此页面由 Cloud Translation API 翻译。

使用 IAM 控制访问权限

要使用 Monitoring，您必须拥有适当的 Identity and Access Management (IAM) 权限。通常，API 中的每个 REST 方法都有关联的权限。若要使用该方法，或使用依赖于该方法的控制台功能，您必须：您有权使用相应的方法。权限不会直接授予用户；改为授予通过角色间接管理，角色可将多个权限分为一组：

如需了解访问权限控制，请参阅与访问权限管理相关的概念。

如需了解如何向主账号授予角色，请参阅授予对 Cloud Monitoring 的访问权限。

系统会为您预定义常用权限组合的角色。不过，还可以创建您自己的权限组合创建 IAM 自定义角色。

最佳实践

我们建议您创建 Google 群组来管理对 Google Cloud 项目：

如需了解详情，请参阅在 Google Cloud 控制台中管理群组。
如需了解如何设置角色限制，请参阅设置角色授予限制。
如需查看 IAM 角色和权限的完整列表，请参阅 IAM 基本角色和预定义角色参考文档。

VPC Service Controls

如需进一步控制对监控数据的访问权限，除了使用 IAM 以外，还请使用 VPC Service Controls。

VPC Service Controls 可为 Cloud Monitoring 提供额外的安全保护，有助于降低数据泄露的风险。使用 VPC Service Controls，您可以向服务边界添加指标范围，以保护 Cloud Monitoring 资源和服务免受来自该范围之外的请求的影响。

如需详细了解服务边界，请参阅 VPC Service Controls 服务边界配置文档。

如需了解 VPC Service Controls 的 Monitoring 支持，包括已知限制，请参阅 Monitoring VPC Service Controls 文档。

授予对 Cloud Monitoring 的访问权限

如需管理主账号的 IAM 角色，您可以使用 Google Cloud 控制台或 Google Cloud CLI 中的 Identity and Access Management 页面。不过，Cloud Monitoring 提供了一个简化的界面，让您可以管理特定于 Monitoring 的角色、项目级角色、以及 Cloud Logging 和 Cloud Trace 的常见角色。

如需向主账号授予对 Monitoring、Cloud Logging、或 Cloud Trace，或者要授予项目级角色，请执行以下操作：

控制台

在 Google Cloud 控制台中，前往权限页面：
前往权限

如果您使用搜索栏查找此页面，请选择子标题为监控的结果。

权限页面并未显示所有主账号。它只会列出拥有项目级角色或 Monitoring、Logging 或 Trace。

通过本页面上的选项，您可以查看其角色中包含的所有主账号任何 Monitoring 权限。
点击 授予访问权限。
点击新的主账号，然后输入主账号的用户名。您可以添加多个主账号。

展开 选择角色，然后从 按产品或服务菜单，然后从角色中选择一个角色菜单：

按产品或服务选项	选择角色	说明
监控	Monitoring Viewer	查看 Monitoring 数据和配置信息。例如，拥有此角色的主账号可以查看自定义信息中心和提醒政策。
监控	Monitoring Editor	查看 Monitoring 数据以及创建和修改配置。例如，主账号此角色可以创建自定义信息中心和提醒政策。
监控	Monitoring Admin	查看 Monitoring 数据，创建和修改配置以及修改指标范围。
Cloud Trace	Cloud Trace 用户	拥有对 Trace 控制台的完整访问权限以及对跟踪记录的读取访问权限，以及对接收器的读写权限如需了解详情，请参阅 Trace 角色。
Cloud Trace	Cloud Trace 管理员	拥有对 Trace 控制台的完整访问权限、对跟踪记录的读写权限以及对接收器的读写权限如需了解详情，请参阅 Trace 角色。
日志记录	Logs Viewer	拥有对日志的查看权限。如需了解详情，请参阅 Logging 角色。
日志记录	Logging 管理员	拥有对 Cloud Logging 所有功能的完全访问权限。对于请参阅 Logging 角色。
项目	查看者	拥有对大多数 Google Cloud 资源的查看权限。
项目	Editor	查看、创建、更新和删除大多数 Google Cloud 资源。
项目	Owner	拥有对大多数 Google Cloud 资源的完整访问权限。

可选：要向相同的主账号授予其他角色，请点击 添加其他角色，然后重复上一步。
点击保存。

前面的步骤介绍了如何使用 Google Cloud 控制台中的监控页面。对于这些此页面还支持编辑和删除选项：

如需移除主账号的角色，请执行以下操作：选中主账号旁边的复选框，然后点击 撤消访问权限。
如需修改主账号的角色，请执行以下操作：点击修改。更新设置后点击保存。

gcloud

使用 gcloud projects add-iam-policy-binding 命令授予 monitoring.viewer 或 monitoring.editor 角色。

例如：

export PROJECT_ID="my-test-project"
export EMAIL_ADDRESS="myuser@gmail.com"
gcloud projects add-iam-policy-binding \
      $PROJECT_ID \
      --member="user:$EMAIL_ADDRESS" \
      --role="roles/monitoring.editor"

您可以使用 gcloud projects get-iam-policy 命令确认已授予的角色：

export PROJECT_ID="my-test-project"
gcloud projects get-iam-policy $PROJECT_ID

预定义角色

本部分列出了由 Cloud Monitoring。

Monitoring 角色

以下角色可授予针对 Monitoring 的一般权限：

名称职位	具有的权限
`roles/monitoring.viewer` Monitoring Viewer	可授予对以下对象的只读权限：在 Google Cloud 控制台进行监控，以及 Cloud Monitoring API。
`roles/monitoring.editor` Monitoring Editor	可授予对以下对象的读写权限：在 Google Cloud 控制台进行监控，以及 Cloud Monitoring API。
`roles/monitoring.admin` Monitoring Admin	可授予对以下对象的完全访问权限：在 Google Cloud 控制台进行监控，以及拥有对 Cloud Monitoring API 的读写权限。

以下角色可为服务账号提供只写权限：

名称职位	说明
`roles/monitoring.metricWriter` Monitoring Metric Writer	此角色适用于服务账号和代理。不允许在 Google Cloud 控制台中访问 Monitoring。允许将监控数据写入指标范围。

提醒政策角色

以下角色可授予针对提醒政策的权限：

名称职位	说明
`roles/monitoring.alertPolicyViewer` Monitoring AlertPolicy Viewer	授予对提醒政策的只读权限。
`roles/monitoring.alertPolicyEditor` Monitoring AlertPolicy Editor	授予对提醒政策的读写权限。

信息中心角色

以下角色仅授予针对信息中心的权限：

名称职位	说明
`roles/monitoring.dashboardViewer` Monitoring Dashboard Configuration Viewer	授予对信息中心配置的只读权限。
`roles/monitoring.dashboardEditor` Monitoring Dashboard Configuration Editor	授予对信息中心配置的读写权限。

突发事件角色

以下角色仅授予针对突发事件的权限：

名称职位	说明
`roles/monitoring.cloudConsoleIncidentViewer` Monitoring Cloud Console Incident Viewer	授予使用 Google Cloud 控制台查看突发事件的权限。
`roles/monitoring.cloudConsoleIncidentEditor` Monitoring Cloud Console Incident Editor	授予使用 Google Cloud 控制台查看、确认和关闭突发事件的权限。

了解如何在出现以下情况时解决 IAM 权限错误：查看突发事件，请参阅由于权限错误，无法查看突发事件详情。

通知渠道角色

以下角色仅授予针对通知渠道的权限：

名称职位	说明
`roles/monitoring.notificationChannelViewer` Monitoring NotificationChannel Viewer	授予对通知渠道的只读权限。
`roles/monitoring.notificationChannelEditor` Monitoring NotificationChannel Editor	授予对通知渠道的读写权限。

延后通知角色

以下角色授予暂停通知的权限：

名称职位	说明
`roles/monitoring.snoozeViewer` 监控延后查看器	授予对延后的只读权限。
`roles/monitoring.snoozeEditor` 监控延后编辑器	授予对延后的读写权限。

Service Monitoring 角色

以下角色授予管理服务的权限：

名称职位	说明
`roles/monitoring.servicesViewer` Monitoring Services Viewer	授予对服务的只读权限。
`roles/monitoring.servicesEditor` Monitoring Services Editor	授予对服务的读写权限。

如需详细了解服务监控，请参阅 SLO 监控。

拨测配置角色

以下角色仅授予针对正常运行时间检查配置的权限：

名称职位	说明
`roles/monitoring.uptimeCheckConfigViewer` Monitoring Uptime Check Configurations Viewer	授予对拨测配置的只读权限。
`roles/monitoring.uptimeCheckConfigEditor` Monitoring Uptime Check Configurations Editor	授予对拨测配置的读写权限。

指标范围配置角色

以下角色授予了指标范围的一般权限：

名称职位	说明
`roles/monitoring.metricsScopesViewer` Monitoring Metrics Scopes Viewer	授予对指标范围的只读权限。
`roles/monitoring.metricsScopesAdmin` Monitoring Metrics Scopes Admin	授予对指标范围的读写权限。

预定义角色的权限

本部分列出了为关联的预定义角色分配的权限。

如需详细了解预定义角色，请参阅 IAM：角色和权限。如果在选择最合适的预定义角色时需要帮助，请参阅选择预定义角色。

Monitoring 角色的权限

Role Permissions

Role	Permissions
Monitoring Admin (`roles/monitoring.admin`) Provides the same access as the Monitoring Editor role (`roles/monitoring.editor`). Lowest-level resources where you can grant this role: Project	`cloudnotifications.activities.list` `monitoring.` `monitoring.alertPolicies.create` `monitoring.alertPolicies.delete` `monitoring.alertPolicies.get` `monitoring.alertPolicies.list` `monitoring.alertPolicies.update` `monitoring.dashboards.create` `monitoring.dashboards.delete` `monitoring.dashboards.get` `monitoring.dashboards.list` `monitoring.dashboards.update` `monitoring.groups.create` `monitoring.groups.delete` `monitoring.groups.get` `monitoring.groups.list` `monitoring.groups.update` `monitoring.metricDescriptors.create` `monitoring.metricDescriptors.delete` `monitoring.metricDescriptors.get` `monitoring.metricDescriptors.list` `monitoring.metricsScopes.link` `monitoring.monitoredResourceDescriptors.get` `monitoring.monitoredResourceDescriptors.list` `monitoring.notificationChannelDescriptors.get` `monitoring.notificationChannelDescriptors.list` `monitoring.notificationChannels.create` `monitoring.notificationChannels.delete` `monitoring.notificationChannels.get` `monitoring.notificationChannels.getVerificationCode` `monitoring.notificationChannels.list` `monitoring.notificationChannels.sendVerificationCode` `monitoring.notificationChannels.update` `monitoring.notificationChannels.verify` `monitoring.publicWidgets.create` `monitoring.publicWidgets.delete` `monitoring.publicWidgets.get` `monitoring.publicWidgets.list` `monitoring.publicWidgets.update` `monitoring.services.create` `monitoring.services.delete` `monitoring.services.get` `monitoring.services.list` `monitoring.services.update` `monitoring.slos.create` `monitoring.slos.delete` `monitoring.slos.get` `monitoring.slos.list` `monitoring.slos.update` `monitoring.snoozes.create` `monitoring.snoozes.get` `monitoring.snoozes.list` `monitoring.snoozes.update` `monitoring.timeSeries.create` `monitoring.timeSeries.list` `monitoring.uptimeCheckConfigs.create` `monitoring.uptimeCheckConfigs.delete` `monitoring.uptimeCheckConfigs.get` `monitoring.uptimeCheckConfigs.list` `monitoring.uptimeCheckConfigs.update` `opsconfigmonitoring.` `opsconfigmonitoring.resourceMetadata.list` `opsconfigmonitoring.resourceMetadata.write` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.services.enable` `serviceusage.services.get` `stackdriver.*` `stackdriver.projects.edit` `stackdriver.projects.get` `stackdriver.resourceMetadata.list` `stackdriver.resourceMetadata.write`
Monitoring AlertPolicy Editor (`roles/monitoring.alertPolicyEditor`) Read/write access to alerting policies.	`monitoring.alertPolicies.*` `monitoring.alertPolicies.create` `monitoring.alertPolicies.delete` `monitoring.alertPolicies.get` `monitoring.alertPolicies.list` `monitoring.alertPolicies.update`
Monitoring AlertPolicy Viewer (`roles/monitoring.alertPolicyViewer`) Read-only access to alerting policies.	`monitoring.alertPolicies.get` `monitoring.alertPolicies.list`
Monitoring Cloud Console Incident Editor ^Beta (`roles/monitoring.cloudConsoleIncidentEditor`) Read/write access to incidents from Cloud Console.
Monitoring Cloud Console Incident Viewer ^Beta (`roles/monitoring.cloudConsoleIncidentViewer`) Read access to incidents from Cloud Console.
Monitoring Dashboard Configuration Editor (`roles/monitoring.dashboardEditor`) Read/write access to dashboard configurations.	`monitoring.dashboards.*` `monitoring.dashboards.create` `monitoring.dashboards.delete` `monitoring.dashboards.get` `monitoring.dashboards.list` `monitoring.dashboards.update`
Monitoring Dashboard Configuration Viewer (`roles/monitoring.dashboardViewer`) Read-only access to dashboard configurations.	`monitoring.dashboards.get` `monitoring.dashboards.list`
Monitoring Editor (`roles/monitoring.editor`) Provides full access to information about all monitoring data and configurations. Lowest-level resources where you can grant this role: Project	`cloudnotifications.activities.list` `monitoring.alertPolicies.` `monitoring.alertPolicies.create` `monitoring.alertPolicies.delete` `monitoring.alertPolicies.get` `monitoring.alertPolicies.list` `monitoring.alertPolicies.update` `monitoring.dashboards.` `monitoring.dashboards.create` `monitoring.dashboards.delete` `monitoring.dashboards.get` `monitoring.dashboards.list` `monitoring.dashboards.update` `monitoring.groups.` `monitoring.groups.create` `monitoring.groups.delete` `monitoring.groups.get` `monitoring.groups.list` `monitoring.groups.update` `monitoring.metricDescriptors.` `monitoring.metricDescriptors.create` `monitoring.metricDescriptors.delete` `monitoring.metricDescriptors.get` `monitoring.metricDescriptors.list` `monitoring.monitoredResourceDescriptors.` `monitoring.monitoredResourceDescriptors.get` `monitoring.monitoredResourceDescriptors.list` `monitoring.notificationChannelDescriptors.` `monitoring.notificationChannelDescriptors.get` `monitoring.notificationChannelDescriptors.list` `monitoring.notificationChannels.create` `monitoring.notificationChannels.delete` `monitoring.notificationChannels.get` `monitoring.notificationChannels.list` `monitoring.notificationChannels.sendVerificationCode` `monitoring.notificationChannels.update` `monitoring.notificationChannels.verify` `monitoring.publicWidgets.` `monitoring.publicWidgets.create` `monitoring.publicWidgets.delete` `monitoring.publicWidgets.get` `monitoring.publicWidgets.list` `monitoring.publicWidgets.update` `monitoring.services.` `monitoring.services.create` `monitoring.services.delete` `monitoring.services.get` `monitoring.services.list` `monitoring.services.update` `monitoring.slos.` `monitoring.slos.create` `monitoring.slos.delete` `monitoring.slos.get` `monitoring.slos.list` `monitoring.slos.update` `monitoring.snoozes.` `monitoring.snoozes.create` `monitoring.snoozes.get` `monitoring.snoozes.list` `monitoring.snoozes.update` `monitoring.timeSeries.` `monitoring.timeSeries.create` `monitoring.timeSeries.list` `monitoring.uptimeCheckConfigs.` `monitoring.uptimeCheckConfigs.create` `monitoring.uptimeCheckConfigs.delete` `monitoring.uptimeCheckConfigs.get` `monitoring.uptimeCheckConfigs.list` `monitoring.uptimeCheckConfigs.update` `opsconfigmonitoring.` `opsconfigmonitoring.resourceMetadata.list` `opsconfigmonitoring.resourceMetadata.write` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.services.enable` `serviceusage.services.get` `stackdriver.` `stackdriver.projects.edit` `stackdriver.projects.get` `stackdriver.resourceMetadata.list` `stackdriver.resourceMetadata.write`
Monitoring Metric Writer (`roles/monitoring.metricWriter`) Provides write-only access to metrics. This provides exactly the permissions needed by the Cloud Monitoring agent and other systems that send metrics. Lowest-level resources where you can grant this role: Project	`monitoring.metricDescriptors.create` `monitoring.metricDescriptors.get` `monitoring.metricDescriptors.list` `monitoring.monitoredResourceDescriptors.*` `monitoring.monitoredResourceDescriptors.get` `monitoring.monitoredResourceDescriptors.list` `monitoring.timeSeries.create`
Monitoring Metrics Scopes Admin ^Beta (`roles/monitoring.metricsScopesAdmin`) Access to add and remove monitored projects from metrics scopes.	`monitoring.metricsScopes.link` `resourcemanager.projects.get` `resourcemanager.projects.list`
Monitoring Metrics Scopes Viewer ^Beta (`roles/monitoring.metricsScopesViewer`) Read-only access to metrics scopes and their monitored projects.	`resourcemanager.projects.get` `resourcemanager.projects.list`
Monitoring NotificationChannel Editor ^Beta (`roles/monitoring.notificationChannelEditor`) Read/write access to notification channels.	`monitoring.notificationChannelDescriptors.*` `monitoring.notificationChannelDescriptors.get` `monitoring.notificationChannelDescriptors.list` `monitoring.notificationChannels.create` `monitoring.notificationChannels.delete` `monitoring.notificationChannels.get` `monitoring.notificationChannels.list` `monitoring.notificationChannels.sendVerificationCode` `monitoring.notificationChannels.update` `monitoring.notificationChannels.verify`
Monitoring NotificationChannel Viewer ^Beta (`roles/monitoring.notificationChannelViewer`) Read-only access to notification channels.	`monitoring.notificationChannelDescriptors.*` `monitoring.notificationChannelDescriptors.get` `monitoring.notificationChannelDescriptors.list` `monitoring.notificationChannels.get` `monitoring.notificationChannels.list`
Monitoring Services Editor (`roles/monitoring.servicesEditor`) Read/write access to services.	`monitoring.services.` `monitoring.services.create` `monitoring.services.delete` `monitoring.services.get` `monitoring.services.list` `monitoring.services.update` `monitoring.slos.` `monitoring.slos.create` `monitoring.slos.delete` `monitoring.slos.get` `monitoring.slos.list` `monitoring.slos.update`
Monitoring Services Viewer (`roles/monitoring.servicesViewer`) Read-only access to services.	`monitoring.services.get` `monitoring.services.list` `monitoring.slos.get` `monitoring.slos.list`
Monitoring Snooze Editor (`roles/monitoring.snoozeEditor`)	`monitoring.snoozes.*` `monitoring.snoozes.create` `monitoring.snoozes.get` `monitoring.snoozes.list` `monitoring.snoozes.update`
Monitoring Snooze Viewer (`roles/monitoring.snoozeViewer`)	`monitoring.snoozes.get` `monitoring.snoozes.list`
Monitoring Uptime Check Configuration Editor ^Beta (`roles/monitoring.uptimeCheckConfigEditor`) Read/write access to uptime check configurations.	`monitoring.uptimeCheckConfigs.*` `monitoring.uptimeCheckConfigs.create` `monitoring.uptimeCheckConfigs.delete` `monitoring.uptimeCheckConfigs.get` `monitoring.uptimeCheckConfigs.list` `monitoring.uptimeCheckConfigs.update`
Monitoring Uptime Check Configuration Viewer ^Beta (`roles/monitoring.uptimeCheckConfigViewer`) Read-only access to uptime check configurations.	`monitoring.uptimeCheckConfigs.get` `monitoring.uptimeCheckConfigs.list`
Monitoring Viewer (`roles/monitoring.viewer`) Provides read-only access to get and list information about all monitoring data and configurations. Lowest-level resources where you can grant this role: Project	`cloudnotifications.activities.list` `monitoring.alertPolicies.get` `monitoring.alertPolicies.list` `monitoring.dashboards.get` `monitoring.dashboards.list` `monitoring.groups.get` `monitoring.groups.list` `monitoring.metricDescriptors.get` `monitoring.metricDescriptors.list` `monitoring.monitoredResourceDescriptors.` `monitoring.monitoredResourceDescriptors.get` `monitoring.monitoredResourceDescriptors.list` `monitoring.notificationChannelDescriptors.` `monitoring.notificationChannelDescriptors.get` `monitoring.notificationChannelDescriptors.list` `monitoring.notificationChannels.get` `monitoring.notificationChannels.list` `monitoring.publicWidgets.get` `monitoring.publicWidgets.list` `monitoring.services.get` `monitoring.services.list` `monitoring.slos.get` `monitoring.slos.list` `monitoring.snoozes.get` `monitoring.snoozes.list` `monitoring.timeSeries.list` `monitoring.uptimeCheckConfigs.get` `monitoring.uptimeCheckConfigs.list` `opsconfigmonitoring.resourceMetadata.list` `resourcemanager.projects.get` `resourcemanager.projects.list` `stackdriver.projects.get` `stackdriver.resourceMetadata.list`

Monitoring Admin

(roles/monitoring.admin)

Provides the same access as the Monitoring Editor role (roles/monitoring.editor).

Lowest-level resources where you can grant this role:

Project

cloudnotifications.activities.list

monitoring.*

monitoring.alertPolicies.create
monitoring.alertPolicies.delete
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.alertPolicies.update
monitoring.dashboards.create
monitoring.dashboards.delete
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.dashboards.update
monitoring.groups.create
monitoring.groups.delete
monitoring.groups.get
monitoring.groups.list
monitoring.groups.update
monitoring.metricDescriptors.create
monitoring.metricDescriptors.delete
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.metricsScopes.link
monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list
monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list
monitoring.notificationChannels.create
monitoring.notificationChannels.delete
monitoring.notificationChannels.get
monitoring.notificationChannels.getVerificationCode
monitoring.notificationChannels.list
monitoring.notificationChannels.sendVerificationCode
monitoring.notificationChannels.update
monitoring.notificationChannels.verify
monitoring.publicWidgets.create
monitoring.publicWidgets.delete
monitoring.publicWidgets.get
monitoring.publicWidgets.list
monitoring.publicWidgets.update
monitoring.services.create
monitoring.services.delete
monitoring.services.get
monitoring.services.list
monitoring.services.update
monitoring.slos.create
monitoring.slos.delete
monitoring.slos.get
monitoring.slos.list
monitoring.slos.update
monitoring.snoozes.create
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.snoozes.update
monitoring.timeSeries.create
monitoring.timeSeries.list
monitoring.uptimeCheckConfigs.create
monitoring.uptimeCheckConfigs.delete
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
monitoring.uptimeCheckConfigs.update

opsconfigmonitoring.*

opsconfigmonitoring.resourceMetadata.list
opsconfigmonitoring.resourceMetadata.write

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.enable

serviceusage.services.get

stackdriver.*

stackdriver.projects.edit
stackdriver.projects.get
stackdriver.resourceMetadata.list
stackdriver.resourceMetadata.write

Monitoring AlertPolicy Editor

(roles/monitoring.alertPolicyEditor)

Read/write access to alerting policies.

monitoring.alertPolicies.*

monitoring.alertPolicies.create
monitoring.alertPolicies.delete
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.alertPolicies.update

Monitoring AlertPolicy Viewer

(roles/monitoring.alertPolicyViewer)

Read-only access to alerting policies.

monitoring.alertPolicies.get

monitoring.alertPolicies.list

Monitoring Cloud Console Incident Editor ^Beta

(roles/monitoring.cloudConsoleIncidentEditor)

Read/write access to incidents from Cloud Console.

Monitoring Cloud Console Incident Viewer ^Beta

(roles/monitoring.cloudConsoleIncidentViewer)

Read access to incidents from Cloud Console.

Monitoring Dashboard Configuration Editor

(roles/monitoring.dashboardEditor)

Read/write access to dashboard configurations.

monitoring.dashboards.*

monitoring.dashboards.create
monitoring.dashboards.delete
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.dashboards.update

Monitoring Dashboard Configuration Viewer

(roles/monitoring.dashboardViewer)

Read-only access to dashboard configurations.

monitoring.dashboards.get

monitoring.dashboards.list

Monitoring Editor

(roles/monitoring.editor)

Provides full access to information about all monitoring data and configurations.

Lowest-level resources where you can grant this role:

Project

cloudnotifications.activities.list

monitoring.alertPolicies.*

monitoring.alertPolicies.create
monitoring.alertPolicies.delete
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.alertPolicies.update

monitoring.dashboards.*

monitoring.dashboards.create
monitoring.dashboards.delete
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.dashboards.update

monitoring.groups.*

monitoring.groups.create
monitoring.groups.delete
monitoring.groups.get
monitoring.groups.list
monitoring.groups.update

monitoring.metricDescriptors.*

monitoring.metricDescriptors.create
monitoring.metricDescriptors.delete
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list

monitoring.notificationChannelDescriptors.*

monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.create

monitoring.notificationChannels.delete

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.notificationChannels.sendVerificationCode

monitoring.notificationChannels.update

monitoring.notificationChannels.verify

monitoring.publicWidgets.*

monitoring.publicWidgets.create
monitoring.publicWidgets.delete
monitoring.publicWidgets.get
monitoring.publicWidgets.list
monitoring.publicWidgets.update

monitoring.services.*

monitoring.services.create
monitoring.services.delete
monitoring.services.get
monitoring.services.list
monitoring.services.update

monitoring.slos.*

monitoring.slos.create
monitoring.slos.delete
monitoring.slos.get
monitoring.slos.list
monitoring.slos.update

monitoring.snoozes.*

monitoring.snoozes.create
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.snoozes.update

monitoring.timeSeries.*

monitoring.timeSeries.create
monitoring.timeSeries.list

monitoring.uptimeCheckConfigs.*

monitoring.uptimeCheckConfigs.create
monitoring.uptimeCheckConfigs.delete
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
monitoring.uptimeCheckConfigs.update

opsconfigmonitoring.*

opsconfigmonitoring.resourceMetadata.list
opsconfigmonitoring.resourceMetadata.write

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.enable

serviceusage.services.get

stackdriver.*

stackdriver.projects.edit
stackdriver.projects.get
stackdriver.resourceMetadata.list
stackdriver.resourceMetadata.write

Monitoring Metric Writer

(roles/monitoring.metricWriter)

Provides write-only access to metrics. This provides exactly the permissions needed by the Cloud Monitoring agent and other systems that send metrics.

Lowest-level resources where you can grant this role:

Project

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list

monitoring.timeSeries.create

Monitoring Metrics Scopes Admin ^Beta

(roles/monitoring.metricsScopesAdmin)

Access to add and remove monitored projects from metrics scopes.

monitoring.metricsScopes.link

resourcemanager.projects.get

resourcemanager.projects.list

Monitoring Metrics Scopes Viewer ^Beta

(roles/monitoring.metricsScopesViewer)

Read-only access to metrics scopes and their monitored projects.

resourcemanager.projects.get

resourcemanager.projects.list

Monitoring NotificationChannel Editor ^Beta

(roles/monitoring.notificationChannelEditor)

Read/write access to notification channels.

monitoring.notificationChannelDescriptors.*

monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.create

monitoring.notificationChannels.delete

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.notificationChannels.sendVerificationCode

monitoring.notificationChannels.update

monitoring.notificationChannels.verify

Monitoring NotificationChannel Viewer ^Beta

(roles/monitoring.notificationChannelViewer)

Read-only access to notification channels.

monitoring.notificationChannelDescriptors.*

monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.get

monitoring.notificationChannels.list

Monitoring Services Editor

(roles/monitoring.servicesEditor)

Read/write access to services.

monitoring.services.*

monitoring.services.create
monitoring.services.delete
monitoring.services.get
monitoring.services.list
monitoring.services.update

monitoring.slos.*

monitoring.slos.create
monitoring.slos.delete
monitoring.slos.get
monitoring.slos.list
monitoring.slos.update

Monitoring Services Viewer

(roles/monitoring.servicesViewer)

Read-only access to services.

monitoring.services.get

monitoring.services.list

monitoring.slos.get

monitoring.slos.list

Monitoring Snooze Editor

(roles/monitoring.snoozeEditor)

monitoring.snoozes.*

monitoring.snoozes.create
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.snoozes.update

Monitoring Snooze Viewer

(roles/monitoring.snoozeViewer)

monitoring.snoozes.get

monitoring.snoozes.list

Monitoring Uptime Check Configuration Editor ^Beta

(roles/monitoring.uptimeCheckConfigEditor)

Read/write access to uptime check configurations.

monitoring.uptimeCheckConfigs.*

monitoring.uptimeCheckConfigs.create
monitoring.uptimeCheckConfigs.delete
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
monitoring.uptimeCheckConfigs.update

Monitoring Uptime Check Configuration Viewer ^Beta

(roles/monitoring.uptimeCheckConfigViewer)

Read-only access to uptime check configurations.

monitoring.uptimeCheckConfigs.get

monitoring.uptimeCheckConfigs.list

Monitoring Viewer

(roles/monitoring.viewer)

Provides read-only access to get and list information about all monitoring data and configurations.

Lowest-level resources where you can grant this role:

Project

cloudnotifications.activities.list

monitoring.alertPolicies.get

monitoring.alertPolicies.list

monitoring.dashboards.get

monitoring.dashboards.list

monitoring.groups.get

monitoring.groups.list

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list

monitoring.notificationChannelDescriptors.*

monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.publicWidgets.get

monitoring.publicWidgets.list

monitoring.services.get

monitoring.services.list

monitoring.slos.get

monitoring.slos.list

monitoring.snoozes.get

monitoring.snoozes.list

monitoring.timeSeries.list

monitoring.uptimeCheckConfigs.get

monitoring.uptimeCheckConfigs.list

opsconfigmonitoring.resourceMetadata.list

resourcemanager.projects.get

resourcemanager.projects.list

stackdriver.projects.get

stackdriver.resourceMetadata.list

Ops Config Monitoring 角色的权限

Role Permissions

Role	Permissions
Ops Config Monitoring Resource Metadata Viewer ^Beta (`roles/opsconfigmonitoring.resourceMetadata.viewer`) Read-only access to resource metadata.	`opsconfigmonitoring.resourceMetadata.list`
Ops Config Monitoring Resource Metadata Writer ^Beta (`roles/opsconfigmonitoring.resourceMetadata.writer`) Write-only access to resource metadata. This provides exactly the permissions needed by the Ops Config Monitoring metadata agent and other systems that send metadata.	`opsconfigmonitoring.resourceMetadata.write`

Ops Config Monitoring Resource Metadata Viewer ^Beta

(roles/opsconfigmonitoring.resourceMetadata.viewer)

Read-only access to resource metadata.

opsconfigmonitoring.resourceMetadata.list

Ops Config Monitoring Resource Metadata Writer ^Beta

(roles/opsconfigmonitoring.resourceMetadata.writer)

Write-only access to resource metadata. This provides exactly the permissions needed by the Ops Config Monitoring metadata agent and other systems that send metadata.

opsconfigmonitoring.resourceMetadata.write

Stackdriver 角色的权限

Role Permissions

Role	Permissions
Stackdriver Accounts Editor (`roles/stackdriver.accounts.editor`) Read/write access to manage Stackdriver account structure.	`resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.services.enable` `serviceusage.services.get` `stackdriver.projects.*` `stackdriver.projects.edit` `stackdriver.projects.get`
Stackdriver Accounts Viewer (`roles/stackdriver.accounts.viewer`) Read-only access to get and list information about Stackdriver account structure.	`resourcemanager.projects.get` `resourcemanager.projects.list` `stackdriver.projects.get`
Stackdriver Resource Metadata Writer ^Beta (`roles/stackdriver.resourceMetadata.writer`) Write-only access to resource metadata. This provides exactly the permissions needed by the Stackdriver metadata agent and other systems that send metadata.	`stackdriver.resourceMetadata.write`

Stackdriver Accounts Editor

(roles/stackdriver.accounts.editor)

Read/write access to manage Stackdriver account structure.

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.enable

serviceusage.services.get

stackdriver.projects.*

stackdriver.projects.edit
stackdriver.projects.get

Stackdriver Accounts Viewer

(roles/stackdriver.accounts.viewer)

Read-only access to get and list information about Stackdriver account structure.

resourcemanager.projects.get

resourcemanager.projects.list

stackdriver.projects.get

Stackdriver Resource Metadata Writer ^Beta

(roles/stackdriver.resourceMetadata.writer)

Write-only access to resource metadata. This provides exactly the permissions needed by the Stackdriver metadata agent and other systems that send metadata.

stackdriver.resourceMetadata.write

Google Cloud 角色中包含的监控权限

Google Cloud 角色具备以下权限：

名称
职位具有的权限

roles/viewer
Viewer Monitoring 权限与 roles/monitoring.viewer 的权限相同。

名称职位	具有的权限
`roles/viewer` Viewer	Monitoring 权限与 `roles/monitoring.viewer` 的权限相同。
`roles/editor` Editor	Monitoring 权限与 `roles/monitoring.editor` 替换为 `stackdriver.projects.edit` 权限除外。 `roles/editor` 角色不包含 `stackdriver.projects.edit` 权限。此角色不授予修改指标范围的权限。如需在使用 API 时修改指标范围，您的角色必须包含权限 `monitoring.metricsScopes.link`。如需在使用 Google Cloud 控制台时修改指标范围，您的角色必须包含 `monitoring.metricsScopes.link`，或者您必须拥有该角色 `roles/monitoring.editor`.
`roles/owner` Owner	Monitoring 权限与 `roles/monitoring.admin`.

roles/editor
Editor

Monitoring 权限与 roles/monitoring.editor 替换为 stackdriver.projects.edit 权限除外。 roles/editor 角色不包含 stackdriver.projects.edit 权限。

此角色不授予修改指标范围的权限。如需在使用 API 时修改指标范围，您的角色必须包含权限 monitoring.metricsScopes.link。如需在使用 Google Cloud 控制台时修改指标范围，您的角色必须包含 monitoring.metricsScopes.link，或者您必须拥有该角色 roles/monitoring.editor.

roles/owner
Owner Monitoring 权限与 roles/monitoring.admin.

自定义角色

如果您想向主账号授予与使用预定义角色授予的权限相比，可限制的权限集更为有限。例如，如果您设置了 Assured Workloads 因为你有数据驻留或影响级别 4 (IL4) 要求，则不应使用拨测无法保证正常运行时间检查数据会保存在特定的地理位置。为防止使用拨测，请创建一个不包含任何带有 monitoring.uptimeCheckConfigs 前缀的权限。

要创建具备 Monitoring 权限的自定义角色，请执行以下操作：

对于仅授予 Monitoring API 权限的角色，从权限和预定义角色部分。
对于在 Google Cloud 控制台中的权限组，请从 Monitoring 角色部分。
如需授予写入监控数据的权限，添加来自 roles/monitoring.metricWriter的角色权限和预定义角色部分。

如需详细了解自定义角色，请转到了解 IAM 自定义角色。

Compute Engine 访问权限范围

访问权限范围是为 Compute Engine 虚拟机实例指定权限的传统方法。以下访问权限范围适用于 Monitoring：

访问权限范围	授予的权限
https://www.googleapis.com/auth/monitoring.read	权限与 `roles/monitoring.viewer` 相同。
https://www.googleapis.com/auth/monitoring.write	权限与 `roles/monitoring.metricWriter` 相同。
https://www.googleapis.com/auth/monitoring	拥有 Monitoring 的完整访问权限。
https://www.googleapis.com/auth/cloud-platform	拥有所有已启用 Cloud API 的完整访问权限。

如需了解详情，请转到访问权限范围。

最佳做法。 一种比较好的做法是为虚拟机实例提供最强大的访问权限范围 (cloud-platform)，然后使用 IAM 角色来限制对特定 API 和操作的访问权限。如需了解详情，请转到服务账号权限。

使用 IAM 控制访问权限

最佳实践

VPC Service Controls

授予对 Cloud Monitoring 的访问权限

控制台

gcloud

预定义角色

Monitoring 角色

提醒政策角色

信息中心角色

突发事件角色

通知渠道角色

延后通知角色

Service Monitoring 角色

拨测配置角色

指标范围配置角色

预定义角色的权限

Monitoring 角色的权限

Monitoring Admin

Monitoring AlertPolicy Editor

Monitoring AlertPolicy Viewer

Monitoring Cloud Console Incident Editor Beta

Monitoring Cloud Console Incident Viewer Beta

Monitoring Dashboard Configuration Editor

Monitoring Dashboard Configuration Viewer

Monitoring Editor

Monitoring Metric Writer

Monitoring Metrics Scopes Admin Beta

Monitoring Metrics Scopes Viewer Beta

Monitoring NotificationChannel Editor Beta

Monitoring NotificationChannel Viewer Beta

Monitoring Services Editor

Monitoring Services Viewer

Monitoring Snooze Editor

Monitoring Snooze Viewer

Monitoring Uptime Check Configuration Editor Beta

Monitoring Uptime Check Configuration Viewer Beta

Monitoring Viewer

Ops Config Monitoring 角色的权限

Ops Config Monitoring Resource Metadata Viewer Beta

Ops Config Monitoring Resource Metadata Writer Beta

Stackdriver 角色的权限

Stackdriver Accounts Editor

Stackdriver Accounts Viewer

Stackdriver Resource Metadata Writer Beta

Google Cloud 角色中包含的监控权限

自定义角色

Compute Engine 访问权限范围

Monitoring Cloud Console Incident Editor ^Beta

Monitoring Cloud Console Incident Viewer ^Beta

Monitoring Metrics Scopes Admin ^Beta

Monitoring Metrics Scopes Viewer ^Beta

Monitoring NotificationChannel Editor ^Beta

Monitoring NotificationChannel Viewer ^Beta

Monitoring Uptime Check Configuration Editor ^Beta

Monitoring Uptime Check Configuration Viewer ^Beta

Ops Config Monitoring Resource Metadata Viewer ^Beta

Ops Config Monitoring Resource Metadata Writer ^Beta

Stackdriver Resource Metadata Writer ^Beta