Google Cloud offers Identity and Access Management (IAM), which lets you give granular access to specific Google Cloud resources and prevents unwanted access to other resources. This page describes the IAM roles for Cloud Trace.
To learn how to assign IAM roles to a user or service account, read Managing policies in the IAM documentation.
Permissions and roles
This section summarizes the permissions and roles Cloud Trace supports.
API permissions
The following table lists the permissions that the caller must have to call each method in the Cloud Trace API:
Method (REST/RPC) | Required permission(s) | For resource type |
---|---|---|
projects.traces.list / ListTraces | cloudtrace.traces.list | project |
projects.traces.get / GetTrace | cloudtrace.traces.get | project |
projects.patchTraces / PatchTraces | cloudtrace.traces.patch | project |
projects.traces.batchWrite / BatchWriteSpans | cloudtrace.traces.patch | project |
projects.traces.spans.createSpan / CreateSpan | cloudtrace.traces.patch | project |
projects.traceSinks.list / ListTraceSinks | cloudtrace.tracesinks.list | project |
projects.traceSinks.get / GetTraceSink | cloudtrace.tracesinks.get | project |
projects.traceSinks.create / CreateTraceSink | cloudtrace.tracesinks.create | project |
projects.traceSinks.patch / UpdateTraceSink | cloudtrace.tracesinks.update | project |
projects.traceSinks.delete / DeleteTraceSink | cloudtrace.tracesinks.delete | project |
Console permissions
The following table lists the permissions required to use the Cloud Trace pages in the Cloud Console:
Activity | Required permissions |
---|---|
Read-only access to the Trace console. | cloudtrace.insights.get, cloudtrace.insights.list, cloudtrace.stats.get, cloudtrace.tasks.get, cloudtrace.tasks.list, cloudtrace.traces.get, cloudtrace.traces.list, resourcemanager.projects.get, resourcemanager.projects.list |
Add ability to create Analysis reports in the console. | Read-only permissions plus: cloudtrace.tasks.create |
Add ability to delete Analysis reports in the console. | Read-only permissions plus: cloudtrace.tasks.delete |
Add ability to show logs in the console. | Read-only permissions plus: logging.logEntries.list |
Add ability to show the App Engine service and version filter menus. | Read-only permissions plus: appengine.applications.get, appengine.services.list, appengine.versions.list |
The cloudtrace.tasks.* permissions pertain to management of analysis reports. The cloudtrace.insights.* permissions are used to display trace insights. cloudtrace.stats.get allows the console to retrieve the current project's most frequent URIs and URLs, as well as project-specific trace statistics.
Roles
IAM roles include permissions and can be assigned to users, groups, and service accounts. The following roles include the listed permissions for Cloud Trace:
Role name | Trace permissions | Description |
---|---|---|
roles/cloudtrace.agent (Cloud Trace Agent) | cloudtrace.traces.patch | For service accounts. Ability to write traces by sending the data to Trace. |
roles/cloudtrace.user (Cloud Trace User) | cloudtrace.insights.get, cloudtrace.insights.list, cloudtrace.stats.get, cloudtrace.tasks.create, cloudtrace.tasks.delete, cloudtrace.tasks.get, cloudtrace.tasks.list, cloudtrace.traces.get, cloudtrace.traces.list, resourcemanager.projects.get, resourcemanager.projects.list, cloudtrace.tracesinks.list, cloudtrace.tracesinks.create, cloudtrace.tracesinks.get, cloudtrace.tracesinks.update, cloudtrace.tracesinks.delete | Full access to the Trace console, read access to traces, and read-write access to sinks. |
roles/cloudtrace.admin (Cloud Trace Admin) | Permissions in roles/cloudtrace.user, plus: cloudtrace.traces.patch | Full access to the Trace console, read-write access to traces, and read-write access to sinks. |
roles/viewer (Project Viewer) | cloudtrace.insights.get, cloudtrace.insights.list, cloudtrace.stats.get, cloudtrace.tasks.get, cloudtrace.tasks.list, cloudtrace.traces.get, cloudtrace.traces.list, resourcemanager.projects.get, resourcemanager.projects.list, cloudtrace.tracesinks.list, cloudtrace.tracesinks.get | Read access to the Trace console, traces, and sinks. |
roles/editor (Project Editor) | Permissions from roles/viewer, plus: cloudtrace.tasks.create, cloudtrace.tasks.delete | Read-write access to the Trace console and read access to traces. |
roles/owner (Project Owner) | Permissions from roles/editor, plus: cloudtrace.traces.patch | Read-write access to the Trace console and traces. |
Custom roles
To create a custom role that includes Cloud Trace permissions, do the following:
- For a role granting permissions only for the Cloud Trace API, choose from the permissions in the preceding section, API permissions.
- For a role granting permissions for the Cloud Trace API and console, choose permission groups in the preceding section, Console permissions.
- To grant the ability to write trace data, include the permission(s) in the role roles/cloudtrace.agent in the section Roles.
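As an added example (not Google's own code), the tables above encoded as data with a least-privilege check: which predefined role satisfies a given API method, the smallest role that covers a set of needed permissions, and a custom-role definition in the YAML shape that `gcloud iam roles create --file` reads. The YAML field names and the `stage: GA` value are assumptions from the gcloud role-file format, not taken from this page.

```python
# The Cloud Trace permission and role tables from this page, encoded as data.
API_METHOD_PERMISSION = {  # RPC name -> permission the caller must hold
    "ListTraces": "cloudtrace.traces.list",
    "GetTrace": "cloudtrace.traces.get",
    "PatchTraces": "cloudtrace.traces.patch",
    "BatchWriteSpans": "cloudtrace.traces.patch",
    "CreateSpan": "cloudtrace.traces.patch",
    "ListTraceSinks": "cloudtrace.tracesinks.list",
    "GetTraceSink": "cloudtrace.tracesinks.get",
    "CreateTraceSink": "cloudtrace.tracesinks.create",
    "UpdateTraceSink": "cloudtrace.tracesinks.update",
    "DeleteTraceSink": "cloudtrace.tracesinks.delete",
}
READ_ONLY = {"cloudtrace.insights.get", "cloudtrace.insights.list", "cloudtrace.stats.get",
             "cloudtrace.tasks.get", "cloudtrace.tasks.list", "cloudtrace.traces.get",
             "cloudtrace.traces.list", "resourcemanager.projects.get",
             "resourcemanager.projects.list", "cloudtrace.tracesinks.list",
             "cloudtrace.tracesinks.get"}
TASKS_WRITE = {"cloudtrace.tasks.create", "cloudtrace.tasks.delete"}
SINKS_WRITE = {"cloudtrace.tracesinks.create", "cloudtrace.tracesinks.update",
               "cloudtrace.tracesinks.delete"}
# role -> (role whose permissions it extends, or None; its own Trace permissions)
ROLE_DEFS = {
    "roles/cloudtrace.agent": (None, {"cloudtrace.traces.patch"}),
    "roles/cloudtrace.user": (None, READ_ONLY | TASKS_WRITE | SINKS_WRITE),
    "roles/cloudtrace.admin": ("roles/cloudtrace.user", {"cloudtrace.traces.patch"}),
    "roles/viewer": (None, READ_ONLY),
    "roles/editor": ("roles/viewer", TASKS_WRITE),
    "roles/owner": ("roles/editor", {"cloudtrace.traces.patch"}),
}

def permissions(role):
    """Trace permissions of a role, following the table's 'plus:' chain."""
    parent, own = ROLE_DEFS[role]
    return own | (permissions(parent) if parent else set())

def can_call(role, method):
    """Does a principal holding `role` satisfy the API method's permission?"""
    return API_METHOD_PERMISSION[method] in permissions(role)

def least_privilege_roles(needed):
    """Predefined roles covering `needed`, smallest Trace permission set first."""
    fitting = [r for r in ROLE_DEFS if needed <= permissions(r)]
    return sorted(fitting, key=lambda r: len(permissions(r)))

def custom_role_yaml(title, needed):
    """Role definition in the YAML shape `gcloud iam roles create --file` reads (assumed format)."""
    lines = [f"title: {title}", "stage: GA", "includedPermissions:"]
    return "\n".join(lines + [f"- {p}" for p in sorted(needed)]) + "\n"
```

A tracing agent that only needs to write spans is covered by roles/cloudtrace.agent alone; handing it roles/editor would not even grant cloudtrace.traces.patch, while roles/owner would grant far more than it needs.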
For more information on custom roles, go to Creating and managing custom roles.