Google Cloud Platform (GCP) offers Cloud Identity and Access Management (Cloud IAM), which lets you give granular access to specific GCP resources and prevents unwanted access to other resources. This page describes the Cloud IAM roles for Stackdriver Trace.
To learn how to assign Cloud IAM roles to a user or service account, read Managing policies in the Cloud IAM documentation.
Permissions and roles
This section summarizes the permissions and roles Stackdriver Trace supports.
API permissions
The following table lists the permissions that the caller must have to call each
method in the Stackdriver Trace API, cloudtrace.googleapis.com/v1:
| Method (REST/RPC) | Required Permission(s) | For resource type |
|---|---|---|
projects.traces.list / ListTracesRequest |
cloudtrace.traces.list |
project |
projects.traces.get / GetTraceRequest |
cloudtrace.traces.get |
project |
projects.patchTraces / PatchTracesRequest |
cloudtrace.traces.patch |
project |
Console permissions
The following table lists the permissions required to use the Stackdriver Trace pages in the GCP Console:
| Activity | Required permissions |
|---|---|
| Read-only access to the Trace console. | cloudtrace.insights.getcloudtrace.insights.listcloudtrace.stats.getcloudtrace.tasks.getcloudtrace.tasks.listcloudtrace.traces.getcloudtrace.traces.listresourcemanager.projects.getresourcemanager.projects.list |
| Add ability to create Analysis reports in the console. | Read-only permissions plus:cloudtrace.tasks.create |
| Add ability to delete Analysis reports in the console. | Read-only permissions plus:cloudtrace.tasks.delete |
| Add ability to show logs in the console. | Read-only permissions plus:logging.logEntries.list |
| Add ability to show the App Engine service and version filter menus. | Read-only permissions plus:appengine.applications.getappengine.services.listappengine.versions.list |
Roles
Cloud IAM roles include permissions and can be assigned to users, groups, and service accounts. The following roles include the listed permissions for Stackdriver Trace:
| Role name | Trace permissions | Description |
|---|---|---|
roles/cloudtrace.agentCloud Trace Agent |
cloudtrace.traces.patch |
For service accounts. Ability to write traces by sending the data to Trace. |
roles/cloudtrace.userCloud Trace User |
cloudtrace.insights.getcloudtrace.insights.listcloudtrace.stats.getcloudtrace.tasks.createcloudtrace.tasks.deletecloudtrace.tasks.getcloudtrace.tasks.listcloudtrace.traces.getcloudtrace.traces.listresourcemanager.projects.getresourcemanager.projects.list |
Full access to the Trace console and read access to traces. |
roles/cloudtrace.adminCloud Trace Admin |
Permissions in roles/cloudtrace.user, plus:cloudtrace.traces.patch |
Full access to the Trace console and read-write access to traces. |
roles/viewerProject Viewer |
cloudtrace.insights.getcloudtrace.insights.listcloudtrace.stats.getcloudtrace.tasks.getcloudtrace.tasks.listcloudtrace.traces.getcloudtrace.traces.listresourcemanager.projects.getresourcemanager.projects.list |
Read access to the Trace console and traces. |
roles/editorProject Editor |
Permissions from roles/viewer, plus:cloudtrace.tasks.createcloudtrace.tasks.delete |
Read-write access to the Trace console and read access to traces. |
roles/ownerProject Owner |
Permissions from roles/editor, plus:cloudtrace.traces.patch |
Read-write access to the Trace console and traces. |
Custom roles
To create a custom role that includes Stackdriver Trace permissions, do the following:
- For a role granting permissions only for the Stackdriver Trace API, choose from the permissions in the preceding section, API permissions.
- For a role granting permissions for the Stackdriver Trace API and console, choose permission groups in the preceding section, Console permissions.
- To grant the ability to write trace data, include the permission(s) in
the role
roles/cloudtrace.agentin the section Roles.
For more information on custom roles, go to Creating and managing custom roles.
Need help? Visit our