This document discusses how to enable access and set permissions for the Personalized Service Health dashboard to view service health events and configure alerts.
Before you begin
Make sure that billing is enabled for your Google Cloud project.
Enable Personalized Service Health for a single project
Personalized Service Health and processing of service health events require enabling the Service Health API. You can enable the API through the Google Cloud console or Google Cloud CLI. Event and log processing will start automatically a few hours after API enablement.
Console
In the APIs and Services library, go to the Service Health API.
Alternatively, you can go to the API Library and search for "Service Health API".
Select the project.
Select the Enable button.
gcloud
In the Google Cloud console, activate Cloud Shell.
Make sure that the most recent version of Google Cloud CLI is installed. Run the following command from the Cloud Shell:
gcloud components update
Create or select a new project, PROJECT_ID.
Create a Google Cloud project:
gcloud projects create PROJECT_ID
Select the Google Cloud project that you created:
gcloud config set project PROJECT_ID
Enable the Service Health API in the project that you just created.
gcloud services enable servicehealth.googleapis.com \
--project PROJECT_ID
Script
You can use a script to enable the Service Health API and have Personalized Service Health start processing events for projects in your organization or folder.
For background information, see Enabling an API in your Google Cloud project.
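As an added example (not part of the original documentation and not Google's own script), the following shell functions enable the Service Health API in every project directly under one folder. They skip projects where the API is already enabled and only report what would change unless APPLY=1 is set. The function names, the APPLY variable and FOLDER_ID are assumptions of this example.

```shell
# Added example, not from the original page. Function names and the APPLY
# variable are assumptions. Requires an authenticated gcloud CLI.
# Usage (after sourcing this file): APPLY=1 enable_in_folder FOLDER_ID

API="servicehealth.googleapis.com"

# Print the IDs of projects whose direct parent is the given folder.
# Projects in nested sub-folders are not included.
list_folder_projects() {
  gcloud projects list \
    --filter="parent.id=$1 AND parent.type=folder" \
    --format="value(projectId)"
}

# Succeed if the API is already enabled in the given project.
api_enabled() {
  [ -n "$(gcloud services list --enabled --project "$1" \
            --filter="config.name=${API}" \
            --format="value(config.name)")" ]
}

# Print one "<project> <status>" line per project.
# Without APPLY=1 nothing is changed (dry run).
# Returns non-zero if enabling failed for any project.
enable_in_folder() {
  eif_rc=0
  for eif_project in $(list_folder_projects "$1"); do
    if api_enabled "$eif_project"; then
      echo "$eif_project already-enabled"
    elif [ "${APPLY:-0}" != "1" ]; then
      echo "$eif_project would-enable"
    elif gcloud services enable "$API" --project "$eif_project" >/dev/null; then
      echo "$eif_project enabled"
    else
      echo "$eif_project FAILED"
      eif_rc=1
    fi
  done
  return "$eif_rc"
}
```

Review the dry-run output before setting APPLY=1, because enabling an API changes every listed project.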
Set required permissions
Personalized Service Health provides the following roles.
Access the Service Health API and dashboard
Personalized Service Health provides a predefined servicehealth.viewer role that you can use to provide access to project members. You'll need this role to access the Service Health API and dashboard.
Role name | Description | Personalized Service Health permissions
roles/servicehealth.viewer (Personalized Service Health viewer) | Read-only access to service health events. | servicehealth.locations.list
You can use the roles and permissions directly through the gcloud CLI to set up proper access controls. For example, you can grant the role directly with the following command:
gcloud projects add-iam-policy-binding PROJECT_ID \
--member {USER|GROUP|SERVICE_ACCOUNT} \
--role roles/servicehealth.viewer
You can view the Identity and Access Management (IAM) policy for the given project with the following command:
gcloud projects get-iam-policy PROJECT_ID
Alternatively, you can add the permissions directly to an existing custom role:
gcloud iam roles update ROLE_ID --project=PROJECT_ID \
--add-permissions=servicehealth.events.list
gcloud iam roles update ROLE_ID --project=PROJECT_ID \
--add-permissions=servicehealth.events.get
gcloud iam roles update ROLE_ID --project=PROJECT_ID \
--add-permissions=servicehealth.locations.list
gcloud iam roles update ROLE_ID --project=PROJECT_ID \
--add-permissions=servicehealth.locations.get
Use APIs and services in your projects
Grant the Service Usage Consumer role (roles/serviceusage.serviceUsageConsumer).
Access logs and configure log alerts
At the minimum, you'll need permissions for log-based alerts.
If you don't want to grant the Monitoring NotificationChannel Editor role (roles/monitoring.notificationChannelEditor), you can grant the Monitoring NotificationChannel Viewer role (roles/monitoring.notificationChannelViewer) instead, which lets you link a notification channel to an alerting policy.
For more information about granting roles, see Manage access.
You might also be able to get the required permissions through custom roles or other predefined roles.