Stackdriver Monitoring controls access to monitoring data in Workspaces using Cloud Identity and Access Management (Cloud IAM) roles and permissions.
Overview
To use Monitoring, you must have the appropriate Cloud IAM permissions granted on the Workspace.
In general, each REST method in an API has an associated permission, and you must have the permission to use the corresponding method. Permissions aren't granted directly to users; permissions are instead granted indirectly through roles, which group multiple permissions to make managing them easier. For more information on these concepts, go to the Cloud IAM documentation on roles, permissions, and related concepts.
Roles for common combinations of permissions are predefined for you, but it's also possible to create your own combinations of permissions by creating Cloud IAM custom roles.
Predefined roles
The following Cloud IAM roles are predefined by Stackdriver Monitoring. They grant permissions only for Monitoring.
Monitoring
The following roles grant general permissions for Monitoring:
Role ID | Role name | Description
---|---|---
roles/monitoring.viewer | Monitoring Viewer | Gives you read-only access to the Stackdriver Monitoring console and API
roles/monitoring.editor | Monitoring Editor | Gives you read-write access to the Stackdriver Monitoring console and API, and lets you write monitoring data to a Workspace
roles/monitoring.admin | Monitoring Admin | Gives you full access to all Monitoring features
The following role is used by service accounts for write-only access:
Role ID | Role name | Description
---|---|---
roles/monitoring.metricWriter | Monitoring Metric Writer | Permits writing monitoring data to a Workspace; doesn't permit access to the Stackdriver Monitoring console. For service accounts.
Alert policies
The following roles grant permissions only for alert policies:
Role ID | Role name | Description
---|---|---
roles/monitoring.alertPolicyViewer | Monitoring AlertPolicy Viewer | Gives you read-only access to alert policies
roles/monitoring.alertPolicyEditor | Monitoring AlertPolicy Editor | Gives you read-write access to alert policies
Dashboards
The following roles grant permissions only for dashboards:
Role ID | Role name | Description
---|---|---
roles/monitoring.dashboardViewer | Monitoring Dashboard Configuration Viewer | Gives you read-only access to dashboard configurations
roles/monitoring.dashboardEditor | Monitoring Dashboard Configuration Editor | Gives you read-write access to dashboard configurations
Notification channels
The following roles grant permissions only for notification channels:
Role ID | Role name | Description
---|---|---
roles/monitoring.notificationChannelViewer | Monitoring NotificationChannel Viewer | Gives you read-only access to notification channels
roles/monitoring.notificationChannelEditor | Monitoring NotificationChannel Editor | Gives you read-write access to notification channels
Service monitoring
The following roles grant permissions for managing services:
Role ID | Role name | Description
---|---|---
roles/monitoring.servicesViewer | Monitoring Services Viewer | Gives you read-only access to services
roles/monitoring.servicesEditor | Monitoring Services Editor | Gives you read-write access to services
For more information on service monitoring, see Service monitoring: Working with the API.
Uptime-check configurations
The following roles grant permissions only for uptime-check configurations:
Role ID | Role name | Description
---|---|---
roles/monitoring.uptimeCheckConfigViewer | Monitoring Uptime Check Configurations Viewer | Gives you read-only access to uptime-check configurations
roles/monitoring.uptimeCheckConfigEditor | Monitoring Uptime Check Configurations Editor | Gives you read-write access to uptime-check configurations
Google Cloud
The following roles grant permissions for many services and resources in Google Cloud, including Monitoring:
Role ID | Role name | Description
---|---|---
roles/viewer | Project Viewer | Gives you read-only access to the Stackdriver Monitoring console and the API
roles/editor | Project Editor | Gives you read-write access to the Stackdriver Monitoring console and the API
roles/owner | Project Owner | Gives you full access to the Stackdriver Monitoring console and the API
Custom roles
You can also create your own custom roles that contain lists of permissions. For more details about roles and permissions, go to Permissions and roles and Custom roles on this page.
Permissions and roles
This section lists the Cloud IAM permissions and roles that apply to Monitoring.
API permissions
Each Monitoring API method requires a specific Cloud IAM permission, as listed in the following table.
Monitoring API method | Permission | Resource type
---|---|---
projects.alertPolicies.create | monitoring.alertPolicies.create | project¹
projects.alertPolicies.delete | monitoring.alertPolicies.delete | AlertPolicy
projects.alertPolicies.get | monitoring.alertPolicies.get | AlertPolicy
projects.alertPolicies.list | monitoring.alertPolicies.list | project¹
projects.alertPolicies.patch | monitoring.alertPolicies.update | AlertPolicy
projects.dashboards.create | monitoring.dashboards.create | project¹
projects.dashboards.delete | monitoring.dashboards.delete | project¹
projects.dashboards.get | monitoring.dashboards.get | project¹
projects.dashboards.list | monitoring.dashboards.list | project¹
projects.dashboards.patch | monitoring.dashboards.update | project¹
projects.groups.create | monitoring.groups.create | project¹
projects.groups.delete | monitoring.groups.delete | Group
projects.groups.get | monitoring.groups.get | Group
projects.groups.list | monitoring.groups.list | project¹
projects.groups.update | monitoring.groups.update | Group
projects.groups.members.list | monitoring.groups.get | Group
projects.metricDescriptors.create | monitoring.metricDescriptors.create | project
projects.metricDescriptors.delete | monitoring.metricDescriptors.delete | MetricDescriptor
projects.metricDescriptors.get | monitoring.metricDescriptors.get | MetricDescriptor
projects.metricDescriptors.list | monitoring.metricDescriptors.list | project
projects.monitoredResourceDescriptors.get | monitoring.monitoredResourceDescriptors.get | MonitoredResourceDescriptor
projects.monitoredResourceDescriptors.list | monitoring.monitoredResourceDescriptors.list | project
projects.notificationChannelDescriptors.get | monitoring.notificationChannelDescriptors.get | NotificationChannelDescriptor
projects.notificationChannelDescriptors.list | monitoring.notificationChannelDescriptors.list | project¹
projects.notificationChannels.create | monitoring.notificationChannels.create | project¹
projects.notificationChannels.delete | monitoring.notificationChannels.delete | NotificationChannel
projects.notificationChannels.get | monitoring.notificationChannels.get | NotificationChannel
projects.notificationChannels.getVerificationCode | monitoring.notificationChannels.getVerificationCode | NotificationChannel
projects.notificationChannels.list | monitoring.notificationChannels.list | project¹
projects.notificationChannels.patch | monitoring.notificationChannels.update | NotificationChannel
projects.notificationChannels.sendVerificationCode | monitoring.notificationChannels.sendVerificationCode | NotificationChannel
projects.notificationChannels.verify | monitoring.notificationChannels.verify | NotificationChannel
projects.services.create | monitoring.services.create | project¹
projects.services.delete | monitoring.services.delete | Service
projects.services.get | monitoring.services.get | Service
projects.services.list | monitoring.services.list | project¹
projects.services.patch | monitoring.services.update | Service
projects.services.serviceLevelObjectives.create | monitoring.slos.create | project¹
projects.services.serviceLevelObjectives.delete | monitoring.slos.delete | ServiceLevelObjective
projects.services.serviceLevelObjectives.get | monitoring.slos.get | ServiceLevelObjective
projects.services.serviceLevelObjectives.list | monitoring.slos.list | project¹
projects.services.serviceLevelObjectives.patch | monitoring.slos.update | ServiceLevelObjective
projects.timeSeries.create | monitoring.timeSeries.create | project
projects.timeSeries.list | monitoring.timeSeries.list | project
projects.uptimeCheckConfigs.create | monitoring.uptimeCheckConfigs.create | UptimeCheckConfig
projects.uptimeCheckConfigs.delete | monitoring.uptimeCheckConfigs.delete | UptimeCheckConfig
projects.uptimeCheckConfigs.get | monitoring.uptimeCheckConfigs.get | UptimeCheckConfig
projects.uptimeCheckConfigs.list | monitoring.uptimeCheckConfigs.list | UptimeCheckConfig
projects.uptimeCheckConfigs.patch | monitoring.uptimeCheckConfigs.update | UptimeCheckConfig
¹ The project must be in a Workspace.
Stackdriver Monitoring console permissions
Each feature of the Stackdriver Monitoring console requires that you have the permission for the API used to implement the feature. For example, the ability to browse groups requires that you have permission for the list and get methods applicable to groups and group members.
The Stackdriver Monitoring console might lose functionality if required permissions are revoked.
The following table lists the permissions required to use the Stackdriver Monitoring console:
Stackdriver Monitoring console activity | Required permissions | For resource type
---|---|---
Full read-only access | The set of permissions included in the roles/monitoring.viewer role | project¹
Read-write access to the console | The set of permissions included in the roles/monitoring.editor role | project¹
Full access to the console | The set of permissions included in the roles/monitoring.admin role | project¹
¹ The project must be in a Workspace.
Roles
The following table lists the Cloud IAM roles that grant access to Monitoring and the permissions associated with each role.
Several of these roles are graduated: for example, the roles/monitoring.editor role includes all the permissions of the roles/monitoring.viewer role, plus an additional set of permissions.
Roles can be assigned at the project level only, and the projects must be in Workspaces.
Monitoring
The Monitoring roles include these permissions:
Role ID | Role name | Includes permissions
---|---|---
roles/monitoring.viewer | Monitoring Viewer | monitoring.alertPolicies.get, monitoring.alertPolicies.list, monitoring.analyzedMetrics.get¹, monitoring.analyzedMetrics.list¹, monitoring.dashboards.get, monitoring.dashboards.list, monitoring.groups.get, monitoring.groups.list, monitoring.metricDescriptors.get, monitoring.metricDescriptors.list, monitoring.monitoredResourceDescriptors.get, monitoring.monitoredResourceDescriptors.list, monitoring.notificationChannelDescriptors.get, monitoring.notificationChannelDescriptors.list, monitoring.notificationChannels.get, monitoring.notificationChannels.list, monitoring.publicWidgets.get, monitoring.publicWidgets.list, monitoring.services.get, monitoring.services.list, monitoring.slos.get, monitoring.slos.list, monitoring.timeSeries.list, monitoring.uptimeCheckConfigs.get, monitoring.uptimeCheckConfigs.list, opsconfigmonitoring.resourceMetadata.list, resourcemanager.projects.get, resourcemanager.projects.list, stackdriver.projects.get
roles/monitoring.editor | Monitoring Editor | monitoring.alertPolicies.create, monitoring.alertPolicies.delete, monitoring.alertPolicies.get, monitoring.alertPolicies.list, monitoring.alertPolicies.update, monitoring.analyzedMetrics.create¹, monitoring.analyzedMetrics.delete¹, monitoring.dashboards.create, monitoring.dashboards.delete, monitoring.dashboards.get, monitoring.dashboards.list, monitoring.dashboards.update, monitoring.groups.create, monitoring.groups.delete, monitoring.groups.get, monitoring.groups.list, monitoring.groups.update, monitoring.metricDescriptors.create, monitoring.metricDescriptors.delete, monitoring.metricDescriptors.get, monitoring.metricDescriptors.list, monitoring.monitoredResourceDescriptors.get, monitoring.monitoredResourceDescriptors.list, monitoring.notificationChannelDescriptors.list, monitoring.notificationChannelDescriptors.get, monitoring.notificationChannels.create, monitoring.notificationChannels.delete, monitoring.notificationChannels.get, monitoring.notificationChannels.list, monitoring.notificationChannels.sendVerificationCode, monitoring.notificationChannels.update, monitoring.notificationChannels.verify, monitoring.publicWidgets.create, monitoring.publicWidgets.delete, monitoring.publicWidgets.get, monitoring.publicWidgets.list, monitoring.publicWidgets.update, monitoring.services.create, monitoring.services.delete, monitoring.services.get, monitoring.services.list, monitoring.services.update, monitoring.slos.create, monitoring.slos.delete, monitoring.slos.get, monitoring.slos.list, monitoring.slos.update, monitoring.timeSeries.create, monitoring.timeSeries.list, monitoring.uptimeCheckConfigs.create, monitoring.uptimeCheckConfigs.delete, monitoring.uptimeCheckConfigs.get, monitoring.uptimeCheckConfigs.list, monitoring.uptimeCheckConfigs.update, opsconfigmonitoring.resourceMetadata.write, resourcemanager.projects.get, resourcemanager.projects.list, stackdriver.projects.edit, stackdriver.projects.get, stackdriver.resourceMetadata.write
roles/monitoring.admin | Monitoring Admin | The permissions in roles/monitoring.editor, plus the following: monitoring.notificationChannels.getVerificationCode
¹ These permissions are present to support the Stackdriver Monitoring console. They cannot be used in custom roles.
The following role is used by service accounts for write-only access:
Role ID | Role name | Includes permissions
---|---|---
roles/monitoring.metricWriter | Monitoring Metric Writer | monitoring.metricDescriptors.create, monitoring.metricDescriptors.get, monitoring.metricDescriptors.list, monitoring.monitoredResourceDescriptors.get, monitoring.monitoredResourceDescriptors.list, monitoring.timeSeries.create
Alert policies
The Alert policy roles include these permissions:
Role ID | Role name | Includes permissions
---|---|---
roles/monitoring.alertPolicyViewer | Monitoring AlertPolicy Viewer | monitoring.alertPolicies.get, monitoring.alertPolicies.list
roles/monitoring.alertPolicyEditor | Monitoring AlertPolicy Editor | monitoring.alertPolicies.create, monitoring.alertPolicies.delete, monitoring.alertPolicies.get, monitoring.alertPolicies.list, monitoring.alertPolicies.update
Dashboards
The Dashboards roles include these permissions:
Role ID | Role name | Includes permissions
---|---|---
roles/monitoring.dashboardViewer | Monitoring Dashboard Configuration Viewer | monitoring.dashboards.get, monitoring.dashboards.list
roles/monitoring.dashboardEditor | Monitoring Dashboard Configuration Editor | monitoring.dashboards.get, monitoring.dashboards.list, monitoring.dashboards.create, monitoring.dashboards.delete, monitoring.dashboards.update
Notification channels
The Notification channels roles include these permissions:
Role ID | Role name | Includes permissions
---|---|---
roles/monitoring.notificationChannelViewer | Monitoring NotificationChannel Viewer | monitoring.notificationChannelDescriptors.get, monitoring.notificationChannelDescriptors.list, monitoring.notificationChannels.get, monitoring.notificationChannels.list
roles/monitoring.notificationChannelEditor | Monitoring NotificationChannel Editor | monitoring.notificationChannelDescriptors.get, monitoring.notificationChannelDescriptors.list, monitoring.notificationChannels.create, monitoring.notificationChannels.delete, monitoring.notificationChannels.get, monitoring.notificationChannels.list, monitoring.notificationChannels.sendVerificationCode, monitoring.notificationChannels.update, monitoring.notificationChannels.verify
Service monitoring
The Service monitoring roles include these permissions:
Role ID | Role name | Includes permissions
---|---|---
roles/monitoring.servicesViewer | Monitoring Services Viewer | monitoring.services.get, monitoring.services.list, monitoring.slos.get, monitoring.slos.list
roles/monitoring.servicesEditor | Monitoring Services Editor | monitoring.services.create, monitoring.services.delete, monitoring.services.get, monitoring.services.list, monitoring.services.update, monitoring.slos.create, monitoring.slos.delete, monitoring.slos.get, monitoring.slos.list, monitoring.slos.update
Uptime-check configurations
The Uptime-check configuration roles include these permissions:
Role ID | Role name | Includes permissions
---|---|---
roles/monitoring.uptimeCheckConfigViewer | Monitoring Uptime Check Configurations Viewer | monitoring.uptimeCheckConfigs.get, monitoring.uptimeCheckConfigs.list
roles/monitoring.uptimeCheckConfigEditor | Monitoring Uptime Check Configurations Editor | monitoring.uptimeCheckConfigs.create, monitoring.uptimeCheckConfigs.delete, monitoring.uptimeCheckConfigs.get, monitoring.uptimeCheckConfigs.list, monitoring.uptimeCheckConfigs.update
Google Cloud
The Google Cloud roles include these permissions:
Role ID | Role name | Includes permissions
---|---|---
roles/viewer | Project Viewer | The Monitoring permissions are exactly the permissions in roles/monitoring.viewer.
roles/editor | Project Editor | The Monitoring permissions are the same as those in roles/monitoring.editor.
roles/owner | Project Owner | The Monitoring permissions are the same as those in roles/editor.
Granting Cloud IAM roles
Project owners, project editors, and the default service accounts for Compute Engine and App Engine already have the necessary permissions; for other user accounts, you might need to grant these roles explicitly.
For example, for a user account to read or write metric descriptors by using the Monitoring API, that user must have the appropriate monitoring.metricDescriptors.* Cloud IAM permissions. These can be provided by granting the predefined Monitoring Viewer (roles/monitoring.viewer) and Monitoring Editor (roles/monitoring.editor) roles. For more information, go to API permissions.
These permissions can be granted either by using the Cloud SDK gcloud command-line tool or the Google Cloud Console (Cloud Console).
Cloud SDK
Use the gcloud projects add-iam-policy-binding command to grant the monitoring.viewer or monitoring.editor role. For example:

```shell
export PROJECT_ID="my-test-project"
export EMAIL_ADDRESS="myuser@gmail.com"
gcloud projects add-iam-policy-binding \
    $PROJECT_ID \
    --member="user:$EMAIL_ADDRESS" \
    --role="roles/monitoring.editor"
```

You can confirm the granted roles using the gcloud projects get-iam-policy command:

```shell
export PROJECT_ID="my-test-project"
gcloud projects get-iam-policy $PROJECT_ID
```
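Reviewing the output of gcloud projects get-iam-policy by hand gets tedious once a project has many bindings. The following added example (not part of the original page or of the gcloud tool) reads that output in JSON form (gcloud accepts --format=json) and, using only the role relationships stated on this page, reports each member's effective Monitoring access tier and flags two least-privilege issues: service accounts holding more than the write-only metricWriter role, and project-wide roles/editor or roles/owner grants that confer Monitoring editor access. The sample policy, member names and project-wide roles handled are constructed assumptions.

```python
import json

# Monitoring access tier each role confers, taken from the role tables on this
# page: roles/viewer matches roles/monitoring.viewer, roles/editor matches
# roles/monitoring.editor, and roles/owner's Monitoring permissions are those
# of roles/editor. metricWriter is write-only and is tracked separately.
ROLE_TIER = {
    "roles/monitoring.viewer": "viewer",
    "roles/viewer": "viewer",
    "roles/monitoring.editor": "editor",
    "roles/editor": "editor",
    "roles/owner": "editor",
    "roles/monitoring.admin": "admin",
}
TIER_RANK = {"none": 0, "viewer": 1, "editor": 2, "admin": 3}
METRIC_WRITER = "roles/monitoring.metricWriter"


def monitoring_roles_by_member(policy: dict) -> dict:
    """Collect, per member, every binding for a role this page covers
    (all roles/monitoring.* roles plus project-wide viewer/editor/owner)."""
    members = {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role in ROLE_TIER or role.startswith("roles/monitoring."):
            for member in binding.get("members", []):
                members.setdefault(member, set()).add(role)
    return members


def console_tier(roles) -> str:
    """Highest general (console/API) tier among a member's roles; 'none' if the
    member only holds write-only or feature-scoped roles."""
    best = "none"
    for role in roles:
        tier = ROLE_TIER.get(role, "none")
        if TIER_RANK[tier] > TIER_RANK[best]:
            best = tier
    return best


def audit(policy: dict) -> dict:
    """Return {member: (tier, holds_metricWriter, findings)}."""
    report = {}
    for member, roles in monitoring_roles_by_member(policy).items():
        findings = []
        # The page describes metricWriter as the role for service accounts.
        if member.startswith("serviceAccount:") and roles - {METRIC_WRITER}:
            findings.append("service account holds more than write-only access")
        if roles & {"roles/editor", "roles/owner"}:
            findings.append("project-wide role grants Monitoring editor access")
        report[member] = (console_tier(roles), METRIC_WRITER in roles, findings)
    return report


# Constructed sample of `gcloud projects get-iam-policy --format=json` output.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/monitoring.viewer", "members": ["user:bob@example.com"]},
    {"role": "roles/monitoring.metricWriter",
     "members": ["serviceAccount:vm-agent@example.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:legacy@example.iam.gserviceaccount.com"]},
    {"role": "roles/monitoring.alertPolicyEditor", "members": ["user:carol@example.com"]},
    {"role": "roles/storage.admin", "members": ["user:dave@example.com"]}
  ]
}""")

if __name__ == "__main__":
    for member, (tier, writer, findings) in audit(SAMPLE_POLICY).items():
        print(f"{member}: tier={tier} metricWriter={writer} {findings}")
```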
Cloud Console
1. Go to the Cloud Console.
2. If necessary, click the drop-down list of Google Cloud projects and select the name of the project where you want to enable the API.
3. To expand the navigation menu, click Menu.
4. Click IAM & admin.
5. If the user isn't present, click the Add button and then click the drop-down list next to Select a role; otherwise, click the toggle under the Role(s) column next to the existing user whose permissions you wish to edit.
6. In the Manage Roles pane, move your pointer to the left side and scroll to Monitoring.
7. In the Manage Roles pane, move your pointer to the right side and select the appropriate role:
   - Monitoring Editor grants read-write access.
   - Monitoring Viewer grants read-only access.
Custom roles
To create a custom role with Monitoring permissions, do the following:
- For a role granting permissions only for the Monitoring API, choose from the permissions in the API permissions section.
- For a role granting permissions for the Stackdriver Monitoring console, choose from the permission groups in the Stackdriver Monitoring console permissions section.
- To grant the ability to write monitoring data, include the permissions from the roles/monitoring.metricWriter role in the Roles section.
For more information on custom roles, go to Understanding IAM custom roles.
Compute Engine access scopes
Access scopes are the legacy method of specifying permissions for your Compute Engine VM instances. The following access scopes apply to Monitoring:
Access scope | Permissions granted
---|---
https://www.googleapis.com/auth/monitoring.read | The same permissions as in roles/monitoring.viewer.
https://www.googleapis.com/auth/monitoring.write | The same permissions as in roles/monitoring.metricWriter.
https://www.googleapis.com/auth/monitoring | Full access to Monitoring.
https://www.googleapis.com/auth/cloud-platform | Full access to all enabled Cloud APIs.
For more details, go to Access scopes.
Best practice. Because service account Cloud IAM roles are easy to configure and change, a good practice is to give your VM instances the most powerful access scope (cloud-platform) and then use Cloud IAM roles to restrict access to specific APIs and operations. For details, go to Service account permissions.