This document describes Identity and Access Management (IAM) roles and permissions used by Cloud Monitoring. It is intended for administrators who configure and grant roles and permissions.
Best practice
We recommend that you create Google groups to manage access to Cloud projects:
- For more information, see Managing groups in the Google Cloud console.
- For information about setting limits on roles, see Set limits on granting roles.
VPC Service Controls
For further control access to monitoring data, use VPC Service Controls in addition to IAM.
VPC Service Controls provides additional security for Cloud Monitoring to help mitigate the risk of data exfiltration. Using VPC Service Controls, you can add a metrics scope to a Service Perimeter that protects Cloud Monitoring resources and services from requests originating outside the perimeter.
To learn more about Service Perimeters, see the VPC Service Controls Service Perimeter configuration documentation.
For information about Monitoring's support for VPC Service Controls, including known limitations, see the Monitoring VPC Service Controls documentation.
Grant access to Cloud Monitoring
To manage IAM roles for principals you can use the Identity and Access Management page in the Google Cloud console. However, Cloud Monitoring provides a simplified interface that lets you manage your Monitoring-specific roles, project-level roles, and the common roles for Cloud Logging and Cloud Trace.
To grant principals access to Monitoring, Cloud Logging, or Cloud Trace, or to grant a project-level role, do the following:
- In the Google Cloud console, select Monitoring
or click the following button:
Go to Monitoring In the navigation panel, select Permissions.
The Permissions page doesn't display all principals. It only lists those principals that have a project-level role, or a role that is specific to Monitoring, Logging, or Trace.
The options on this page let you view all principals whose roles include any Monitoring permission.
Click Grant access.
Click New principals and enter the username for the principal. You can add several principals.
Expand arrow_drop_down Select a role, select a value from the By product or service menu, and then select a role from the Roles menu:
By product or service selection Roles selection Description Monitoring Monitoring Viewer View Monitoring data and configuration information. For example, principals with this role can view custom dashboards and alerting policies. Monitoring Monitoring Editor View Monitoring data, and create and edit configurations. For example, principals with this role can create custom dashboards and alerting policies. Monitoring Monitoring Admin View Monitoring data, create and edit configurations, and modify the metrics scope. Cloud Trace Cloud Trace User Full access to the Trace console, read access to traces, and read-write access to sinks. For more information, see Trace roles. Cloud Trace Cloud Trace Admin Full access to the Trace console, read-write access to traces, and read-write access to sinks. For more information, see Trace roles. Logging Logs Viewer View access to logs. For more information, see Logging roles. Logging Logging Admin Full access to all features of Cloud Logging. For more information, see Logging roles. Project Viewer View access to most Google Cloud resources. Project Editor View, create, update, and delete most Google Cloud resources. Project Owner Full access to most Google Cloud resources. Optional: To grant the same principals another role, click Add another role and repeat the previous step.
Click Save.
The previous steps describe how to grant a principal certain roles by using Monitoring pages in the Google Cloud console. For these roles, this page also supports edit and delete options:
To remove roles for a principal, select the box next to the principal and then click Remove access.
To edit the roles for a principal, click edit Edit. After you update the settings, click Save.
Monitoring IAM Overview
To use Monitoring, you must have the appropriate IAM permissions.
In general, each REST method in an API has an associated permission, and you must have the permission to use the corresponding method. Permissions aren't granted directly to users; permissions are instead granted indirectly through roles, which group multiple permissions to make managing them easier. For more information on these concepts, see Concepts related to access management.
Roles for common combinations of permissions are predefined for you, but it's also possible to create your own combinations of permissions by creating IAM custom roles.
Predefined roles
The following IAM roles are predefined by Cloud Monitoring. They grant permissions only for Monitoring.
Monitoring
The following roles grant general permissions for Monitoring:
| Name Title |
Includes permissions |
|---|---|
roles/monitoring.viewerMonitoring Viewer |
Grants read-only access to Monitoring in the Google Cloud console and API. |
roles/monitoring.editorMonitoring Editor |
Grants read-write access to Monitoring in the Google Cloud console and API, and grants read-write access to a metrics scope when using the Google Cloud console. Write access to a metrics scope grants permission to add (or remove) monitored Google Cloud projects to that metrics scope. |
roles/monitoring.adminMonitoring Admin |
Grants full access to Monitoring in the Google Cloud console and API, and grants read-write access to a metrics scope. Write access to a metrics scope grants permission to add (or remove) monitored Google Cloud projects to that metrics scope. |
The following role is used by service accounts for write-only access:
| Name Title |
Description |
|---|---|
roles/monitoring.metricWriterMonitoring Metric Writer |
Permits writing monitoring data to a metrics scope; doesn't permit access to Monitoring in the Google Cloud console. This role is for service accounts and agents. |
Alert policies
The following roles grant permissions for alert policies:
| Name Title |
Description |
|---|---|
roles/monitoring.alertPolicyViewerMonitoring AlertPolicy Viewer |
Grants read-only access to alert policies. |
roles/monitoring.alertPolicyEditorMonitoring AlertPolicy Editor |
Grants read-write access to alert policies. |
Dashboards
The following roles grant permissions only for dashboards:
| Name Title |
Description |
|---|---|
roles/monitoring.dashboardViewerMonitoring Dashboard Configuration Viewer |
Grants read-only access to dashboard configurations. |
roles/monitoring.dashboardEditorMonitoring Dashboard Configuration Editor |
Grants read-write access to dashboard configurations. |
Incidents
The following roles grant general permissions to view incidents:
| Name Title |
Description |
|---|---|
roles/monitoring.viewerMonitoring Viewer |
Grants access to view incidents. |
roles/monitoring.editorMonitoring Editor |
Grants access to view, acknowledge, and close incidents. |
roles/monitoring.adminMonitoring Admin |
Grants access to view, acknowledge, and close incidents. |
To view the details of an incident, you must have, at a minimum,
the Identity and Access Management role of roles/monitoring.viewer.
For more information, see
Unable to view incident details due to a permission error.
Notification channels
The following roles grant permissions only for notification channels:
| Name Title |
Description |
|---|---|
roles/monitoring.notificationChannelViewerMonitoring NotificationChannel Viewer |
Grants read-only access to notification channels. |
roles/monitoring.notificationChannelEditorMonitoring NotificationChannel Editor |
Grants read-write access to notification channels. |
Snooze notifications
The following roles grant permissions to snooze notifications:
| Name Title |
Description |
|---|---|
roles/monitoring.snoozeViewerMonitoring Snooze Viewer |
Grants read-only access to snoozes. |
roles/monitoring.snoozeEditorMonitoring Snooze Editor |
Grants read-write access to snoozes. |
Service monitoring
The following roles grant permissions for managing services:
| Name Title |
Description |
|---|---|
roles/monitoring.servicesViewerMonitoring Services Viewer |
Grants read-only access to services. |
roles/monitoring.servicesEditorMonitoring Services Editor |
Grants read-write access to services. |
For more information on service monitoring, see SLO monitoring.
Uptime-check configurations
The following roles grant permissions only for uptime-check configurations:
| Name Title |
Description |
|---|---|
roles/monitoring.uptimeCheckConfigViewerMonitoring Uptime Check Configurations Viewer |
Grants read-only access to uptime-check configurations. |
roles/monitoring.uptimeCheckConfigEditorMonitoring Uptime Check Configurations Editor |
Grants read-write access to uptime-check configurations. |
Metrics scope configurations
The following roles grant general permissions for metrics scopes:
| Name Title |
Description |
|---|---|
roles/monitoring.metricsScopesViewerMonitoring metrics scopes Viewer |
Grants read-only access to metrics scopes. |
roles/monitoring.metricsScopesAdminMonitoring metrics scopes Admin |
Grants read-write access to metrics scopes. |
Google Cloud
The following roles grant permissions for many services and resources in Google Cloud, including Monitoring:
| Name Title |
Includes permissions |
|---|---|
roles/viewerViewer |
The Monitoring permissions are exactly the permissions
in roles/monitoring.viewer.
|
roles/editorEditor |
The Monitoring permissions are the same as those in
This role doesn't grant permission to modify a metrics scope.
To modify a metrics scope when using the API, your role must include the
permission |
roles/ownerOwner |
The Monitoring permissions are the same as those in
roles/monitoring.admin.
|
Custom roles
You can also create your own custom roles that contain lists of permissions. For more details about roles and permissions, go to Permissions and roles and Custom roles on this page.
Permissions and roles
This section lists the IAM permissions and roles that apply to Monitoring.
API permissions
Each Monitoring API method requires a specific IAM permission, as listed in the following table.
| Monitoring API method | Permission | Resource type |
|---|---|---|
projects.alertPolicies.create |
monitoring.alertPolicies.create |
project |
projects.alertPolicies.delete |
monitoring.alertPolicies.delete |
AlertPolicy |
projects.alertPolicies.get |
monitoring.alertPolicies.get |
AlertPolicy |
projects.alertPolicies.list |
monitoring.alertPolicies.list |
project |
projects.alertPolicies.patch |
monitoring.alertPolicies.update |
AlertPolicy |
projects.dashboards.create |
monitoring.dashboards.create |
project |
projects.dashboards.delete |
monitoring.dashboards.delete |
project |
projects.dashboards.get |
monitoring.dashboards.get |
project |
projects.dashboards.list |
monitoring.dashboards.list |
project |
projects.dashboards.patch |
monitoring.dashboards.update |
project |
projects.groups.create |
monitoring.groups.create |
project |
projects.groups.delete |
monitoring.groups.delete |
Group |
projects.groups.get |
monitoring.groups.get |
Group |
projects.groups.list |
monitoring.groups.list |
project |
projects.groups.update |
monitoring.groups.update |
Group |
projects.groups.members.list |
monitoring.groups.get |
Group |
projects.metricDescriptors.create |
monitoring.metricDescriptors.create |
project |
projects.metricDescriptors.delete |
monitoring.metricDescriptors.delete |
MetricDescriptor |
projects.metricDescriptors.get |
monitoring.metricDescriptors.get |
MetricDescriptor |
projects.metricDescriptors.list |
monitoring.metricDescriptors.list |
project |
projects.monitoredResourceDescriptors.get |
monitoring.monitoredResourceDescriptors.get |
MonitoredResourceDescriptor |
projects.monitoredResourceDescriptors.list |
monitoring.monitoredResourceDescriptors.list |
project |
projects.notificationChannelDescriptors.get |
monitoring.notificationChannelDescriptors.get |
NotificationChannelDescriptor |
projects.notificationChannelDescriptors.list |
monitoring.notificationChannelDescriptors.list |
project |
projects.notificationChannels.create |
monitoring.notificationChannels.create |
project |
projects.notificationChannels.delete |
monitoring.notificationChannels.delete |
NotificationChannel |
projects.notificationChannels.get |
monitoring.notificationChannels.get |
NotificationChannel |
projects.notificationChannels.getVerificationCode |
monitoring.notificationChannels.getVerificationCode |
NotificationChannel |
projects.notificationChannels.list |
monitoring.notificationChannels.list |
project |
projects.notificationChannels.patch |
monitoring.notificationChannels.update |
NotificationChannel |
projects.notificationChannels.sendVerificationCode |
monitoring.notificationChannels.sendVerificationCode |
NotificationChannel |
projects.notificationChannels.verify |
monitoring.notificationChannels.verify |
NotificationChannel |
projects.services.create |
monitoring.services.create |
project |
projects.services.delete |
monitoring.services.delete |
Service |
projects.services.get |
monitoring.services.get |
Service |
projects.services.list |
monitoring.services.list |
project |
projects.services.patch |
monitoring.services.update |
Service |
projects.services.serviceLevelObjectives.create |
monitoring.slos.create |
project |
projects.services.serviceLevelObjectives.delete |
monitoring.slos.delete |
ServiceLevelObjective |
projects.services.serviceLevelObjectives.get |
monitoring.slos.get |
ServiceLevelObjective |
projects.services.serviceLevelObjectives.list |
monitoring.slos.list |
project |
projects.services.serviceLevelObjectives.patch |
monitoring.slos.update |
ServiceLevelObjective |
projects.timeSeries.create |
monitoring.timeSeries.create |
project |
projects.timeSeries.list |
monitoring.timeSeries.list |
project, folder, organization |
projects.timeSeries.query |
monitoring.timeSeries.list |
project |
projects.uptimeCheckConfigs.create |
monitoring.uptimeCheckConfigs.create |
UptimeCheckConfig |
projects.uptimeCheckConfigs.delete |
monitoring.uptimeCheckConfigs.delete |
UptimeCheckConfig |
projects.uptimeCheckConfigs.get |
monitoring.uptimeCheckConfigs.get |
UptimeCheckConfig |
projects.uptimeCheckConfigs.list |
monitoring.uptimeCheckConfigs.list |
UptimeCheckConfig |
projects.uptimeCheckConfigs.patch |
monitoring.uptimeCheckConfigs.update |
UptimeCheckConfig |
locations.global.metricsScopes.get |
resourcemanager.projects.get |
project |
locations.global.metricsScopes/listMetricScopesByMonitoredProject |
resourcemanager.projects.get |
project |
locations.global.metricsScopes.projects.create |
monitoring.metricsScopes.link |
project |
locations.global.metricsScopes.projects.delete |
monitoring.metricsScopes.link |
project |
Console permissions for Monitoring
Each feature of Monitoring in the Google Cloud console requires that you have
the permission for the API used to implement the feature. For example,
the ability to browse groups requires that you have permission for the
list and get methods applicable to groups and group members.
You might lose functionality if required permissions
are revoked.
The following table lists the permissions required to use the Monitoring in the Google Cloud console:
| Activity | Required permissions | For resource type |
|---|---|---|
| Read-only access | The set of permissions included in the roles/monitoring.viewer role |
project. |
| Read-write access console | The set of permissions included in the roles/monitoring.editor role |
project. |
| Full access to the console | The set of permissions included in the roles/monitoring.admin role |
project. |
Roles
The following table lists the IAM roles that grant access to
Monitoring and the permissions associated with each role.
Several of these roles are graduated: for example, the
roles/monitoring.editor role includes all the permissions of
the roles/monitoring.viewer role, plus an additional set of
permissions.
Roles can be assigned at the project level only.
Monitoring
The Monitoring roles include these permissions:
| Name Title |
Includes permissions |
|---|---|
roles/monitoring.viewerMonitoring Viewer |
cloudnotifications.activities.listmonitoring.alertPolicies.getmonitoring.alertPolicies.listmonitoring.dashboards.getmonitoring.dashboards.listmonitoring.groups.getmonitoring.groups.listmonitoring.metricDescriptors.getmonitoring.metricDescriptors.listmonitoring.monitoredResourceDescriptors.getmonitoring.monitoredResourceDescriptors.listmonitoring.notificationChannelDescriptors.getmonitoring.notificationChannelDescriptors.listmonitoring.notificationChannels.getmonitoring.notificationChannels.listmonitoring.publicWidgets.getmonitoring.publicWidgets.listmonitoring.services.getmonitoring.services.listmonitoring.slos.getmonitoring.slos.listmonitoring.snoozes.getmonitoring.snoozes.listmonitoring.timeSeries.listmonitoring.uptimeCheckConfigs.getmonitoring.uptimeCheckConfigs.listopsconfigmonitoring.resourceMetadata.listresourcemanager.projects.getresourcemanager.projects.liststackdriver.projects.get
stackdriver.resourceMetadata.list |
roles/monitoring.editorMonitoring Editor |
cloudnotifications.activities.listmonitoring.alertPolicies.createmonitoring.alertPolicies.deletemonitoring.alertPolicies.getmonitoring.alertPolicies.listmonitoring.alertPolicies.updatemonitoring.dashboards.createmonitoring.dashboards.deletemonitoring.dashboards.getmonitoring.dashboards.listmonitoring.dashboards.updatemonitoring.groups.createmonitoring.groups.deletemonitoring.groups.getmonitoring.groups.listmonitoring.groups.updatemonitoring.metricDescriptors.createmonitoring.metricDescriptors.deletemonitoring.metricDescriptors.getmonitoring.metricDescriptors.listmonitoring.monitoredResourceDescriptors.getmonitoring.monitoredResourceDescriptors.listmonitoring.notificationChannelDescriptors.listmonitoring.notificationChannelDescriptors.getmonitoring.notificationChannels.createmonitoring.notificationChannels.deletemonitoring.notificationChannels.getmonitoring.notificationChannels.listmonitoring.notificationChannels.sendVerificationCodemonitoring.notificationChannels.updatemonitoring.notificationChannels.verifymonitoring.publicWidgets.createmonitoring.publicWidgets.deletemonitoring.publicWidgets.getmonitoring.publicWidgets.listmonitoring.publicWidgets.updatemonitoring.services.createmonitoring.services.deletemonitoring.services.getmonitoring.services.listmonitoring.services.updatemonitoring.slos.createmonitoring.slos.deletemonitoring.slos.getmonitoring.slos.listmonitoring.slos.updatemonitoring.snoozes.createmonitoring.snoozes.getmonitoring.snoozes.listmonitoring.snoozes.updatemonitoring.timeSeries.createmonitoring.timeSeries.listmonitoring.uptimeCheckConfigs.createmonitoring.uptimeCheckConfigs.deletemonitoring.uptimeCheckConfigs.getmonitoring.uptimeCheckConfigs.listmonitoring.uptimeCheckConfigs.updateopsconfigmonitoring.resourceMetadata.writeopsconfigmonitoring.resourceSnapshot.createresourcemanager.projects.getresourcemanager.projects.listserviceusage.services.enablestackdriver.projects.editstackdriver.projects.getstackdriver.resourceMetadata.write
|
roles/monitoring.adminMonitoring Admin |
The permissions in roles/monitoring.editor,
plus the following:monitoring.notificationChannels.getVerificationCodemonitoring.metricsScopes.link |
The following role is used by service accounts for write-only access:
| Name Title |
Includes permissions |
|---|---|
roles/monitoring.metricWriterMonitoring Metric Writer |
monitoring.metricDescriptors.createmonitoring.metricDescriptors.getmonitoring.metricDescriptors.listmonitoring.monitoredResourceDescriptors.getmonitoring.monitoredResourceDescriptors.listmonitoring.timeSeries.create
|
Alert policies
The Alert policy roles include these permissions:
| Name Title |
Includes permissions |
|---|---|
roles/monitoring.alertPolicyViewerMonitoring AlertPolicy Viewer |
monitoring.alertPolicies.getmonitoring.alertPolicies.list |
roles/monitoring.alertPolicyEditorMonitoring AlertPolicy Editor |
monitoring.alertPolicies.createmonitoring.alertPolicies.deletemonitoring.alertPolicies.getmonitoring.alertPolicies.listmonitoring.alertPolicies.update |
Dashboards
The Dashboards roles include these permissions:
| Name Title |
Includes permissions |
|---|---|
roles/monitoring.dashboardViewerMonitoring Dashboard Configuration Viewer |
monitoring.dashboards.getmonitoring.dashboards.list |
roles/monitoring.dashboardEditorMonitoring Dashboard Configuration Editor |
monitoring.dashboards.getmonitoring.dashboards.listmonitoring.dashboards.createmonitoring.dashboards.deletemonitoring.dashboards.update |
Notification channels
The Notification channels roles include these permissions:
| Name Title |
Includes permissions |
|---|---|
roles/monitoring.notificationChannelViewerMonitoring NotificationChannel Viewer |
monitoring.notificationChannelDescriptors.getmonitoring.notificationChannelDescriptors.listmonitoring.notificationChannels.getmonitoring.notificationChannels.list |
roles/monitoring.notificationChannelEditorMonitoring NotificationChannel Editor |
monitoring.notificationChannelDescriptors.getmonitoring.notificationChannelDescriptors.listmonitoring.notificationChannels.createmonitoring.notificationChannels.deletemonitoring.notificationChannels.getmonitoring.notificationChannels.listmonitoring.notificationChannels.sendVerificationCodemonitoring.notificationChannels.updatemonitoring.notificationChannels.verify |
Snooze notifications
The Snooze roles include the permissions required to view or create snoozes.
| Name Title |
Includes permissions |
|---|---|
roles/monitoring.snoozeViewerMonitoring Snooze Viewer |
monitoring.snoozes.getmonitoring.snoozes.list |
roles/monitoring.snoozeEditorMonitoring Snooze Editor |
monitoring.snoozes.createmonitoring.snoozes.getmonitoring.snoozes.listmonitoring.snoozes.update |
Service monitoring
The Service monitoring roles include these permissions:
| Name Title |
Includes permissions |
|---|---|
roles/monitoring.servicesViewerMonitoring Services Viewer |
monitoring.services.getmonitoring.services.listmonitoring.slos.getmonitoring.slos.list |
roles/monitoring.servicesEditorMonitoring Services Editor |
monitoring.services.createmonitoring.services.deletemonitoring.services.getmonitoring.services.listmonitoring.services.updatemonitoring.slos.createmonitoring.slos.deletemonitoring.slos.getmonitoring.slos.listmonitoring.slos.update |
Uptime-check configurations
The Uptime-check configuration roles include these permissions:
| Name Title |
Includes permissions |
|---|---|
roles/monitoring.uptimeCheckConfigViewerMonitoring Uptime Check Configurations Viewer |
monitoring.uptimeCheckConfigs.getmonitoring.uptimeCheckConfigs.list |
roles/monitoring.uptimeCheckConfigEditorMonitoring Uptime Check Configurations Editor |
monitoring.uptimeCheckConfigs.createmonitoring.uptimeCheckConfigs.deletemonitoring.uptimeCheckConfigs.getmonitoring.uptimeCheckConfigs.listmonitoring.uptimeCheckConfigs.update |
Metrics scope configuration
The metrics scope configuration roles include these permissions:
| Name Title |
Includes permissions |
|---|---|
roles/monitoring.metricsScopesViewerMonitoring metrics scopes Viewer |
resourcemanager.projects.getresourcemanager.projects.list |
roles/monitoring.metricsScopesAdminMonitoring metrics scopes Admin Add and remove monitored projects. |
resourcemanager.projects.getresourcemanager.projects.listmonitoring.metricsScopes.link |
Google Cloud
The Google Cloud roles include these permissions:
| Name Title |
Includes permissions |
|---|---|
roles/viewerViewer |
The Monitoring permissions are exactly the permissions
in roles/monitoring.viewer.
|
roles/editorEditor |
The Monitoring permissions are the same as those in
This role doesn't grant permission to modify a metrics scope.
To modify a metrics scope when using the API, your role must include the
permission |
roles/ownerOwner |
The Monitoring permissions are the same as those in
roles/monitoring.admin.
|
Granting IAM roles
The project owners, editors, and default service accounts for Compute Engine and App Engine have the necessary permissions already; however, for other user accounts, you might need to grant these roles explicitly.
For example, in order for a user account to read or write metric descriptors
by using the Monitoring API, that user must have the appropriate
monitoring.metricDescriptors.* IAM permissions. These can be
provided by granting the predefined Monitoring Viewer
(roles/monitoring.viewer) and Monitoring Editor
(roles/monitoring.editor) roles.
For more information, go to API permissions.
These permissions can be granted either by using the Google Cloud CLI Google Cloud CLI or the Google Cloud console (Google Cloud console).
Google Cloud CLI
Use the
gcloud projects add-iam-policy-binding
command to grant the monitoring.viewer or
monitoring.editor role.
For example:
export PROJECT_ID="my-test-project"
export EMAIL_ADDRESS="myuser@gmail.com"
gcloud projects add-iam-policy-binding \
$PROJECT_ID \
--member="user:$EMAIL_ADDRESS" \
--role="roles/monitoring.editor"
You can confirm the granted roles using the
gcloud projects get-iam-policy
command:
export PROJECT_ID="my-test-project"
gcloud projects get-iam-policy $PROJECT_ID
Google Cloud console
Go to the Google Cloud console:
If necessary, click the drop-down list of Google Cloud projects and select the name of the project where you want to enable the API.
To expand the navigation menu, click Menu arrow_drop_down.
Click IAM & admin.
If the user is a member, click Edit edit to modify their permissions. You can modify the existing role or add an additional role. To save your changes, click Save.
If the user isn't a member, do the following:
- Click Add.
- Enter the user name in the New members text box.
- In Select a role, click menu arrow_drop_down.
- In the filter bar filter_list, enter the appropriate role:
- Monitoring Editor grants read-write access.
- Monitoring Viewer grants read-only access.
Custom roles
You might want to create a custom role when you want to grant a principal a
more limited set of permissions than those granted with predefined roles.
For example, if you set up Assured Workloads
because you have data-residency or
Impact Level 4 (IL4) requirements,
then you shouldn't use
uptime checks because there is
no guarantee that uptime-check data is kept in a specific geographic location.
To prevent usage of uptime checks, create a role that doesn't include any
permissions with the prefix monitoring.uptimeCheckConfigs.
To create a custom role with Monitoring permissions, do the following:
For a role granting permissions only for the Monitoring API, choose from the permissions in the API permissions section.
For a role granting permissions for Monitoring in the Google Cloud console, choose from permission groups in the Console permissions for Monitoring section.
To grant the ability to write monitoring data, include the permissions from the role
roles/monitoring.metricWriterin the Roles section.
For more information on custom roles, go to Understanding IAM custom roles.
Compute Engine access scopes
Access scopes are the legacy method of specifying permissions for your Compute Engine VM instances. The following access scopes apply to Monitoring:
| Access scope | Permissions granted |
|---|---|
| https://www.googleapis.com/auth/monitoring.read | The same permissions as in roles/monitoring.viewer. |
| https://www.googleapis.com/auth/monitoring.write | The same permissions as in roles/monitoring.metricWriter. |
| https://www.googleapis.com/auth/monitoring | Full access to Monitoring. |
| https://www.googleapis.com/auth/cloud-platform | Full access to all enabled Cloud APIs. |
For more details, go to Access scopes.
Best practice. Because service account IAM roles are easy
to configure and change, a good practice is to give your VM instances the
most powerful access scope (cloud-platform) and then use IAM
roles to restrict access to specific APIs and operations. For details, go to
Service account permissions.