Google Cloud Platform offers Identity and Access Management (IAM), which lets you give granular access to specific Google Cloud Platform resources and prevents unwanted access to other resources. This page describes the Stackdriver Trace IAM roles.
To learn how to assign IAM roles to a user or service account, read Managing Policies in the IAM documentation.
Permissions and roles
This section summarizes the permissions and roles Stackdriver Trace supports.
API permissions
The following table lists the permissions that the caller must have to call each
method in the Stackdriver Trace API, cloudtrace.googleapis.com/v1:
| Method (REST/RPC) | Required Permission(s) | For resource type |
|---|---|---|
projects.traces.list / ListTracesRequest |
cloudtrace.traces.list |
project |
projects.traces.get / GetTraceRequest |
cloudtrace.traces.get |
project |
projects.patchTraces / PatchTracesRequest |
cloudtrace.traces.patch |
project |
Console permissions
The following table lists the permissions required to use the Stackdriver Trace pages in the GCP Console:
| Activity | Required permissions |
|---|---|
| Minimal read-only access to the Trace console. | cloudtrace.insights.getcloudtrace.insights.listcloudtrace.stats.getcloudtrace.tasks.getcloudtrace.tasks.listcloudtrace.traces.getcloudtrace.traces.listresourcemanager.projects.getresourcemanager.projects.list |
| Add ability to create Analysis reports in the console. | Minimal permissions plus:cloudtrace.tasks.create |
| Add ability to delete Analysis reports in the console. | Minimal permissions plus:cloudtrace.tasks.delete |
| Add ability to show logs in the console. | Minimal permissions plus:logging.logEntries.list |
| Add ability to show the App Engine service and version filter menus. | Minimal permissions plus:appengine.applications.getappengine.services.listappengine.versions.list |
Roles
IAM roles include permissions and can be assigned to users, groups, and service accounts. The following roles include the listed permissions for Stackdriver Trace:
| Role name | Trace permissions | Description |
|---|---|---|
roles/cloudtrace.agentCloud Trace Agent |
cloudtrace.traces.patch |
For service accounts. Ability to write traces by sending the data to Stackdriver Trace. |
roles/cloudtrace.userCloud Trace User |
cloudtrace.insights.getcloudtrace.insights.listcloudtrace.stats.getcloudtrace.tasks.createcloudtrace.tasks.deletecloudtrace.tasks.getcloudtrace.tasks.listcloudtrace.traces.getcloudtrace.traces.listresourcemanager.projects.getresourcemanager.projects.list |
Full access to the Trace console and read access to traces. |
roles/cloudtrace.adminCloud Trace Admin |
Permissions in roles/cloudtrace.user, plus:cloudtrace.traces.patch |
Full access to the Trace console and read-write access to traces. |
roles/viewerProject Viewer |
cloudtrace.insights.getcloudtrace.insights.listcloudtrace.stats.getcloudtrace.tasks.getcloudtrace.tasks.listcloudtrace.traces.getcloudtrace.traces.listresourcemanager.projects.getresourcemanager.projects.list |
Read access to the Trace console and traces. |
roles/editorProject Editor |
Permissions from roles/viewer, plus:cloudtrace.tasks.createcloudtrace.tasks.delete |
Read-write access to the Trace console and read access to traces. |
roles/ownerProject Owner |
Permissions from roles/editor, plus:cloudtrace.traces.patch |
Read-write access to the Trace console and traces. |
Custom roles
To create a custom role that includes Stackdriver Trace permissions, do the following:
- For a role granting permissions only for the Stackdriver Trace API, choose from the permissions in the preceding section, API permissions.
- For a role granting permssions for the Stackdriver Trace API and console, choose permission groups in the preceding section, Console permissions.
- To grant the ability to write trace data, include the permission(s) in
the role
roles/cloudtrace.agentin the section Roles.
