Control access with IAM

Google Cloud offers Identity and Access Management (IAM), which lets you give granular access to specific Google Cloud resources and prevents unwanted access to other resources. This page describes the IAM roles for Cloud Trace.

Permissions and predefined Cloud Trace roles

IAM roles include permissions and can be assigned to users, groups, and service accounts. The following table lists the predefined roles for Cloud Trace, and it lists the permissions for those roles:

Role Permissions

(roles/cloudtrace.admin)

Provides full access to the Trace console and read-write access to traces.

Lowest-level resources where you can grant this role:

  • Project

cloudtrace.*

  • cloudtrace.insights.get
  • cloudtrace.insights.list
  • cloudtrace.stats.get
  • cloudtrace.tasks.create
  • cloudtrace.tasks.delete
  • cloudtrace.tasks.get
  • cloudtrace.tasks.list
  • cloudtrace.traceScopes.create
  • cloudtrace.traceScopes.delete
  • cloudtrace.traceScopes.get
  • cloudtrace.traceScopes.list
  • cloudtrace.traceScopes.update
  • cloudtrace.traces.get
  • cloudtrace.traces.list
  • cloudtrace.traces.patch

observability.scopes.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/cloudtrace.agent)

For service accounts. Provides ability to write traces by sending the data to Stackdriver Trace.

Lowest-level resources where you can grant this role:

  • Project

cloudtrace.traces.patch

(roles/cloudtrace.user)

Provides full access to the Trace console and read access to traces.

Lowest-level resources where you can grant this role:

  • Project

cloudtrace.insights.*

  • cloudtrace.insights.get
  • cloudtrace.insights.list

cloudtrace.stats.get

cloudtrace.tasks.*

  • cloudtrace.tasks.create
  • cloudtrace.tasks.delete
  • cloudtrace.tasks.get
  • cloudtrace.tasks.list

cloudtrace.traceScopes.*

  • cloudtrace.traceScopes.create
  • cloudtrace.traceScopes.delete
  • cloudtrace.traceScopes.get
  • cloudtrace.traceScopes.list
  • cloudtrace.traceScopes.update

cloudtrace.traces.get

cloudtrace.traces.list

observability.scopes.get

resourcemanager.projects.get

resourcemanager.projects.list

Create custom roles

To create a custom role that includes Cloud Trace permissions, do the following:

  • For a role granting permissions only for the Cloud Trace API, choose the permissions required by the API method.
  • For a role granting permissions for the Cloud Trace API and console, choose permission groups from one of the predefined Cloud Trace roles.
  • To grant the ability to write trace data, include the permission(s) in the role Cloud Trace Agent (roles/cloudtrace.agent).

For more information on custom roles, go to Create and manage custom roles.

Permissions for API methods

For information about the permissions required to execute an API call, see the Cloud Trace API reference documentation: