Controlling access to Cloud Service Mesh in the Google Cloud console
====================================================================

Access to Cloud Service Mesh in the Google Cloud console is controlled by
[Identity and Access Management (IAM)](/iam/docs/overview).
To get access, a Project Owner must grant users the Project Editor or Viewer
role, or the more restrictive roles described in the following tables. For
information about how to grant roles to users, see
[Granting, changing, and revoking access to resources](/iam/docs/granting-changing-revoking-access).
Minimum read-only roles
-----------------------

Users with the following roles can access the Cloud Service Mesh pages for
monitoring purposes only. Users with these roles can't create or modify service
level objectives (SLOs) or make changes to the GKE infrastructure.
| IAM role name | Role title | Description |
|---|---|---|
| `roles/monitoring.viewer` | Monitoring Viewer | Provides read-only access to get and list information about all monitoring data and configurations. |
| `roles/container.viewer` | Kubernetes Engine Viewer | Provides read-only access to GKE resources. This role is not required for GKE clusters on Google Cloud. |
| `roles/logging.viewer` | Logs Viewer | Provides read-only access to the Diagnostics page in the service details view. If access to this page is not needed, this role can be omitted. |
| `roles/serviceusage.serviceUsageViewer` | Service Usage Viewer | Provides the ability to inspect service states and operations for a consumer project. |
Minimum write roles
-------------------

Users with the following roles can create or modify SLOs in the Cloud Service Mesh
pages and create or modify alerting policies based on the SLOs. Users with
these roles can't make changes to the GKE infrastructure.
| IAM role name | Role title | Description |
|---|---|---|
| `roles/monitoring.editor` | Monitoring Editor | Provides full access to information about all monitoring data and configurations. |
| `roles/container.editor` | Kubernetes Engine Editor | Provides the write permissions needed to manage GKE resources. |
| `roles/logging.editor` | Logs Editor | Provides the write permissions needed for the Diagnostics page in the service details view. |
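As an added example (not part of this page), the following script binds one of the role sets from the two tables above to a single principal with `gcloud`, then lists every role bound to that principal so you can confirm nothing broader (such as `roles/editor`) sits beside the narrow roles. `PROJECT_ID` and `MEMBER` are constructed placeholders, and `DRY_RUN=1` (the default) prints the commands instead of running them.

```shell
set -eu
PROJECT_ID="${PROJECT_ID:-example-project}"   # constructed placeholder
MEMBER="${MEMBER:-user:alice@example.com}"    # constructed placeholder
DRY_RUN="${DRY_RUN:-1}"                       # 1 = print commands, 0 = run them

# Role sets from the tables above. roles/logging.viewer only serves the
# Diagnostics page, so it is added only when WITH_DIAGNOSTICS=1.
roles_for_profile() {  # $1 = readonly | write
  case "$1" in
    readonly)
      printf '%s\n' roles/monitoring.viewer roles/container.viewer \
        roles/serviceusage.serviceUsageViewer
      if [ "${WITH_DIAGNOSTICS:-0}" = "1" ]; then printf '%s\n' roles/logging.viewer; fi
      ;;
    write)
      printf '%s\n' roles/monitoring.editor roles/container.editor \
        roles/logging.editor
      ;;
    *) echo "unknown profile: $1" >&2; return 1 ;;
  esac
  return 0
}

# One add-iam-policy-binding command. --condition=None suppresses the
# interactive prompt gcloud shows when the policy has conditional bindings.
binding_cmd() {  # $1 project, $2 member, $3 role
  printf 'gcloud projects add-iam-policy-binding %s --member=%s --role=%s --condition=None' \
    "$1" "$2" "$3"
}

# Lists every role bound to the member, so you can confirm that only the
# narrow roles are present and no roles/editor or roles/owner sits beside them.
list_roles_cmd() {  # $1 project, $2 member
  printf 'gcloud projects get-iam-policy %s --flatten="bindings[].members" --filter="bindings.members:%s" --format="value(bindings.role)"' \
    "$1" "$2"
}

run_or_print() {
  if [ "$DRY_RUN" = "1" ]; then echo "[dry-run] $1"; else eval "$1"; fi
}

grant_profile() {  # $1 = profile name
  for role in $(roles_for_profile "$1"); do
    run_or_print "$(binding_cmd "$PROJECT_ID" "$MEMBER" "$role")"
  done
  run_or_print "$(list_roles_cmd "$PROJECT_ID" "$MEMBER")"
}

grant_profile "${1:-readonly}"
```

Run it as `DRY_RUN=0 PROJECT_ID=... MEMBER=user:... sh grant.sh write` once the printed commands look right; the final `get-iam-policy` line is the check that the principal holds only the intended roles.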
Special cases
-------------

The following roles are required for particular mesh configurations.
| IAM role name | Role title | Description |
|---|---|---|
| `roles/gkehub.viewer` | GKE Hub Viewer | Provides view access to clusters outside Google Cloud in the Google Cloud console. This role is required for users to view off-Google Cloud clusters in the mesh. In addition, you must grant the user the `cluster-admin` Kubernetes RBAC role on those clusters so that the dashboard can query the cluster on their behalf. |
Additional roles and permissions
--------------------------------

IAM has additional roles and granular permissions if the above roles
don't meet your needs. For example, you might want to grant the Kubernetes
Engine Admin role or the Kubernetes Engine Cluster Admin role to let a user
administer your GKE infrastructure.
For more information, see the following:

- [Understanding roles](/iam/docs/understanding-roles)
- [Kubernetes Engine roles](/iam/docs/understanding-roles#kubernetes-engine-roles)
- [Monitoring roles](/iam/docs/understanding-roles#monitoring-roles)

What's next
-----------

- [Explore Cloud Service Mesh in the Google Cloud console](/service-mesh/docs/observability/explore-dashboard)
- [Service level objectives overview](/service-mesh/docs/observability/slo-overview)

Last updated 2025-08-25 UTC.