Anthos Service Mesh 1.6

Controlling access to Anthos Service Mesh in the Cloud Console

Access to Anthos Service Mesh in the Google Cloud Console is controlled by Identity and Access Management (IAM). To get access, a Project Owner must grant users the Project Editor or Viewer role, or the more restrictive roles described in the following tables. For information about how to grant roles to users, see Granting, changing, and revoking access to resources.

Minimum read-only roles

Users with the following roles can access the Anthos Service Mesh pages for monitoring purposes only. Users with these roles can't create or modify service level objects (SLOs) or make changes to the GKE infrastructure.

IAM role name Role title Description
Monitoring Viewer roles/monitoring.viewer Provides read-only access to get and list information about all monitoring data and configurations.
Kubernetes Engine Viewer roles/container.viewer Provides read-only access to GKE resources.
Project Viewer roles/viewer Provides access to the topology graph.

Minimum write roles

Users with the following roles can create or modify SLOs in the Anthos Service Mesh pages and create or modify alerting policies based on the SLOs. Users with these roles can't make changes to the GKE infrastructure.

IAM role name Role title Description
Monitoring Editor roles/monitoring.editor Provides full access to information about all monitoring data and configurations.
Kubernetes Engine Viewer roles/container.viewer Provides read-only access to GKE resources.

Additional roles and permissions

IAM has additional roles and granular permissions if the above roles don't meet your needs. For example, you might want to grant the Kubernetes Engine Admin role or the Kubernetes Engine Cluster Admin role to let a user administer your GKE infrastructure.

For more information see the following:

What's next