Esta página foi traduzida pela API Cloud Translation.

Controlar o acesso com o IAM

Quando você cria um projeto Google Cloud , é o único usuário no projeto. Por padrão, nenhum outro usuário tem acesso ao seu projeto ou recursos dele. O Identity and Access Management (IAM) gerencia o acesso a Google Cloud recursos, como clusters. As permissões são atribuídas aos participantes do IAM.

O IAM permite conceder papéis aos principais. Um papel é um conjunto de permissões e, quando concedido a um participante, controla o acesso a um ou mais Google Cloud recursos. Você pode usar os seguintes tipos de papéis:

Papéis básicos fornecem permissões gerais limitadas a Proprietário, Editor e Leitor.
Papéis predefinidos, que oferecem acesso mais restrito do que papéis básicos e abordam muitos casos de uso comuns.
Papéis personalizados permitem que você crie combinações exclusivas de permissões.

Um principal pode ser qualquer um destes:

Conta de usuário
Conta de serviço
Grupos do Google do Google Workspace
Domínio do Google Workspace
Domínio do Cloud Identity

Tipos de políticas do IAM

O IAM aceita os seguintes tipos de políticas:

Permitir políticas: atribua papéis aos principais. Para detalhes, consulte a Política de permissão.
Políticas de negação: impedem que os principais usem permissões específicas do IAM, independentemente dos papéis atribuídos a eles. Para mais detalhes, consulte as Políticas de negação.

Use as políticas de negação para impedir que principais específicos executem ações específicas no projeto, pasta ou organização, mesmo que uma política de permissão do IAM conceda a esses principais um papel que contenha as permissões relevantes.

Papéis predefinidos

O IAM fornece papéis predefinidos para conceder acesso granular a recursos específicos do Google Cloud e impedir o acesso indesejado a outros recursos.O Google Cloud cria e mantém esses papéis e atualiza automaticamente as permissões conforme necessário, como quando a Observabilidade do Google Cloud adiciona novos recursos.

Os papéis predefinidos para a Observability do Google Cloud contêm permissões para recursos que abrangem várias áreas de produto. Por esse motivo, algumas permissões, como observability.scopes.get, podem aparecer em papéis predefinidos para essas áreas de produto. Por exemplo, o papel de leitor de registros (roles/logging.viewer) inclui a permissão observability.scopes.get, além de muitas permissões específicas de registro.

A tabela a seguir lista os papéis predefinidos para a Observability do Google Cloud. Para cada função, a tabela mostra o título, a descrição, as permissões contidas e o tipo de recurso de menor nível em que as funções podem ser concedidas. É possível conceder os papéis predefinidos no nível do Google Cloud projeto ou, na maioria dos casos, qualquer tipo acima na hierarquia de recursos.

Para conferir uma lista de todas as permissões individuais contidas em um papel, consulte Como receber os metadados do papel.

Papéis de observabilidade

Role Permissions

Role	Permissions
Observability Admin ^Beta (`roles/observability.admin`) Full access to Observability resources.	`observability.*` `observability.analyticsViews.create` `observability.analyticsViews.delete` `observability.analyticsViews.get` `observability.analyticsViews.list` `observability.analyticsViews.update` `observability.buckets.create` `observability.buckets.delete` `observability.buckets.get` `observability.buckets.list` `observability.buckets.undelete` `observability.buckets.update` `observability.datasets.create` `observability.datasets.delete` `observability.datasets.get` `observability.datasets.list` `observability.datasets.undelete` `observability.datasets.update` `observability.links.create` `observability.links.delete` `observability.links.get` `observability.links.list` `observability.links.update` `observability.operations.cancel` `observability.operations.delete` `observability.operations.get` `observability.operations.list` `observability.scopes.get` `observability.scopes.update` `observability.views.access` `observability.views.create` `observability.views.delete` `observability.views.get` `observability.views.list` `observability.views.update`
Observability Analytics User ^Beta (`roles/observability.analyticsUser`) Grants permissions to use Cloud Observability Analytics.	`logging.queries.getShared` `logging.queries.listShared` `logging.queries.usePrivate` `observability.analyticsViews.*` `observability.analyticsViews.create` `observability.analyticsViews.delete` `observability.analyticsViews.get` `observability.analyticsViews.list` `observability.analyticsViews.update` `observability.buckets.get` `observability.buckets.list` `observability.datasets.get` `observability.datasets.list` `observability.links.get` `observability.links.list` `observability.operations.get` `observability.operations.list` `observability.scopes.get` `observability.views.get` `observability.views.list`
Observability Editor ^Beta (`roles/observability.editor`) Edit access to Observability resources.	`observability.analyticsViews.` `observability.analyticsViews.create` `observability.analyticsViews.delete` `observability.analyticsViews.get` `observability.analyticsViews.list` `observability.analyticsViews.update` `observability.buckets.create` `observability.buckets.get` `observability.buckets.list` `observability.buckets.update` `observability.datasets.create` `observability.datasets.get` `observability.datasets.list` `observability.datasets.update` `observability.links.` `observability.links.create` `observability.links.delete` `observability.links.get` `observability.links.list` `observability.links.update` `observability.operations.` `observability.operations.cancel` `observability.operations.delete` `observability.operations.get` `observability.operations.list` `observability.scopes.` `observability.scopes.get` `observability.scopes.update` `observability.views.create` `observability.views.delete` `observability.views.get` `observability.views.list` `observability.views.update`
Observability Scopes Editor ^Beta (`roles/observability.scopesEditor`) Grants permission to view and edit Observability, Logging, Trace, and Monitoring scopes	`logging.logScopes.` `logging.logScopes.create` `logging.logScopes.delete` `logging.logScopes.get` `logging.logScopes.list` `logging.logScopes.update` `monitoring.metricsScopes.link` `observability.scopes.` `observability.scopes.get` `observability.scopes.update`
Observability Service Agent (`roles/observability.serviceAgent`) Grants Observability service account the ability to list, create and link datasets in the consumer project. Warning: Do not grant service agent roles to any principals except service agents.	`bigquery.datasets.create` `bigquery.datasets.get` `bigquery.datasets.link`
Observability View Accessor ^Beta (`roles/observability.viewAccessor`) Read only access to data defined by an Observability View.	`observability.views.access`
Observability Viewer ^Beta (`roles/observability.viewer`) Read only access to Observability resources.	`observability.analyticsViews.get` `observability.analyticsViews.list` `observability.buckets.get` `observability.buckets.list` `observability.datasets.get` `observability.datasets.list` `observability.links.get` `observability.links.list` `observability.operations.get` `observability.operations.list` `observability.scopes.get` `observability.views.get` `observability.views.list`

Observability Admin ^Beta

(roles/observability.admin)

Full access to Observability resources.

observability.*

observability.analyticsViews.create
observability.analyticsViews.delete
observability.analyticsViews.get
observability.analyticsViews.list
observability.analyticsViews.update
observability.buckets.create
observability.buckets.delete
observability.buckets.get
observability.buckets.list
observability.buckets.undelete
observability.buckets.update
observability.datasets.create
observability.datasets.delete
observability.datasets.get
observability.datasets.list
observability.datasets.undelete
observability.datasets.update
observability.links.create
observability.links.delete
observability.links.get
observability.links.list
observability.links.update
observability.operations.cancel
observability.operations.delete
observability.operations.get
observability.operations.list
observability.scopes.get
observability.scopes.update
observability.views.access
observability.views.create
observability.views.delete
observability.views.get
observability.views.list
observability.views.update

Observability Analytics User ^Beta

(roles/observability.analyticsUser)

Grants permissions to use Cloud Observability Analytics.

logging.queries.getShared

logging.queries.listShared

logging.queries.usePrivate

observability.analyticsViews.*

observability.analyticsViews.create
observability.analyticsViews.delete
observability.analyticsViews.get
observability.analyticsViews.list
observability.analyticsViews.update

observability.buckets.get

observability.buckets.list

observability.datasets.get

observability.datasets.list

observability.links.get

observability.links.list

observability.operations.get

observability.operations.list

observability.scopes.get

observability.views.get

observability.views.list

Observability Editor ^Beta

(roles/observability.editor)

Edit access to Observability resources.

observability.analyticsViews.*

observability.analyticsViews.create
observability.analyticsViews.delete
observability.analyticsViews.get
observability.analyticsViews.list
observability.analyticsViews.update

observability.buckets.create

observability.buckets.get

observability.buckets.list

observability.buckets.update

observability.datasets.create

observability.datasets.get

observability.datasets.list

observability.datasets.update

observability.links.*

observability.links.create
observability.links.delete
observability.links.get
observability.links.list
observability.links.update

observability.operations.*

observability.operations.cancel
observability.operations.delete
observability.operations.get
observability.operations.list

observability.scopes.*

observability.scopes.get
observability.scopes.update

observability.views.create

observability.views.delete

observability.views.get

observability.views.list

observability.views.update

Observability Scopes Editor ^Beta

(roles/observability.scopesEditor)

Grants permission to view and edit Observability, Logging, Trace, and Monitoring scopes

logging.logScopes.*

logging.logScopes.create
logging.logScopes.delete
logging.logScopes.get
logging.logScopes.list
logging.logScopes.update

monitoring.metricsScopes.link

observability.scopes.*

observability.scopes.get
observability.scopes.update

Observability Service Agent

(roles/observability.serviceAgent)

Grants Observability service account the ability to list, create and link datasets in the consumer project.

bigquery.datasets.create

bigquery.datasets.get

bigquery.datasets.link

Observability View Accessor ^Beta

(roles/observability.viewAccessor)

Read only access to data defined by an Observability View.

observability.views.access

Observability Viewer ^Beta

(roles/observability.viewer)

Read only access to Observability resources.

observability.analyticsViews.get

observability.analyticsViews.list

observability.buckets.get

observability.buckets.list

observability.datasets.get

observability.datasets.list

observability.links.get

observability.links.list

observability.operations.get

observability.operations.list

observability.scopes.get

observability.views.get

observability.views.list

Papéis da API Telemetry

Role	Permissions
Cloud Telemetry Metrics Writer (`roles/telemetry.metricsWriter`) Access to write metrics.	`telemetry.metrics.write`
Integrated Service Telemetry Logs Writer ^Beta (`roles/telemetry.serviceLogsWriter`) Allows an onboarded service to write log data to a destination.	`telemetry.consumers.writeLogs`
Integrated Service Telemetry Metrics Writer ^Beta (`roles/telemetry.serviceMetricsWriter`) Allows an onboarded service to write metrics data to a destination.	`telemetry.consumers.writeMetrics`
Integrated Service Telemetry Writer ^Beta (`roles/telemetry.serviceTelemetryWriter`) Allows an onboarded service to write all telemetry data to a destination.	`telemetry.consumers.*` `telemetry.consumers.writeLogs` `telemetry.consumers.writeMetrics` `telemetry.consumers.writeTraces`
Integrated Service Telemetry Traces Writer ^Beta (`roles/telemetry.serviceTracesWriter`) Allows an onboarded service to write trace data to a destination.	`telemetry.consumers.writeTraces`
Cloud Telemetry Traces Writer (`roles/telemetry.tracesWriter`) Access to write trace spans.	`telemetry.traces.write`
Cloud Telemetry Writer (`roles/telemetry.writer`) Full access to write all telemetry data.	`telemetry.metrics.write` `telemetry.traces.write`

Controlar o acesso com o IAM Mantenha tudo organizado com as coleções Salve e categorize o conteúdo com base nas suas preferências.

Tipos de políticas do IAM

Papéis predefinidos

Papéis de observabilidade

Observability Admin Beta

Observability Analytics User Beta

Observability Editor Beta

Observability Scopes Editor Beta

Observability Service Agent

Observability View Accessor Beta

Observability Viewer Beta

Papéis da API Telemetry

Cloud Telemetry Metrics Writer

Integrated Service Telemetry Logs Writer Beta

Integrated Service Telemetry Metrics Writer Beta

Integrated Service Telemetry Writer Beta

Integrated Service Telemetry Traces Writer Beta

Cloud Telemetry Traces Writer

Cloud Telemetry Writer

A seguir

Controlar o acesso com o IAM

Observability Admin ^Beta

Observability Analytics User ^Beta

Observability Editor ^Beta

Observability Scopes Editor ^Beta

Observability View Accessor ^Beta

Observability Viewer ^Beta

Integrated Service Telemetry Logs Writer ^Beta

Integrated Service Telemetry Metrics Writer ^Beta

Integrated Service Telemetry Writer ^Beta

Integrated Service Telemetry Traces Writer ^Beta