使用 IAM 控制访问权限

Google Cloud 提供 Identity and Access Management (IAM),可让您授予对特定 Google Cloud 资源的细化访问权限,并防止对其他资源进行不必要的访问。本页面介绍了 Cloud Trace 的 IAM 角色。

最佳做法

为方便排查问题,我们建议为可能需要查看项目中的轨迹数据的所有用户、群组和网域授予该项目的 Cloud Trace User 角色 (roles/cloudtrace.user)。此角色可向主要人员授予查看轨迹数据所需的权限。

权限和预定义角色

IAM 角色包含权限,可以分配给用户、组和服务账号。

Cloud Trace 角色

下表列出了 Cloud Trace 的预定义角色以及这些角色的权限:

Role Permissions

(roles/cloudtrace.admin)

Provides full access to the Trace console and read-write access to traces.

Lowest-level resources where you can grant this role:

  • Project

cloudtrace.*

  • cloudtrace.insights.get
  • cloudtrace.insights.list
  • cloudtrace.stats.get
  • cloudtrace.tasks.create
  • cloudtrace.tasks.delete
  • cloudtrace.tasks.get
  • cloudtrace.tasks.list
  • cloudtrace.traceScopes.create
  • cloudtrace.traceScopes.delete
  • cloudtrace.traceScopes.get
  • cloudtrace.traceScopes.list
  • cloudtrace.traceScopes.update
  • cloudtrace.traces.get
  • cloudtrace.traces.list
  • cloudtrace.traces.patch

observability.scopes.get

observability.traceScopes.*

  • observability.traceScopes.create
  • observability.traceScopes.delete
  • observability.traceScopes.get
  • observability.traceScopes.list
  • observability.traceScopes.update

resourcemanager.projects.get

resourcemanager.projects.list

telemetry.traces.write

(roles/cloudtrace.agent)

For service accounts. Provides ability to write traces by sending the data to Stackdriver Trace.

Lowest-level resources where you can grant this role:

  • Project

cloudtrace.traces.patch

telemetry.traces.write

(roles/cloudtrace.user)

Provides full access to the Trace console and read access to traces.

Lowest-level resources where you can grant this role:

  • Project

cloudtrace.insights.*

  • cloudtrace.insights.get
  • cloudtrace.insights.list

cloudtrace.stats.get

cloudtrace.tasks.*

  • cloudtrace.tasks.create
  • cloudtrace.tasks.delete
  • cloudtrace.tasks.get
  • cloudtrace.tasks.list

cloudtrace.traceScopes.*

  • cloudtrace.traceScopes.create
  • cloudtrace.traceScopes.delete
  • cloudtrace.traceScopes.get
  • cloudtrace.traceScopes.list
  • cloudtrace.traceScopes.update

cloudtrace.traces.get

cloudtrace.traces.list

observability.scopes.get

observability.traceScopes.*

  • observability.traceScopes.create
  • observability.traceScopes.delete
  • observability.traceScopes.get
  • observability.traceScopes.list
  • observability.traceScopes.update

resourcemanager.projects.get

resourcemanager.projects.list

Telemetry API 角色

下表列出了 Telemetry (OTLP) API 的预定义角色,以及这些角色的权限:

Role Permissions

(roles/telemetry.metricsWriter)

Access to write metrics.

telemetry.metrics.write

(roles/telemetry.serviceLogsWriter)

Allows an onboarded service to write log data to a destination.

telemetry.consumers.writeLogs

(roles/telemetry.serviceMetricsWriter)

Allows an onboarded service to write metrics data to a destination.

telemetry.consumers.writeMetrics

(roles/telemetry.serviceTelemetryWriter)

Allows an onboarded service to write all telemetry data to a destination.

telemetry.consumers.*

  • telemetry.consumers.writeLogs
  • telemetry.consumers.writeMetrics
  • telemetry.consumers.writeTraces

(roles/telemetry.serviceTracesWriter)

Allows an onboarded service to write trace data to a destination.

telemetry.consumers.writeTraces

(roles/telemetry.tracesWriter)

Access to write trace spans.

telemetry.traces.write

(roles/telemetry.writer)

Full access to write all telemetry data.

telemetry.metrics.write

telemetry.traces.write

创建自定义角色

如需创建包含 Cloud Trace 权限的自定义角色,请执行以下操作:

  • 如需使角色仅能授予 Cloud Trace API 权限,请选择该 API 方法所需的权限。
  • 如需使角色能够授予 Cloud Trace API 和控制台的权限,请从预定义的 Cloud Trace 角色中选择权限组。
  • 如需授予向跟踪记录写入数据的权限,请在 Cloud Trace Agent (roles/cloudtrace.agent) 角色中添加权限。

如需详细了解自定义角色,请参阅创建和管理自定义角色

API 方法的权限

如需了解执行 API 调用所需的权限,请参阅 Cloud Trace API 参考文档: