Access control

Stackdriver Monitoring controls access to monitoring data in Workspaces using Cloud Identity and Access Management (Cloud IAM) roles and permissions.

Overview

To use Monitoring, you must have the appropriate Cloud IAM permissions granted on the Workspace.

In general, each REST method in an API has an associated permission, and you must have the permission to use the corresponding method. Permissions aren't granted directly to users; permissions are instead granted indirectly through roles, which group multiple permissions to make managing them easier. For more information on these concepts, go to the Cloud IAM documentation on roles, permissions, and related concepts.

Roles for common combinations of permissions are predefined for you, but it's also possible to create your own combinations of permissions by creating Cloud IAM custom roles.

Predefined roles

The following Cloud IAM roles are predefined by Stackdriver Monitoring. They grant permissions only for Monitoring.

Monitoring

The following roles grant general permissions for Monitoring:

Role ID
Role name
Description
roles/monitoring.viewer
Monitoring Viewer
Gives you read-only access to the Stackdriver Monitoring console and API
roles/monitoring.editor
Monitoring Editor
Gives you read-write access to the Stackdriver Monitoring console and API, and lets you write monitoring data to a Workspace
roles/monitoring.admin
Monitoring Admin
Gives you full access to all Monitoring features

The following role is used by service accounts for write-only access:

Role ID
Role name
Description
roles/monitoring.metricWriter
Monitoring Metric Writer
Permits writing monitoring data to a Workspace; doesn't permit access to the Stackdriver Monitoring console. For service accounts.

Alert policies

The following roles grant permissions only for alert policies:

Role ID
Role name
Description
roles/monitoring.alertPolicyViewer
Monitoring AlertPolicy Viewer
Gives you read-only access to alert policies
roles/monitoring.alertPolicyEditor
Monitoring AlertPolicy Editor
Gives you read-write access to alert policies

Notification channels

The following roles grant permissions only for notification channels:

Role ID
Role name
Description
roles/monitoring.notificationChannelViewer
Monitoring NotificationChannel Viewer
Gives you read-only access to notification channels
roles/monitoring.notificationChannelEditor
Monitoring NotificationChannel Editor
Gives you read-write access to notification channels

Uptime-check configurations

The following roles grant permissions only for uptime-check configurations:

Role ID
Role name
Description
roles/monitoring.uptimeCheckConfigViewer
Monitoring Uptime Check Configurations Viewer
Gives you read-only access to uptime-check configurations
roles/monitoring.uptimeCheckConfigEditor
Monitoring Uptime Check Configurations Editor
Gives you read-write access to uptime-check configurations

Google Cloud Platform

The following roles grant permissions for many services and resources in Google Cloud Platform (GCP), including Monitoring:

Role ID
Role name
Description
roles/viewer
Project Viewer
Gives you read-only access to the Stackdriver Monitoring console and the API
roles/editor
Project Editor
Gives you read-write access to the Stackdriver Monitoring console and the API
roles/owner
Project Owner
Gives you full access to the Stackdriver Monitoring console and the API

Custom roles

You can also create your own custom roles that contain lists of permissions. For more details about roles and permissions, go to Permissions and roles and Custom roles on this page.

Permissions and roles

This section lists the Cloud IAM permissions and roles that apply to Monitoring.

API permissions

Each Monitoring API method requires a specific Cloud IAM permission, as listed in the following table:

Monitoring API method                                 Permission                                              Resource type
projects.alertPolicies.create                         monitoring.alertPolicies.create                         project [1]
projects.alertPolicies.delete                         monitoring.alertPolicies.delete                         AlertPolicy
projects.alertPolicies.get                            monitoring.alertPolicies.get                            AlertPolicy
projects.alertPolicies.list                           monitoring.alertPolicies.list                           project [1]
projects.alertPolicies.patch                          monitoring.alertPolicies.update                         AlertPolicy
projects.groups.create                                monitoring.groups.create                                project [1]
projects.groups.delete                                monitoring.groups.delete                                Group
projects.groups.get                                   monitoring.groups.get                                   Group
projects.groups.list                                  monitoring.groups.list                                  project [1]
projects.groups.update                                monitoring.groups.update                                Group
projects.groups.members.list                          monitoring.groups.get                                   Group
projects.metricDescriptors.create                     monitoring.metricDescriptors.create                     project
projects.metricDescriptors.delete                     monitoring.metricDescriptors.delete                     MetricDescriptor
projects.metricDescriptors.get                        monitoring.metricDescriptors.get                        MetricDescriptor
projects.metricDescriptors.list                       monitoring.metricDescriptors.list                       project
projects.monitoredResourceDescriptors.get             monitoring.monitoredResourceDescriptors.get             MonitoredResourceDescriptor
projects.monitoredResourceDescriptors.list            monitoring.monitoredResourceDescriptors.list            project
projects.notificationChannelDescriptors.get           monitoring.notificationChannelDescriptors.get           NotificationChannelDescriptor
projects.notificationChannelDescriptors.list          monitoring.notificationChannelDescriptors.list          project [1]
projects.notificationChannels.create                  monitoring.notificationChannels.create                  project [1]
projects.notificationChannels.delete                  monitoring.notificationChannels.delete                  NotificationChannel
projects.notificationChannels.get                     monitoring.notificationChannels.get                     NotificationChannel
projects.notificationChannels.getVerificationCode     monitoring.notificationChannels.getVerificationCode     NotificationChannel
projects.notificationChannels.list                    monitoring.notificationChannels.list                    project [1]
projects.notificationChannels.patch                   monitoring.notificationChannels.update                  NotificationChannel
projects.notificationChannels.sendVerificationCode    monitoring.notificationChannels.sendVerificationCode    NotificationChannel
projects.notificationChannels.verify                  monitoring.notificationChannels.verify                  NotificationChannel
projects.timeSeries.create                            monitoring.timeSeries.create                            project
projects.timeSeries.list                              monitoring.timeSeries.list                              project
projects.uptimeCheckConfigs.create                    monitoring.uptimeCheckConfigs.create                    UptimeCheckConfig
projects.uptimeCheckConfigs.delete                    monitoring.uptimeCheckConfigs.delete                    UptimeCheckConfig
projects.uptimeCheckConfigs.get                       monitoring.uptimeCheckConfigs.get                       UptimeCheckConfig
projects.uptimeCheckConfigs.list                      monitoring.uptimeCheckConfigs.list                      UptimeCheckConfig
projects.uptimeCheckConfigs.patch                     monitoring.uptimeCheckConfigs.update                    UptimeCheckConfig

[1] The project must be in a Workspace.

Stackdriver Monitoring console permissions

Each feature of the Stackdriver Monitoring console requires that you have the permission for the API used to implement the feature. For example, the ability to browse groups requires that you have permission for the list and get methods applicable to groups and group members. The Stackdriver Monitoring console might lose functionality if required permissions are revoked.

The following table lists the permissions required to use the Stackdriver Monitoring console:

Stackdriver Monitoring console activity    Required permissions                                              For resource type
Full read-only access to the console       The set of permissions included in the roles/monitoring.viewer role   project [1]
Read-write access to the console           The set of permissions included in the roles/monitoring.editor role   project [1]
Full access to the console                 The set of permissions included in the roles/monitoring.admin role    project [1]

[1] The project must be in a Workspace.

Roles

The following table lists the Cloud IAM roles that grant access to Monitoring and the permissions associated with each role. Several of these roles are graduated: for example, the roles/monitoring.editor role includes all the permissions of the roles/monitoring.viewer role, plus an additional set of permissions.

Roles can be assigned at the project level only, and the projects must be in Workspaces.

Monitoring

The Monitoring roles include these permissions:

Role ID
Role name
Includes permissions
roles/monitoring.viewer
Monitoring Viewer
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.analyzedMetrics.get [1]
monitoring.analyzedMetrics.list [1]
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list
monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.publicWidgets.get
monitoring.publicWidgets.list
monitoring.timeSeries.list
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
roles/monitoring.editor
Monitoring Editor
monitoring.alertPolicies.create
monitoring.alertPolicies.delete
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.alertPolicies.update
monitoring.analyzedMetrics.create [1]
monitoring.analyzedMetrics.delete [1]
monitoring.dashboards.create
monitoring.dashboards.delete
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.dashboards.update
monitoring.groups.create
monitoring.groups.delete
monitoring.groups.get
monitoring.groups.list
monitoring.groups.update
monitoring.metricDescriptors.create
monitoring.metricDescriptors.delete
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list
monitoring.notificationChannelDescriptors.list
monitoring.notificationChannelDescriptors.get
monitoring.notificationChannels.create
monitoring.notificationChannels.delete
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.notificationChannels.sendVerificationCode
monitoring.notificationChannels.update
monitoring.notificationChannels.verify
monitoring.publicWidgets.create
monitoring.publicWidgets.delete
monitoring.publicWidgets.get
monitoring.publicWidgets.list
monitoring.publicWidgets.update
monitoring.timeSeries.create
monitoring.timeSeries.list
monitoring.uptimeCheckConfigs.create
monitoring.uptimeCheckConfigs.delete
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
monitoring.uptimeCheckConfigs.update
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.edit
stackdriver.projects.get
stackdriver.resourceMetadata.write
roles/monitoring.admin
Monitoring Admin
The permissions in roles/monitoring.editor, plus the following:
monitoring.notificationChannels.getVerificationCode

[1] These permissions exist only to support the Stackdriver Monitoring console. They cannot be used in custom roles.

The following role is used by service accounts for write-only access:

Role ID
Role name
Includes permissions
roles/monitoring.metricWriter
Monitoring Metric Writer
monitoring.metricDescriptors.create
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list
monitoring.timeSeries.create

Alert policies

The Alert policy roles include these permissions:

Role ID
Role name
Includes permissions
roles/monitoring.alertPolicyViewer
Monitoring AlertPolicy Viewer
monitoring.alertPolicies.get
monitoring.alertPolicies.list
roles/monitoring.alertPolicyEditor
Monitoring AlertPolicy Editor
monitoring.alertPolicies.create
monitoring.alertPolicies.delete
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.alertPolicies.update

Notification channels

The Notification channels roles include these permissions:

Role ID
Role name
Includes permissions
roles/monitoring.notificationChannelViewer
Monitoring NotificationChannel Viewer
monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list
monitoring.notificationChannels.get
monitoring.notificationChannels.list
roles/monitoring.notificationChannelEditor
Monitoring NotificationChannel Editor
monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list
monitoring.notificationChannels.create
monitoring.notificationChannels.delete
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.notificationChannels.sendVerificationCode
monitoring.notificationChannels.update
monitoring.notificationChannels.verify

Uptime-check configurations

The Uptime-check configuration roles include these permissions:

Role ID
Role name
Includes permissions
roles/monitoring.uptimeCheckConfigViewer
Monitoring Uptime Check Configurations Viewer
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
roles/monitoring.uptimeCheckConfigEditor
Monitoring Uptime Check Configurations Editor
monitoring.uptimeCheckConfigs.create
monitoring.uptimeCheckConfigs.delete
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
monitoring.uptimeCheckConfigs.update

Google Cloud Platform

The GCP roles include these permissions:

Role ID
Role name
Includes permissions
roles/viewer
Project Viewer
The Monitoring permissions are exactly the permissions in roles/monitoring.viewer.
roles/editor
Project Editor
The Monitoring permissions are the same as those in roles/monitoring.editor.
roles/owner
Project Owner
The Monitoring permissions are the same as those in roles/editor.

Granting Cloud IAM roles

Project owners, project editors, and the default service accounts for Compute Engine and App Engine already have the necessary permissions (the default service accounts hold the broad roles/editor role, which covers far more than Monitoring). For other user accounts and for dedicated service accounts, you might need to grant these roles explicitly.

For example, in order for a user account to read or write metric descriptors by using the Monitoring API, that user must have the appropriate monitoring.metricDescriptors.* Cloud IAM permissions. Reading requires the permissions in the predefined Monitoring Viewer role (roles/monitoring.viewer); reading and writing requires the Monitoring Editor role (roles/monitoring.editor). A service account that only writes monitoring data needs no more than Monitoring Metric Writer (roles/monitoring.metricWriter). For more information, go to API permissions.

These roles can be granted either by using the Cloud SDK gcloud command-line tool or the Google Cloud Platform Console (GCP Console).

Cloud SDK

Use the gcloud projects add-iam-policy-binding command to grant the roles/monitoring.viewer or roles/monitoring.editor role to a member (a user, group, or service account).

For example:

export PROJECT_ID="my-test-project"
export EMAIL_ADDRESS="myuser@gmail.com"
gcloud projects add-iam-policy-binding \
      $PROJECT_ID \
      --member="user:$EMAIL_ADDRESS" \
      --role="roles/monitoring.editor"

You can confirm the granted roles using the gcloud projects get-iam-policy command:

export PROJECT_ID="my-test-project"
gcloud projects get-iam-policy $PROJECT_ID
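Confirming a single binding is easy, but a project policy usually has many members and the broad project roles (roles/editor, roles/owner) grant Monitoring access as a side effect. The following Python script is an added example, not code from the original page: it audits the JSON that gcloud projects get-iam-policy PROJECT_ID --format=json prints, reports which members can reach Monitoring and through which roles, flags bindings that are broader than Monitoring needs, and prints the gcloud commands to swap a broad role for a narrow one. The embedded policy, its member names, and the project ID are constructed for illustration.

```python
"""Audit a project IAM policy for Stackdriver Monitoring access.

Input is the JSON printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`.
The policy below is constructed for this example; member names and the project ID
are illustrative, not real accounts.
"""
from __future__ import annotations

import json

# Predefined Monitoring roles listed on this page.
MONITORING_ROLES = {
    "roles/monitoring.viewer", "roles/monitoring.editor", "roles/monitoring.admin",
    "roles/monitoring.metricWriter",
    "roles/monitoring.alertPolicyViewer", "roles/monitoring.alertPolicyEditor",
    "roles/monitoring.notificationChannelViewer", "roles/monitoring.notificationChannelEditor",
    "roles/monitoring.uptimeCheckConfigViewer", "roles/monitoring.uptimeCheckConfigEditor",
}
# Project-wide roles that also grant Monitoring access, plus much more.
PRIMITIVE_ROLES = {"roles/viewer", "roles/editor", "roles/owner"}
BROAD_ROLES = {"roles/editor", "roles/owner"}

SAMPLE_POLICY = """{
  "bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/editor", "members": [
        "serviceAccount:agent@my-test-project.iam.gserviceaccount.com",
        "user:bob@example.com"]},
    {"role": "roles/monitoring.viewer", "members": ["group:oncall@example.com"]},
    {"role": "roles/monitoring.metricWriter", "members": [
        "serviceAccount:exporter@my-test-project.iam.gserviceaccount.com"]}
  ],
  "etag": "BwWExampleEtag=",
  "version": 1
}"""


def load_policy(text: str) -> dict:
    """Parse the gcloud JSON output into a policy dict."""
    return json.loads(text)


def monitoring_access(policy: dict) -> dict[str, set[str]]:
    """Map each member to the roles in the policy that grant Monitoring access."""
    access: dict[str, set[str]] = {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role in MONITORING_ROLES or role in PRIMITIVE_ROLES:
            for member in binding.get("members", []):
                access.setdefault(member, set()).add(role)
    return access


def findings(policy: dict) -> list[str]:
    """Flag members whose Monitoring access comes from roles/editor or roles/owner.

    A service account that only writes metrics needs roles/monitoring.metricWriter;
    a human who only reads dashboards needs roles/monitoring.viewer. Either of the
    broad roles grants write access to most of the project, not just Monitoring.
    """
    out: list[str] = []
    for member, roles in sorted(monitoring_access(policy).items()):
        broad = sorted(roles & BROAD_ROLES)
        if not broad:
            continue
        if member.startswith("serviceAccount:"):
            out.append(f"{member} holds {', '.join(broad)}; "
                       "use roles/monitoring.metricWriter if it only writes metrics")
        else:
            out.append(f"{member} holds {', '.join(broad)}; "
                       "prefer a roles/monitoring.* role scoped to what they need")
    return out


def remediation(project_id: str, member: str, old_role: str, new_role: str) -> list[str]:
    """gcloud commands to replace a broad role with a narrower one.

    Grant first, then revoke, so the member never loses access it still needs.
    """
    return [
        f'gcloud projects add-iam-policy-binding {project_id} '
        f'--member="{member}" --role="{new_role}"',
        f'gcloud projects remove-iam-policy-binding {project_id} '
        f'--member="{member}" --role="{old_role}"',
    ]


if __name__ == "__main__":
    policy = load_policy(SAMPLE_POLICY)
    for member, roles in sorted(monitoring_access(policy).items()):
        print(f"{member}: {', '.join(sorted(roles))}")
    for line in findings(policy):
        print("FINDING:", line)
    agent = "serviceAccount:agent@my-test-project.iam.gserviceaccount.com"
    for cmd in remediation("my-test-project", agent, "roles/editor", "roles/monitoring.metricWriter"):
        print(cmd)
```

To run it against a real project, replace SAMPLE_POLICY with the output of gcloud projects get-iam-policy PROJECT_ID --format=json. The remediation order (add the narrow binding, then remove the broad one) matters for service accounts that are writing metrics continuously.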

GCP Console

  1. Go to the GCP Console.

  2. If necessary, click the drop-down list of GCP projects and select the name of the project in which you want to grant the role.

  3. To expand the navigation menu, click Menu.

  4. Click IAM & admin.

  5. If the user isn't present, click the Add button and then click the drop-down list next to Select a role; otherwise, click the toggle under the Role(s) column next to the existing user whose permissions you wish to edit.

  6. In the Manage Roles pane, move your pointer to the left side and scroll to Monitoring.

  7. In the Manage Roles pane, move your pointer to the right side and select the appropriate role:

    • Monitoring Editor grants read-write access.
    • Monitoring Viewer grants read-only access.

Custom roles

To create a custom role with Monitoring permissions, do the following:

  • For a role granting permissions only for the Monitoring API, choose from the permissions in the API permissions section.

  • For a role granting permissions for the Stackdriver Monitoring console, choose from permission groups in the Stackdriver Monitoring console permissions section.

  • To grant the ability to write monitoring data, include the permissions from the role roles/monitoring.metricWriter in the Roles section.

For more information on custom roles, go to Understanding IAM custom roles.

Compute Engine access scopes

Access scopes are the legacy method of specifying permissions for your Compute Engine VM instances. The following access scopes apply to Monitoring:

Access scope Permissions granted
https://www.googleapis.com/auth/monitoring.read The same permissions as in roles/monitoring.viewer.
https://www.googleapis.com/auth/monitoring.write The same permissions as in roles/monitoring.metricWriter.
https://www.googleapis.com/auth/monitoring Full access to Monitoring.
https://www.googleapis.com/auth/cloud-platform Full access to all enabled Cloud APIs.

For more details, go to Access scopes.

Best practice. Because service account Cloud IAM roles are easy to configure and change, a good practice is to give your VM instances the most powerful access scope (cloud-platform) and then use Cloud IAM roles to restrict access to specific APIs and operations. A request from a VM succeeds only if both the instance's access scopes and the service account's Cloud IAM roles allow it, so with the cloud-platform scope the IAM roles alone decide what the instance can do; granting such a VM roles/monitoring.metricWriter rather than roles/editor lets it write metrics without being able to read or change alert policies, notification channels, or anything else in the project. For details, go to Service account permissions.
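The two decisions this page leaves to the reader are which predefined role (or custom permission list) is the smallest that covers what a principal actually does, and what a VM can really do once both its access scopes and its service account's roles are taken into account. The following Python module is an added example, not code from the original page: it transcribes the role and access-scope tables above into sets and uses them to pick the smallest covering predefined role, to assemble a custom role (rejecting the console-only analyzedMetrics permissions and producing a gcloud iam roles create command), to measure how much a role grants beyond what is required, and to compute the effective permission set as the intersection of scope and role. The function names, the hypothetical custom-role ID, and the project ID are my own assumptions.

```python
"""Least-privilege role selection and access-scope intersection for
Stackdriver Monitoring, built from the role and scope tables on this page.
Function names, role IDs passed as examples, and the project ID are assumed."""
from __future__ import annotations


def _perms(prefix: str, verbs: str) -> set[str]:
    """Expand 'alertPolicies', 'get list' into monitoring.alertPolicies.{get,list}."""
    return {f"monitoring.{prefix}.{v}" for v in verbs.split()}


# Console-only permissions: present in viewer/editor, but not allowed in custom roles.
CONSOLE_ONLY = _perms("analyzedMetrics", "get list create delete")

VIEWER = (
    _perms("alertPolicies", "get list") | _perms("dashboards", "get list")
    | _perms("groups", "get list") | _perms("metricDescriptors", "get list")
    | _perms("monitoredResourceDescriptors", "get list")
    | _perms("notificationChannelDescriptors", "get list")
    | _perms("notificationChannels", "get list") | _perms("publicWidgets", "get list")
    | _perms("timeSeries", "list") | _perms("uptimeCheckConfigs", "get list")
    | {"resourcemanager.projects.get", "resourcemanager.projects.list", "stackdriver.projects.get"}
)
EDITOR = VIEWER | (
    _perms("alertPolicies", "create delete update") | _perms("dashboards", "create delete update")
    | _perms("groups", "create delete update") | _perms("metricDescriptors", "create delete")
    | _perms("notificationChannels", "create delete sendVerificationCode update verify")
    | _perms("publicWidgets", "create delete update") | _perms("timeSeries", "create")
    | _perms("uptimeCheckConfigs", "create delete update")
    | {"stackdriver.projects.edit", "stackdriver.resourceMetadata.write"}
)
ROLES: dict[str, set[str]] = {
    "roles/monitoring.viewer": VIEWER,
    "roles/monitoring.editor": EDITOR,
    "roles/monitoring.admin": EDITOR | {"monitoring.notificationChannels.getVerificationCode"},
    "roles/monitoring.metricWriter": _perms("metricDescriptors", "create get list")
    | _perms("monitoredResourceDescriptors", "get list") | _perms("timeSeries", "create"),
    "roles/monitoring.alertPolicyViewer": _perms("alertPolicies", "get list"),
    "roles/monitoring.alertPolicyEditor": _perms("alertPolicies", "create delete get list update"),
    "roles/monitoring.notificationChannelViewer": _perms("notificationChannelDescriptors", "get list")
    | _perms("notificationChannels", "get list"),
    "roles/monitoring.notificationChannelEditor": _perms("notificationChannelDescriptors", "get list")
    | _perms("notificationChannels", "create delete get list sendVerificationCode update verify"),
    "roles/monitoring.uptimeCheckConfigViewer": _perms("uptimeCheckConfigs", "get list"),
    "roles/monitoring.uptimeCheckConfigEditor": _perms("uptimeCheckConfigs", "create delete get list update"),
}
ALL_MONITORING = set().union(*ROLES.values()) | CONSOLE_ONLY

# Compute Engine access scopes from the table above; None means "no scope restriction".
SCOPE_PREFIX = "https://www.googleapis.com/auth/"
SCOPES: dict[str, set[str] | None] = {
    SCOPE_PREFIX + "monitoring.read": VIEWER,
    SCOPE_PREFIX + "monitoring.write": ROLES["roles/monitoring.metricWriter"],
    SCOPE_PREFIX + "monitoring": ALL_MONITORING,
    SCOPE_PREFIX + "cloud-platform": None,
}


def smallest_predefined_role(required: set[str]) -> str | None:
    """Name of the predefined role with the fewest permissions that still covers `required`."""
    candidates = [(len(p), name) for name, p in ROLES.items() if required <= p]
    return min(candidates)[1] if candidates else None


def excess(required: set[str], role: str) -> set[str]:
    """Permissions `role` grants that `required` does not need (the over-privilege)."""
    return ROLES[role] - required


def custom_role_permissions(required: set[str]) -> list[str]:
    """Validate a permission list for a custom role: no console-only or unknown permissions."""
    bad = required & CONSOLE_ONLY
    if bad:
        raise ValueError(f"not usable in custom roles: {sorted(bad)}")
    unknown = required - ALL_MONITORING
    if unknown:
        raise ValueError(f"not a Monitoring permission on this page: {sorted(unknown)}")
    return sorted(required)


def custom_role_command(project_id: str, role_id: str, title: str, required: set[str]) -> str:
    """gcloud command that creates a project-level custom role with exactly these permissions."""
    perms = ",".join(custom_role_permissions(required))
    return (f'gcloud iam roles create {role_id} --project={project_id} '
            f'--title="{title}" --permissions={perms}')


def effective_permissions(scopes: set[str], roles: set[str]) -> set[str]:
    """What a VM's service account can actually use: a request must pass both the
    instance's access scopes and the account's IAM roles, so take the intersection."""
    granted = set().union(*(ROLES[r] for r in roles))
    if SCOPE_PREFIX + "cloud-platform" in scopes:
        return granted
    allowed_by_scope: set[str] = set()
    for s in scopes:
        allowed_by_scope |= SCOPES.get(s) or set()
    return granted & allowed_by_scope


if __name__ == "__main__":
    agent_needs = {"monitoring.timeSeries.create", "monitoring.metricDescriptors.create"}
    print("smallest role:", smallest_predefined_role(agent_needs))
    print("editor excess:", len(excess(agent_needs, "roles/monitoring.editor")), "permissions")
    print(custom_role_command("my-test-project", "metricEmitter", "Metric emitter", agent_needs))
    vm = effective_permissions({SCOPE_PREFIX + "monitoring.read"}, {"roles/monitoring.metricWriter"})
    print("timeSeries.create usable with read-only scope:", "monitoring.timeSeries.create" in vm)
```

The last line illustrates the failure mode the best practice is about: a VM whose instance scope is monitoring.read cannot write time series even though its service account holds roles/monitoring.metricWriter, and the reverse (cloud-platform scope, narrow role) gives exactly the role's permissions and nothing more.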
