使用 IAM 控管存取權

Google Cloud 提供「身分與存取權管理」(IAM) 功能,可讓您精細劃分特定 Google Cloud 資源的存取權限,同時避免其他資源遭到未經授權者擅自存取。本頁面說明 Cloud Trace 的 IAM 角色。

最佳做法

為方便排解問題,建議您為所有可能需要查看專案中追蹤資料的使用者、群組和網域,授予該專案的 Cloud Trace 使用者角色 (roles/cloudtrace.user)。這個角色會授予主體查看追蹤記錄資料所需的權限。

權限和預先定義的角色

身分與存取權管理角色包含權限,可以指派給使用者、群組和服務帳戶。

Cloud Trace 角色

下表列出 Cloud Trace 的預先定義角色,以及這些角色的權限:

Role Permissions

(roles/cloudtrace.admin)

Provides full access to the Trace console and read-write access to traces.

Lowest-level resources where you can grant this role:

  • Project

cloudtrace.*

  • cloudtrace.insights.get
  • cloudtrace.insights.list
  • cloudtrace.stats.get
  • cloudtrace.tasks.create
  • cloudtrace.tasks.delete
  • cloudtrace.tasks.get
  • cloudtrace.tasks.list
  • cloudtrace.traceScopes.create
  • cloudtrace.traceScopes.delete
  • cloudtrace.traceScopes.get
  • cloudtrace.traceScopes.list
  • cloudtrace.traceScopes.update
  • cloudtrace.traces.get
  • cloudtrace.traces.list
  • cloudtrace.traces.patch

observability.scopes.get

observability.traceScopes.*

  • observability.traceScopes.create
  • observability.traceScopes.delete
  • observability.traceScopes.get
  • observability.traceScopes.list
  • observability.traceScopes.update

resourcemanager.projects.get

resourcemanager.projects.list

telemetry.traces.write

(roles/cloudtrace.agent)

For service accounts. Provides ability to write traces by sending the data to Stackdriver Trace.

Lowest-level resources where you can grant this role:

  • Project

cloudtrace.traces.patch

telemetry.traces.write

(roles/cloudtrace.user)

Provides full access to the Trace console and read access to traces.

Lowest-level resources where you can grant this role:

  • Project

cloudtrace.insights.*

  • cloudtrace.insights.get
  • cloudtrace.insights.list

cloudtrace.stats.get

cloudtrace.tasks.*

  • cloudtrace.tasks.create
  • cloudtrace.tasks.delete
  • cloudtrace.tasks.get
  • cloudtrace.tasks.list

cloudtrace.traceScopes.*

  • cloudtrace.traceScopes.create
  • cloudtrace.traceScopes.delete
  • cloudtrace.traceScopes.get
  • cloudtrace.traceScopes.list
  • cloudtrace.traceScopes.update

cloudtrace.traces.get

cloudtrace.traces.list

observability.scopes.get

observability.traceScopes.*

  • observability.traceScopes.create
  • observability.traceScopes.delete
  • observability.traceScopes.get
  • observability.traceScopes.list
  • observability.traceScopes.update

resourcemanager.projects.get

resourcemanager.projects.list

Telemetry API 角色

下表列出 Telemetry (OTLP) API 的預先定義角色,以及這些角色的權限:

Role Permissions

(roles/telemetry.metricsWriter)

Access to write metrics.

telemetry.metrics.write

(roles/telemetry.serviceLogsWriter)

Allows an onboarded service to write log data to a destination.

telemetry.consumers.writeLogs

(roles/telemetry.serviceMetricsWriter)

Allows an onboarded service to write metrics data to a destination.

telemetry.consumers.writeMetrics

(roles/telemetry.serviceTelemetryWriter)

Allows an onboarded service to write all telemetry data to a destination.

telemetry.consumers.*

  • telemetry.consumers.writeLogs
  • telemetry.consumers.writeMetrics
  • telemetry.consumers.writeTraces

(roles/telemetry.serviceTracesWriter)

Allows an onboarded service to write trace data to a destination.

telemetry.consumers.writeTraces

(roles/telemetry.tracesWriter)

Access to write trace spans.

telemetry.traces.write

(roles/telemetry.writer)

Full access to write all telemetry data.

telemetry.metrics.write

telemetry.traces.write

建立自訂角色

如要建立包含 Cloud Trace 權限的自訂角色,請執行下列步驟:

  • 如要建立僅授予 Cloud Trace API 權限的角色,請選擇 API 方法所需的權限。
  • 如要建立授予 Cloud Trace API 和主控台權限的角色,請從預先定義的 Cloud Trace 角色中選擇權限群組。
  • 如要授予寫入追蹤記錄資料的權限,請加入 Cloud Trace Agent (roles/cloudtrace.agent) 角色的權限。

如要進一步瞭解自訂角色,請參閱「建立及管理自訂角色」一文。

API 方法的權限

如要瞭解執行 API 呼叫所需的權限,請參閱 Cloud Trace API 參考說明文件: