For a discussion of controlling access to Stackdriver Monitoring using IAM roles and Google Compute Engine access scopes, see the Stackdriver Monitoring Access Control Guide.
If you are writing an application that uses the Stackdriver Monitoring API, the recommended client libraries authorize your application using Application Default Credentials. This hides authorization details from your application code.
Google Identity and Access Management (IAM)
For a description of IAM roles for Stackdriver Monitoring, see the Stackdriver Monitoring Access Control Guide.
Google Compute Engine access scopes
Compute Engine VM instances use access scopes in addition to IAM roles to authorize applications running on the instance. The access scopes relevant to the Stackdriver Monitoring API are described in the Access Control Guide. By default, new Compute Engine VM instances allow access to Stackdriver Monitoring.
Google App Engine
App Engine apps have default authorization to the Stackdriver Monitoring API. No separate authorization step is needed.
Service account authorization
You can use service account authorization to authorize the use of an API from computers outside Google Cloud Platform, such as Amazon Web Services or your local workstation. You create a service account in your Stackdriver account and generate a private-key credentials file for the account. You then place the credentials file on the computer from which you wish to access the API. More information is available as part of the installation of the Stackdriver Monitoring agent. See Installing the Agent.
Sample authorization code
See Sample Code to get started with the Stackdriver Monitoring client libraries.