Access Control Guide

Stackdriver Monitoring controls access to monitoring data in Stackdriver accounts using Cloud Identity and Access Management (Cloud IAM) roles and permissions. Stackdriver service tiers impose additional limits on specific monitoring features.

Overview

To use Stackdriver Monitoring, you must have the appropriate Cloud IAM permissions granted on the Stackdriver account for the feature or operation in question.

In general, each REST method in an API has an associated permission, and you must have the permission to use the corresponding method. Permissions are not granted directly to users; permissions are instead granted indirectly through roles, which group multiple permissions to make managing them easier. For more information on these concepts, see the Cloud IAM documentation on roles, permissions, and related concepts.

Roles for common combinations of permissions are predefined for you, but it is also possible to create your own combinations of permissions by creating Cloud IAM custom roles.

Predefined roles

The following Cloud IAM roles are predefined by Stackdriver Monitoring. They grant permissions only for Stackdriver Monitoring.

Monitoring

The following roles grant general permissions for Stackdriver Monitoring:

Role ID
Role name
Description
roles/monitoring.viewer
Monitoring Viewer
Gives you read-only access to the Stackdriver Monitoring console and API
roles/monitoring.editor
Monitoring Editor
Gives you read-write access to the Stackdriver Monitoring console and API, and lets you write monitoring data to a Stackdriver account
roles/monitoring.admin
Monitoring Admin
Gives you full access to all Stackdriver Monitoring features

The following role is used by service accounts for write-only access:

Role ID
Role name
Description
roles/monitoring.metricWriter
Monitoring Metric Writer
Permits writing monitoring data to a Stackdriver account; does not permit access to the Stackdriver Monitoring console. For service accounts.

Alert Policies

The following roles grant permissions only for Alert Policies:

Role ID
Role name
Description
roles/monitoring.alertPolicyViewer
Monitoring AlertPolicy Viewer
Gives you read-only access to alerting policies
roles/monitoring.alertPolicyEditor
Monitoring AlertPolicy Editor
Gives you read-write access to alerting policies

Notification Channels

The following roles grant permissions only for Notification Channels:

Role ID
Role name
Description
roles/monitoring.notificationChannelViewer
Monitoring NotificationChannel Viewer
Gives you read-only access to notification channels
roles/monitoring.notificationChannelEditor
Monitoring NotificationChannel Editor
Gives you read-write access to notification channels

Google Cloud Platform

The following roles grant permissions for many services and resources in Google Cloud Platform, including Stackdriver Monitoring:

Role ID
Role name
Description
roles/viewer
Project Viewer
Gives you read-only access to the Stackdriver Monitoring console and the API
roles/editor
Project Editor
Gives you read-write access to the Stackdriver Monitoring console and the API
roles/owner
Project Owner
Gives you full access to the Stackdriver Monitoring console and the API

Custom roles

You can also create your own custom roles that contain specific lists of permissions. For more details about roles and permissions, see Permissions and roles and Custom roles on this page.

Service tiers

Stackdriver Monitoring places additional limits on what you can do based on your Stackdriver account's service tier:

  • In the Basic Tier, you can use metrics from GCP services, use groups and dashboards, and use alerting policies with some limitations. You can use custom metrics and logs-based metrics if you opt-in for additional charges.

  • In the Premium Tier, you gain access to metrics from AWS resources and services; access to metrics delivered by the Stackdriver Monitoring agent; and access to all alerting policy features. You have an allotment for custom metrics and logs-based metrics without a separate charge.

For more details, see Stackdriver Pricing.

Permissions and roles

This section lists the Cloud IAM permissions and roles that apply to Stackdriver Monitoring.

API permissions

Each Stackdriver Monitoring API method requires a specific Cloud IAM permission, as listed in the following table.

Stackdriver Monitoring API method Permission Resource type
projects.alertPolicies.create monitoring.alertPolicies.create project1
projects.alertPolicies.delete monitoring.alertPolicies.delete AlertPolicy
projects.alertPolicies.get monitoring.alertPolicies.get AlertPolicy
projects.alertPolicies.list monitoring.alertPolicies.list project1
projects.alertPolicies.patch monitoring.alertPolicies.update AlertPolicy
projects.groups.create monitoring.groups.create project1
projects.groups.delete monitoring.groups.delete Group
projects.groups.get monitoring.groups.get Group
projects.groups.list monitoring.groups.list project1
projects.groups.update monitoring.groups.update Group
projects.groups.members.list monitoring.groups.get Group
projects.metricDescriptors.create monitoring.metricDescriptors.create project
projects.metricDescriptors.delete monitoring.metricDescriptors.delete MetricDescriptor
projects.metricDescriptors.get monitoring.metricDescriptors.get MetricDescriptor
projects.metricDescriptors.list monitoring.metricDescriptors.list project
projects.monitoredResourceDescriptors.get monitoring.monitoredResourceDescriptors.get MonitoredResourceDescriptor
projects.monitoredResourceDescriptors.list monitoring.monitoredResourceDescriptors.list project
projects.notificationChannelDescriptors.get monitoring.notificationChannelDescriptors.get NotificationChannelDescriptor
projects.notificationChannelDescriptors.list monitoring.notificationChannelDescriptors.list project1
projects.notificationChannels.create monitoring.notificationChannels.create project1
projects.notificationChannels.delete monitoring.notificationChannels.delete NotificationChannel
projects.notificationChannels.get monitoring.notificationChannels.get NotificationChannel
projects.notificationChannels.getVerificationCode monitoring.notificationChannels.getVerificationCode NotificationChannel
projects.notificationChannels.list monitoring.notificationChannels.list project1
projects.notificationChannels.patch monitoring.notificationChannels.update NotificationChannel
projects.notificationChannels.sendVerificationCode monitoring.notificationChannels.sendVerificationCode NotificationChannel
projects.notificationChannels.verify monitoring.notificationChannels.verify NotificationChannel
projects.timeSeries.create monitoring.timeSeries.create project
projects.timeSeries.list monitoring.timeSeries.list project

1 The project must be a Stackdriver account.

Console permissions

Each feature of the Stackdriver Monitoring console requires permissions for the API methods used to implement the feature. For example, the ability to browse groups requires permissions for the list and get methods applicable to groups and group members. The Stackdriver Monitoring console may become partially functional if required permissions are revoked.

The following table lists the permissions required to use the Stackdriver Monitoring console:

Console activity Required permissions For resource type
Full read-only access The set of permissions included in the roles/monitoring.viewer role project1
Read-write access console The set of permissions included in the roles/monitoring.editor role project1
Full access to the console The set of permissions included in the roles/monitoring.admin role project1

1 The project must be a Stackdriver account.

Roles

The following table lists the Cloud IAM roles that grant access to Stackdriver Monitoring and the permissions associated with each role. Several of these roles are graduated: for example, the roles/monitoring.editor role includes all the permissions of the roles/monitoring.viewer role, plus an additional set of permissions.

Roles can be assigned at the project level only, and the projects must be Stackdriver accounts.

Monitoring

The Monitoring roles include these permissions:

Role ID
Role name
Includes permissions
roles/monitoring.viewer
Monitoring Viewer
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.analyzedMetrics.get1
monitoring.analyzedMetrics.list1
monitoring.dashboards.get1
monitoring.dashboards.list1
monitoring.groups.get
monitoring.groups.list
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list
monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.timeSeries.list
monitoring.uptimeCheckConfigs.get1
monitoring.uptimeCheckConfigs.list1
resourcemanager.projects.get
resourcemanager.projects.list stackdriver.projects.get
roles/monitoring.editor
Monitoring Editor
monitoring.alertPolicies.create
monitoring.alertPolicies.delete
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.alertPolicies.update
monitoring.analyzedMetrics.create1
monitoring.analyzedMetrics.delete1
monitoring.dashboards.create1
monitoring.dashboards.delete1
monitoring.dashboards.get1
monitoring.dashboards.list1
monitoring.dashboards.update1
monitoring.groups.create
monitoring.groups.delete
monitoring.groups.get
monitoring.groups.list
monitoring.groups.update
monitoring.metricDescriptors.create
monitoring.metricDescriptors.delete
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.notificationChannelDescriptors.list
monitoring.notificationChannelDescriptors.get
monitoring.notificationChannels.create
monitoring.notificationChannels.delete
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.notificationChannels.sendVerification
monitoring.notificationChannels.verify
monitoring.timeSeries.create
monitoring.timeSeries.list
monitoring.uptimeCheckConfigs.create1
monitoring.uptimeCheckConfigs.delete1
monitoring.uptimeCheckConfigs.get1
monitoring.uptimeCheckConfigs.list1
monitoring.uptimeCheckConfigs.update1
resourcemanager.projects.get
resourcemanager.projects.list stackdriver.projects.edit
stackdriver.projects.get
roles/monitoring.admin
Monitoring Admin
The permissions in roles/monitoring.editor, plus the following:
monitoring.notificationChannels.sendVerification

1 These permissions are present to support the Stackdriver Monitoring console. They cannot be used in custom roles.

The following role is used by service accounts for write-only access:

Role ID
Role name
Includes permissions
roles/monitoring.metricWriter
Monitoring Metric Writer
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list
monitoring.timeSeries.create

Alert Policies

The Alert Policy roles include these permissions:

Role ID
Role name
Includes permissions
roles/monitoring.alertPolicyViewer
Monitoring AlertPolicy Viewer
monitoring.alertPolicies.get
monitoring.alertPolicies.list
roles/monitoring.alertPolicyEditor
Monitoring AlertPolicy Editor
monitoring.alertPolicies.create
monitoring.alertPolicies.delete
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.alertPolicies.update

Notification Channels

The Notification Channels roles include these permissions:

Role ID
Role name
Includes permissions
roles/monitoring.notificationChannelViewer
Monitoring NotificationChannel Viewer
monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list
monitoring.notificationChannels.get
monitoring.notificationChannels.list
roles/monitoring.notificationChannelEditor
Monitoring NotificationChannel Editor
monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list
monitoring.notificationChannels.create
monitoring.notificationChannels.delete
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.notificationChannels.sendVerification
monitoring.notificationChannels.verify

Google Cloud Plaform

The GCP roles include these permissions:

Role ID
Role name
Includes permissions
roles/viewer
Project Viewer
The Monitoring permissions are exactly the permissions in roles/monitoring.viewer.
roles/editor
Project Editor
The Monitoring permissions are the same as those in roles/monitoring.editor.
roles/owner
Project Owner
The Monitoring permissions are the same as those in roles/editor.

Granting Cloud IAM roles

The project owners, editors, and default service accounts for Compute Engine and App Engine should have the necessary permissions already; however, for other user accounts, it may be necessary to grant these roles explicitly.

For example, in order for a user account to be able to read or write MetricDescriptors using the API, that user must have the appropriate monitoring.metricDescriptors.* Cloud IAM permissions. These can be provided by granting the predefined "Monitoring Viewer" (monitoring.viewer) and "Monitoring Editor" (monitoring.editor) roles. See API permissions for more information.

These permissions can be granted either by using the Cloud SDK gcloud command-line tool or the Cloud Console.

Cloud SDK

Use the gcloud projects add-iam-policy-binding command to grant the monitoring.viewer or monitoring.editor role.

For example:

export PROJECT_ID="my-test-project"
export EMAIL_ADDRESS="myuser@gmail.com"
gcloud projects add-iam-policy-binding \
      $PROJECT_ID \
      --member="user:$EMAIL_ADDRESS" \
      --role="roles/monitoring.editor"

You can confirm the granted roles using the gcloud projects get-iam-policy command:

export PROJECT_ID="my-test-project"
gcloud projects get-iam-policy $PROJECT_ID

Cloud Console

To grant the Cloud IAM roles for the AlertPolicy resources via Cloud Console:

  1. Navigate to https://console.cloud.google.com/.
  2. Select the project with which you intend to enable the API.
  3. Expand the left-hand navigation menu by clicking on the three horizontal-line menu button.
  4. Click IAM & admin.
  5. If the user is not present, click the Add button; otherwise, click the toggle under the "Role(s)" column next to the existing user whose permissions you wish to edit.
  6. Scroll down to "Monitoring" and hover over it.
  7. Mark the appropriate role: "Monitoring Editor" grants read-write access; "Monitoring Viewer" grants read-only access.

Custom roles

To create a custom role with Stackdriver Monitoring permissions, do the following:

  • For a role granting permissions only for the Stackdriver Monitoring API, choose from the permissions in the API permissions section.

  • For a role granting permssions for the Stackdriver Monitoring console, choose from permission groups in the Console permissions section.

  • To grant the ability to write monitoring data, include the permission(s) from the role roles/monitoring.metricWriter in the Roles section.

For more information on custom roles, see Understanding IAM Custom Roles.

Compute Engine access scopes

Access scopes are the legacy method of specifying permissions for your Compute Engine VM instances. The following access scopes apply to Stackdriver Monitoring:

Access scope Permissions granted
https://www.googleapis.com/auth/monitoring.read The same permissions as in roles/monitoring.viewer.
https://www.googleapis.com/auth/monitoring.write The same permissions as in roles/monitoring.metricWriter.
https://www.googleapis.com/auth/monitoring Full access to Stackdriver Monitoring.
https://www.googleapis.com/auth/cloud-platform Full access to all enabled Google Cloud APIs.

For more details, see Access scopes.

Best practice. Since service account Cloud IAM roles are easy to configure and change, a good practice is to give your VM instances the most powerful access scope (cloud-platform) and then use IAM roles to restrict access to specific APIs and operations. For details, see Service account permissions.

Send feedback about...

Stackdriver Monitoring