Google Cloud Platform offers Identity and Access Management (IAM), which lets you give granular access to specific Google Cloud Platform resources and prevents unwanted access to other resources. This page describes the Stackdriver Trace IAM roles. For a detailed description of Cloud IAM, read the IAM documentation.
Setting roles
To learn how to assign IAM roles to a user or service account, read Managing Policies in the IAM documentation.
To be able to use Stackdriver Trace, a user must have one of the following roles:
- Trace User
- Trace Agent (generally granted to a service account)
- Owner
- Editor
- Viewer
Required permissions
| Method (REST / RPC) | Required permission(s) | For resource type |
|---|---|---|
traces.list /
ListTracesRequest
|
cloudtrace.traces.list |
project |
traces.get /
GetTraceRequest
|
cloudtrace.traces.get |
project |
patchTraces /
PatchTracesRequest
|
cloudtrace.traces.patch |
project |
Roles
IAM roles include permissions and can be assigned to users, groups, and service accounts. The following roles include the listed permissions for Stackdriver Trace:
| Role name | Includes permissions | Description |
|---|---|---|
roles/cloudtrace.agent |
cloudtrace.traces.patch |
Can send trace data to Stackdriver Trace. Intended for service accounts. |
roles/cloudtrace.user |
cloudtrace.traces.getcloudtrace.traces.list |
Can read trace data. |
roles/viewer |
cloudtrace.traces.getcloudtrace.traces.list |
Can list traces. |
roles/editor |
cloudtrace.traces.getcloudtrace.traces.listcloudtrace.traces.patch |
Can read and write trace data. |
roles/owner |
cloudtrace.traces.getcloudtrace.traces.listcloudtrace.traces.patch |
Can read and write trace data. |
