Console
    Contact Us Start free

    Control access with IAM

    When you create a Google Cloud project, you are the only user on the project. By default, no other users have access to your project or its resources. Identity and Access Management (IAM) manages access to Google Cloud resources, like clusters. Permissions are assigned to IAM principals .

    IAM lets you grant roles to principals . A role is a collection of permissions, and when granted to a principal, controls access to one or more Google Cloud resources . You can use the following types of roles:

    • Basic roles provide coarse permissions limited to Owner, Editor, and Viewer.
    • Pre-defined roles , provide finer-grained access than basic roles and address many common use cases.
    • Custom roles allow you to create unique combinations of permissions.

    A principal can be any of the following:

    • User account
    • Service account
    • Google Workspace Google Group
    • Google Workspace domain
    • Cloud Identity domain

    IAM policy types

    IAM supports the following policy types:

    • Allow policies: grant roles to principals. For details, see Allow policy .
    • Deny policies: prevent principals from using specific IAM permissions regardless of the roles that those principals are granted. For details, see Deny policies .

    Use deny policies to restrict specific principals from performing specific actions in your project, folder, or organization even if an IAM allow policy grants those principals a role that contains the relevant permissions.

    Predefined roles

    IAM provides predefined roles to grant granular access to specific Google Cloud resources and to prevent unwanted access to other resources. Google Cloud creates and maintains these roles and automatically updates their permissions as necessary, such as when Google Cloud Observability adds new features.

    Predefined roles for Google Cloud Observability contain permissions for features that span multiple product areas. For this reason, you might see some permissions, like observability.scopes.get , included in predefined roles for those product areas. For example, the Logs Viewer role ( roles/logging.viewer ) includes the observability.scopes.get permission in addition to many logging-specific permissions.

    The following table lists the predefined roles for Google Cloud Observability. For each role, the table displays the role title, description, contained permissions, and the lowest-level resource type where the roles can be granted. You can grant the predefined roles at the Google Cloud project level or, in most cases, any type higher in the resource hierarchy .

    To get a list of all individual permissions contained in a role, see Getting the role metadata .

    Observability roles

    Role
    Permissions

    ( roles/ observability.admin )

    Full access to Observability resources.

    observability.*

    • observability. analyticsViews. create
    • observability. analyticsViews. delete
    • observability. analyticsViews. get
    • observability. analyticsViews. list
    • observability. analyticsViews. update
    • observability.buckets.create
    • observability.buckets.delete
    • observability.buckets.get
    • observability.buckets.list
    • observability.buckets.undelete
    • observability.buckets.update
    • observability.datasets.create
    • observability.datasets.delete
    • observability.datasets.get
    • observability.datasets.list
    • observability. datasets. undelete
    • observability.datasets.update
    • observability.links.create
    • observability.links.delete
    • observability.links.get
    • observability.links.list
    • observability.links.update
    • observability. operations. cancel
    • observability. operations. delete
    • observability.operations.get
    • observability.operations.list
    • observability.scopes.get
    • observability.scopes.update
    • observability. traceScopes. create
    • observability. traceScopes. delete
    • observability.traceScopes.get
    • observability.traceScopes.list
    • observability. traceScopes. update
    • observability.views.access
    • observability.views.create
    • observability.views.delete
    • observability.views.get
    • observability.views.list
    • observability.views.update

    ( roles/ observability.analyticsUser )

    Grants permissions to use Cloud Observability Analytics.

    logging.queries.getShared

    logging.queries.listShared

    logging.queries.usePrivate

    observability.analyticsViews.*

    • observability. analyticsViews. create
    • observability. analyticsViews. delete
    • observability. analyticsViews. get
    • observability. analyticsViews. list
    • observability. analyticsViews. update

    observability.buckets.get

    observability.buckets.list

    observability.datasets.get

    observability.datasets.list

    observability.links.get

    observability.links.list

    observability.operations.get

    observability.operations.list

    observability.scopes.get

    observability.traceScopes.get

    observability.traceScopes.list

    observability.views.get

    observability.views.list

    ( roles/ observability.editor )

    Edit access to Observability resources.

    observability.analyticsViews.*

    • observability. analyticsViews. create
    • observability. analyticsViews. delete
    • observability. analyticsViews. get
    • observability. analyticsViews. list
    • observability. analyticsViews. update

    observability.buckets.create

    observability.buckets.get

    observability.buckets.list

    observability.buckets.update

    observability.datasets.create

    observability.datasets.get

    observability.datasets.list

    observability.datasets.update

    observability.links.*

    • observability.links.create
    • observability.links.delete
    • observability.links.get
    • observability.links.list
    • observability.links.update

    observability.operations.*

    • observability. operations. cancel
    • observability. operations. delete
    • observability.operations.get
    • observability.operations.list

    observability.scopes.*

    • observability.scopes.get
    • observability.scopes.update

    observability.traceScopes.*

    • observability. traceScopes. create
    • observability. traceScopes. delete
    • observability.traceScopes.get
    • observability.traceScopes.list
    • observability. traceScopes. update

    observability.views.create

    observability.views.delete

    observability.views.get

    observability.views.list

    observability.views.update

    ( roles/ observability.scopesEditor )

    Grants permission to view and edit Observability, Logging, Trace, and Monitoring scopes

    logging.logScopes.*

    • logging.logScopes.create
    • logging.logScopes.delete
    • logging.logScopes.get
    • logging.logScopes.list
    • logging.logScopes.update

    monitoring.metricsScopes.link

    observability.scopes.*

    • observability.scopes.get
    • observability.scopes.update

    observability.traceScopes.*

    • observability. traceScopes. create
    • observability. traceScopes. delete
    • observability.traceScopes.get
    • observability.traceScopes.list
    • observability. traceScopes. update

    ( roles/ observability.serviceAgent )

    Grants Observability service account the ability to list, create and link datasets in the consumer project.

    bigquery.datasets.create

    bigquery.datasets.get

    bigquery.datasets.link

    ( roles/ observability.viewAccessor )

    Read only access to data defined by an Observability View.

    observability.views.access

    ( roles/ observability.viewer )

    Read only access to Observability resources.

    observability. analyticsViews. get

    observability. analyticsViews. list

    observability.buckets.get

    observability.buckets.list

    observability.datasets.get

    observability.datasets.list

    observability.links.get

    observability.links.list

    observability.operations.get

    observability.operations.list

    observability.scopes.get

    observability.traceScopes.get

    observability.traceScopes.list

    observability.views.get

    observability.views.list

    Telemetry API roles

    Role
    Permissions

    ( roles/ telemetry.metricsWriter )

    Access to write metrics.

    telemetry.metrics.write

    ( roles/ telemetry.serviceLogsWriter )

    Allows an onboarded service to write log data to a destination.

    telemetry.consumers.writeLogs

    ( roles/ telemetry.serviceMetricsWriter )

    Allows an onboarded service to write metrics data to a destination.

    telemetry. consumers. writeMetrics

    ( roles/ telemetry.serviceTelemetryWriter )

    Allows an onboarded service to write all telemetry data to a destination.

    telemetry.consumers.*

    • telemetry.consumers.writeLogs
    • telemetry. consumers. writeMetrics
    • telemetry. consumers. writeTraces

    ( roles/ telemetry.serviceTracesWriter )

    Allows an onboarded service to write trace data to a destination.

    telemetry. consumers. writeTraces

    ( roles/ telemetry.tracesWriter )

    Access to write trace spans.

    telemetry.traces.write

    ( roles/ telemetry.writer )

    Full access to write all telemetry data.

    telemetry.metrics.write

    telemetry.traces.write

    What's next
    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: