Google Cloud offers Identity and Access Management (IAM), which lets you give granular access to specific Google Cloud resources and prevents unwanted access to other resources. This page describes the IAM roles for Cloud Trace.
To learn how to assign IAM roles to a user or service account, read Managing policies in the IAM documentation.
Permissions and roles
This section summarizes the permissions and roles Cloud Trace supports.
API permissions
The following table lists the permissions that the caller must have to call each method in the Cloud Trace API:
| Method (REST/RPC) | Required Permission(s) | For resource type |
|---|---|---|
projects.traces.list / ListTraces |
cloudtrace.traces.list |
project |
projects.traces.get / GetTrace |
cloudtrace.traces.get |
project |
projects.patchTraces / PatchTraces |
cloudtrace.traces.patch |
project |
projects.traces.batchWrite / BatchWriteSpans |
cloudtrace.traces.patch |
project |
projects.traces.spans.createSpan / CreateSpan |
cloudtrace.traces.patch |
project |
projects.traceSinks.list / ListTracesSinks |
cloudtrace.tracesinks.list |
project |
projects.traceSinks.get / GetTraceSink |
cloudtrace.tracesinks.get |
project |
projects.traceSinks.create / CreateTraceSink |
cloudtrace.tracesinks.create |
project |
projects.traceSinks.patch / UpdateTraceSink |
cloudtrace.tracesinks.update |
project |
projects.traceSinks.delete / DeleteTraceSink |
cloudtrace.tracesinks.delete |
project |
Console permissions
The following table lists the permissions required to use the Cloud Trace pages in the console:
| Activity | Required permissions |
|---|---|
| Read-only access to the Trace console. | cloudtrace.insights.getcloudtrace.insights.listcloudtrace.stats.getcloudtrace.tasks.getcloudtrace.tasks.listcloudtrace.traces.getcloudtrace.traces.listresourcemanager.projects.getresourcemanager.projects.list |
| Add ability to create Analysis reports in the console. | Read-only permissions plus:cloudtrace.tasks.create |
| Add ability to delete Analysis reports in the console. | Read-only permissions plus:cloudtrace.tasks.delete |
| Add ability to show logs in the console. | Read-only permissions plus:logging.logEntries.list |
| Add ability to show the App Engine service and version filter menus. | Read-only permissions plus:appengine.applications.getappengine.services.listappengine.versions.list |
The cloud.tasks.* permissions pertain to management of
analysis reports. cloudtrace.insights.*
permissions are used to display trace insights.
cloudtrace.stats.get allows the console to retrieve the current project's most
frequent URI's and URL's as well as project specific trace
statistics.
Roles
IAM roles include permissions and can be assigned to users, groups, and service accounts. The following roles include the listed permissions for Cloud Trace:
| Role name | Trace permissions | Description |
|---|---|---|
roles/cloudtrace.agentCloud Trace Agent |
cloudtrace.traces.patch |
For service accounts. Ability to write traces by sending the data to Trace. |
roles/cloudtrace.userCloud Trace User |
cloudtrace.insights.getcloudtrace.insights.listcloudtrace.stats.getcloudtrace.tasks.createcloudtrace.tasks.deletecloudtrace.tasks.getcloudtrace.tasks.listcloudtrace.traces.getcloudtrace.traces.listresourcemanager.projects.getresourcemanager.projects.list cloudtrace.tracesinks.listcloudtrace.tracesinks.createcloudtrace.tracesinks.getcloudtrace.tracesinks.updatecloudtrace.tracesinks.delete |
Full access to the Trace console, read access to traces, and read-write access to sinks. |
roles/cloudtrace.adminCloud Trace Admin |
Permissions in roles/cloudtrace.user, plus:cloudtrace.traces.patch |
Full access to the Trace console, read-write access to traces, and read-write access to sinks. |
roles/viewerProject Viewer |
cloudtrace.insights.getcloudtrace.insights.listcloudtrace.stats.getcloudtrace.tasks.getcloudtrace.tasks.listcloudtrace.traces.getcloudtrace.traces.listresourcemanager.projects.getresourcemanager.projects.list cloudtrace.tracesinks.listcloudtrace.tracesinks.get |
Read access to the Trace console, traces, and sinks. |
roles/editorProject Editor |
Permissions from roles/viewer, plus:cloudtrace.tasks.createcloudtrace.tasks.delete |
Read-write access to the Trace console and read access to traces. |
roles/ownerProject Owner |
Permissions from roles/editor, plus:cloudtrace.traces.patch |
Read-write access to the Trace console and traces. |
Custom roles
To create a custom role that includes Cloud Trace permissions, do the following:
- For a role granting permissions only for the Cloud Trace API, choose from the permissions in the preceding section, API permissions.
- For a role granting permissions for the Cloud Trace API and console, choose permission groups in the preceding section, Console permissions.
- To grant the ability to write trace data, include the permission(s) in
the role
roles/cloudtrace.agentin the section Roles.
For more information on custom roles, go to Creating and managing custom roles.