Access Control

Google Cloud Platform offers Identity and Access Management (IAM), which lets you give granular access to specific Google Cloud Platform resources and prevents unwanted access to other resources. This page describes the Stackdriver Trace IAM roles. For a detailed description of Cloud IAM, read the IAM documentation.

Setting roles

To learn how to assign IAM roles to a user or service account, read Managing Policies in the IAM documentation.

To use Stackdriver Trace, a user must have one of the following roles:

  • Trace User
  • Trace Agent (generally granted to a service account)
  • Owner
  • Editor
  • Viewer

Required permissions

| Method (REST / RPC) | Required permission(s) | For resource type |
|---|---|---|
| traces.list / ListTracesRequest | cloudtrace.traces.list | project |
| traces.get / GetTraceRequest | cloudtrace.traces.get | project |
| patchTraces / PatchTracesRequest | cloudtrace.traces.patch | project |

Roles

IAM roles include permissions and can be assigned to users, groups, and service accounts. The following roles include the listed permissions for Stackdriver Trace:

| Role name | Includes permissions | Description |
|---|---|---|
| roles/cloudtrace.agent | cloudtrace.traces.patch | Can send trace data to Stackdriver Trace. Intended for service accounts. |
| roles/cloudtrace.user | cloudtrace.traces.get, cloudtrace.traces.list | Can read trace data. |
| roles/viewer | cloudtrace.traces.get, cloudtrace.traces.list | Can list traces. |
| roles/editor | cloudtrace.traces.get, cloudtrace.traces.list, cloudtrace.traces.patch | Can read and write trace data. |
| roles/owner | cloudtrace.traces.get, cloudtrace.traces.list, cloudtrace.traces.patch | Can read and write trace data. |
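
The role table above can be turned into a least-privilege review of a project's IAM policy. The following is an added example, not part of the original documentation: it resolves each member's effective Trace permissions and flags access that comes from a broad project role or a service account that can read traces. The sample policy, its members, and the finding labels `broad-role` and `sa-can-read` are constructed for illustration.

```python
import json

# Role -> Trace permissions, copied from the roles table on this page.
GET, LIST, PATCH = ("cloudtrace.traces.get", "cloudtrace.traces.list",
                    "cloudtrace.traces.patch")
ROLE_PERMS = {
    "roles/cloudtrace.agent": {PATCH},
    "roles/cloudtrace.user": {GET, LIST},
    "roles/viewer": {GET, LIST},
    "roles/editor": {GET, LIST, PATCH},
    "roles/owner": {GET, LIST, PATCH},
}
# Assumption of this example: these three are treated as "broad" roles to review.
BROAD_ROLES = {"roles/viewer", "roles/editor", "roles/owner"}

# Constructed sample policy (hypothetical members), in the IAM policy JSON shape.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/editor", "members": [
     "serviceAccount:app@example-project.iam.gserviceaccount.com",
     "user:dev@example.com"]},
  {"role": "roles/cloudtrace.agent", "members": [
     "serviceAccount:collector@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/cloudtrace.user", "members": ["user:sre@example.com"]},
  {"role": "roles/storage.admin", "members": ["user:ops@example.com"]}
]}
""")

def audit(policy):
    """Return (access, findings) for Trace permissions in an IAM policy.
    Binding conditions are ignored (assumption: unconditional bindings)."""
    access = {}  # member -> {permission: set of roles that grant it}
    for binding in policy.get("bindings", []):
        for perm in ROLE_PERMS.get(binding["role"], ()):
            for member in binding.get("members", []):
                access.setdefault(member, {}).setdefault(perm, set()).add(binding["role"])
    findings = []
    for member, perms in sorted(access.items()):
        roles = set().union(*perms.values())
        broad = sorted(roles & BROAD_ROLES)
        if broad:  # Trace access comes from a project-wide role, not a Trace role
            findings.append((member, "broad-role", broad))
        readable = sorted(perms.keys() - {PATCH})
        if member.startswith("serviceAccount:") and readable:
            findings.append((member, "sa-can-read", readable))  # more than Trace Agent
    return access, findings

if __name__ == "__main__":
    for member, kind, detail in audit(SAMPLE_POLICY)[1]:
        print(f"{kind:12} {member}: {', '.join(detail)}")
```

The function accepts any dictionary in the IAM policy shape (a `bindings` list of `role` and `members`), so a saved policy export can be loaded with `json.load` and passed in directly.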
