Google Cloud offers Identity and Access Management (IAM), which lets you give granular access to specific Google Cloud resources and prevents unwanted access to other resources. This page describes the IAM roles for Cloud Trace.
- To learn how to assign IAM roles to a user or service account, read Manage access to projects, folders, and organizations.
- For more information about predefined roles, see IAM: Roles and permissions.
- For help choosing the most appropriate predefined roles, see Choose predefined roles.
Permissions and predefined Cloud Trace roles
IAM roles include permissions and can be assigned to users, groups, and service accounts. The following table lists the predefined roles for Cloud Trace and the permissions for those roles:
Role | Permissions |
---|---|
Cloud Trace Admin: Provides full access to the Trace console and read-write access to traces. Lowest-level resources where you can grant this role: | |
Cloud Trace Agent: For service accounts. Provides ability to write traces by sending the data to Stackdriver Trace. Lowest-level resources where you can grant this role: | |
Cloud Trace User: Provides full access to the Trace console and read access to traces. Lowest-level resources where you can grant this role: | |
Create custom roles
To create a custom role that includes Cloud Trace permissions, do the following:
- For a role granting permissions only for the Cloud Trace API, choose the permissions required by the API method.
- For a role granting permissions for the Cloud Trace API and console, choose permission groups from one of the predefined Cloud Trace roles.
- To grant the ability to write trace data, include the permission(s) in the role Cloud Trace Agent (`roles/cloudtrace.agent`).
For more information on custom roles, go to Create and manage custom roles.
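The role descriptions above imply a simple least-privilege review: workloads that only write traces should hold Cloud Trace Agent, and read access should be held by people rather than services. The following is an added example, not part of the original page or Google's own tooling, that audits an IAM policy for bindings that break that split. It assumes the role IDs `roles/cloudtrace.admin` and `roles/cloudtrace.user`, which are not shown on this page, and uses a constructed sample policy.

```python
import json

# roles/cloudtrace.agent appears on this page; the Admin and User role IDs are
# assumed here (they are not shown on the page).
AGENT = "roles/cloudtrace.agent"
ADMIN = "roles/cloudtrace.admin"
USER = "roles/cloudtrace.user"

# Constructed sample in the shape printed by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "bindings": [
    {"role": "roles/cloudtrace.agent",
     "members": ["serviceAccount:checkout@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/cloudtrace.admin",
     "members": ["serviceAccount:batch@example-project.iam.gserviceaccount.com",
                 "group:sre@example.com"]},
    {"role": "roles/cloudtrace.user",
     "members": ["user:analyst@example.com",
                 "serviceAccount:report@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/cloudtrace.agent",
     "members": ["user:dev@example.com"]}
  ]
}
""")

def audit_trace_bindings(policy):
    """Return sorted (member, role, reason) findings for Cloud Trace bindings."""
    findings = set()
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in (AGENT, ADMIN, USER):
            continue  # not a Cloud Trace predefined role
        for member in binding.get("members", []):
            # Members look like "type:identity"; deleted ones carry a "deleted:" prefix.
            kind = member.removeprefix("deleted:").split(":", 1)[0]
            if kind == "serviceAccount" and role == ADMIN:
                findings.add((member, role, "workload has read-write; Agent only writes"))
            elif kind == "serviceAccount" and role == USER:
                findings.add((member, role, "workload can read traces; confirm the need"))
            elif kind != "serviceAccount" and role == AGENT:
                findings.add((member, role, "Agent is intended for service accounts"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_trace_bindings(SAMPLE_POLICY):
        print(" | ".join(finding))
```

Findings are review prompts rather than violations: a reporting service may legitimately need read access, in which case a custom role limited to the API methods it calls is the narrower grant.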
Permissions for API methods
For information about the permissions required to execute an API call, see the Cloud Trace API reference documentation: