Controlling access to Anthos Service Mesh in the Google Cloud console

Access to Anthos Service Mesh in the Google Cloud console is controlled by Identity and Access Management (IAM). To get access, a Project Owner must grant users the Project Editor or Viewer role, or the more restrictive roles described in the following tables. For information about how to grant roles to users, see Granting, changing, and revoking access to resources.

Minimum read-only roles

Users with the following roles can access the Anthos Service Mesh pages for monitoring purposes only. Users with these roles can't create or modify service level objectives (SLOs) or make changes to the GKE infrastructure.

Role title | IAM role name | Description
Monitoring Viewer | roles/monitoring.viewer | Provides read-only access to get and list information about all monitoring data and configurations.
Kubernetes Engine Viewer | roles/container.viewer | Provides read-only access to GKE resources.

Minimum write roles

Users with the following roles can create or modify SLOs in the Anthos Service Mesh pages and create or modify alerting policies based on the SLOs. Users with these roles can't make changes to the GKE infrastructure.

Role title | IAM role name | Description
Monitoring Editor | roles/monitoring.editor | Provides full access to information about all monitoring data and configurations.
Kubernetes Engine Viewer | roles/container.viewer | Provides read-only access to GKE resources.
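
The following script is an added example, not part of the original documentation. It audits a project IAM policy, in the JSON shape printed by gcloud projects get-iam-policy --format=json, against the two role sets in the tables above and flags members who hold a basic project role (Owner, Editor or Viewer) instead of the more restrictive roles. The sample policy, the member addresses and the level labels are constructed for this example.

```python
# Role sets taken from the two tables on this page.
READ_ONLY = {"roles/monitoring.viewer", "roles/container.viewer"}
WRITE = {"roles/monitoring.editor", "roles/container.viewer"}
# Basic project roles: broader than Anthos Service Mesh console access needs.
BASIC = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample policy (not from a real project).
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/editor", "members": ["user:alice@example.com"]},
        {"role": "roles/monitoring.viewer",
         "members": ["user:bob@example.com", "user:carol@example.com"]},
        {"role": "roles/monitoring.editor", "members": ["user:dana@example.com"]},
        {"role": "roles/container.viewer",
         "members": ["user:bob@example.com", "user:dana@example.com"]},
    ]
}


def roles_by_member(policy):
    """Invert the bindings into member -> set of roles.

    Assumption: binding conditions are ignored, so a conditional grant
    is counted as if it always applied.
    """
    held = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            held.setdefault(member, set()).add(binding["role"])
    return held


def classify(roles):
    """Map a member's role set to a level label (labels are hypothetical)."""
    if roles & BASIC:
        return "basic-role"   # candidate for replacement with a minimum set
    if WRITE <= roles:
        return "write"        # can create or modify SLOs and alerting policies
    if READ_ONLY <= roles:
        return "read-only"    # monitoring pages only
    if roles & (READ_ONLY | WRITE):
        return "incomplete"   # holds only one role of a pair
    return "none"


def audit(policy):
    """Return member -> level for every member named in the policy."""
    return {m: classify(r) for m, r in sorted(roles_by_member(policy).items())}


if __name__ == "__main__":
    for member, level in audit(SAMPLE_POLICY).items():
        print(f"{level:11} {member}")
```

Members reported as basic-role are the ones to review first when tightening access to the minimum roles.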

Additional roles and permissions

IAM has additional roles and granular permissions if the above roles don't meet your needs. For example, you might want to grant the Kubernetes Engine Admin role or the Kubernetes Engine Cluster Admin role to let a user administer your GKE infrastructure.

For more information see the following:
