使用 IAM 控制访问权限

如需使用 Monitoring,您必须具有适当的 Identity and Access Management (IAM) 权限。通常情况下,API 中的每个 REST 方法都有关联的权限。如需使用该方法或使用依赖于该方法的控制台功能,您必须拥有使用相应方法的权限。权限不是直接授予用户的,而是通过角色间接授予。角色可将多个权限分为一组,以便于管理:

系统会为您预定义常用权限组合的角色。不过,您也可以通过创建 IAM 自定义角色来创建自己的权限组合。

最佳做法

我们建议您创建 Google 群组来管理对 Google Cloud 项目的访问权限:

VPC Service Controls

如需进一步控制对监控数据的访问权限,除了使用 IAM 以外,还请使用 VPC Service Controls

VPC Service Controls 可为 Cloud Monitoring 提供额外的安全保护,有助于降低数据泄露的风险。使用 VPC Service Controls,您可以向服务边界添加指标范围,以保护 Cloud Monitoring 资源和服务免受来自该范围之外的请求的影响。

如需详细了解服务边界,请参阅 VPC Service Controls 服务边界配置文档

如需了解 VPC Service Controls 的 Monitoring 支持,包括已知限制,请参阅 Monitoring VPC Service Controls 文档

授予对 Cloud Monitoring 的访问权限

如需管理正文的 IAM 角色,您可以使用 Google Cloud 控制台中的“Identity and Access Management”页面或 Google Cloud CLI。不过,Cloud Monitoring 提供了一个简化的界面,可让您管理 Monitoring 专用角色、项目级角色以及 Cloud Logging 和 Cloud Trace 的通用角色。

如需向主账号授予对 Monitoring、Cloud Logging 或 Cloud Trace 的访问权限,或授予项目级角色,请执行以下操作:

控制台

  1. 在 Google Cloud 控制台中,前往  权限页面:

    前往权限

    如果您使用搜索栏查找此页面,请选择子标题为监控的结果。

    权限页面不会显示所有主账号。其中仅列出了具有项目级角色或特定于 Monitoring、Logging 或 Trace 的角色的主账号。

    您可以使用此页面上的选项查看角色包含任何 Monitoring 权限的所有主账号。

  2. 点击 授予访问权限

  3. 点击新主账号,然后输入主账号的用户名。您可以添加多个主账号。

  4. 展开 选择角色,从按产品或服务菜单中选择一个值,然后从角色菜单中选择一个角色:

    按产品或服务选择 Roles 选择 说明
    监控 Monitoring Viewer 查看监控数据和配置信息。 例如,具有此角色的主账号可以查看自定义信息中心提醒政策
    监控 Monitoring Editor 查看监控数据,以及创建和修改配置。例如,具有此角色的正文可以创建自定义信息中心提醒政策
    监控 Monitoring Admin 对 Google Cloud 控制台中的 Monitoring 和 Cloud Monitoring API 的完整访问权限。 您可以查看 Monitoring 数据、创建和修改配置,以及修改指标范围
    Cloud Trace Cloud Trace User Trace 控制台的完整访问权限,跟踪记录的读取权限,以及接收器的读写权限。如需了解详情,请参阅轨迹角色
    Cloud Trace Cloud Trace Admin Trace 控制台的完整访问权限,跟踪记录的读写权限,以及接收器的读写权限。如需了解详情,请参阅轨迹角色
    日志记录 Logs Viewer 查看日志的访问权限。如需了解详情,请参阅日志记录角色
    日志记录 Logging Admin 拥有对 Cloud Logging 的所有功能的完整访问权限。如需了解详情,请参阅日志记录角色
    项目 查看者 拥有对大多数 Google Cloud 资源的查看权限。
    项目 Editor 查看、创建、更新和删除大部分 Google Cloud 资源。
    项目 Owner 拥有对大多数 Google Cloud 资源的完整访问权限。

  5. 可选:如需向同一主账号授予其他角色,请点击添加其他角色,然后重复上述步骤。

  6. 点击保存

前面的步骤介绍了如何使用 Google Cloud 控制台中的“监控”页面向主账号授予特定角色。对于这些角色,此页面还支持修改和删除选项:

  • 如需移除主账号的角色,请选中主账号旁边的复选框,然后点击 移除访问权限

  • 如需修改主账号的角色,请点击 修改。更新设置后,点击保存

gcloud

使用 gcloud projects add-iam-policy-binding 命令授予 monitoring.viewermonitoring.editor 角色。

例如:

export PROJECT_ID="my-test-project"
export EMAIL_ADDRESS="myuser@gmail.com"
gcloud projects add-iam-policy-binding \
      $PROJECT_ID \
      --member="user:$EMAIL_ADDRESS" \
      --role="roles/monitoring.editor"

您可以使用 gcloud projects get-iam-policy 命令确认已授予的角色:

export PROJECT_ID="my-test-project"
gcloud projects get-iam-policy $PROJECT_ID

预定义角色

本部分列出了 Cloud Monitoring 预定义的部分 IAM 角色。

Monitoring 角色

以下角色可授予针对 Monitoring 的一般权限:

名称
职位		 具有的权限
roles/monitoring.viewer
Monitoring Viewer 		授予对 Google Cloud 控制台中的 Monitoring 和 Cloud Monitoring API 的只读权限。
roles/monitoring.editor
Monitoring Editor 		授予对 Google Cloud 控制台中的 Monitoring 和 Cloud Monitoring API 的读写权限。
roles/monitoring.admin
Monitoring Admin 		授予对 Google Cloud 控制台中的 Monitoring 和 Cloud Monitoring API 的完整访问权限。

以下角色可为服务账号提供只写权限:

名称
职位		 说明
roles/monitoring.metricWriter
Monitoring Metric Writer

此角色适用于服务账号和代理。
不允许访问 Google Cloud 控制台中的 Monitoring。
允许将监控数据写入指标范围。

提醒政策角色

以下角色可授予针对提醒策略的权限:

名称
职位		 说明
roles/monitoring.alertPolicyViewer
Monitoring AlertPolicy Viewer		 授予对提醒政策的只读权限。
roles/monitoring.alertPolicyEditor
Monitoring AlertPolicy Editor		 授予对提醒政策的读写权限。

信息中心角色

以下角色仅授予针对信息中心的权限:

名称
职位		 说明
roles/monitoring.dashboardViewer
Monitoring Dashboard Configuration Viewer		 授予对信息中心配置的只读权限。
roles/monitoring.dashboardEditor
Monitoring Dashboard Configuration Editor		 授予对信息中心配置的读写权限。

突发事件角色

以下角色仅授予针对突发事件的权限:

名称
职位		 说明
roles/monitoring.cloudConsoleIncidentViewer
Monitoring Cloud 控制台 Incident Viewer		 授予使用 Google Cloud 控制台查看突发事件的权限。
roles/monitoring.cloudConsoleIncidentEditor
Monitoring Cloud Console Incident Editor		 授予使用 Google Cloud 控制台查看、确认和关闭突发事件的权限。

如需了解如何解决查看突发事件时出现的 IAM 权限错误,请参阅由于权限错误而无法查看突发事件详情

通知渠道角色

以下角色仅授予针对通知渠道的权限:

名称
职位		 说明
roles/monitoring.notificationChannelViewer
Monitoring NotificationChannel Viewer		 授予对通知渠道的只读权限。
roles/monitoring.notificationChannelEditor
Monitoring NotificationChannel Editor		 授予对通知渠道的读写权限。

延后通知角色

以下角色可授予推迟通知的权限:

名称
职位		 说明
roles/monitoring.snoozeViewer
Monitoring Snooze Viewer		 授予对推迟的只读权限。
roles/monitoring.snoozeEditor
Monitoring Snooze Editor		 授予对暂停的读写权限。

服务监控角色

以下角色授予管理服务的权限:

名称
职位		 说明
roles/monitoring.servicesViewer
Monitoring Services Viewer		 授予对服务的只读权限。
roles/monitoring.servicesEditor
Monitoring Services Editor		 授予对服务的读写权限。

如需详细了解服务监控,请参阅 SLO 监控

正常运行时间检查配置角色

以下角色仅授予针对正常运行时间检查配置的权限:

名称
职位		 说明
roles/monitoring.uptimeCheckConfigViewer
Monitoring Uptime Check Configurations Viewer		 授予对正常运行时间检查配置的只读权限。
roles/monitoring.uptimeCheckConfigEditor
Monitoring Uptime Check Configurations Editor		 授予对正常运行时间检查配置的读写权限。

指标范围配置角色

以下角色授予了指标范围的一般权限:

名称
职位		 说明
roles/monitoring.metricsScopesViewer
Monitoring Metrics Scopes Viewer		 授予对指标范围的只读权限。
roles/monitoring.metricsScopesAdmin
Monitoring Metrics Scopes Admin		 授予对指标范围的读写权限。

预定义角色的权限

本部分列出了分配给与 Monitoring 关联的预定义角色的权限。

如需详细了解预定义角色,请参阅 IAM:角色和权限。如需有关选择最合适的预定义角色的帮助,请参阅选择预定义角色

Monitoring 角色的权限

Role Permissions

(roles/monitoring.admin)

Provides full access to Cloud Monitoring.

Lowest-level resources where you can grant this role:

  • Project

cloudnotifications.activities.list

monitoring.*

  • monitoring.alertPolicies.create
  • monitoring.alertPolicies.delete
  • monitoring.alertPolicies.get
  • monitoring.alertPolicies.list
  • monitoring.alertPolicies.update
  • monitoring.dashboards.create
  • monitoring.dashboards.delete
  • monitoring.dashboards.get
  • monitoring.dashboards.list
  • monitoring.dashboards.update
  • monitoring.groups.create
  • monitoring.groups.delete
  • monitoring.groups.get
  • monitoring.groups.list
  • monitoring.groups.update
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.delete
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.metricsScopes.link
  • monitoring.monitoredResourceDescriptors.get
  • monitoring.monitoredResourceDescriptors.list
  • monitoring.notificationChannelDescriptors.get
  • monitoring.notificationChannelDescriptors.list
  • monitoring.notificationChannels.create
  • monitoring.notificationChannels.delete
  • monitoring.notificationChannels.get
  • monitoring.notificationChannels.getVerificationCode
  • monitoring.notificationChannels.list
  • monitoring.notificationChannels.sendVerificationCode
  • monitoring.notificationChannels.update
  • monitoring.notificationChannels.verify
  • monitoring.services.create
  • monitoring.services.delete
  • monitoring.services.get
  • monitoring.services.list
  • monitoring.services.update
  • monitoring.slos.create
  • monitoring.slos.delete
  • monitoring.slos.get
  • monitoring.slos.list
  • monitoring.slos.update
  • monitoring.snoozes.create
  • monitoring.snoozes.get
  • monitoring.snoozes.list
  • monitoring.snoozes.update
  • monitoring.timeSeries.create
  • monitoring.timeSeries.list
  • monitoring.uptimeCheckConfigs.create
  • monitoring.uptimeCheckConfigs.delete
  • monitoring.uptimeCheckConfigs.get
  • monitoring.uptimeCheckConfigs.list
  • monitoring.uptimeCheckConfigs.update

opsconfigmonitoring.*

  • opsconfigmonitoring.resourceMetadata.list
  • opsconfigmonitoring.resourceMetadata.write

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.enable

serviceusage.services.get

stackdriver.*

  • stackdriver.projects.edit
  • stackdriver.projects.get
  • stackdriver.resourceMetadata.list
  • stackdriver.resourceMetadata.write

(roles/monitoring.alertPolicyEditor)

Read/write access to alerting policies.

monitoring.alertPolicies.*

  • monitoring.alertPolicies.create
  • monitoring.alertPolicies.delete
  • monitoring.alertPolicies.get
  • monitoring.alertPolicies.list
  • monitoring.alertPolicies.update

(roles/monitoring.alertPolicyViewer)

Read-only access to alerting policies.

monitoring.alertPolicies.get

monitoring.alertPolicies.list

(roles/monitoring.cloudConsoleIncidentEditor)

Read/write access to incidents from Cloud Console.

(roles/monitoring.cloudConsoleIncidentViewer)

Read access to incidents from Cloud Console.

(roles/monitoring.dashboardEditor)

Read/write access to dashboard configurations.

monitoring.dashboards.*

  • monitoring.dashboards.create
  • monitoring.dashboards.delete
  • monitoring.dashboards.get
  • monitoring.dashboards.list
  • monitoring.dashboards.update

(roles/monitoring.dashboardViewer)

Read-only access to dashboard configurations.

monitoring.dashboards.get

monitoring.dashboards.list

(roles/monitoring.editor)

Provides full access to information about all monitoring data and configurations.

Lowest-level resources where you can grant this role:

  • Project

cloudnotifications.activities.list

monitoring.alertPolicies.*

  • monitoring.alertPolicies.create
  • monitoring.alertPolicies.delete
  • monitoring.alertPolicies.get
  • monitoring.alertPolicies.list
  • monitoring.alertPolicies.update

monitoring.dashboards.*

  • monitoring.dashboards.create
  • monitoring.dashboards.delete
  • monitoring.dashboards.get
  • monitoring.dashboards.list
  • monitoring.dashboards.update

monitoring.groups.*

  • monitoring.groups.create
  • monitoring.groups.delete
  • monitoring.groups.get
  • monitoring.groups.list
  • monitoring.groups.update

monitoring.metricDescriptors.*

  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.delete
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

  • monitoring.monitoredResourceDescriptors.get
  • monitoring.monitoredResourceDescriptors.list

monitoring.notificationChannelDescriptors.*

  • monitoring.notificationChannelDescriptors.get
  • monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.create

monitoring.notificationChannels.delete

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.notificationChannels.sendVerificationCode

monitoring.notificationChannels.update

monitoring.notificationChannels.verify

monitoring.services.*

  • monitoring.services.create
  • monitoring.services.delete
  • monitoring.services.get
  • monitoring.services.list
  • monitoring.services.update

monitoring.slos.*

  • monitoring.slos.create
  • monitoring.slos.delete
  • monitoring.slos.get
  • monitoring.slos.list
  • monitoring.slos.update

monitoring.snoozes.*

  • monitoring.snoozes.create
  • monitoring.snoozes.get
  • monitoring.snoozes.list
  • monitoring.snoozes.update

monitoring.timeSeries.*

  • monitoring.timeSeries.create
  • monitoring.timeSeries.list

monitoring.uptimeCheckConfigs.*

  • monitoring.uptimeCheckConfigs.create
  • monitoring.uptimeCheckConfigs.delete
  • monitoring.uptimeCheckConfigs.get
  • monitoring.uptimeCheckConfigs.list
  • monitoring.uptimeCheckConfigs.update

opsconfigmonitoring.*

  • opsconfigmonitoring.resourceMetadata.list
  • opsconfigmonitoring.resourceMetadata.write

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.enable

serviceusage.services.get

stackdriver.*

  • stackdriver.projects.edit
  • stackdriver.projects.get
  • stackdriver.resourceMetadata.list
  • stackdriver.resourceMetadata.write

(roles/monitoring.metricWriter)

Provides write-only access to metrics. This provides exactly the permissions needed by the Cloud Monitoring agent and other systems that send metrics.

Lowest-level resources where you can grant this role:

  • Project

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

  • monitoring.monitoredResourceDescriptors.get
  • monitoring.monitoredResourceDescriptors.list

monitoring.timeSeries.create

(roles/monitoring.metricsScopesAdmin)

Access to add and remove monitored projects from metrics scopes.

monitoring.metricsScopes.link

resourcemanager.projects.get

resourcemanager.projects.list

(roles/monitoring.metricsScopesViewer)

Read-only access to metrics scopes and their monitored projects.

resourcemanager.projects.get

resourcemanager.projects.list

(roles/monitoring.notificationChannelEditor)

Read/write access to notification channels.

monitoring.notificationChannelDescriptors.*

  • monitoring.notificationChannelDescriptors.get
  • monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.create

monitoring.notificationChannels.delete

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.notificationChannels.sendVerificationCode

monitoring.notificationChannels.update

monitoring.notificationChannels.verify

(roles/monitoring.notificationChannelViewer)

Read-only access to notification channels.

monitoring.notificationChannelDescriptors.*

  • monitoring.notificationChannelDescriptors.get
  • monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.get

monitoring.notificationChannels.list

(roles/monitoring.servicesEditor)

Read/write access to services.

monitoring.services.*

  • monitoring.services.create
  • monitoring.services.delete
  • monitoring.services.get
  • monitoring.services.list
  • monitoring.services.update

monitoring.slos.*

  • monitoring.slos.create
  • monitoring.slos.delete
  • monitoring.slos.get
  • monitoring.slos.list
  • monitoring.slos.update

(roles/monitoring.servicesViewer)

Read-only access to services.

monitoring.services.get

monitoring.services.list

monitoring.slos.get

monitoring.slos.list

(roles/monitoring.snoozeEditor)

monitoring.snoozes.*

  • monitoring.snoozes.create
  • monitoring.snoozes.get
  • monitoring.snoozes.list
  • monitoring.snoozes.update

(roles/monitoring.snoozeViewer)

monitoring.snoozes.get

monitoring.snoozes.list

(roles/monitoring.uptimeCheckConfigEditor)

Read/write access to uptime check configurations.

monitoring.uptimeCheckConfigs.*

  • monitoring.uptimeCheckConfigs.create
  • monitoring.uptimeCheckConfigs.delete
  • monitoring.uptimeCheckConfigs.get
  • monitoring.uptimeCheckConfigs.list
  • monitoring.uptimeCheckConfigs.update

(roles/monitoring.uptimeCheckConfigViewer)

Read-only access to uptime check configurations.

monitoring.uptimeCheckConfigs.get

monitoring.uptimeCheckConfigs.list

(roles/monitoring.viewer)

Provides read-only access to get and list information about all monitoring data and configurations.

Lowest-level resources where you can grant this role:

  • Project

cloudnotifications.activities.list

monitoring.alertPolicies.get

monitoring.alertPolicies.list

monitoring.dashboards.get

monitoring.dashboards.list

monitoring.groups.get

monitoring.groups.list

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

  • monitoring.monitoredResourceDescriptors.get
  • monitoring.monitoredResourceDescriptors.list

monitoring.notificationChannelDescriptors.*

  • monitoring.notificationChannelDescriptors.get
  • monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.services.get

monitoring.services.list

monitoring.slos.get

monitoring.slos.list

monitoring.snoozes.get

monitoring.snoozes.list

monitoring.timeSeries.list

monitoring.uptimeCheckConfigs.get

monitoring.uptimeCheckConfigs.list

opsconfigmonitoring.resourceMetadata.list

resourcemanager.projects.get

resourcemanager.projects.list

stackdriver.projects.get

stackdriver.resourceMetadata.list

Ops Config Monitoring 角色的权限

Role Permissions

(roles/opsconfigmonitoring.resourceMetadata.viewer)

Read-only access to resource metadata.

opsconfigmonitoring.resourceMetadata.list

(roles/opsconfigmonitoring.resourceMetadata.writer)

Write-only access to resource metadata. This provides exactly the permissions needed by the Ops Config Monitoring metadata agent and other systems that send metadata.

opsconfigmonitoring.resourceMetadata.write

Stackdriver 角色的权限

Role Permissions

(roles/stackdriver.accounts.editor)

Read/write access to manage Stackdriver account structure.

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.enable

serviceusage.services.get

stackdriver.projects.*

  • stackdriver.projects.edit
  • stackdriver.projects.get

(roles/stackdriver.accounts.viewer)

Read-only access to get and list information about Stackdriver account structure.

resourcemanager.projects.get

resourcemanager.projects.list

stackdriver.projects.get

(roles/stackdriver.resourceMetadata.writer)

Write-only access to resource metadata. This provides exactly the permissions needed by the Stackdriver metadata agent and other systems that send metadata.

stackdriver.resourceMetadata.write

Google Cloud 角色包含的 Monitoring 权限

Google Cloud 角色具备以下权限:

名称
职位		 具有的权限
roles/viewer
Viewer 		Monitoring 权限与 roles/monitoring.viewer 的权限相同。
roles/editor
Editor

Monitoring 权限与 roles/monitoring.editor 的权限相同,但 stackdriver.projects.edit 权限除外。 角色 roles/editor 不包含 stackdriver.projects.edit 权限。

此角色不授予修改指标范围的权限。 如需在使用该 API 时修改指标范围,您的角色必须包含 monitoring.metricsScopes.link 权限。 如需在使用 Google Cloud 控制台时修改指标范围,您的角色必须包含 monitoring.metricsScopes.link 权限,或者您必须具有 roles/monitoring.editor 角色。
roles/owner
Owner 		Monitoring 权限与 roles/monitoring.admin 的权限相同。

自定义角色

如果您想向主账号授予一组比预定义角色授予的权限更为有限的权限,则可以创建自定义角色。例如,如果您因数据驻留或影响级别 4 (IL4) 要求而设置了 Assured Workloads,则不应使用正常运行情况检查,因为无法保证正常运行情况检查数据会保留在特定地理位置。如需禁止使用拨测,请创建一个不包含任何权限且前缀为 monitoring.uptimeCheckConfigs 的角色。

要创建具备 Monitoring 权限的自定义角色,请执行以下操作:

  • 对于仅授予 Monitoring API 权限的角色,请从权限和预定义角色部分的权限中进行选择。

  • 对于授予 Google Cloud 控制台中 Monitoring 权限的角色,请从 Monitoring 角色部分的权限组中进行选择。

  • 如需授予写入监控数据的权限,请在权限和预定义角色部分中添加 roles/monitoring.metricWriter 角色的权限。

如需详细了解自定义角色,请转到了解 IAM 自定义角色

Compute Engine 访问权限范围

访问权限范围是为 Compute Engine 虚拟机实例指定权限的传统方法。以下访问权限范围适用于 Monitoring:

访问权限范围 授予的权限
https://www.googleapis.com/auth/monitoring.read 权限与 roles/monitoring.viewer 相同。
https://www.googleapis.com/auth/monitoring.write 权限与 roles/monitoring.metricWriter 相同。
https://www.googleapis.com/auth/monitoring 拥有 Monitoring 的完整访问权限。
https://www.googleapis.com/auth/cloud-platform 拥有所有已启用 Cloud API 的完整访问权限。

如需了解详情,请转到访问权限范围

最佳做法。 合理的做法是为虚拟机实例提供最强大的访问权限范围 (cloud-platform),然后使用 IAM 角色限制对特定 API 和操作的访问权限。如需了解详情,请转到服务账号权限