Control access with IAM

When you create a Google Cloud project, you are the only user on the project. By default, no other users have access to your project or its resources. Identity and Access Management (IAM) manages access to Google Cloud resources, like clusters. Permissions are assigned to IAM principals.

IAM lets you grant roles to principals. A role is a collection of permissions, and when granted to a principal, controls access to one or more Google Cloud resources. You can use the following types of roles:

  • Basic roles provide coarse permissions limited to Owner, Editor, and Viewer.
  • Pre-defined roles, provide finer-grained access than basic roles and address many common use cases.
  • Custom roles allow you to create unique combinations of permissions.

A principal can be any of the following:

  • User account
  • Service account
  • Google Workspace Google Group
  • Google Workspace domain
  • Cloud Identity domain

IAM policy types

IAM supports the following policy types:

  • Allow policies: grant roles to principals. For details, see Allow policy.
  • Deny policies: prevent principals from using specific IAM permissions regardless of the roles that those principals are granted. For details, see Deny policies.

Use deny policies to restrict specific principals from performing specific actions in your project, folder, or organization even if an IAM allow policy grants those principals a role that contains the relevant permissions.

Predefined roles

IAM provides predefined roles to grant granular access to specific Google Cloud resources and to prevent unwanted access to other resources. Google Cloud creates and maintains these roles and automatically updates their permissions as necessary, such as when Google Cloud Observability adds new features.

Predefined roles for Google Cloud Observability contain permissions for features that span multiple product areas. For this reason, you might see some permissions, like observability.scopes.get, included in predefined roles for those product areas. For example, the Logs Viewer role (roles/logging.viewer) includes the observability.scopes.get permission in addition to many logging-specific permissions.

The following table lists the predefined roles for Google Cloud Observability. For each role, the table displays the role title, description, contained permissions, and the lowest-level resource type where the roles can be granted. You can grant the predefined roles at the Google Cloud project level or, in most cases, any type higher in the resource hierarchy.

To get a list of all individual permissions contained in a role, see Getting the role metadata.

Observability roles

Role Permissions

(roles/observability.admin)

Full access to Observability resources.

observability.*

  • observability.analyticsViews.create
  • observability.analyticsViews.delete
  • observability.analyticsViews.get
  • observability.analyticsViews.list
  • observability.analyticsViews.update
  • observability.buckets.create
  • observability.buckets.delete
  • observability.buckets.get
  • observability.buckets.list
  • observability.buckets.undelete
  • observability.buckets.update
  • observability.datasets.create
  • observability.datasets.delete
  • observability.datasets.get
  • observability.datasets.list
  • observability.datasets.undelete
  • observability.datasets.update
  • observability.links.create
  • observability.links.delete
  • observability.links.get
  • observability.links.list
  • observability.links.update
  • observability.operations.cancel
  • observability.operations.delete
  • observability.operations.get
  • observability.operations.list
  • observability.scopes.get
  • observability.scopes.update
  • observability.traceScopes.create
  • observability.traceScopes.delete
  • observability.traceScopes.get
  • observability.traceScopes.list
  • observability.traceScopes.update
  • observability.views.access
  • observability.views.create
  • observability.views.delete
  • observability.views.get
  • observability.views.list
  • observability.views.update

(roles/observability.analyticsUser)

Grants permissions to use Cloud Observability Analytics.

logging.queries.getShared

logging.queries.listShared

logging.queries.usePrivate

observability.analyticsViews.*

  • observability.analyticsViews.create
  • observability.analyticsViews.delete
  • observability.analyticsViews.get
  • observability.analyticsViews.list
  • observability.analyticsViews.update

observability.buckets.get

observability.buckets.list

observability.datasets.get

observability.datasets.list

observability.links.get

observability.links.list

observability.operations.get

observability.operations.list

observability.scopes.get

observability.traceScopes.get

observability.traceScopes.list

observability.views.get

observability.views.list

(roles/observability.editor)

Edit access to Observability resources.

observability.analyticsViews.*

  • observability.analyticsViews.create
  • observability.analyticsViews.delete
  • observability.analyticsViews.get
  • observability.analyticsViews.list
  • observability.analyticsViews.update

observability.buckets.create

observability.buckets.get

observability.buckets.list

observability.buckets.update

observability.datasets.create

observability.datasets.get

observability.datasets.list

observability.datasets.update

observability.links.*

  • observability.links.create
  • observability.links.delete
  • observability.links.get
  • observability.links.list
  • observability.links.update

observability.operations.*

  • observability.operations.cancel
  • observability.operations.delete
  • observability.operations.get
  • observability.operations.list

observability.scopes.*

  • observability.scopes.get
  • observability.scopes.update

observability.traceScopes.*

  • observability.traceScopes.create
  • observability.traceScopes.delete
  • observability.traceScopes.get
  • observability.traceScopes.list
  • observability.traceScopes.update

observability.views.create

observability.views.delete

observability.views.get

observability.views.list

observability.views.update

(roles/observability.scopesEditor)

Grants permission to view and edit Observability, Logging, Trace, and Monitoring scopes

logging.logScopes.*

  • logging.logScopes.create
  • logging.logScopes.delete
  • logging.logScopes.get
  • logging.logScopes.list
  • logging.logScopes.update

monitoring.metricsScopes.link

observability.scopes.*

  • observability.scopes.get
  • observability.scopes.update

observability.traceScopes.*

  • observability.traceScopes.create
  • observability.traceScopes.delete
  • observability.traceScopes.get
  • observability.traceScopes.list
  • observability.traceScopes.update

(roles/observability.serviceAgent)

Grants Observability service account the ability to list, create and link datasets in the consumer project.

bigquery.datasets.create

bigquery.datasets.get

bigquery.datasets.link

(roles/observability.viewAccessor)

Read only access to data defined by an Observability View.

observability.views.access

(roles/observability.viewer)

Read only access to Observability resources.

observability.analyticsViews.get

observability.analyticsViews.list

observability.buckets.get

observability.buckets.list

observability.datasets.get

observability.datasets.list

observability.links.get

observability.links.list

observability.operations.get

observability.operations.list

observability.scopes.get

observability.traceScopes.get

observability.traceScopes.list

observability.views.get

observability.views.list

Telemetry API roles

Role Permissions

(roles/telemetry.metricsWriter)

Access to write metrics.

telemetry.metrics.write

(roles/telemetry.serviceLogsWriter)

Allows an onboarded service to write log data to a destination.

telemetry.consumers.writeLogs

(roles/telemetry.serviceMetricsWriter)

Allows an onboarded service to write metrics data to a destination.

telemetry.consumers.writeMetrics

(roles/telemetry.serviceTelemetryWriter)

Allows an onboarded service to write all telemetry data to a destination.

telemetry.consumers.*

  • telemetry.consumers.writeLogs
  • telemetry.consumers.writeMetrics
  • telemetry.consumers.writeTraces

(roles/telemetry.serviceTracesWriter)

Allows an onboarded service to write trace data to a destination.

telemetry.consumers.writeTraces

(roles/telemetry.tracesWriter)

Access to write trace spans.

telemetry.traces.write

(roles/telemetry.writer)

Full access to write all telemetry data.

telemetry.metrics.write

telemetry.traces.write

What's next