Manage Personalized Service Health access

This document discusses how to enable access and set permissions for the Personalized Service Health dashboard to view service health events and configure alerts.

Before you begin

Make sure that billing is enabled for your Google Cloud project.

Enable Personalized Service Health for a single project

Personalized Service Health and processing of service health events require enabling the Service Health API. You can enable the API through the Google Cloud console or Google Cloud CLI. Event and log processing will start automatically a few hours after API enablement.

Console

  1. In the APIs and Services library, go to the Service Health API.

    Alternatively, you can go to the API Library and search for "Service Health API".

  2. Select the project.

  3. Select the Enable button.

gcloud

  1. In the Google Cloud console, activate Cloud Shell.

  2. Make sure that the most recent version of Google Cloud CLI is installed. Run the following command from the Cloud Shell:

      gcloud components update

  3. Create or select a new project, PROJECT_ID.

    • Create a Google Cloud project:

      gcloud projects create PROJECT_ID
    • Select the Google Cloud project that you created:

      gcloud config set project PROJECT_ID
  4. Enable the Service Health API in the project that you just created.

    gcloud services enable servicehealth.googleapis.com \
     --project PROJECT_ID
    

Script

You can use a script to enable the Service Health API and have Personalized Service Health start processing events for projects in your organization or folder.
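
One way to write such a script is shown here as an added example; it is not Google's own script. It enables the API on the projects directly under one folder or organization, reports which projects already had it, and makes no changes unless DRY_RUN=0 is set. The function names and the DRY_RUN variable are assumptions of this example.

```sh
#!/bin/sh
# Added example, not Google's script. Enables the Service Health API on every
# project whose direct parent is one folder or organization.
# Assumptions: DRY_RUN and the function names are this example's own;
# projects in nested sub-folders are not covered.
API="servicehealth.googleapis.com"

# Print the project IDs directly under the given parent.
list_projects() {  # $1 = folder|organization, $2 = numeric parent ID
  gcloud projects list \
    --filter="parent.type=$1 AND parent.id=$2" \
    --format="value(projectId)"
}

# Succeed if the API is already enabled on project $1.
api_enabled() {
  gcloud services list --enabled --project "$1" \
    --filter="config.name=$API" --format="value(config.name)" |
    grep -Fqx "$API"
}

# The body runs in a subshell "( )" so the counters stay local in plain sh.
enable_for_parent() (
  case "$1" in folder|organization) ;; *) echo "parent type must be folder or organization" >&2; exit 2 ;; esac
  case "$2" in ''|*[!0-9]*) echo "parent ID must be numeric" >&2; exit 2 ;; esac
  projects=$(list_projects "$1" "$2") || exit 1
  already=0 planned=0 enabled=0 failed=0
  for project in $projects; do
    if api_enabled "$project"; then
      already=$((already + 1))
    elif [ "${DRY_RUN:-1}" != "0" ]; then
      echo "would enable $API on $project" >&2
      planned=$((planned + 1))
    elif gcloud services enable "$API" --project "$project" >&2; then
      enabled=$((enabled + 1))
    else
      echo "FAILED on $project; check your permissions there" >&2
      failed=$((failed + 1))
    fi
  done
  echo "already=$already planned=$planned enabled=$enabled failed=$failed"
  [ "$failed" -eq 0 ]
)

# Run only when called with two arguments, for example:
#   DRY_RUN=0 sh enable-service-health.sh folder 123456789012
if [ "$#" -eq 2 ]; then enable_for_parent "$1" "$2"; fi
```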

For background information, see Enabling an API in your Google Cloud project.

Set required permissions

Personalized Service Health provides the following roles.

Access the Service Health API and dashboard

Personalized Service Health provides a predefined servicehealth.viewer role that you can use to provide access to project members. You'll need this role to access the Service Health API and dashboard.

Role name: roles/servicehealth.viewer (Personalized Service Health viewer)

Description: Read-only access to service health events.

Personalized Service Health permissions:

    • servicehealth.locations.list
    • servicehealth.locations.get
    • servicehealth.events.list
    • servicehealth.events.get
    • servicehealth.organizationEvents.list
    • servicehealth.organizationEvents.get
    • servicehealth.organizationImpacts.list
    • servicehealth.organizationImpacts.get

You can use the roles and permissions directly through the gcloud CLI to set up proper access controls. For example, you can grant the role directly with the following command:

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member {USER|GROUP|SERVICE_ACCOUNT} \
  --role roles/servicehealth.viewer

You can view the Identity and Access Management (IAM) policy for the given project with the following command:

gcloud projects get-iam-policy PROJECT_ID

Alternatively, you can add the permissions directly to an existing role:

gcloud iam roles update ROLE_ID --project=PROJECT_ID \
  --add-permissions=servicehealth.events.list
gcloud iam roles update ROLE_ID --project=PROJECT_ID \
  --add-permissions=servicehealth.events.get
gcloud iam roles update ROLE_ID --project=PROJECT_ID \
  --add-permissions=servicehealth.locations.list
gcloud iam roles update ROLE_ID --project=PROJECT_ID \
  --add-permissions=servicehealth.locations.get

Use APIs and services in your projects

Grant the Service Usage Consumer role (roles/serviceusage.serviceUsageConsumer).

Access logs and configure log alerts

At a minimum, you'll need permissions for log-based alerts.

If you don't want to grant the Monitoring NotificationChannel Editor role (roles/monitoring.notificationChannelEditor), you can grant the Monitoring NotificationChannel Viewer role (roles/monitoring.notificationChannelViewer) instead, which allows you to link a notification channel to an alerting policy.

For more information about granting roles, see Manage access.

You might also be able to get the required permissions through custom roles or other predefined roles.