Control access with IAM

When you create a Google Cloud project, you are the only user on the project. By default, no other users have access to your project or its resources. Identity and Access Management (IAM) manages access to Google Cloud resources, like clusters. Permissions are assigned to IAM principals.

IAM lets you grant roles to principals. A role is a collection of permissions, and when granted to a principal, controls access to one or more Google Cloud resources. You can use the following types of roles:

Basic roles provide coarse permissions limited to Owner, Editor, and Viewer.
Pre-defined roles, provide finer-grained access than basic roles and address many common use cases.
Custom roles allow you to create unique combinations of permissions.

A principal can be any of the following:

User account
Service account
Google Workspace Google Group
Google Workspace domain
Cloud Identity domain

IAM policy types

IAM supports the following policy types:

Allow policies: grant roles to principals. For details, see Allow policy.
Deny policies: prevent principals from using specific IAM permissions regardless of the roles that those principals are granted. For details, see Deny policies.

Use deny policies to restrict specific principals from performing specific actions in your project, folder, or organization even if an IAM allow policy grants those principals a role that contains the relevant permissions.

Predefined roles

IAM provides predefined roles to grant granular access to specific Google Cloud resources and to prevent unwanted access to other resources. Google Cloud creates and maintains these roles and automatically updates their permissions as necessary, such as when Google Cloud Observability adds new features.

Predefined roles for Google Cloud Observability contain permissions for features that span multiple product areas. For this reason, you might see some permissions, like observability.scopes.get, included in predefined roles for those product areas. For example, the Logs Viewer role (roles/logging.viewer) includes the observability.scopes.get permission in addition to many logging-specific permissions.

The following table lists the predefined roles for Google Cloud Observability. For each role, the table displays the role title, description, contained permissions, and the lowest-level resource type where the roles can be granted. You can grant the predefined roles at the Google Cloud project level or, in most cases, any type higher in the resource hierarchy.

To get a list of all individual permissions contained in a role, see Getting the role metadata.

Observability roles

Role Permissions

Role	Permissions
Observability Admin ^Beta (`roles/observability.admin`) Full access to Observability resources.	`observability.*` `observability.analyticsViews.create` `observability.analyticsViews.delete` `observability.analyticsViews.get` `observability.analyticsViews.list` `observability.analyticsViews.update` `observability.buckets.create` `observability.buckets.delete` `observability.buckets.get` `observability.buckets.list` `observability.buckets.undelete` `observability.buckets.update` `observability.datasets.create` `observability.datasets.delete` `observability.datasets.get` `observability.datasets.list` `observability.datasets.undelete` `observability.datasets.update` `observability.links.create` `observability.links.delete` `observability.links.get` `observability.links.list` `observability.links.update` `observability.operations.cancel` `observability.operations.delete` `observability.operations.get` `observability.operations.list` `observability.scopes.get` `observability.scopes.update` `observability.views.access` `observability.views.create` `observability.views.delete` `observability.views.get` `observability.views.list` `observability.views.update`
Observability Analytics User ^Beta (`roles/observability.analyticsUser`) Grants permissions to use Cloud Observability Analytics.	`logging.queries.getShared` `logging.queries.listShared` `logging.queries.usePrivate` `observability.analyticsViews.*` `observability.analyticsViews.create` `observability.analyticsViews.delete` `observability.analyticsViews.get` `observability.analyticsViews.list` `observability.analyticsViews.update` `observability.buckets.get` `observability.buckets.list` `observability.datasets.get` `observability.datasets.list` `observability.links.get` `observability.links.list` `observability.operations.get` `observability.operations.list` `observability.scopes.get` `observability.views.get` `observability.views.list`
Observability Editor ^Beta (`roles/observability.editor`) Edit access to Observability resources.	`observability.analyticsViews.` `observability.analyticsViews.create` `observability.analyticsViews.delete` `observability.analyticsViews.get` `observability.analyticsViews.list` `observability.analyticsViews.update` `observability.buckets.create` `observability.buckets.get` `observability.buckets.list` `observability.buckets.update` `observability.datasets.create` `observability.datasets.get` `observability.datasets.list` `observability.datasets.update` `observability.links.` `observability.links.create` `observability.links.delete` `observability.links.get` `observability.links.list` `observability.links.update` `observability.operations.` `observability.operations.cancel` `observability.operations.delete` `observability.operations.get` `observability.operations.list` `observability.scopes.` `observability.scopes.get` `observability.scopes.update` `observability.views.create` `observability.views.delete` `observability.views.get` `observability.views.list` `observability.views.update`
Observability Scopes Editor ^Beta (`roles/observability.scopesEditor`) Grants permission to view and edit Observability, Logging, Trace, and Monitoring scopes	`logging.logScopes.` `logging.logScopes.create` `logging.logScopes.delete` `logging.logScopes.get` `logging.logScopes.list` `logging.logScopes.update` `monitoring.metricsScopes.link` `observability.scopes.` `observability.scopes.get` `observability.scopes.update`
Observability Service Agent (`roles/observability.serviceAgent`) Grants Observability service account the ability to list, create and link datasets in the consumer project. Warning: Do not grant service agent roles to any principals except service agents.	`bigquery.datasets.create` `bigquery.datasets.get` `bigquery.datasets.link`
Observability View Accessor ^Beta (`roles/observability.viewAccessor`) Read only access to data defined by an Observability View.	`observability.views.access`
Observability Viewer ^Beta (`roles/observability.viewer`) Read only access to Observability resources.	`observability.analyticsViews.get` `observability.analyticsViews.list` `observability.buckets.get` `observability.buckets.list` `observability.datasets.get` `observability.datasets.list` `observability.links.get` `observability.links.list` `observability.operations.get` `observability.operations.list` `observability.scopes.get` `observability.views.get` `observability.views.list`

Observability Admin ^Beta

(roles/observability.admin)

Full access to Observability resources.

observability.*

observability.analyticsViews.create
observability.analyticsViews.delete
observability.analyticsViews.get
observability.analyticsViews.list
observability.analyticsViews.update
observability.buckets.create
observability.buckets.delete
observability.buckets.get
observability.buckets.list
observability.buckets.undelete
observability.buckets.update
observability.datasets.create
observability.datasets.delete
observability.datasets.get
observability.datasets.list
observability.datasets.undelete
observability.datasets.update
observability.links.create
observability.links.delete
observability.links.get
observability.links.list
observability.links.update
observability.operations.cancel
observability.operations.delete
observability.operations.get
observability.operations.list
observability.scopes.get
observability.scopes.update
observability.views.access
observability.views.create
observability.views.delete
observability.views.get
observability.views.list
observability.views.update

Observability Analytics User ^Beta

(roles/observability.analyticsUser)

Grants permissions to use Cloud Observability Analytics.

logging.queries.getShared

logging.queries.listShared

logging.queries.usePrivate

observability.analyticsViews.*

observability.analyticsViews.create
observability.analyticsViews.delete
observability.analyticsViews.get
observability.analyticsViews.list
observability.analyticsViews.update

observability.buckets.get

observability.buckets.list

observability.datasets.get

observability.datasets.list

observability.links.get

observability.links.list

observability.operations.get

observability.operations.list

observability.scopes.get

observability.views.get

observability.views.list

Observability Editor ^Beta

(roles/observability.editor)

Edit access to Observability resources.

observability.analyticsViews.*

observability.analyticsViews.create
observability.analyticsViews.delete
observability.analyticsViews.get
observability.analyticsViews.list
observability.analyticsViews.update

observability.buckets.create

observability.buckets.get

observability.buckets.list

observability.buckets.update

observability.datasets.create

observability.datasets.get

observability.datasets.list

observability.datasets.update

observability.links.*

observability.links.create
observability.links.delete
observability.links.get
observability.links.list
observability.links.update

observability.operations.*

observability.operations.cancel
observability.operations.delete
observability.operations.get
observability.operations.list

observability.scopes.*

observability.scopes.get
observability.scopes.update

observability.views.create

observability.views.delete

observability.views.get

observability.views.list

observability.views.update

Observability Scopes Editor ^Beta

(roles/observability.scopesEditor)

Grants permission to view and edit Observability, Logging, Trace, and Monitoring scopes

logging.logScopes.*

logging.logScopes.create
logging.logScopes.delete
logging.logScopes.get
logging.logScopes.list
logging.logScopes.update

monitoring.metricsScopes.link

observability.scopes.*

observability.scopes.get
observability.scopes.update

Observability Service Agent

(roles/observability.serviceAgent)

Grants Observability service account the ability to list, create and link datasets in the consumer project.

bigquery.datasets.create

bigquery.datasets.get

bigquery.datasets.link

Observability View Accessor ^Beta

(roles/observability.viewAccessor)

Read only access to data defined by an Observability View.

observability.views.access

Observability Viewer ^Beta

(roles/observability.viewer)

Read only access to Observability resources.

observability.analyticsViews.get

observability.analyticsViews.list

observability.buckets.get

observability.buckets.list

observability.datasets.get

observability.datasets.list

observability.links.get

observability.links.list

observability.operations.get

observability.operations.list

observability.scopes.get

observability.views.get

observability.views.list

Telemetry API roles

Role	Permissions
Cloud Telemetry Metrics Writer (`roles/telemetry.metricsWriter`) Access to write metrics.	`telemetry.metrics.write`
Integrated Service Telemetry Logs Writer ^Beta (`roles/telemetry.serviceLogsWriter`) Allows an onboarded service to write log data to a destination.	`telemetry.consumers.writeLogs`
Integrated Service Telemetry Metrics Writer ^Beta (`roles/telemetry.serviceMetricsWriter`) Allows an onboarded service to write metrics data to a destination.	`telemetry.consumers.writeMetrics`
Integrated Service Telemetry Writer ^Beta (`roles/telemetry.serviceTelemetryWriter`) Allows an onboarded service to write all telemetry data to a destination.	`telemetry.consumers.*` `telemetry.consumers.writeLogs` `telemetry.consumers.writeMetrics` `telemetry.consumers.writeTraces`
Integrated Service Telemetry Traces Writer ^Beta (`roles/telemetry.serviceTracesWriter`) Allows an onboarded service to write trace data to a destination.	`telemetry.consumers.writeTraces`
Cloud Telemetry Traces Writer (`roles/telemetry.tracesWriter`) Access to write trace spans.	`telemetry.traces.write`
Cloud Telemetry Writer (`roles/telemetry.writer`) Full access to write all telemetry data.	`telemetry.metrics.write` `telemetry.traces.write`

Control access with IAM Stay organized with collections Save and categorize content based on your preferences.

IAM policy types

Predefined roles

Observability roles

Observability Admin Beta

Observability Analytics User Beta

Observability Editor Beta

Observability Scopes Editor Beta

Observability Service Agent

Observability View Accessor Beta

Observability Viewer Beta

Telemetry API roles

Cloud Telemetry Metrics Writer

Integrated Service Telemetry Logs Writer Beta

Integrated Service Telemetry Metrics Writer Beta

Integrated Service Telemetry Writer Beta

Integrated Service Telemetry Traces Writer Beta

Cloud Telemetry Traces Writer

Cloud Telemetry Writer

What's next

Control access with IAM

Observability Admin ^Beta

Observability Analytics User ^Beta

Observability Editor ^Beta

Observability Scopes Editor ^Beta

Observability View Accessor ^Beta

Observability Viewer ^Beta

Integrated Service Telemetry Logs Writer ^Beta

Integrated Service Telemetry Metrics Writer ^Beta

Integrated Service Telemetry Writer ^Beta

Integrated Service Telemetry Traces Writer ^Beta