Access control

Google Cloud Platform (GCP) offers Cloud Identity and Access Management (Cloud IAM), which lets you give granular access to specific GCP resources and prevents unwanted access to other resources. This page describes the Cloud IAM roles for Stackdriver Trace.

To learn how to assign Cloud IAM roles to a user or service account, read Managing policies in the Cloud IAM documentation.

Permissions and roles

This section summarizes the permissions and roles Stackdriver Trace supports.

API permissions

The following table lists the permissions that the caller must have to call each method in the Stackdriver Trace API, cloudtrace.googleapis.com/v1:

| Method (REST/RPC) | Required permission(s) | For resource type |
|---|---|---|
| projects.traces.list / ListTracesRequest | cloudtrace.traces.list | project |
| projects.traces.get / GetTraceRequest | cloudtrace.traces.get | project |
| projects.patchTraces / PatchTracesRequest | cloudtrace.traces.patch | project |

Console permissions

The following table lists the permissions required to use the Stackdriver Trace pages in the GCP Console:

| Activity | Required permissions |
|---|---|
| Read-only access to the Trace console. | cloudtrace.insights.get, cloudtrace.insights.list, cloudtrace.stats.get, cloudtrace.tasks.get, cloudtrace.tasks.list, cloudtrace.traces.get, cloudtrace.traces.list, resourcemanager.projects.get, resourcemanager.projects.list |
| Add ability to create Analysis reports in the console. | Read-only permissions plus: cloudtrace.tasks.create |
| Add ability to delete Analysis reports in the console. | Read-only permissions plus: cloudtrace.tasks.delete |
| Add ability to show logs in the console. | Read-only permissions plus: logging.logEntries.list |
| Add ability to show the App Engine service and version filter menus. | Read-only permissions plus: appengine.applications.get, appengine.services.list, appengine.versions.list |

Roles

Cloud IAM roles include permissions and can be assigned to users, groups, and service accounts. The following roles include the listed permissions for Stackdriver Trace:

| Role name | Trace permissions | Description |
|---|---|---|
| roles/cloudtrace.agent (Cloud Trace Agent) | cloudtrace.traces.patch | For service accounts. Ability to write traces by sending the data to Trace. |
| roles/cloudtrace.user (Cloud Trace User) | cloudtrace.insights.get, cloudtrace.insights.list, cloudtrace.stats.get, cloudtrace.tasks.create, cloudtrace.tasks.delete, cloudtrace.tasks.get, cloudtrace.tasks.list, cloudtrace.traces.get, cloudtrace.traces.list, resourcemanager.projects.get, resourcemanager.projects.list | Full access to the Trace console and read access to traces. |
| roles/cloudtrace.admin (Cloud Trace Admin) | Permissions in roles/cloudtrace.user, plus: cloudtrace.traces.patch | Full access to the Trace console and read-write access to traces. |
| roles/viewer (Project Viewer) | cloudtrace.insights.get, cloudtrace.insights.list, cloudtrace.stats.get, cloudtrace.tasks.get, cloudtrace.tasks.list, cloudtrace.traces.get, cloudtrace.traces.list, resourcemanager.projects.get, resourcemanager.projects.list | Read access to the Trace console and traces. |
| roles/editor (Project Editor) | Permissions from roles/viewer, plus: cloudtrace.tasks.create, cloudtrace.tasks.delete | Read-write access to the Trace console and read access to traces. |
| roles/owner (Project Owner) | Permissions from roles/editor, plus: cloudtrace.traces.patch | Read-write access to the Trace console and traces. |

Custom roles

To create a custom role that includes Stackdriver Trace permissions, do the following:

  • For a role granting permissions only for the Stackdriver Trace API, choose from the permissions in the preceding section, API permissions.
  • For a role granting permissions for the Stackdriver Trace API and console, choose permission groups in the preceding section, Console permissions.
  • To grant the ability to write trace data, include the permission(s) in the role roles/cloudtrace.agent in the section Roles.

For more information on custom roles, go to Creating and managing custom roles.
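
The role table above can be turned into a least-privilege check. The following is an added example, not code from the Stackdriver Trace documentation: it takes a policy in the bindings/members shape returned by getIamPolicy, resolves each member's Trace permissions from the roles listed on this page, and reports write access that deserves review. The project, members and custom role are constructed, and the "service account can read and write" finding is a review heuristic assumed here, not a rule stated on this page.

```python
# Added example: audit a getIamPolicy-style policy against the Trace role table.
READ = frozenset({
    "cloudtrace.insights.get", "cloudtrace.insights.list", "cloudtrace.stats.get",
    "cloudtrace.tasks.get", "cloudtrace.tasks.list", "cloudtrace.traces.get",
    "cloudtrace.traces.list", "resourcemanager.projects.get",
    "resourcemanager.projects.list"})
TASKS = frozenset({"cloudtrace.tasks.create", "cloudtrace.tasks.delete"})
PATCH = frozenset({"cloudtrace.traces.patch"})
ROLE_PERMS = {  # Trace permissions per role, as listed in the Roles table
    "roles/cloudtrace.agent": PATCH,
    "roles/cloudtrace.user": READ | TASKS,
    "roles/cloudtrace.admin": READ | TASKS | PATCH,
    "roles/viewer": READ,
    "roles/editor": READ | TASKS,
    "roles/owner": READ | TASKS | PATCH,
}

def effective_trace_permissions(policy, custom_roles=None):
    """Union of Trace permissions per member; conditions are ignored (upper bound)."""
    roles = {**ROLE_PERMS, **(custom_roles or {})}
    granted = {}
    for binding in policy.get("bindings", []):
        perms = roles.get(binding["role"], frozenset())  # unknown role: no Trace perms
        for member in binding.get("members", []):
            granted.setdefault(member, set()).update(perms)
    return granted

def audit(policy, custom_roles=None):
    """Return (member, finding) pairs for trace write access that needs review."""
    findings = []
    for member, perms in sorted(effective_trace_permissions(policy, custom_roles).items()):
        is_sa = member.startswith("serviceAccount:")
        can_write = "cloudtrace.traces.patch" in perms
        can_read = bool(perms & {"cloudtrace.traces.get", "cloudtrace.traces.list"})
        if can_write and not is_sa:  # the page describes trace writing as "for service accounts"
            findings.append((member, "non-service-account can write traces"))
        elif can_write and can_read:  # heuristic assumed in this example
            findings.append((member, "service account can read and write traces"))
    return findings

# Constructed sample data: hypothetical project, members and custom role.
SA = "serviceAccount:%s@example-project.iam.gserviceaccount.com"
CUSTOM = {"projects/example-project/roles/traceWriter": PATCH}
POLICY = {"bindings": [
    {"role": "roles/cloudtrace.agent", "members": [SA % "app"]},
    {"role": "roles/cloudtrace.user", "members": ["user:alice@example.com"]},
    {"role": "roles/owner", "members": ["user:bob@example.com"]},
    {"role": "roles/editor", "members": [SA % "batch"]},
    {"role": "projects/example-project/roles/traceWriter", "members": [SA % "batch"]},
]}
```

Calling audit(POLICY, CUSTOM) flags the batch service account, which gains read access from roles/editor and write access from the custom role, and the user holding roles/owner.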
