Access Control

Google Cloud Platform offers Identity and Access Management (IAM), which lets you give granular access to specific Google Cloud Platform resources and prevents unwanted access to other resources. This page describes the Stackdriver Trace IAM roles.

To learn how to assign IAM roles to a user or service account, read Managing Policies in the IAM documentation.

Permissions and roles

This section summarizes the permissions and roles Trace supports.

API permissions

The following table lists the permissions that the caller must have to call each method in the Stackdriver Trace API, cloudtrace.googleapis.com/v1:

Method (REST / RPC)                           Required permission(s)     Resource type
projects.traces.list / ListTracesRequest      cloudtrace.traces.list     project
projects.traces.get / GetTraceRequest         cloudtrace.traces.get      project
projects.patchTraces / PatchTracesRequest     cloudtrace.traces.patch    project

Console permissions

The following table lists the permissions required to use the Stackdriver Trace pages in the Cloud Platform Console:

Activity: Minimal read-only access to the Trace console
Required permissions:
    cloudtrace.insights.get
    cloudtrace.insights.list
    cloudtrace.stats.get
    cloudtrace.tasks.get
    cloudtrace.tasks.list
    cloudtrace.traces.get
    cloudtrace.traces.list
    resourcemanager.projects.get
    resourcemanager.projects.list

Activity: Add ability to create Analysis reports in the console
Required permissions: the minimal permissions above, plus
    cloudtrace.tasks.create

Activity: Add ability to delete Analysis reports in the console
Required permissions: the minimal permissions above, plus
    cloudtrace.tasks.delete

Activity: Add ability to show logs in the console
Required permissions: the minimal permissions above, plus
    logging.logEntries.list

Activity: Add ability to show the App Engine service and version filter menus
Required permissions: the minimal permissions above, plus
    appengine.applications.get
    appengine.services.list
    appengine.versions.list

Roles

IAM roles include permissions and can be assigned to users, groups, and service accounts. The following roles include the listed permissions for Stackdriver Trace:

roles/cloudtrace.agent (Cloud Trace Agent)
Trace permissions:
    cloudtrace.traces.patch
Description: For service accounts. Ability to write traces by sending the data to Stackdriver Trace.

roles/cloudtrace.user (Cloud Trace User)
Trace permissions:
    cloudtrace.insights.get
    cloudtrace.insights.list
    cloudtrace.stats.get
    cloudtrace.tasks.get
    cloudtrace.tasks.list
    cloudtrace.traces.get
    cloudtrace.traces.list
    resourcemanager.projects.get
    resourcemanager.projects.list
Description: Full access to the Trace console and read access to traces. Note that the permissions listed for this role do not include cloudtrace.tasks.create or cloudtrace.tasks.delete, which the Console permissions table above requires for creating and deleting Analysis reports.

roles/cloudtrace.admin (Cloud Trace Admin)
Trace permissions: the permissions in roles/cloudtrace.user, plus
    cloudtrace.traces.patch
Description: Full access to the Trace console and read-write access to traces.

roles/viewer (Project Viewer)
Trace permissions:
    cloudtrace.insights.get
    cloudtrace.insights.list
    cloudtrace.stats.get
    cloudtrace.tasks.get
    cloudtrace.tasks.list
    cloudtrace.traces.get
    cloudtrace.traces.list
Description: Read-only access to the Trace console and traces.

roles/editor (Project Editor)
Trace permissions: the permissions in roles/viewer, plus
    cloudtrace.tasks.create
    cloudtrace.tasks.delete
Description: Full access to the Trace console and read access to traces.

roles/owner (Project Owner)
Trace permissions: the permissions in roles/editor, plus
    cloudtrace.traces.patch
Description: Full access to the Trace console and read-write access to traces.

Custom roles

To create a custom role including Trace permissions, do the following:

  • For a role granting permissions only for the Trace API, choose from the permissions in the preceding section, API permissions.
  • For a role granting permissions for the Trace API and the console, choose permission groups from the preceding section, Console permissions. Every console activity requires the minimal read-only group, so include it first and add only the groups for the activities the role actually needs.
  • To grant the ability to write trace data, include the permission listed for roles/cloudtrace.agent in the Roles section, cloudtrace.traces.patch. Grant it only to the principals that emit traces (normally service accounts), since it is the only permission in these tables that modifies trace data.
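The three bullets above, and the Roles table before them, are easier to apply with the tables in machine-readable form. The following is an added example, not Google's own tooling: it transcribes the Console permissions groups and the Trace permissions of each predefined role from this page, builds the least-privilege permission set for a custom role from a list of console activities (optionally adding cloudtrace.traces.patch for writers), renders the matching gcloud iam roles create command without running it, and audits a project IAM policy for who can write traces and for the Cloud Trace Agent role bound to anything other than a service account. The activity names (console_read, create_reports, and so on), the project ID, the role ID and every member in the sample policy are made up for the example; the policy itself is constructed input in the shape returned by gcloud projects get-iam-policy --format=json.

```python
"""Least-privilege helpers for Stackdriver Trace IAM.

Added example, not Google's own tooling. The permission groups and the
role-to-permission map are transcribed from the Console permissions and Roles
tables on this page (only the Trace-related permissions those tables list).
The IAM policy at the bottom is constructed sample input; the project ID,
role ID and member names are made up.
"""

# Permissions for minimal read-only use of the Trace console.
MINIMAL_CONSOLE = frozenset({
    "cloudtrace.insights.get", "cloudtrace.insights.list",
    "cloudtrace.stats.get",
    "cloudtrace.tasks.get", "cloudtrace.tasks.list",
    "cloudtrace.traces.get", "cloudtrace.traces.list",
    "resourcemanager.projects.get", "resourcemanager.projects.list",
})

# Extra permissions each console activity needs on top of MINIMAL_CONSOLE.
# Activity names are this example's own labels, not Google identifiers.
ACTIVITY_PERMISSIONS = {
    "console_read": frozenset(),
    "create_reports": frozenset({"cloudtrace.tasks.create"}),
    "delete_reports": frozenset({"cloudtrace.tasks.delete"}),
    "show_logs": frozenset({"logging.logEntries.list"}),
    "appengine_filters": frozenset({
        "appengine.applications.get", "appengine.services.list",
        "appengine.versions.list",
    }),
}

# The one permission that writes trace data (what roles/cloudtrace.agent grants).
WRITE_TRACES = "cloudtrace.traces.patch"

# cloudtrace.* read permissions: exactly what the Roles table lists for roles/viewer.
TRACE_READ = frozenset(p for p in MINIMAL_CONSOLE if p.startswith("cloudtrace."))
REPORT_ADMIN = frozenset({"cloudtrace.tasks.create", "cloudtrace.tasks.delete"})

# Trace permissions of each predefined role, as listed on this page.
ROLE_TRACE_PERMISSIONS = {
    "roles/cloudtrace.agent": frozenset({WRITE_TRACES}),
    "roles/cloudtrace.user": MINIMAL_CONSOLE,
    "roles/cloudtrace.admin": MINIMAL_CONSOLE | {WRITE_TRACES},
    "roles/viewer": TRACE_READ,
    "roles/editor": TRACE_READ | REPORT_ADMIN,
    "roles/owner": TRACE_READ | REPORT_ADMIN | {WRITE_TRACES},
}


def custom_role_permissions(activities, write_traces=False):
    """Smallest permission set for a custom role covering the given console
    activities (keys of ACTIVITY_PERMISSIONS) and, optionally, trace writing."""
    unknown = set(activities) - ACTIVITY_PERMISSIONS.keys()
    if unknown:
        raise ValueError(f"unknown activities: {sorted(unknown)}")
    perms = set()
    if activities:                       # any console activity needs the minimal set
        perms |= MINIMAL_CONSOLE
        for activity in activities:
            perms |= ACTIVITY_PERMISSIONS[activity]
    if write_traces:                     # API-only writer, e.g. an instrumented service
        perms.add(WRITE_TRACES)
    return perms


def gcloud_create_role_command(role_id, project, title, perms):
    """Render (not run) the gcloud command that creates the custom role."""
    return (
        f"gcloud iam roles create {role_id} --project={project} "
        f"--title='{title}' --stage=GA --permissions={','.join(sorted(perms))}"
    )


def trace_permissions_by_member(policy):
    """Trace permissions each member of a project IAM policy holds through the
    predefined roles in ROLE_TRACE_PERMISSIONS. Roles missing from that map
    (custom roles, other predefined roles) contribute nothing, so the result is
    a lower bound; add your custom roles to the map before relying on it."""
    by_member = {}
    for binding in policy.get("bindings", []):
        perms = ROLE_TRACE_PERMISSIONS.get(binding["role"], frozenset())
        for member in binding.get("members", []):
            by_member.setdefault(member, set()).update(perms)
    return by_member


def who_can_write_traces(policy):
    """Members holding cloudtrace.traces.patch via a predefined role."""
    return {m for m, p in trace_permissions_by_member(policy).items() if WRITE_TRACES in p}


def agent_role_misuse(policy):
    """Members bound to roles/cloudtrace.agent that are not service accounts,
    which this page describes the role as being for."""
    offenders = []
    for binding in policy.get("bindings", []):
        if binding["role"] == "roles/cloudtrace.agent":
            offenders.extend(m for m in binding.get("members", [])
                             if not m.startswith("serviceAccount:"))
    return sorted(offenders)


# Constructed sample policy (made-up project, members and service account).
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/cloudtrace.agent",
         "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com",
                     "user:alice@example.com"]},
        {"role": "roles/cloudtrace.user", "members": ["group:sre@example.com"]},
        {"role": "roles/owner", "members": ["user:bob@example.com"]},
    ]
}

if __name__ == "__main__":
    perms = custom_role_permissions(["create_reports", "show_logs"])
    print(gcloud_create_role_command("traceReportAuthor", "example-project",
                                     "Trace report author", perms))
    print("can write traces:", sorted(who_can_write_traces(SAMPLE_POLICY)))
    print("agent role on non-service accounts:", agent_role_misuse(SAMPLE_POLICY))
```

Note that roles/owner shows up in the write-traces audit alongside the agent service account: project-level basic roles carry cloudtrace.traces.patch too, so a custom read-only role for people only helps if they do not also hold roles/owner or roles/cloudtrace.admin.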
