Controlling access to Anthos Service Mesh in the Google Cloud console

Access to Anthos Service Mesh in the Google Cloud console is controlled by Identity and Access Management (IAM). To get access, a Project Owner must grant users the Project Editor or Viewer role, or the more restrictive roles described in the following tables. For information about how to grant roles to users, see Granting, changing, and revoking access to resources.

Minimum read-only roles

Users with the following roles can access the Anthos Service Mesh pages for monitoring purposes only. Users with these roles can't create or modify service level objectives (SLOs) or make changes to the GKE infrastructure.

| IAM role name | Role title | Description |
| --- | --- | --- |
| roles/monitoring.viewer | Monitoring Viewer | Provides read-only access to get and list information about all monitoring data and configurations. |
| roles/container.viewer | Kubernetes Engine Viewer | Provides read-only access to GKE resources. This role is not required for GKE clusters on Google Cloud. |
| roles/logging.viewer | Logs Viewer | Provides read-only access to the Diagnostics page in the service details view. If access to this page is not needed, this role may be omitted. |

Minimum write roles

Users with the following roles can create or modify SLOs in the Anthos Service Mesh pages and create or modify alerting policies based on the SLOs. Users with these roles can't make changes to the GKE infrastructure.

| IAM role name | Role title | Description |
| --- | --- | --- |
| roles/monitoring.editor | Monitoring Editor | Provides full access to information about all monitoring data and configurations. |
| roles/container.editor | Kubernetes Engine Editor | Provides the write permissions needed to manage GKE resources. |
| roles/logging.editor | Logs Editor | Provides the write permissions needed for the Diagnostics page in the service details view. |

Special cases

The following roles are required for particular mesh configurations.

| IAM role name | Role title | Description |
| --- | --- | --- |
| roles/gkehub.viewer | GKE Hub Viewer | Provides view access to clusters outside Google Cloud in the Google Cloud console. This role is required for users to view off-Google Cloud clusters in the mesh. You will also need to grant the user the cluster-admin RBAC role so that the dashboard can query the cluster on their behalf. |

Additional roles and permissions

IAM has additional roles and granular permissions if the above roles don't meet your needs. For example, you might want to grant the Kubernetes Engine Admin role or the Kubernetes Engine Cluster Admin role to let a user administer your GKE infrastructure.
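As an added example (not part of the Google Cloud documentation), the following bash script turns the tables above into a role selection for a given access level and grants the selected roles with gcloud; the script name, the ClusterRoleBinding name and the option flags are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the Google Cloud documentation: select the minimum
# Anthos Service Mesh console role set for a user and optionally grant it.
# Assumptions: gcloud/kubectl are installed and authenticated; project id,
# member and the option flags are supplied by the caller.
set -eu

# asm_roles LEVEL DIAGNOSTICS OFF_GCP   (prints one IAM role per line)
#   LEVEL        read  -> monitoring only; cannot create or modify SLOs
#                write -> can create/modify SLOs and alerting policies
#   DIAGNOSTICS  yes|no -> user needs the Diagnostics page (Logs role)
#   OFF_GCP      yes|no -> mesh contains clusters outside Google Cloud
asm_roles() {
  local level="$1" diagnostics="$2" off_gcp="$3"
  case "$level" in
    read)
      echo roles/monitoring.viewer
      if [ "$diagnostics" = yes ]; then echo roles/logging.viewer; fi
      # Kubernetes Engine Viewer is not required for GKE clusters on Google Cloud
      if [ "$off_gcp" = yes ]; then echo roles/container.viewer; fi
      ;;
    write)
      echo roles/monitoring.editor
      echo roles/container.editor
      if [ "$diagnostics" = yes ]; then echo roles/logging.editor; fi
      ;;
    *) echo "unknown access level: $level" >&2; return 1 ;;
  esac
  # Off-Google Cloud clusters also need GKE Hub Viewer to appear in the console
  if [ "$off_gcp" = yes ]; then echo roles/gkehub.viewer; fi
}

# asm_grant PROJECT_ID MEMBER LEVEL DIAGNOSTICS OFF_GCP
# Binds each selected role to MEMBER (e.g. user:alice@example.com) at project level.
asm_grant() {
  local project="$1" member="$2"; shift 2
  asm_roles "$@" | while read -r role; do
    gcloud projects add-iam-policy-binding "$project" \
      --member="$member" --role="$role" --condition=None >/dev/null
    echo "granted $role to $member on $project"
  done
}

# asm_rbac_bind USER_EMAIL
# For off-Google Cloud clusters the dashboard queries the cluster as the user,
# so the user also needs the cluster-admin RBAC role (binding name is assumed).
asm_rbac_bind() {
  kubectl create clusterrolebinding "asm-console-$1" \
    --clusterrole=cluster-admin --user="$1"
}

# Usage: ./asm-access.sh apply PROJECT_ID user:alice@example.com read yes no
if [ "${1:-}" = apply ]; then shift; asm_grant "$@"; fi
```

Running the script without the `apply` argument only defines the functions, so `asm_roles` can be sourced and used to review which roles a user would receive before anything is granted.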