Cloud Logging roles and permissions
Stay organized with collections Save and categorize content based on your preferences.

This page lists the IAM roles and permissions for Cloud Logging. To search through all roles and permissions, see the role and permission index.

Cloud Logging roles

Role Permissions

Role	Permissions
Logging Admin (`roles/logging.admin`) Provides all permissions necessary to use all features of Cloud Logging. Lowest-level resources where you can grant this role: Project	`logging.buckets.copyLogEntries` `logging.buckets.create` `logging.buckets.createTagBinding` `logging.buckets.delete` `logging.buckets.deleteTagBinding` `logging.buckets.get` `logging.buckets.list` `logging.buckets.listEffectiveTags` `logging.buckets.listTagBindings` `logging.buckets.undelete` `logging.buckets.update` `logging.exclusions.` `logging.exclusions.create` `logging.exclusions.delete` `logging.exclusions.get` `logging.exclusions.list` `logging.exclusions.update` `logging.fields.access` `logging.links.` `logging.links.create` `logging.links.delete` `logging.links.get` `logging.links.list` `logging.locations.` `logging.locations.get` `logging.locations.list` `logging.logEntries.` `logging.logEntries.create` `logging.logEntries.download` `logging.logEntries.list` `logging.logEntries.route` `logging.logMetrics.` `logging.logMetrics.create` `logging.logMetrics.delete` `logging.logMetrics.get` `logging.logMetrics.list` `logging.logMetrics.update` `logging.logScopes.` `logging.logScopes.create` `logging.logScopes.delete` `logging.logScopes.get` `logging.logScopes.list` `logging.logScopes.update` `logging.logServiceIndexes.list` `logging.logServices.list` `logging.logs.` `logging.logs.delete` `logging.logs.list` `logging.notificationRules.` `logging.notificationRules.create` `logging.notificationRules.delete` `logging.notificationRules.get` `logging.notificationRules.list` `logging.notificationRules.update` `logging.operations.` `logging.operations.cancel` `logging.operations.get` `logging.operations.list` `logging.privateLogEntries.list` `logging.queries.` `logging.queries.deleteShared` `logging.queries.getShared` `logging.queries.listShared` `logging.queries.share` `logging.queries.updateShared` `logging.queries.usePrivate` `logging.settings.` `logging.settings.get` `logging.settings.update` `logging.sinks.` `logging.sinks.create` `logging.sinks.delete` `logging.sinks.get` `logging.sinks.list` `logging.sinks.update` `logging.sqlAlerts.` `logging.sqlAlerts.create` `logging.sqlAlerts.update` `logging.usage.get` `logging.views.` `logging.views.access` `logging.views.create` `logging.views.delete` `logging.views.get` `logging.views.getIamPolicy` `logging.views.list` `logging.views.listLogs` `logging.views.listResourceKeys` `logging.views.listResourceValues` `logging.views.setIamPolicy` `logging.views.update` `observability.scopes.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
Logs Bucket Writer (`roles/logging.bucketWriter`) Ability to write logs to a log bucket. Lowest-level resources where you can grant this role: Project	`logging.buckets.write`
Logs Configuration Writer (`roles/logging.configWriter`) Provides permissions to read and write the configurations of logs-based metrics and sinks for exporting logs. Lowest-level resources where you can grant this role: Project	`logging.buckets.create` `logging.buckets.createTagBinding` `logging.buckets.delete` `logging.buckets.deleteTagBinding` `logging.buckets.get` `logging.buckets.list` `logging.buckets.listEffectiveTags` `logging.buckets.listTagBindings` `logging.buckets.undelete` `logging.buckets.update` `logging.exclusions.` `logging.exclusions.create` `logging.exclusions.delete` `logging.exclusions.get` `logging.exclusions.list` `logging.exclusions.update` `logging.links.` `logging.links.create` `logging.links.delete` `logging.links.get` `logging.links.list` `logging.locations.` `logging.locations.get` `logging.locations.list` `logging.logMetrics.` `logging.logMetrics.create` `logging.logMetrics.delete` `logging.logMetrics.get` `logging.logMetrics.list` `logging.logMetrics.update` `logging.logScopes.` `logging.logScopes.create` `logging.logScopes.delete` `logging.logScopes.get` `logging.logScopes.list` `logging.logScopes.update` `logging.logServiceIndexes.list` `logging.logServices.list` `logging.logs.list` `logging.notificationRules.` `logging.notificationRules.create` `logging.notificationRules.delete` `logging.notificationRules.get` `logging.notificationRules.list` `logging.notificationRules.update` `logging.operations.` `logging.operations.cancel` `logging.operations.get` `logging.operations.list` `logging.settings.` `logging.settings.get` `logging.settings.update` `logging.sinks.` `logging.sinks.create` `logging.sinks.delete` `logging.sinks.get` `logging.sinks.list` `logging.sinks.update` `logging.sqlAlerts.` `logging.sqlAlerts.create` `logging.sqlAlerts.update` `logging.views.create` `logging.views.delete` `logging.views.get` `logging.views.getIamPolicy` `logging.views.list` `logging.views.update` `observability.scopes.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
Log Field Accessor (`roles/logging.fieldAccessor`) Ability to read restricted fields in a log bucket. Lowest-level resources where you can grant this role: Project	`logging.fields.access`
Log Link Accessor (`roles/logging.linkViewer`) Ability to see links for a bucket.	`logging.links.get` `logging.links.list`
Logs Writer (`roles/logging.logWriter`) Provides the permissions to write log entries. Lowest-level resources where you can grant this role: Project	`logging.logEntries.create` `logging.logEntries.route`
Private Logs Viewer (`roles/logging.privateLogViewer`) Provides permissions of the Logs Viewer role and in addition, provides read-only access to log entries in private logs. Lowest-level resources where you can grant this role: Project	`logging.buckets.get` `logging.buckets.list` `logging.exclusions.get` `logging.exclusions.list` `logging.links.get` `logging.links.list` `logging.locations.*` `logging.locations.get` `logging.locations.list` `logging.logEntries.list` `logging.logMetrics.get` `logging.logMetrics.list` `logging.logServiceIndexes.list` `logging.logServices.list` `logging.logs.list` `logging.operations.get` `logging.operations.list` `logging.privateLogEntries.list` `logging.queries.getShared` `logging.queries.listShared` `logging.queries.usePrivate` `logging.sinks.get` `logging.sinks.list` `logging.usage.get` `logging.views.access` `logging.views.get` `logging.views.list` `observability.scopes.get` `resourcemanager.projects.get`
Cloud Logging Service Agent (`roles/logging.serviceAgent`) Grants a Cloud Logging Service Account the ability to create and link datasets. Warning: Do not grant service agent roles to any principals except service agents.	`bigquery.datasets.create` `bigquery.datasets.get` `bigquery.datasets.link`
SQL Alert Writer ^Beta (`roles/logging.sqlAlertWriter`) Ability to write SQL Alerts.	`logging.sqlAlerts.*` `logging.sqlAlerts.create` `logging.sqlAlerts.update`
Logs View Accessor (`roles/logging.viewAccessor`) Ability to read logs in a view. Lowest-level resources where you can grant this role: Project	`logging.logEntries.download` `logging.views.access` `logging.views.listLogs` `logging.views.listResourceKeys` `logging.views.listResourceValues`
Logs Viewer (`roles/logging.viewer`) Provides access to view logs. Lowest-level resources where you can grant this role: Project	`logging.buckets.get` `logging.buckets.list` `logging.exclusions.get` `logging.exclusions.list` `logging.links.get` `logging.links.list` `logging.locations.*` `logging.locations.get` `logging.locations.list` `logging.logEntries.list` `logging.logMetrics.get` `logging.logMetrics.list` `logging.logScopes.get` `logging.logScopes.list` `logging.logServiceIndexes.list` `logging.logServices.list` `logging.logs.list` `logging.operations.get` `logging.operations.list` `logging.queries.getShared` `logging.queries.listShared` `logging.queries.usePrivate` `logging.sinks.get` `logging.sinks.list` `logging.usage.get` `logging.views.get` `logging.views.list` `observability.scopes.get` `resourcemanager.projects.get`

Logging Admin

(roles/logging.admin)

Provides all permissions necessary to use all features of Cloud Logging.

Lowest-level resources where you can grant this role:

Project

logging.buckets.copyLogEntries

logging.buckets.create

logging.buckets.createTagBinding

logging.buckets.delete

logging.buckets.deleteTagBinding

logging.buckets.get

logging.buckets.list

logging.buckets.listEffectiveTags

logging.buckets.listTagBindings

logging.buckets.undelete

logging.buckets.update

logging.exclusions.*

logging.exclusions.create
logging.exclusions.delete
logging.exclusions.get
logging.exclusions.list
logging.exclusions.update

logging.fields.access

logging.links.*

logging.links.create
logging.links.delete
logging.links.get
logging.links.list

logging.locations.*

logging.locations.get
logging.locations.list

logging.logEntries.*

logging.logEntries.create
logging.logEntries.download
logging.logEntries.list
logging.logEntries.route

logging.logMetrics.*

logging.logMetrics.create
logging.logMetrics.delete
logging.logMetrics.get
logging.logMetrics.list
logging.logMetrics.update

logging.logScopes.*

logging.logScopes.create
logging.logScopes.delete
logging.logScopes.get
logging.logScopes.list
logging.logScopes.update

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.*

logging.logs.delete
logging.logs.list

logging.notificationRules.*

logging.notificationRules.create
logging.notificationRules.delete
logging.notificationRules.get
logging.notificationRules.list
logging.notificationRules.update

logging.operations.*

logging.operations.cancel
logging.operations.get
logging.operations.list

logging.privateLogEntries.list

logging.queries.*

logging.queries.deleteShared
logging.queries.getShared
logging.queries.listShared
logging.queries.share
logging.queries.updateShared
logging.queries.usePrivate

logging.settings.*

logging.settings.get
logging.settings.update

logging.sinks.*

logging.sinks.create
logging.sinks.delete
logging.sinks.get
logging.sinks.list
logging.sinks.update

logging.sqlAlerts.*

logging.sqlAlerts.create
logging.sqlAlerts.update

logging.usage.get

logging.views.*

logging.views.access
logging.views.create
logging.views.delete
logging.views.get
logging.views.getIamPolicy
logging.views.list
logging.views.listLogs
logging.views.listResourceKeys
logging.views.listResourceValues
logging.views.setIamPolicy
logging.views.update

observability.scopes.get

resourcemanager.projects.get

resourcemanager.projects.list

Logs Bucket Writer

(roles/logging.bucketWriter)

Ability to write logs to a log bucket.

Lowest-level resources where you can grant this role:

Project

logging.buckets.write

Logs Configuration Writer

(roles/logging.configWriter)

Provides permissions to read and write the configurations of logs-based metrics and sinks for exporting logs.

Lowest-level resources where you can grant this role:

Project

logging.buckets.create

logging.buckets.createTagBinding

logging.buckets.delete

logging.buckets.deleteTagBinding

logging.buckets.get

logging.buckets.list

logging.buckets.listEffectiveTags

logging.buckets.listTagBindings

logging.buckets.undelete

logging.buckets.update

logging.exclusions.*

logging.exclusions.create
logging.exclusions.delete
logging.exclusions.get
logging.exclusions.list
logging.exclusions.update

logging.links.*

logging.links.create
logging.links.delete
logging.links.get
logging.links.list

logging.locations.*

logging.locations.get
logging.locations.list

logging.logMetrics.*

logging.logMetrics.create
logging.logMetrics.delete
logging.logMetrics.get
logging.logMetrics.list
logging.logMetrics.update

logging.logScopes.*

logging.logScopes.create
logging.logScopes.delete
logging.logScopes.get
logging.logScopes.list
logging.logScopes.update

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.notificationRules.*

logging.notificationRules.create
logging.notificationRules.delete
logging.notificationRules.get
logging.notificationRules.list
logging.notificationRules.update

logging.operations.*

logging.operations.cancel
logging.operations.get
logging.operations.list

logging.settings.*

logging.settings.get
logging.settings.update

logging.sinks.*

logging.sinks.create
logging.sinks.delete
logging.sinks.get
logging.sinks.list
logging.sinks.update

logging.sqlAlerts.*

logging.sqlAlerts.create
logging.sqlAlerts.update

logging.views.create

logging.views.delete

logging.views.get

logging.views.getIamPolicy

logging.views.list

logging.views.update

observability.scopes.get

resourcemanager.projects.get

resourcemanager.projects.list

Log Field Accessor

(roles/logging.fieldAccessor)

Ability to read restricted fields in a log bucket.

Lowest-level resources where you can grant this role:

Project

logging.fields.access

Log Link Accessor

(roles/logging.linkViewer)

Ability to see links for a bucket.

logging.links.get

logging.links.list

Logs Writer

(roles/logging.logWriter)

Provides the permissions to write log entries.

Lowest-level resources where you can grant this role:

Project

logging.logEntries.create

logging.logEntries.route

Private Logs Viewer

(roles/logging.privateLogViewer)

Provides permissions of the Logs Viewer role and in addition, provides read-only access to log entries in private logs.

Lowest-level resources where you can grant this role:

Project

logging.buckets.get

logging.buckets.list

logging.exclusions.get

logging.exclusions.list

logging.links.get

logging.links.list

logging.locations.*

logging.locations.get
logging.locations.list

logging.logEntries.list

logging.logMetrics.get

logging.logMetrics.list

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.operations.get

logging.operations.list

logging.privateLogEntries.list

logging.queries.getShared

logging.queries.listShared

logging.queries.usePrivate

logging.sinks.get

logging.sinks.list

logging.usage.get

logging.views.access

logging.views.get

logging.views.list

observability.scopes.get

resourcemanager.projects.get

Cloud Logging Service Agent

(roles/logging.serviceAgent)

Grants a Cloud Logging Service Account the ability to create and link datasets.

bigquery.datasets.create

bigquery.datasets.get

bigquery.datasets.link

SQL Alert Writer ^Beta

(roles/logging.sqlAlertWriter)

Ability to write SQL Alerts.

logging.sqlAlerts.*

logging.sqlAlerts.create
logging.sqlAlerts.update

Logs View Accessor

(roles/logging.viewAccessor)

Ability to read logs in a view.

Lowest-level resources where you can grant this role:

Project

logging.logEntries.download

logging.views.access

logging.views.listLogs

logging.views.listResourceKeys

logging.views.listResourceValues

Logs Viewer

(roles/logging.viewer)

Provides access to view logs.

Lowest-level resources where you can grant this role:

Project

logging.buckets.get

logging.buckets.list

logging.exclusions.get

logging.exclusions.list

logging.links.get

logging.links.list

logging.locations.*

logging.locations.get
logging.locations.list

logging.logEntries.list

logging.logMetrics.get

logging.logMetrics.list

logging.logScopes.get

logging.logScopes.list

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.operations.get

logging.operations.list

logging.queries.getShared

logging.queries.listShared

logging.queries.usePrivate

logging.sinks.get

logging.sinks.list

logging.usage.get

logging.views.get

logging.views.list

observability.scopes.get

resourcemanager.projects.get

Cloud Logging permissions

Permission	Included in roles
`logging.buckets.copyLogEntries`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Logging Admin (`roles/logging.admin`)
`logging.buckets.create`	Owner (`roles/owner`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Apigee Service Agent (`roles/apigee.serviceAgent`)
`logging.buckets.createTagBinding`	Owner (`roles/owner`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Tag User (`roles/resourcemanager.tagUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.buckets.delete`	Owner (`roles/owner`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.buckets.deleteTagBinding`	Owner (`roles/owner`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Tag User (`roles/resourcemanager.tagUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.buckets.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Apigee Service Agent (`roles/apigee.serviceAgent`)
`logging.buckets.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Audit Manager Auditing Service Agent (`roles/auditmanager.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Cloud Security Compliance Service Agent (`roles/cloudsecuritycompliance.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Apigee Service Agent (`roles/apigee.serviceAgent`)
`logging.buckets.listEffectiveTags`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.buckets.listTagBindings`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.buckets.undelete`	Owner (`roles/owner`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.buckets.update`	Owner (`roles/owner`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`logging.buckets.write`	Logs Bucket Writer (`roles/logging.bucketWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Build Logging Service Agent (`roles/cloudbuild.loggingServiceAgent`)
`logging.exclusions.create`	Owner (`roles/owner`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`logging.exclusions.delete`	Owner (`roles/owner`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`logging.exclusions.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) VPC Service Controls Troubleshooter Viewer (`roles/accesscontextmanager.vpcScTroubleshooterViewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`logging.exclusions.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) VPC Service Controls Troubleshooter Viewer (`roles/accesscontextmanager.vpcScTroubleshooterViewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.exclusions.update`	Owner (`roles/owner`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`logging.fields.access`	Owner (`roles/owner`) Logging Admin (`roles/logging.admin`) Log Field Accessor (`roles/logging.fieldAccessor`)
`logging.links.create`	Owner (`roles/owner`) Editor (`roles/editor`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.links.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.links.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Log Link Accessor (`roles/logging.linkViewer`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.links.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Log Link Accessor (`roles/logging.linkViewer`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Monitoring Service Agent (`roles/monitoring.notificationServiceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.locations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.locations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.logEntries.create`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Cloud Deploy Runner (`roles/clouddeploy.jobRunner`) Composer Worker (`roles/composer.worker`) Confidential Space Workload User (`roles/confidentialcomputing.workloadUser`) Cloud Infrastructure Manager Agent (`roles/config.agent`) Kubernetes Engine Default Node Service Account (`roles/container.defaultNodeServiceAccount`) Dataflow Worker (`roles/dataflow.worker`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Dataproc Worker (`roles/dataproc.worker`) Anthos Multi-cloud Telemetry Writer (`roles/gkemulticloud.telemetryWriter`) Logging Admin (`roles/logging.admin`) Logs Writer (`roles/logging.logWriter`) Cloud Run Builder (`roles/run.builder`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`) Vertex AI Extension Service Agent (`roles/aiplatform.extensionServiceAgent`) Vertex AI Notebook Service Agent (`roles/aiplatform.notebookServiceAgent`) Vertex AI RAG Data Service Agent (`roles/aiplatform.ragServiceAgent`) Vertex AI Reasoning Engine Service Agent (`roles/aiplatform.reasoningEngineServiceAgent`) Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) Anthos Service Mesh Service Agent (`roles/anthosservicemesh.serviceAgent`) App Engine flexible environment Service Agent (`roles/appengineflex.serviceAgent`) Recommendations AI Service Agent (`roles/automlrecommendations.serviceAgent`) BigQuery Connection Service Agent (`roles/bigqueryconnection.serviceAgent`) BigQuery Data Transfer Service Agent (`roles/bigquerydatatransfer.serviceAgent`) Gemini for Google Cloud Service Agent (`roles/cloudaicompanion.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Infrastructure Manager Service Agent (`roles/cloudconfig.serviceAgent`) Cloud Deploy Service Agent (`roles/clouddeploy.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud IoT Core Service Agent (`roles/cloudiot.serviceAgent`) Cloud Scheduler Service Agent (`roles/cloudscheduler.serviceAgent`) Cloud Tasks Service Agent (`roles/cloudtasks.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Compute Engine Service Agent (`roles/compute.serviceAgent`) Kubernetes Engine Default Node Service Agent (`roles/container.defaultNodeServiceAgent`) [Deprecated] Kubernetes Engine Node Service Agent (`roles/container.nodeServiceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Resource Manager Node Service Agent (`roles/dataprocrm.nodeServiceAgent`) Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`) Firebase Machine Learning Service Agent (`roles/firebaseml.serviceAgent`) Anthos Multi-Cloud Container Service Agent (`roles/gkemulticloud.containerServiceAgent`) Mesh Managed Control Plane Service Agent (`roles/meshcontrolplane.serviceAgent`) Mesh Data Plane Service Agent (`roles/meshdataplane.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) RMA Service Agent (`roles/rapidmigrationassessment.serviceAgent`) Retail Service Agent (`roles/retail.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Serverless VPC Access Service Agent (`roles/vpcaccess.serviceAgent`) Vertex AI Custom Code Service Agent (`roles/aiplatform.customCodeServiceAgent`)
`logging.logEntries.download`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Logging Admin (`roles/logging.admin`) Logs View Accessor (`roles/logging.viewAccessor`)
`logging.logEntries.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) VPC Service Controls Troubleshooter Viewer (`roles/accesscontextmanager.vpcScTroubleshooterViewer`) Billing Account Administrator (`roles/billing.admin`) Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Cloud Hub Operator (`roles/cloudhub.operator`) Composer Worker (`roles/composer.worker`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Develop Viewer (`roles/firebase.developViewer`) Firebase Viewer (`roles/firebase.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Logging Admin (`roles/logging.admin`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Secured Landing Zone Service Agent (`roles/securedlandingzone.serviceAgent`) Security Center Control Service Agent (`roles/securitycenter.controlServiceAgent`) Security Center Service Agent (`roles/securitycenter.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`)
`logging.logEntries.route`	Owner (`roles/owner`) Editor (`roles/editor`) Composer Worker (`roles/composer.worker`) Dataflow Worker (`roles/dataflow.worker`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Dataproc Worker (`roles/dataproc.worker`) Anthos Multi-cloud Telemetry Writer (`roles/gkemulticloud.telemetryWriter`) Logging Admin (`roles/logging.admin`) Logs Writer (`roles/logging.logWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`) Vertex AI Extension Service Agent (`roles/aiplatform.extensionServiceAgent`) Vertex AI Notebook Service Agent (`roles/aiplatform.notebookServiceAgent`) Vertex AI RAG Data Service Agent (`roles/aiplatform.ragServiceAgent`) Vertex AI Reasoning Engine Service Agent (`roles/aiplatform.reasoningEngineServiceAgent`) Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) Recommendations AI Service Agent (`roles/automlrecommendations.serviceAgent`) BigQuery Connection Service Agent (`roles/bigqueryconnection.serviceAgent`) BigQuery Data Transfer Service Agent (`roles/bigquerydatatransfer.serviceAgent`) Gemini for Google Cloud Service Agent (`roles/cloudaicompanion.serviceAgent`) Infrastructure Manager Service Agent (`roles/cloudconfig.serviceAgent`) Cloud IoT Core Service Agent (`roles/cloudiot.serviceAgent`) Cloud Scheduler Service Agent (`roles/cloudscheduler.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Resource Manager Node Service Agent (`roles/dataprocrm.nodeServiceAgent`) Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) Firebase Machine Learning Service Agent (`roles/firebaseml.serviceAgent`) Anthos Multi-Cloud Container Service Agent (`roles/gkemulticloud.containerServiceAgent`) Mesh Managed Control Plane Service Agent (`roles/meshcontrolplane.serviceAgent`) Mesh Data Plane Service Agent (`roles/meshdataplane.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Retail Service Agent (`roles/retail.serviceAgent`) Vertex AI Custom Code Service Agent (`roles/aiplatform.customCodeServiceAgent`)
`logging.logMetrics.create`	Owner (`roles/owner`) Editor (`roles/editor`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Serverless VPC Access Service Agent (`roles/vpcaccess.serviceAgent`) App Engine flexible environment Service Agent (`roles/appengineflex.serviceAgent`)
`logging.logMetrics.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Serverless VPC Access Service Agent (`roles/vpcaccess.serviceAgent`) App Engine flexible environment Service Agent (`roles/appengineflex.serviceAgent`)
`logging.logMetrics.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) VPC Service Controls Troubleshooter Viewer (`roles/accesscontextmanager.vpcScTroubleshooterViewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Serverless VPC Access Service Agent (`roles/vpcaccess.serviceAgent`) App Engine flexible environment Service Agent (`roles/appengineflex.serviceAgent`)
`logging.logMetrics.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) VPC Service Controls Troubleshooter Viewer (`roles/accesscontextmanager.vpcScTroubleshooterViewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.logMetrics.update`	Owner (`roles/owner`) Editor (`roles/editor`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Serverless VPC Access Service Agent (`roles/vpcaccess.serviceAgent`) App Engine flexible environment Service Agent (`roles/appengineflex.serviceAgent`)
`logging.logScopes.create`	Owner (`roles/owner`) Editor (`roles/editor`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.logScopes.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.logScopes.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.logScopes.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.logScopes.update`	Owner (`roles/owner`) Editor (`roles/editor`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.logServiceIndexes.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) VPC Service Controls Troubleshooter Viewer (`roles/accesscontextmanager.vpcScTroubleshooterViewer`) Billing Account Administrator (`roles/billing.admin`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.logServices.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) VPC Service Controls Troubleshooter Viewer (`roles/accesscontextmanager.vpcScTroubleshooterViewer`) Billing Account Administrator (`roles/billing.admin`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.logs.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Logging Admin (`roles/logging.admin`)
`logging.logs.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) VPC Service Controls Troubleshooter Viewer (`roles/accesscontextmanager.vpcScTroubleshooterViewer`) Billing Account Administrator (`roles/billing.admin`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.notificationRules.create`	Owner (`roles/owner`) Editor (`roles/editor`) Error Reporting Admin (`roles/errorreporting.admin`) Error Reporting User (`roles/errorreporting.user`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`logging.notificationRules.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Error Reporting Admin (`roles/errorreporting.admin`) Error Reporting User (`roles/errorreporting.user`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.notificationRules.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Error Reporting Admin (`roles/errorreporting.admin`) Error Reporting User (`roles/errorreporting.user`) Error Reporting Viewer (`roles/errorreporting.viewer`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.notificationRules.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Error Reporting Admin (`roles/errorreporting.admin`) Error Reporting User (`roles/errorreporting.user`) Error Reporting Viewer (`roles/errorreporting.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.notificationRules.update`	Owner (`roles/owner`) Editor (`roles/editor`) Error Reporting Admin (`roles/errorreporting.admin`) Error Reporting User (`roles/errorreporting.user`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.operations.cancel`	Owner (`roles/owner`) Editor (`roles/editor`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.operations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.operations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.privateLogEntries.list`	Owner (`roles/owner`) Billing Account Administrator (`roles/billing.admin`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Logging Admin (`roles/logging.admin`) Private Logs Viewer (`roles/logging.privateLogViewer`)
`logging.queries.deleteShared`	Owner (`roles/owner`) Logging Admin (`roles/logging.admin`)
`logging.queries.getShared`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Logging Admin (`roles/logging.admin`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`)
`logging.queries.listShared`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Logging Admin (`roles/logging.admin`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`)
`logging.queries.share`	Owner (`roles/owner`) Logging Admin (`roles/logging.admin`)
`logging.queries.updateShared`	Owner (`roles/owner`) Logging Admin (`roles/logging.admin`)
`logging.queries.usePrivate`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Logging Admin (`roles/logging.admin`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`)
`logging.settings.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.settings.update`	Owner (`roles/owner`) Editor (`roles/editor`) Assured Workloads Administrator (`roles/assuredworkloads.admin`) Assured Workloads Editor (`roles/assuredworkloads.editor`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Security Compliance Service Agent (`roles/cloudsecuritycompliance.serviceAgent`)
`logging.sinks.create`	Owner (`roles/owner`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`logging.sinks.delete`	Owner (`roles/owner`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`logging.sinks.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) VPC Service Controls Troubleshooter Viewer (`roles/accesscontextmanager.vpcScTroubleshooterViewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`logging.sinks.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) VPC Service Controls Troubleshooter Viewer (`roles/accesscontextmanager.vpcScTroubleshooterViewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.sinks.update`	Owner (`roles/owner`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`logging.sqlAlerts.create`	Owner (`roles/owner`) Editor (`roles/editor`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) SQL Alert Writer (`roles/logging.sqlAlertWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.sqlAlerts.update`	Owner (`roles/owner`) Editor (`roles/editor`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) SQL Alert Writer (`roles/logging.sqlAlertWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.usage.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) VPC Service Controls Troubleshooter Viewer (`roles/accesscontextmanager.vpcScTroubleshooterViewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Logging Admin (`roles/logging.admin`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`)
`logging.views.access`	Owner (`roles/owner`) Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Composer Worker (`roles/composer.worker`) Logging Admin (`roles/logging.admin`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs View Accessor (`roles/logging.viewAccessor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`)
`logging.views.create`	Owner (`roles/owner`) Editor (`roles/editor`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Apigee Service Agent (`roles/apigee.serviceAgent`)
`logging.views.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.views.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Apigee Service Agent (`roles/apigee.serviceAgent`)
`logging.views.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.views.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Apigee Service Agent (`roles/apigee.serviceAgent`)
`logging.views.listLogs`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Logging Admin (`roles/logging.admin`) Logs View Accessor (`roles/logging.viewAccessor`)
`logging.views.listResourceKeys`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Logging Admin (`roles/logging.admin`) Logs View Accessor (`roles/logging.viewAccessor`)
`logging.views.listResourceValues`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Logging Admin (`roles/logging.admin`) Logs View Accessor (`roles/logging.viewAccessor`)
`logging.views.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Logging Admin (`roles/logging.admin`)
`logging.views.update`	Owner (`roles/owner`) Editor (`roles/editor`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)

Cloud Logging roles and permissions Stay organized with collections Save and categorize content based on your preferences.