Control access with IAM

When you create a Google Cloud project, you are the only user on the project. By default, no other users have access to your project or its resources. Identity and Access Management (IAM) manages access to Google Cloud resources, like clusters. Permissions are assigned to IAM principals.

IAM lets you grant roles to principals. A role is a collection of permissions, and when granted to a principal, controls access to one or more Google Cloud resources. You can use the following types of roles:

  • Basic roles provide coarse-grained permissions and are limited to Owner, Editor, and Viewer.
  • Predefined roles provide finer-grained access than basic roles and address many common use cases.
  • Custom roles let you create your own combinations of permissions.

A principal can be any of the following:

  • User account
  • Service account
  • Google Group
  • Google Workspace domain
  • Cloud Identity domain

IAM policy types

IAM supports the following policy types:

  • Allow policies: grant roles to principals. For details, see Allow policy.
  • Deny policies: prevent principals from using specific IAM permissions regardless of the roles that those principals are granted. For details, see Deny policies.

Use deny policies to restrict specific principals from performing specific actions in your project, folder, or organization even if an IAM allow policy grants those principals a role that contains the relevant permissions.

Predefined roles

IAM provides predefined roles to grant granular access to specific Google Cloud resources and to prevent unwanted access to other resources. Google Cloud creates and maintains these roles and automatically updates their permissions as necessary, such as when Google Cloud Observability adds new features.

Predefined roles for Google Cloud Observability contain permissions for features that span multiple product areas. For this reason, you might see some permissions, like observability.scopes.get, included in predefined roles for those product areas. For example, the Logs Viewer role (roles/logging.viewer) includes the observability.scopes.get permission in addition to many logging-specific permissions.

The following table lists the predefined roles for Google Cloud Observability. For each role, the table displays the role title, description, contained permissions, and the lowest-level resource type where the roles can be granted. You can grant the predefined roles at the Google Cloud project level or, in most cases, any type higher in the resource hierarchy.

To get a list of all individual permissions contained in a role, see Getting the role metadata.

Observability roles

Observability Admin (Beta)
Role ID: roles/observability.admin
Description: Full access to Observability resources.
Permissions:
  • observability.*, which covers:
      • observability.analyticsViews.create
      • observability.analyticsViews.delete
      • observability.analyticsViews.get
      • observability.analyticsViews.list
      • observability.analyticsViews.update
      • observability.buckets.create
      • observability.buckets.delete
      • observability.buckets.get
      • observability.buckets.list
      • observability.buckets.undelete
      • observability.buckets.update
      • observability.datasets.create
      • observability.datasets.delete
      • observability.datasets.get
      • observability.datasets.list
      • observability.datasets.undelete
      • observability.datasets.update
      • observability.links.create
      • observability.links.delete
      • observability.links.get
      • observability.links.list
      • observability.links.update
      • observability.operations.cancel
      • observability.operations.delete
      • observability.operations.get
      • observability.operations.list
      • observability.scopes.get
      • observability.scopes.update
      • observability.traceScopes.create
      • observability.traceScopes.delete
      • observability.traceScopes.get
      • observability.traceScopes.list
      • observability.traceScopes.update
      • observability.views.access
      • observability.views.create
      • observability.views.delete
      • observability.views.get
      • observability.views.list
      • observability.views.update

Observability Analytics User (Beta)
Role ID: roles/observability.analyticsUser
Description: Grants permissions to use Cloud Observability Analytics.
Permissions:
  • logging.queries.getShared
  • logging.queries.listShared
  • logging.queries.usePrivate
  • observability.analyticsViews.*, which covers:
      • observability.analyticsViews.create
      • observability.analyticsViews.delete
      • observability.analyticsViews.get
      • observability.analyticsViews.list
      • observability.analyticsViews.update
  • observability.buckets.get
  • observability.buckets.list
  • observability.datasets.get
  • observability.datasets.list
  • observability.links.get
  • observability.links.list
  • observability.operations.get
  • observability.operations.list
  • observability.scopes.get
  • observability.traceScopes.get
  • observability.traceScopes.list
  • observability.views.get
  • observability.views.list

Observability Editor (Beta)
Role ID: roles/observability.editor
Description: Edit access to Observability resources.
Permissions:
  • observability.analyticsViews.*, which covers:
      • observability.analyticsViews.create
      • observability.analyticsViews.delete
      • observability.analyticsViews.get
      • observability.analyticsViews.list
      • observability.analyticsViews.update
  • observability.buckets.create
  • observability.buckets.get
  • observability.buckets.list
  • observability.buckets.update
  • observability.datasets.create
  • observability.datasets.get
  • observability.datasets.list
  • observability.datasets.update
  • observability.links.*, which covers:
      • observability.links.create
      • observability.links.delete
      • observability.links.get
      • observability.links.list
      • observability.links.update
  • observability.operations.*, which covers:
      • observability.operations.cancel
      • observability.operations.delete
      • observability.operations.get
      • observability.operations.list
  • observability.scopes.*, which covers:
      • observability.scopes.get
      • observability.scopes.update
  • observability.traceScopes.*, which covers:
      • observability.traceScopes.create
      • observability.traceScopes.delete
      • observability.traceScopes.get
      • observability.traceScopes.list
      • observability.traceScopes.update
  • observability.views.create
  • observability.views.delete
  • observability.views.get
  • observability.views.list
  • observability.views.update

Observability Scopes Editor (Beta)
Role ID: roles/observability.scopesEditor
Description: Grants permission to view and edit Observability, Logging, Trace, and Monitoring scopes.
Permissions:
  • logging.logScopes.*, which covers:
      • logging.logScopes.create
      • logging.logScopes.delete
      • logging.logScopes.get
      • logging.logScopes.list
      • logging.logScopes.update
  • monitoring.metricsScopes.link
  • observability.scopes.*, which covers:
      • observability.scopes.get
      • observability.scopes.update
  • observability.traceScopes.*, which covers:
      • observability.traceScopes.create
      • observability.traceScopes.delete
      • observability.traceScopes.get
      • observability.traceScopes.list
      • observability.traceScopes.update

Observability Service Agent
Role ID: roles/observability.serviceAgent
Description: Grants the Observability service account the ability to list, create, and link datasets in the consumer project.
Permissions:
  • bigquery.datasets.create
  • bigquery.datasets.get
  • bigquery.datasets.link

Observability View Accessor (Beta)
Role ID: roles/observability.viewAccessor
Description: Read-only access to data defined by an Observability View.
Permissions:
  • observability.views.access

Observability Viewer (Beta)
Role ID: roles/observability.viewer
Description: Read-only access to Observability resources.
Permissions:
  • observability.analyticsViews.get
  • observability.analyticsViews.list
  • observability.buckets.get
  • observability.buckets.list
  • observability.datasets.get
  • observability.datasets.list
  • observability.links.get
  • observability.links.list
  • observability.operations.get
  • observability.operations.list
  • observability.scopes.get
  • observability.traceScopes.get
  • observability.traceScopes.list
  • observability.views.get
  • observability.views.list

Telemetry API roles

Consumer Admin (Beta)
Role ID: roles/telemetry.consumerAdmin
Description: Grants permission management access to consumer resources.
Permissions:
  • telemetry.consumers.getIamPolicy
  • telemetry.consumers.setIamPolicy

Cloud Telemetry Logs Writer (Beta)
Role ID: roles/telemetry.logsWriter
Description: Access to write logs.
Permissions:
  • telemetry.logs.write

Cloud Telemetry Metrics Writer
Role ID: roles/telemetry.metricsWriter
Description: Access to write metrics.
Permissions:
  • telemetry.metrics.write

Integrated Service Telemetry Logs Writer (Beta)
Role ID: roles/telemetry.serviceLogsWriter
Description: Allows an onboarded service to write log data to a destination.
Permissions:
  • telemetry.consumers.writeLogs

Integrated Service Telemetry Metrics Writer (Beta)
Role ID: roles/telemetry.serviceMetricsWriter
Description: Allows an onboarded service to write metrics data to a destination.
Permissions:
  • telemetry.consumers.writeMetrics

Integrated Service Telemetry Writer (Beta)
Role ID: roles/telemetry.serviceTelemetryWriter
Description: Allows an onboarded service to write all telemetry data to a destination.
Permissions:
  • telemetry.consumers.writeLogs
  • telemetry.consumers.writeMetrics
  • telemetry.consumers.writeTraces

Integrated Service Telemetry Traces Writer (Beta)
Role ID: roles/telemetry.serviceTracesWriter
Description: Allows an onboarded service to write trace data to a destination.
Permissions:
  • telemetry.consumers.writeTraces

Cloud Telemetry Traces Writer
Role ID: roles/telemetry.tracesWriter
Description: Access to write trace spans.
Permissions:
  • telemetry.traces.write

Cloud Telemetry Writer
Role ID: roles/telemetry.writer
Description: Full access to write all telemetry data.
Permissions:
  • telemetry.logs.write
  • telemetry.metrics.write
  • telemetry.traces.write
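As an added illustration (not code from this page or from Google Cloud), the following Python uses the Observability role entries transcribed from the table above to find the narrowest predefined role that covers a required set of permissions, and models the rule stated under IAM policy types: a deny policy removes a permission even when an allow policy grants a role that contains it. The helper names (`perms`, `role_permissions`, `least_privileged_roles`, `effective_permissions`) are chosen here, and the deny check is a simplified model that spells permissions the way this page does rather than in the format real deny policies use.

```python
from fnmatch import fnmatchcase

def perms(prefix, names):
    return [f"{prefix}.{n}" for n in names.split()]

# Every concrete observability.* permission the table on this page enumerates
# (the expansion shown under the Admin role); wildcard entries expand against it.
UNIVERSE = set(perms("observability", (
    "analyticsViews.create analyticsViews.delete analyticsViews.get "
    "analyticsViews.list analyticsViews.update buckets.create buckets.delete "
    "buckets.get buckets.list buckets.undelete buckets.update datasets.create "
    "datasets.delete datasets.get datasets.list datasets.undelete "
    "datasets.update links.create links.delete links.get links.list "
    "links.update operations.cancel operations.delete operations.get "
    "operations.list scopes.get scopes.update traceScopes.create "
    "traceScopes.delete traceScopes.get traceScopes.list traceScopes.update "
    "views.access views.create views.delete views.get views.list views.update")))

ROLES = {  # entries transcribed from the Observability role table on this page
    "roles/observability.admin": ["observability.*"],
    "roles/observability.editor": perms("observability", (
        "analyticsViews.* buckets.create buckets.get buckets.list buckets.update "
        "datasets.create datasets.get datasets.list datasets.update links.* "
        "operations.* scopes.* traceScopes.* views.create views.delete "
        "views.get views.list views.update")),
    "roles/observability.viewer": perms("observability", (
        "analyticsViews.get analyticsViews.list buckets.get buckets.list "
        "datasets.get datasets.list links.get links.list operations.get "
        "operations.list scopes.get traceScopes.get traceScopes.list "
        "views.get views.list")),
    "roles/observability.viewAccessor": ["observability.views.access"],
}

def role_permissions(role):
    """Expand one role: a wildcard entry matches every concrete permission in UNIVERSE."""
    return {p for spec in ROLES[role]
            for p in (UNIVERSE if "*" in spec else [spec]) if fnmatchcase(p, spec)}

def least_privileged_roles(required):
    """Predefined roles that cover every required permission, narrowest first."""
    need = set(required)
    fits = [(len(role_permissions(r) - need), r)
            for r in ROLES if need <= role_permissions(r)]
    return [r for _, r in sorted(fits)]

def effective_permissions(granted_roles, denied):
    """Deny wins over allow: a denied permission is removed even if a granted
    role contains it (simplified model of the rule stated on this page)."""
    allowed = set().union(*(role_permissions(r) for r in granted_roles))
    return allowed - set(denied)
```

For example, a principal who only needs observability.views.access is best served by Observability View Accessor, while a principal who also needs observability.buckets.undelete can only be served by Observability Admin, since neither Editor nor Viewer carries that permission.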


Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-11-24 UTC.