本頁面由 Cloud Translation API 翻譯而成。

使用 IAM 控管存取權

如要使用監控功能，您必須具備適當的 Identity and Access Management (IAM) 權限。一般而言，API 中的每個 REST 方法都有關聯的權限。如要使用該方法，或使用依賴該方法的控制台功能，您必須具備使用對應方法的權限。權限不會直接授予使用者；而是會透過角色間接授予權限，如此可將多個權限分組，使權限管理起來更加容易：

如要瞭解存取權控管，請參閱「存取權管理相關概念」。

如要瞭解如何授予主體角色，請參閱「授予 Cloud Monitoring 存取權」。

系統已為您預先定義常見權限組合的角色。不過，您也可以建立 IAM 自訂角色，自行組合權限。

最佳做法

建議您建立 Google 群組，以便管理專案的存取權：Google Cloud

詳情請參閱「在 Google Cloud 控制台中管理群組」。
如要瞭解如何設定角色限制，請參閱設定角色授予限制。
如需完整的 IAM 角色和權限清單，請參閱身分與存取權管理基本和預先定義角色參考資料。

VPC Service Controls

如要進一步控管監控資料的存取權，請搭配使用 VPC Service Controls 和 IAM。

VPC Service Controls 為 Cloud Monitoring 提供額外的安全性，以降低資料遭到竊取的風險。您可以透過 VPC Service Controls 將指標範圍加入服務範圍，如此一來，源自服務範圍外的要求就無法存取 Cloud Monitoring 資源及服務。

如要進一步瞭解服務範圍，請參閱 VPC Service Controls 服務範圍設定說明文件。

如要瞭解 Monitoring 對 VPC Service Controls 的支援情形 (包括已知限制)，請參閱 Monitoring VPC Service Controls 說明文件。

授予 Cloud Monitoring 的存取權

如要管理主體的 IAM 角色，可以使用 Google Cloud 控制台中的「Identity and Access Management」(身分與存取權管理) 頁面，也可以使用 Google Cloud CLI。不過，Cloud Monitoring 提供簡化的介面，可讓您管理 Monitoring 專屬角色、專案層級角色，以及 Cloud Logging 和 Cloud Trace 的通用角色。

如要授予主體 Monitoring、Cloud Logging 或 Cloud Trace 的存取權，或是授予專案層級的角色，請按照下列步驟操作：

控制台

前往 Google Cloud 控制台的「Permissions」(權限) 頁面：
前往「權限」

如果您是使用搜尋列尋找這個頁面，請選取子標題為「Monitoring」的結果。

「權限」頁面不會顯示所有主體。這份清單只會列出具有專案層級角色，或是 Monitoring、Logging 或 Trace 專屬角色的主體。

您可以在這個頁面查看所有主體，這些主體的角色包含任何 Monitoring 權限。
按一下「授予存取權」。
按一下「新增主體」，然後輸入主體的使用者名稱。您可以新增多個主體。

展開「Select a role」(選取角色) ，從「By product or service」(依產品或服務) 選單中選取值，然後從「Roles」(角色) 選單中選取角色：

選取「依產品或服務劃分」	選取「角色」	說明
監控	監控檢視器	查看監控資料和設定資訊。舉例來說，具有這個角色的主體可以查看自訂資訊主頁和快訊政策。
監控	監控編輯器	查看監控資料，以及建立和編輯設定。舉例來說，具有這項角色的主體可以建立自訂資訊主頁和快訊政策。
監控	監控管理員	在 Google Cloud 控制台和 Cloud Monitoring API 中，擁有 Monitoring 的完整存取權。您可以查看監控資料、建立及編輯設定，以及修改指標範圍。
Cloud Trace	Cloud Trace 使用者	Trace 主控台的完整存取權、追蹤記錄的讀取權限，以及接收器的讀取/寫入權限。詳情請參閱「追蹤角色」。
Cloud Trace	Cloud Trace 管理員	Trace 主控台的完整存取權、追蹤記錄的讀取/寫入權限，以及接收器的讀取/寫入權限。詳情請參閱「追蹤角色」。
記錄	記錄檢視器	查看記錄檔存取權。詳情請參閱記錄檔角色。
記錄	記錄管理員	具備 Cloud Logging 所有功能的完整存取權。詳情請參閱記錄檔角色。
專案	檢視者	查看大多數 Google Cloud 資源的存取權。
專案	編輯	查看、建立、更新及刪除大部分的 Google Cloud 資源。
專案	版主	具備大多數 Google Cloud 資源的完整存取權。

選用：如要將其他角色授予相同主體，請按一下「新增其他角色」，然後重複上一個步驟。
按一下 [儲存]。

前述步驟說明如何使用 Google Cloud 控制台的「監控」頁面，授予主體特定角色。對於這些角色，這個頁面也支援編輯和刪除選項：

如要移除主體的角色，請選取主體旁的方塊，然後按一下「移除存取權」。
如要編輯主體的角色，請按一下「編輯」。更新設定後，按一下「儲存」。

gcloud

使用 gcloud projects add-iam-policy-binding 指令授予 monitoring.viewer 或 monitoring.editor 角色。

例如：

export PROJECT_ID="my-test-project"
export EMAIL_ADDRESS="myuser@gmail.com"
gcloud projects add-iam-policy-binding \
      $PROJECT_ID \
      --member="user:$EMAIL_ADDRESS" \
      --role="roles/monitoring.editor"

您可以使用 gcloud projects get-iam-policy 指令確認授予的角色：

export PROJECT_ID="my-test-project"
gcloud projects get-iam-policy $PROJECT_ID

預先定義的角色

本節列出 Cloud Monitoring 預先定義的部分 IAM 角色。

Monitoring 角色

以下角色為 Monitoring 授予一般權限：

名稱標題	具備的權限
`roles/monitoring.viewer` Monitoring 檢視者	授予在控制台和 Cloud Monitoring API 中對 Monitoring 的唯讀存取權。 Google Cloud
`roles/monitoring.editor` Monitoring 編輯者	授予控制台和 Cloud Monitoring API 的讀取/寫入權限。 Google Cloud
`roles/monitoring.admin` 監控管理員	授予控制台和 Cloud Monitoring API 的完整 Monitoring 存取權。 Google Cloud

以下角色由服務帳戶用於唯寫存取：

名稱標題	說明
`roles/monitoring.metricWriter` Monitoring 指標寫入者	這個角色適用於服務帳戶和代理程式。不允許存取主控台中的 Monitoring。 Google Cloud 允許將監控資料寫入指標範圍。

快訊政策角色

以下角色會授予快訊政策的權限：

名稱標題	說明
`roles/monitoring.alertPolicyViewer` Monitoring AlertPolicy 檢視者	具備快訊政策的唯讀存取權。
`roles/monitoring.alertPolicyEditor` Monitoring AlertPolicy 編輯者	可讀寫存取快訊政策。

資訊主頁角色

以下角色僅為資訊主頁授予權限：

名稱標題	說明
`roles/monitoring.dashboardViewer` Monitoring 資訊主頁設定檢視者	授予資訊主頁設定的唯讀存取權。
`roles/monitoring.dashboardEditor` Monitoring 資訊主頁設定編輯者	授予資訊主頁設定的讀寫存取權。

事件角色

以下角色僅為事件授予權限：

名稱標題	說明
`roles/monitoring.cloudConsoleIncidentViewer` Monitoring Cloud 控制台事件檢視者	可授予使用 Google Cloud 控制台查看事件的權限。
`roles/monitoring.cloudConsoleIncidentEditor` Monitoring Cloud 控制台事件編輯者	授權使用者透過 Google Cloud 控制台查看、確認及結案事件。

如要瞭解如何解決查看事件時發生的 IAM 權限錯誤，請參閱「無法查看事件詳細資料，因為發生權限錯誤」。

通知管道角色

以下角色僅為通知管道授予權限：

名稱標題	說明
`roles/monitoring.notificationChannelViewer` Monitoring NotificationChannel 檢視者	授予通知管道的唯讀存取權。
`roles/monitoring.notificationChannelEditor` Monitoring NotificationChannel 編輯者	授予通知管道的讀寫權限。

延後通知角色

以下角色可授予暫緩通知的權限：

名稱標題	說明
`roles/monitoring.snoozeViewer` Monitoring 暫緩檢視者	授予暫緩通知的唯讀存取權。
`roles/monitoring.snoozeEditor` Monitoring 暫緩通知編輯者	授予暫緩通知的讀寫權限。

服務監控角色

以下角色可授予管理服務的權限：

名稱標題	說明
`roles/monitoring.servicesViewer` 監控服務檢視者	授予服務的唯讀存取權。
`roles/monitoring.servicesEditor` 監控服務編輯者	授予服務的讀寫權限。

如要進一步瞭解服務監控，請參閱「SLO 監控」。

運作時間檢查設定角色

以下角色僅為運作時間檢查設定授予權限：

名稱標題	說明
`roles/monitoring.uptimeCheckConfigViewer` Monitoring 運作時間檢查設定檢視者	授予運作時間檢查設定的唯讀存取權。
`roles/monitoring.uptimeCheckConfigEditor` Monitoring 運作時間檢查設定編輯者	可讀取及寫入運作時間檢查設定。

指標範圍設定角色

以下角色授予指標範圍的一般權限：

名稱標題	說明
`roles/monitoring.metricsScopesViewer` Monitoring 指標範圍檢視者	具備指標範圍的唯讀存取權。
`roles/monitoring.metricsScopesAdmin` Monitoring 指標範圍管理員	授予指標範圍的讀寫權限。

預先定義角色的權限

本節列出指派給與 Monitoring 相關聯預先定義角色的權限。

如要進一步瞭解預先定義的角色，請參閱「IAM：角色和權限」。如需選擇最合適預先定義角色的說明，請參閱「選擇預先定義的角色」。

監控角色權限

Role Permissions

Role	Permissions
Monitoring Admin (`roles/monitoring.admin`) Provides full access to Cloud Monitoring. Lowest-level resources where you can grant this role: Project	`cloudnotifications.activities.list` `monitoring.` `monitoring.alertPolicies.create` `monitoring.alertPolicies.createTagBinding` `monitoring.alertPolicies.delete` `monitoring.alertPolicies.deleteTagBinding` `monitoring.alertPolicies.get` `monitoring.alertPolicies.list` `monitoring.alertPolicies.listEffectiveTags` `monitoring.alertPolicies.listTagBindings` `monitoring.alertPolicies.update` `monitoring.dashboards.create` `monitoring.dashboards.createTagBinding` `monitoring.dashboards.delete` `monitoring.dashboards.deleteTagBinding` `monitoring.dashboards.get` `monitoring.dashboards.list` `monitoring.dashboards.listEffectiveTags` `monitoring.dashboards.listTagBindings` `monitoring.dashboards.update` `monitoring.groups.create` `monitoring.groups.delete` `monitoring.groups.get` `monitoring.groups.list` `monitoring.groups.update` `monitoring.metricDescriptors.create` `monitoring.metricDescriptors.delete` `monitoring.metricDescriptors.get` `monitoring.metricDescriptors.list` `monitoring.metricsScopes.link` `monitoring.monitoredResourceDescriptors.get` `monitoring.monitoredResourceDescriptors.list` `monitoring.notificationChannelDescriptors.get` `monitoring.notificationChannelDescriptors.list` `monitoring.notificationChannels.create` `monitoring.notificationChannels.delete` `monitoring.notificationChannels.get` `monitoring.notificationChannels.getVerificationCode` `monitoring.notificationChannels.list` `monitoring.notificationChannels.sendVerificationCode` `monitoring.notificationChannels.update` `monitoring.notificationChannels.verify` `monitoring.services.create` `monitoring.services.delete` `monitoring.services.get` `monitoring.services.list` `monitoring.services.update` `monitoring.slos.create` `monitoring.slos.delete` `monitoring.slos.get` `monitoring.slos.list` `monitoring.slos.update` `monitoring.snoozes.create` `monitoring.snoozes.get` `monitoring.snoozes.list` `monitoring.snoozes.update` `monitoring.timeSeries.create` `monitoring.timeSeries.list` `monitoring.uptimeCheckConfigs.create` `monitoring.uptimeCheckConfigs.delete` `monitoring.uptimeCheckConfigs.get` `monitoring.uptimeCheckConfigs.list` `monitoring.uptimeCheckConfigs.update` `opsconfigmonitoring.` `opsconfigmonitoring.resourceMetadata.list` `opsconfigmonitoring.resourceMetadata.write` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.services.enable` `serviceusage.services.get` `stackdriver.*` `stackdriver.projects.edit` `stackdriver.projects.get` `stackdriver.resourceMetadata.list` `stackdriver.resourceMetadata.write`
Monitoring AlertPolicy Editor (`roles/monitoring.alertPolicyEditor`) Read/write access to alerting policies.	`monitoring.alertPolicies.*` `monitoring.alertPolicies.create` `monitoring.alertPolicies.createTagBinding` `monitoring.alertPolicies.delete` `monitoring.alertPolicies.deleteTagBinding` `monitoring.alertPolicies.get` `monitoring.alertPolicies.list` `monitoring.alertPolicies.listEffectiveTags` `monitoring.alertPolicies.listTagBindings` `monitoring.alertPolicies.update`
Monitoring AlertPolicy Viewer (`roles/monitoring.alertPolicyViewer`) Read-only access to alerting policies.	`monitoring.alertPolicies.get` `monitoring.alertPolicies.list` `monitoring.alertPolicies.listEffectiveTags` `monitoring.alertPolicies.listTagBindings`
Monitoring Cloud Console Incident Editor ^Beta (`roles/monitoring.cloudConsoleIncidentEditor`) Read/write access to incidents from Cloud Console.
Monitoring Cloud Console Incident Viewer ^Beta (`roles/monitoring.cloudConsoleIncidentViewer`) Read access to incidents from Cloud Console.
Monitoring Dashboard Configuration Editor (`roles/monitoring.dashboardEditor`) Read/write access to dashboard configurations.	`monitoring.dashboards.*` `monitoring.dashboards.create` `monitoring.dashboards.createTagBinding` `monitoring.dashboards.delete` `monitoring.dashboards.deleteTagBinding` `monitoring.dashboards.get` `monitoring.dashboards.list` `monitoring.dashboards.listEffectiveTags` `monitoring.dashboards.listTagBindings` `monitoring.dashboards.update`
Monitoring Dashboard Configuration Viewer (`roles/monitoring.dashboardViewer`) Read-only access to dashboard configurations.	`monitoring.dashboards.get` `monitoring.dashboards.list` `monitoring.dashboards.listEffectiveTags` `monitoring.dashboards.listTagBindings`
Monitoring Editor (`roles/monitoring.editor`) Provides full access to information about all monitoring data and configurations. Lowest-level resources where you can grant this role: Project	`cloudnotifications.activities.list` `monitoring.alertPolicies.` `monitoring.alertPolicies.create` `monitoring.alertPolicies.createTagBinding` `monitoring.alertPolicies.delete` `monitoring.alertPolicies.deleteTagBinding` `monitoring.alertPolicies.get` `monitoring.alertPolicies.list` `monitoring.alertPolicies.listEffectiveTags` `monitoring.alertPolicies.listTagBindings` `monitoring.alertPolicies.update` `monitoring.dashboards.` `monitoring.dashboards.create` `monitoring.dashboards.createTagBinding` `monitoring.dashboards.delete` `monitoring.dashboards.deleteTagBinding` `monitoring.dashboards.get` `monitoring.dashboards.list` `monitoring.dashboards.listEffectiveTags` `monitoring.dashboards.listTagBindings` `monitoring.dashboards.update` `monitoring.groups.` `monitoring.groups.create` `monitoring.groups.delete` `monitoring.groups.get` `monitoring.groups.list` `monitoring.groups.update` `monitoring.metricDescriptors.` `monitoring.metricDescriptors.create` `monitoring.metricDescriptors.delete` `monitoring.metricDescriptors.get` `monitoring.metricDescriptors.list` `monitoring.monitoredResourceDescriptors.` `monitoring.monitoredResourceDescriptors.get` `monitoring.monitoredResourceDescriptors.list` `monitoring.notificationChannelDescriptors.` `monitoring.notificationChannelDescriptors.get` `monitoring.notificationChannelDescriptors.list` `monitoring.notificationChannels.create` `monitoring.notificationChannels.delete` `monitoring.notificationChannels.get` `monitoring.notificationChannels.list` `monitoring.notificationChannels.sendVerificationCode` `monitoring.notificationChannels.update` `monitoring.notificationChannels.verify` `monitoring.services.` `monitoring.services.create` `monitoring.services.delete` `monitoring.services.get` `monitoring.services.list` `monitoring.services.update` `monitoring.slos.` `monitoring.slos.create` `monitoring.slos.delete` `monitoring.slos.get` `monitoring.slos.list` `monitoring.slos.update` `monitoring.snoozes.` `monitoring.snoozes.create` `monitoring.snoozes.get` `monitoring.snoozes.list` `monitoring.snoozes.update` `monitoring.timeSeries.` `monitoring.timeSeries.create` `monitoring.timeSeries.list` `monitoring.uptimeCheckConfigs.` `monitoring.uptimeCheckConfigs.create` `monitoring.uptimeCheckConfigs.delete` `monitoring.uptimeCheckConfigs.get` `monitoring.uptimeCheckConfigs.list` `monitoring.uptimeCheckConfigs.update` `opsconfigmonitoring.` `opsconfigmonitoring.resourceMetadata.list` `opsconfigmonitoring.resourceMetadata.write` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.services.enable` `serviceusage.services.get` `stackdriver.*` `stackdriver.projects.edit` `stackdriver.projects.get` `stackdriver.resourceMetadata.list` `stackdriver.resourceMetadata.write`
Monitoring Metric Writer (`roles/monitoring.metricWriter`) Provides write-only access to metrics. This provides exactly the permissions needed by the Cloud Monitoring agent and other systems that send metrics. Lowest-level resources where you can grant this role: Project	`monitoring.metricDescriptors.create` `monitoring.metricDescriptors.get` `monitoring.metricDescriptors.list` `monitoring.monitoredResourceDescriptors.*` `monitoring.monitoredResourceDescriptors.get` `monitoring.monitoredResourceDescriptors.list` `monitoring.timeSeries.create`
Monitoring Metrics Scopes Admin ^Beta (`roles/monitoring.metricsScopesAdmin`) Access to add and remove monitored projects from metrics scopes.	`monitoring.metricsScopes.link` `resourcemanager.projects.get` `resourcemanager.projects.list`
Monitoring Metrics Scopes Viewer ^Beta (`roles/monitoring.metricsScopesViewer`) Read-only access to metrics scopes and their monitored projects.	`resourcemanager.projects.get` `resourcemanager.projects.list`
Monitoring NotificationChannel Editor ^Beta (`roles/monitoring.notificationChannelEditor`) Read/write access to notification channels.	`monitoring.notificationChannelDescriptors.*` `monitoring.notificationChannelDescriptors.get` `monitoring.notificationChannelDescriptors.list` `monitoring.notificationChannels.create` `monitoring.notificationChannels.delete` `monitoring.notificationChannels.get` `monitoring.notificationChannels.list` `monitoring.notificationChannels.sendVerificationCode` `monitoring.notificationChannels.update` `monitoring.notificationChannels.verify`
Monitoring NotificationChannel Viewer ^Beta (`roles/monitoring.notificationChannelViewer`) Read-only access to notification channels.	`monitoring.notificationChannelDescriptors.*` `monitoring.notificationChannelDescriptors.get` `monitoring.notificationChannelDescriptors.list` `monitoring.notificationChannels.get` `monitoring.notificationChannels.list`
Monitoring Service Agent (`roles/monitoring.notificationServiceAgent`) Grants permissions to deliver notifications directly to resources within the target project, such as delivering to Pub/Sub topics within the project. Warning: Do not grant service agent roles to any principals except service agents.	`bigquery.jobs.create` `cloudfunctions.functions.get` `cloudtrace.traces.patch` `logging.links.list` `monitoring.metricDescriptors.get` `monitoring.metricDescriptors.list` `monitoring.monitoredResourceDescriptors.*` `monitoring.monitoredResourceDescriptors.get` `monitoring.monitoredResourceDescriptors.list` `monitoring.timeSeries.list` `run.routes.invoke` `servicedirectory.networks.access` `servicedirectory.services.resolve` `serviceusage.services.use`
Monitoring Services Editor (`roles/monitoring.servicesEditor`) Read/write access to services.	`monitoring.services.` `monitoring.services.create` `monitoring.services.delete` `monitoring.services.get` `monitoring.services.list` `monitoring.services.update` `monitoring.slos.` `monitoring.slos.create` `monitoring.slos.delete` `monitoring.slos.get` `monitoring.slos.list` `monitoring.slos.update`
Monitoring Services Viewer (`roles/monitoring.servicesViewer`) Read-only access to services.	`monitoring.services.get` `monitoring.services.list` `monitoring.slos.get` `monitoring.slos.list`
Monitoring Snooze Editor (`roles/monitoring.snoozeEditor`)	`monitoring.snoozes.*` `monitoring.snoozes.create` `monitoring.snoozes.get` `monitoring.snoozes.list` `monitoring.snoozes.update`
Monitoring Snooze Viewer (`roles/monitoring.snoozeViewer`)	`monitoring.snoozes.get` `monitoring.snoozes.list`
Monitoring Uptime Check Configuration Editor ^Beta (`roles/monitoring.uptimeCheckConfigEditor`) Read/write access to uptime check configurations.	`monitoring.uptimeCheckConfigs.*` `monitoring.uptimeCheckConfigs.create` `monitoring.uptimeCheckConfigs.delete` `monitoring.uptimeCheckConfigs.get` `monitoring.uptimeCheckConfigs.list` `monitoring.uptimeCheckConfigs.update`
Monitoring Uptime Check Configuration Viewer ^Beta (`roles/monitoring.uptimeCheckConfigViewer`) Read-only access to uptime check configurations.	`monitoring.uptimeCheckConfigs.get` `monitoring.uptimeCheckConfigs.list`
Monitoring Viewer (`roles/monitoring.viewer`) Provides read-only access to get and list information about all monitoring data and configurations. Lowest-level resources where you can grant this role: Project	`cloudnotifications.activities.list` `monitoring.alertPolicies.get` `monitoring.alertPolicies.list` `monitoring.alertPolicies.listEffectiveTags` `monitoring.alertPolicies.listTagBindings` `monitoring.dashboards.get` `monitoring.dashboards.list` `monitoring.dashboards.listEffectiveTags` `monitoring.dashboards.listTagBindings` `monitoring.groups.get` `monitoring.groups.list` `monitoring.metricDescriptors.get` `monitoring.metricDescriptors.list` `monitoring.monitoredResourceDescriptors.` `monitoring.monitoredResourceDescriptors.get` `monitoring.monitoredResourceDescriptors.list` `monitoring.notificationChannelDescriptors.` `monitoring.notificationChannelDescriptors.get` `monitoring.notificationChannelDescriptors.list` `monitoring.notificationChannels.get` `monitoring.notificationChannels.list` `monitoring.services.get` `monitoring.services.list` `monitoring.slos.get` `monitoring.slos.list` `monitoring.snoozes.get` `monitoring.snoozes.list` `monitoring.timeSeries.list` `monitoring.uptimeCheckConfigs.get` `monitoring.uptimeCheckConfigs.list` `opsconfigmonitoring.resourceMetadata.list` `resourcemanager.projects.get` `resourcemanager.projects.list` `stackdriver.projects.get` `stackdriver.resourceMetadata.list`
Ops Config Monitoring Resource Metadata Viewer ^Beta (`roles/opsconfigmonitoring.resourceMetadata.viewer`) Read-only access to resource metadata.	`opsconfigmonitoring.resourceMetadata.list`
Ops Config Monitoring Resource Metadata Writer ^Beta (`roles/opsconfigmonitoring.resourceMetadata.writer`) Write-only access to resource metadata. This provides exactly the permissions needed by the Ops Config Monitoring metadata agent and other systems that send metadata.	`opsconfigmonitoring.resourceMetadata.write`
Stackdriver Accounts Editor (`roles/stackdriver.accounts.editor`) Read/write access to manage Stackdriver account structure.	`resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.services.enable` `serviceusage.services.get` `stackdriver.projects.*` `stackdriver.projects.edit` `stackdriver.projects.get`
Stackdriver Accounts Viewer (`roles/stackdriver.accounts.viewer`) Read-only access to get and list information about Stackdriver account structure.	`resourcemanager.projects.get` `resourcemanager.projects.list` `stackdriver.projects.get`
Stackdriver Resource Metadata Writer ^Beta (`roles/stackdriver.resourceMetadata.writer`) Write-only access to resource metadata. This provides exactly the permissions needed by the Stackdriver metadata agent and other systems that send metadata.	`stackdriver.resourceMetadata.write`

Monitoring Admin

(roles/monitoring.admin)

Provides full access to Cloud Monitoring.

Lowest-level resources where you can grant this role:

Project

cloudnotifications.activities.list

monitoring.*

monitoring.alertPolicies.create
monitoring.alertPolicies.createTagBinding
monitoring.alertPolicies.delete
monitoring.alertPolicies.deleteTagBinding
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.alertPolicies.listEffectiveTags
monitoring.alertPolicies.listTagBindings
monitoring.alertPolicies.update
monitoring.dashboards.create
monitoring.dashboards.createTagBinding
monitoring.dashboards.delete
monitoring.dashboards.deleteTagBinding
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.dashboards.listEffectiveTags
monitoring.dashboards.listTagBindings
monitoring.dashboards.update
monitoring.groups.create
monitoring.groups.delete
monitoring.groups.get
monitoring.groups.list
monitoring.groups.update
monitoring.metricDescriptors.create
monitoring.metricDescriptors.delete
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.metricsScopes.link
monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list
monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list
monitoring.notificationChannels.create
monitoring.notificationChannels.delete
monitoring.notificationChannels.get
monitoring.notificationChannels.getVerificationCode
monitoring.notificationChannels.list
monitoring.notificationChannels.sendVerificationCode
monitoring.notificationChannels.update
monitoring.notificationChannels.verify
monitoring.services.create
monitoring.services.delete
monitoring.services.get
monitoring.services.list
monitoring.services.update
monitoring.slos.create
monitoring.slos.delete
monitoring.slos.get
monitoring.slos.list
monitoring.slos.update
monitoring.snoozes.create
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.snoozes.update
monitoring.timeSeries.create
monitoring.timeSeries.list
monitoring.uptimeCheckConfigs.create
monitoring.uptimeCheckConfigs.delete
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
monitoring.uptimeCheckConfigs.update

opsconfigmonitoring.*

opsconfigmonitoring.resourceMetadata.list
opsconfigmonitoring.resourceMetadata.write

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.enable

serviceusage.services.get

stackdriver.*

stackdriver.projects.edit
stackdriver.projects.get
stackdriver.resourceMetadata.list
stackdriver.resourceMetadata.write

Monitoring AlertPolicy Editor

(roles/monitoring.alertPolicyEditor)

Read/write access to alerting policies.

monitoring.alertPolicies.*

monitoring.alertPolicies.create
monitoring.alertPolicies.createTagBinding
monitoring.alertPolicies.delete
monitoring.alertPolicies.deleteTagBinding
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.alertPolicies.listEffectiveTags
monitoring.alertPolicies.listTagBindings
monitoring.alertPolicies.update

Monitoring AlertPolicy Viewer

(roles/monitoring.alertPolicyViewer)

Read-only access to alerting policies.

monitoring.alertPolicies.get

monitoring.alertPolicies.list

monitoring.alertPolicies.listEffectiveTags

monitoring.alertPolicies.listTagBindings

Monitoring Cloud Console Incident Editor ^Beta

(roles/monitoring.cloudConsoleIncidentEditor)

Read/write access to incidents from Cloud Console.

Monitoring Cloud Console Incident Viewer ^Beta

(roles/monitoring.cloudConsoleIncidentViewer)

Read access to incidents from Cloud Console.

Monitoring Dashboard Configuration Editor

(roles/monitoring.dashboardEditor)

Read/write access to dashboard configurations.

monitoring.dashboards.*

monitoring.dashboards.create
monitoring.dashboards.createTagBinding
monitoring.dashboards.delete
monitoring.dashboards.deleteTagBinding
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.dashboards.listEffectiveTags
monitoring.dashboards.listTagBindings
monitoring.dashboards.update

Monitoring Dashboard Configuration Viewer

(roles/monitoring.dashboardViewer)

Read-only access to dashboard configurations.

monitoring.dashboards.get

monitoring.dashboards.list

monitoring.dashboards.listEffectiveTags

monitoring.dashboards.listTagBindings

Monitoring Editor

(roles/monitoring.editor)

Provides full access to information about all monitoring data and configurations.

Lowest-level resources where you can grant this role:

Project

cloudnotifications.activities.list

monitoring.alertPolicies.*

monitoring.alertPolicies.create
monitoring.alertPolicies.createTagBinding
monitoring.alertPolicies.delete
monitoring.alertPolicies.deleteTagBinding
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.alertPolicies.listEffectiveTags
monitoring.alertPolicies.listTagBindings
monitoring.alertPolicies.update

monitoring.dashboards.*

monitoring.dashboards.create
monitoring.dashboards.createTagBinding
monitoring.dashboards.delete
monitoring.dashboards.deleteTagBinding
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.dashboards.listEffectiveTags
monitoring.dashboards.listTagBindings
monitoring.dashboards.update

monitoring.groups.*

monitoring.groups.create
monitoring.groups.delete
monitoring.groups.get
monitoring.groups.list
monitoring.groups.update

monitoring.metricDescriptors.*

monitoring.metricDescriptors.create
monitoring.metricDescriptors.delete
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list

monitoring.notificationChannelDescriptors.*

monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.create

monitoring.notificationChannels.delete

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.notificationChannels.sendVerificationCode

monitoring.notificationChannels.update

monitoring.notificationChannels.verify

monitoring.services.*

monitoring.services.create
monitoring.services.delete
monitoring.services.get
monitoring.services.list
monitoring.services.update

monitoring.slos.*

monitoring.slos.create
monitoring.slos.delete
monitoring.slos.get
monitoring.slos.list
monitoring.slos.update

monitoring.snoozes.*

monitoring.snoozes.create
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.snoozes.update

monitoring.timeSeries.*

monitoring.timeSeries.create
monitoring.timeSeries.list

monitoring.uptimeCheckConfigs.*

monitoring.uptimeCheckConfigs.create
monitoring.uptimeCheckConfigs.delete
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
monitoring.uptimeCheckConfigs.update

opsconfigmonitoring.*

opsconfigmonitoring.resourceMetadata.list
opsconfigmonitoring.resourceMetadata.write

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.enable

serviceusage.services.get

stackdriver.*

stackdriver.projects.edit
stackdriver.projects.get
stackdriver.resourceMetadata.list
stackdriver.resourceMetadata.write

Monitoring Metric Writer

(roles/monitoring.metricWriter)

Provides write-only access to metrics. This provides exactly the permissions needed by the Cloud Monitoring agent and other systems that send metrics.

Lowest-level resources where you can grant this role:

Project

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list

monitoring.timeSeries.create

Monitoring Metrics Scopes Admin ^Beta

(roles/monitoring.metricsScopesAdmin)

Access to add and remove monitored projects from metrics scopes.

monitoring.metricsScopes.link

resourcemanager.projects.get

resourcemanager.projects.list

Monitoring Metrics Scopes Viewer ^Beta

(roles/monitoring.metricsScopesViewer)

Read-only access to metrics scopes and their monitored projects.

resourcemanager.projects.get

resourcemanager.projects.list

Monitoring NotificationChannel Editor ^Beta

(roles/monitoring.notificationChannelEditor)

Read/write access to notification channels.

monitoring.notificationChannelDescriptors.*

monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.create

monitoring.notificationChannels.delete

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.notificationChannels.sendVerificationCode

monitoring.notificationChannels.update

monitoring.notificationChannels.verify

Monitoring NotificationChannel Viewer ^Beta

(roles/monitoring.notificationChannelViewer)

Read-only access to notification channels.

monitoring.notificationChannelDescriptors.*

monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.get

monitoring.notificationChannels.list

Monitoring Service Agent

(roles/monitoring.notificationServiceAgent)

Grants permissions to deliver notifications directly to resources within the target project, such as delivering to Pub/Sub topics within the project.

bigquery.jobs.create

cloudfunctions.functions.get

cloudtrace.traces.patch

logging.links.list

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list

monitoring.timeSeries.list

run.routes.invoke

servicedirectory.networks.access

servicedirectory.services.resolve

serviceusage.services.use

Monitoring Services Editor

(roles/monitoring.servicesEditor)

Read/write access to services.

monitoring.services.*

monitoring.services.create
monitoring.services.delete
monitoring.services.get
monitoring.services.list
monitoring.services.update

monitoring.slos.*

monitoring.slos.create
monitoring.slos.delete
monitoring.slos.get
monitoring.slos.list
monitoring.slos.update

Monitoring Services Viewer

(roles/monitoring.servicesViewer)

Read-only access to services.

monitoring.services.get

monitoring.services.list

monitoring.slos.get

monitoring.slos.list

Monitoring Snooze Editor

(roles/monitoring.snoozeEditor)

monitoring.snoozes.*

monitoring.snoozes.create
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.snoozes.update

Monitoring Snooze Viewer

(roles/monitoring.snoozeViewer)

monitoring.snoozes.get

monitoring.snoozes.list

Monitoring Uptime Check Configuration Editor ^Beta

(roles/monitoring.uptimeCheckConfigEditor)

Read/write access to uptime check configurations.

monitoring.uptimeCheckConfigs.*

monitoring.uptimeCheckConfigs.create
monitoring.uptimeCheckConfigs.delete
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
monitoring.uptimeCheckConfigs.update

Monitoring Uptime Check Configuration Viewer ^Beta

(roles/monitoring.uptimeCheckConfigViewer)

Read-only access to uptime check configurations.

monitoring.uptimeCheckConfigs.get

monitoring.uptimeCheckConfigs.list

Monitoring Viewer

(roles/monitoring.viewer)

Provides read-only access to get and list information about all monitoring data and configurations.

Lowest-level resources where you can grant this role:

Project

cloudnotifications.activities.list

monitoring.alertPolicies.get

monitoring.alertPolicies.list

monitoring.alertPolicies.listEffectiveTags

monitoring.alertPolicies.listTagBindings

monitoring.dashboards.get

monitoring.dashboards.list

monitoring.dashboards.listEffectiveTags

monitoring.dashboards.listTagBindings

monitoring.groups.get

monitoring.groups.list

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list

monitoring.notificationChannelDescriptors.*

monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.services.get

monitoring.services.list

monitoring.slos.get

monitoring.slos.list

monitoring.snoozes.get

monitoring.snoozes.list

monitoring.timeSeries.list

monitoring.uptimeCheckConfigs.get

monitoring.uptimeCheckConfigs.list

opsconfigmonitoring.resourceMetadata.list

resourcemanager.projects.get

resourcemanager.projects.list

stackdriver.projects.get

stackdriver.resourceMetadata.list

Ops Config Monitoring Resource Metadata Viewer ^Beta

(roles/opsconfigmonitoring.resourceMetadata.viewer)

Read-only access to resource metadata.

opsconfigmonitoring.resourceMetadata.list

Ops Config Monitoring Resource Metadata Writer ^Beta

(roles/opsconfigmonitoring.resourceMetadata.writer)

Write-only access to resource metadata. This provides exactly the permissions needed by the Ops Config Monitoring metadata agent and other systems that send metadata.

opsconfigmonitoring.resourceMetadata.write

Stackdriver Accounts Editor

(roles/stackdriver.accounts.editor)

Read/write access to manage Stackdriver account structure.

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.enable

serviceusage.services.get

stackdriver.projects.*

stackdriver.projects.edit
stackdriver.projects.get

Stackdriver Accounts Viewer

(roles/stackdriver.accounts.viewer)

Read-only access to get and list information about Stackdriver account structure.

resourcemanager.projects.get

resourcemanager.projects.list

stackdriver.projects.get

Stackdriver Resource Metadata Writer ^Beta

(roles/stackdriver.resourceMetadata.writer)

Write-only access to resource metadata. This provides exactly the permissions needed by the Stackdriver metadata agent and other systems that send metadata.

stackdriver.resourceMetadata.write

Google Cloud 基本角色

Google Cloud 基本角色包含下列權限：

名稱
標題具備的權限

roles/viewer
檢視者監控權限與 roles/monitoring.viewer 中的權限相同。

名稱標題	具備的權限
`roles/viewer` 檢視者	監控權限與 `roles/monitoring.viewer` 中的權限相同。
`roles/editor` 編輯者	「監控」權限與 `roles/monitoring.editor` 中的權限相同，但 `stackdriver.projects.edit` 權限除外。`roles/editor` 角色不具備 `stackdriver.projects.edit` 權限。這個角色不會授予修改指標範圍的權限。如要在使用 API 時修改指標範圍，您的角色必須包含 `monitoring.metricsScopes.link` 權限。如要在使用 Google Cloud 主控台時修改指標範圍，您的角色必須包含`monitoring.metricsScopes.link`權限，或是您必須具備`roles/monitoring.editor`角色。
`roles/owner` 擁有者	監控權限與 `roles/monitoring.admin` 中的權限相同。

roles/editor
編輯者

「監控」權限與 roles/monitoring.editor 中的權限相同，但 stackdriver.projects.edit 權限除外。roles/editor 角色不具備 stackdriver.projects.edit 權限。

這個角色不會授予修改指標範圍的權限。如要在使用 API 時修改指標範圍，您的角色必須包含 monitoring.metricsScopes.link 權限。如要在使用 Google Cloud 主控台時修改指標範圍，您的角色必須包含monitoring.metricsScopes.link權限，或是您必須具備roles/monitoring.editor角色。

roles/owner
擁有者監控權限與 roles/monitoring.admin 中的權限相同。

自訂角色

如要授予主體的權限比預先定義角色授予的權限更有限，可以建立自訂角色。舉例來說，如果您因為有資料落地或影響等級 4 (IL4) 的需求而設定 Assured Workloads，就不應使用正常運作時間檢查，因為無法保證正常運作時間檢查資料會保留在特定地理位置。如要禁止使用運作時間檢查，請建立不含任何前置字元為 monitoring.uptimeCheckConfigs 的權限。

如要建立具有 Monitoring 權限的自訂角色，請執行下列步驟：

對於只為 Monitoring API 授予權限的角色，請在「權限和預先定義的角色」一節選擇權限。
對於授予Google Cloud 主控台 Monitoring 權限的角色，請在「Monitoring roles」(Monitoring 角色) 區段選擇權限群組。
如要授予監控資料寫入權限，請在權限和預先定義的角色一節中，包含來自 roles/monitoring.metricWriter 角色的權限。

如要進一步瞭解自訂角色，請參閱瞭解身分與存取權管理自訂角色一文。

Compute Engine 存取範圍

存取範圍是為 Compute Engine VM 執行個體指定權限的傳統方法。以下存取範圍適用於 Monitoring：

存取範圍	授予的權限
https://www.googleapis.com/auth/monitoring.read	權限與 `roles/monitoring.viewer` 相同。
https://www.googleapis.com/auth/monitoring.write	權限與 `roles/monitoring.metricWriter` 相同。
https://www.googleapis.com/auth/monitoring	具備 Monitoring 的完整權限。
https://www.googleapis.com/auth/cloud-platform	具備所有已啟用之 Cloud API 的完整權限。

詳情請參閱「存取範圍」。

最佳做法。建議您為 VM 執行個體提供最強大的存取範圍 (cloud-platform)，然後使用 IAM 角色限制對特定 API 和作業的存取權。詳情請參閱服務帳戶權限一文。

使用 IAM 控管存取權 透過集合功能整理內容 你可以依據偏好儲存及分類內容。

最佳做法

VPC Service Controls

授予 Cloud Monitoring 的存取權

控制台

gcloud

預先定義的角色

Monitoring 角色

快訊政策角色

資訊主頁角色

事件角色

通知管道角色

延後通知角色

服務監控角色

運作時間檢查設定角色

指標範圍設定角色

預先定義角色的權限

監控角色權限

Monitoring Admin

Monitoring AlertPolicy Editor

Monitoring AlertPolicy Viewer

Monitoring Cloud Console Incident Editor Beta

Monitoring Cloud Console Incident Viewer Beta

Monitoring Dashboard Configuration Editor

Monitoring Dashboard Configuration Viewer

Monitoring Editor

Monitoring Metric Writer

Monitoring Metrics Scopes Admin Beta

Monitoring Metrics Scopes Viewer Beta

Monitoring NotificationChannel Editor Beta

Monitoring NotificationChannel Viewer Beta

Monitoring Service Agent

Monitoring Services Editor

Monitoring Services Viewer

Monitoring Snooze Editor

Monitoring Snooze Viewer

Monitoring Uptime Check Configuration Editor Beta

Monitoring Uptime Check Configuration Viewer Beta

Monitoring Viewer

Ops Config Monitoring Resource Metadata Viewer Beta

Ops Config Monitoring Resource Metadata Writer Beta

Stackdriver Accounts Editor

Stackdriver Accounts Viewer

Stackdriver Resource Metadata Writer Beta

Google Cloud 基本角色

自訂角色

Compute Engine 存取範圍

使用 IAM 控管存取權

Monitoring Cloud Console Incident Editor ^Beta

Monitoring Cloud Console Incident Viewer ^Beta

Monitoring Metrics Scopes Admin ^Beta

Monitoring Metrics Scopes Viewer ^Beta

Monitoring NotificationChannel Editor ^Beta

Monitoring NotificationChannel Viewer ^Beta

Monitoring Uptime Check Configuration Editor ^Beta

Monitoring Uptime Check Configuration Viewer ^Beta

Ops Config Monitoring Resource Metadata Viewer ^Beta

Ops Config Monitoring Resource Metadata Writer ^Beta

Stackdriver Resource Metadata Writer ^Beta