Access control

Google Cloud offers Cloud Identity and Access Management (Cloud IAM), which lets you give granular access to specific Google Cloud resources and prevents unwanted access to other resources. This page describes the Cloud IAM roles for Cloud Trace.

To learn how to assign Cloud IAM roles to a user or service account, read Managing policies in the Cloud IAM documentation.

Permissions and roles

This section summarizes the permissions and roles Cloud Trace supports.

API permissions

The following table lists the permissions that the caller must have to call each method in the Cloud Trace API:

Method (REST / RPC) | Required permission(s) | Resource type
projects.traces.list / ListTraces | cloudtrace.traces.list | project
projects.traces.get / GetTrace | cloudtrace.traces.get | project
projects.patchTraces / PatchTraces | cloudtrace.traces.patch | project
projects.traces.batchWrite / BatchWriteSpans | cloudtrace.traces.patch | project
projects.traces.spans.createSpan / CreateSpan | cloudtrace.traces.patch | project
projects.traceSinks.list / ListTraceSinks | cloudtrace.tracesinks.list | project
projects.traceSinks.get / GetTraceSink | cloudtrace.tracesinks.get | project
projects.traceSinks.create / CreateTraceSink | cloudtrace.tracesinks.create | project
projects.traceSinks.patch / UpdateTraceSink | cloudtrace.tracesinks.update | project
projects.traceSinks.delete / DeleteTraceSink | cloudtrace.tracesinks.delete | project

Console permissions

The following table lists the permissions required to use the Cloud Trace pages in the Cloud Console:

Read-only access to the Trace console requires:
  cloudtrace.insights.get
  cloudtrace.insights.list
  cloudtrace.stats.get
  cloudtrace.tasks.get
  cloudtrace.tasks.list
  cloudtrace.traces.get
  cloudtrace.traces.list
  resourcemanager.projects.get
  resourcemanager.projects.list

Creating Analysis reports in the console requires the read-only permissions plus:
  cloudtrace.tasks.create

Deleting Analysis reports in the console requires the read-only permissions plus:
  cloudtrace.tasks.delete

Showing logs in the console requires the read-only permissions plus:
  logging.logEntries.list

Showing the App Engine service and version filter menus requires the read-only permissions plus:
  appengine.applications.get
  appengine.services.list
  appengine.versions.list

Roles

Cloud IAM roles include permissions and can be assigned to users, groups, and service accounts. The following roles include the listed permissions for Cloud Trace:

roles/cloudtrace.agent (Cloud Trace Agent)
  Trace permissions:
    cloudtrace.traces.patch
  Description: For service accounts. Ability to write traces by sending the data to Trace.

roles/cloudtrace.user (Cloud Trace User)
  Trace permissions:
    cloudtrace.insights.get
    cloudtrace.insights.list
    cloudtrace.stats.get
    cloudtrace.tasks.create
    cloudtrace.tasks.delete
    cloudtrace.tasks.get
    cloudtrace.tasks.list
    cloudtrace.traces.get
    cloudtrace.traces.list
    resourcemanager.projects.get
    resourcemanager.projects.list
    cloudtrace.tracesinks.list
    cloudtrace.tracesinks.create
    cloudtrace.tracesinks.get
    cloudtrace.tracesinks.update
    cloudtrace.tracesinks.delete
  Description: Full access to the Trace console, read access to traces, and read-write access to sinks.

roles/cloudtrace.admin (Cloud Trace Admin)
  Trace permissions: the permissions in roles/cloudtrace.user, plus:
    cloudtrace.traces.patch
  Description: Full access to the Trace console, read-write access to traces, and read-write access to sinks.

roles/viewer (Project Viewer)
  Trace permissions:
    cloudtrace.insights.get
    cloudtrace.insights.list
    cloudtrace.stats.get
    cloudtrace.tasks.get
    cloudtrace.tasks.list
    cloudtrace.traces.get
    cloudtrace.traces.list
    resourcemanager.projects.get
    resourcemanager.projects.list
    cloudtrace.tracesinks.list
    cloudtrace.tracesinks.get
  Description: Read access to the Trace console, traces, and sinks.

roles/editor (Project Editor)
  Trace permissions: the permissions in roles/viewer, plus:
    cloudtrace.tasks.create
    cloudtrace.tasks.delete
  Description: Read-write access to the Trace console and read access to traces.

roles/owner (Project Owner)
  Trace permissions: the permissions in roles/editor, plus:
    cloudtrace.traces.patch
  Description: Read-write access to the Trace console and traces.
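The role table above makes one point worth auditing: only roles/cloudtrace.agent, roles/cloudtrace.admin and roles/owner carry cloudtrace.traces.patch, and the agent role is documented as being for service accounts. The following script is an added example (not Google's code) that applies those two facts to a project IAM policy in the JSON shape returned by `gcloud projects get-iam-policy`; the policy, principals and project name are constructed sample data.

```python
"""Audit a project IAM policy for Cloud Trace write access (least privilege)."""

# Predefined roles that grant cloudtrace.traces.patch, per the role table above.
TRACE_WRITE_ROLES = {
    "roles/cloudtrace.agent",   # documented as intended for service accounts
    "roles/cloudtrace.admin",
    "roles/owner",
}

# Constructed sample policy (same structure as `gcloud projects get-iam-policy
# PROJECT --format=json`); the principals and project are made up.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXsample=",
    "bindings": [
        {"role": "roles/cloudtrace.agent",
         "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com",
                     "user:alice@example.com"]},
        {"role": "roles/owner", "members": ["user:bob@example.com"]},
        {"role": "roles/cloudtrace.user", "members": ["group:sre@example.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    ],
}


def trace_writers(policy):
    """Return {member: sorted list of roles} for every principal that can write traces."""
    writers = {}
    for binding in policy.get("bindings", []):
        if binding["role"] in TRACE_WRITE_ROLES:
            for member in binding.get("members", []):
                writers.setdefault(member, set()).add(binding["role"])
    return {member: sorted(roles) for member, roles in writers.items()}


def findings(policy):
    """Flag bindings to review: the agent role on a non-service-account principal,
    and trace write access that comes only from a broad role (admin or owner)."""
    out = []
    for member, roles in trace_writers(policy).items():
        if "roles/cloudtrace.agent" in roles and not member.startswith("serviceAccount:"):
            out.append((member, "agent role on a non-service-account principal"))
        if "roles/cloudtrace.agent" not in roles:
            out.append((member, "trace write access via broad role: " + ", ".join(roles)))
    return out


if __name__ == "__main__":
    for member, reason in findings(SAMPLE_POLICY):
        print(f"{member}: {reason}")
```

Note that roles/editor is deliberately not flagged: per the table it adds only cloudtrace.tasks.create and cloudtrace.tasks.delete on top of roles/viewer, so the CI service account in the sample cannot write trace data.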

Custom roles

To create a custom role that includes Cloud Trace permissions, do the following:

  • For a role granting permissions only for the Cloud Trace API, choose from the permissions listed in the preceding API permissions section.
  • For a role granting permissions for the Cloud Trace API and the console, choose the permission groups listed in the preceding Console permissions section.
  • To grant the ability to write trace data, include the permission listed for roles/cloudtrace.agent in the Roles section (cloudtrace.traces.patch).

For more information on custom roles, go to Creating and managing custom roles.