Es posible que parte o toda la información de esta página no se aplique a Trusted Cloud by S3NS. Para obtener más información, consulta las diferencias con Google Cloud.

Esta página se ha traducido con Cloud Translation API.

Controlar el acceso con la gestión de identidades y accesos

Para usar Monitoring, debes tener los permisos de Gestión de Identidades y Accesos (IAM) adecuados. Por lo general, cada método REST de una API tiene un permiso asociado. Para usar el método o una función de la consola que dependa de él, debes tener permiso para usar el método correspondiente. Los permisos no se conceden directamente a los usuarios, sino indirectamente a través de roles, que agrupan varios permisos para facilitar su gestión:

Para obtener información sobre el control de acceso, consulta Conceptos relacionados con la gestión de accesos.

Para obtener información sobre cómo conceder roles a principales, consulta el artículo Gestionar el acceso a proyectos, carpetas y organizaciones.

Los roles de las combinaciones de permisos habituales ya están predefinidos. Sin embargo, también puedes crear tus propias combinaciones de permisos creando roles personalizados de gestión de identidades y accesos.

Funciones predefinidas

En esta sección se muestra un subconjunto de los roles de gestión de identidades y accesos predefinidos por Cloud Monitoring.

Nombre Título	Incluye permisos
`roles/monitoring.viewer` Lector de Monitoring	Concede acceso de solo lectura a la API Cloud Monitoring.
`roles/monitoring.editor` Editor de Monitoring	Concede acceso de lectura y escritura a la API de Cloud Monitoring.
`roles/monitoring.admin` Administrador de Monitoring	Concede acceso completo a la API de Cloud Monitoring.

Las cuentas de servicio usan el siguiente rol para tener acceso de solo escritura:

Nombre Título	Descripción
`roles/monitoring.metricWriter` Editor de las métricas de monitorización	Este rol es para cuentas de servicio y agentes. No permite acceder a Monitoring en la Trusted Cloud consola.

Permisos de los roles predefinidos

En esta sección se enumeran los permisos asignados a los roles predefinidos asociados a Monitoring.

Para obtener más información sobre los roles predefinidos, consulta Gestión de identidades y accesos: roles y permisos. Para obtener ayuda a la hora de elegir los roles predefinidos más adecuados, consulta el artículo Elegir roles predefinidos.

Permisos de los roles de Monitoring

Role Permissions

Role	Permissions
Monitoring Admin (`roles/monitoring.admin`) Provides full access to Cloud Monitoring. Lowest-level resources where you can grant this role: Project	`cloudnotifications.activities.list` `monitoring.` `monitoring.alertPolicies.create` `monitoring.alertPolicies.createTagBinding` `monitoring.alertPolicies.delete` `monitoring.alertPolicies.deleteTagBinding` `monitoring.alertPolicies.get` `monitoring.alertPolicies.list` `monitoring.alertPolicies.listEffectiveTags` `monitoring.alertPolicies.listTagBindings` `monitoring.alertPolicies.update` `monitoring.alerts.get` `monitoring.alerts.list` `monitoring.dashboards.create` `monitoring.dashboards.createTagBinding` `monitoring.dashboards.delete` `monitoring.dashboards.deleteTagBinding` `monitoring.dashboards.get` `monitoring.dashboards.list` `monitoring.dashboards.listEffectiveTags` `monitoring.dashboards.listTagBindings` `monitoring.dashboards.update` `monitoring.groups.create` `monitoring.groups.delete` `monitoring.groups.get` `monitoring.groups.list` `monitoring.groups.update` `monitoring.metricDescriptors.create` `monitoring.metricDescriptors.delete` `monitoring.metricDescriptors.get` `monitoring.metricDescriptors.list` `monitoring.metricsScopes.link` `monitoring.monitoredResourceDescriptors.get` `monitoring.monitoredResourceDescriptors.list` `monitoring.notificationChannelDescriptors.get` `monitoring.notificationChannelDescriptors.list` `monitoring.notificationChannels.create` `monitoring.notificationChannels.delete` `monitoring.notificationChannels.get` `monitoring.notificationChannels.getVerificationCode` `monitoring.notificationChannels.list` `monitoring.notificationChannels.sendVerificationCode` `monitoring.notificationChannels.update` `monitoring.notificationChannels.verify` `monitoring.services.create` `monitoring.services.delete` `monitoring.services.get` `monitoring.services.list` `monitoring.services.update` `monitoring.slos.create` `monitoring.slos.delete` `monitoring.slos.get` `monitoring.slos.list` `monitoring.slos.update` `monitoring.snoozes.create` `monitoring.snoozes.get` `monitoring.snoozes.list` `monitoring.snoozes.update` `monitoring.timeSeries.create` `monitoring.timeSeries.list` `monitoring.uptimeCheckConfigs.create` `monitoring.uptimeCheckConfigs.delete` `monitoring.uptimeCheckConfigs.get` `monitoring.uptimeCheckConfigs.list` `monitoring.uptimeCheckConfigs.update` `opsconfigmonitoring.` `opsconfigmonitoring.resourceMetadata.list` `opsconfigmonitoring.resourceMetadata.write` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.services.enable` `serviceusage.services.get` `stackdriver.*` `stackdriver.projects.edit` `stackdriver.projects.get` `stackdriver.resourceMetadata.list` `stackdriver.resourceMetadata.write` `telemetry.metrics.write`
Monitoring AlertPolicy Editor (`roles/monitoring.alertPolicyEditor`) Read/write access to alerting policies.	`monitoring.alertPolicies.*` `monitoring.alertPolicies.create` `monitoring.alertPolicies.createTagBinding` `monitoring.alertPolicies.delete` `monitoring.alertPolicies.deleteTagBinding` `monitoring.alertPolicies.get` `monitoring.alertPolicies.list` `monitoring.alertPolicies.listEffectiveTags` `monitoring.alertPolicies.listTagBindings` `monitoring.alertPolicies.update`
Monitoring AlertPolicy Viewer (`roles/monitoring.alertPolicyViewer`) Read-only access to alerting policies.	`monitoring.alertPolicies.get` `monitoring.alertPolicies.list` `monitoring.alertPolicies.listEffectiveTags` `monitoring.alertPolicies.listTagBindings`
Monitoring Alert Viewer ^Beta (`roles/monitoring.alertViewer`) Read access to alerts.	`monitoring.alerts.*` `monitoring.alerts.get` `monitoring.alerts.list`
Monitoring Cloud Console Incident Editor ^Beta (`roles/monitoring.cloudConsoleIncidentEditor`) Read/write access to incidents from Cloud Console.	`monitoring.alerts.*` `monitoring.alerts.get` `monitoring.alerts.list`
Monitoring Cloud Console Incident Viewer ^Beta (`roles/monitoring.cloudConsoleIncidentViewer`) Read access to incidents from Cloud Console.	`monitoring.alerts.*` `monitoring.alerts.get` `monitoring.alerts.list`
Monitoring Dashboard Configuration Editor (`roles/monitoring.dashboardEditor`) Read/write access to dashboard configurations.	`monitoring.dashboards.*` `monitoring.dashboards.create` `monitoring.dashboards.createTagBinding` `monitoring.dashboards.delete` `monitoring.dashboards.deleteTagBinding` `monitoring.dashboards.get` `monitoring.dashboards.list` `monitoring.dashboards.listEffectiveTags` `monitoring.dashboards.listTagBindings` `monitoring.dashboards.update`
Monitoring Dashboard Configuration Viewer (`roles/monitoring.dashboardViewer`) Read-only access to dashboard configurations.	`monitoring.dashboards.get` `monitoring.dashboards.list` `monitoring.dashboards.listEffectiveTags` `monitoring.dashboards.listTagBindings`
Monitoring Editor (`roles/monitoring.editor`) Provides full access to information about all monitoring data and configurations. Lowest-level resources where you can grant this role: Project	`cloudnotifications.activities.list` `monitoring.alertPolicies.` `monitoring.alertPolicies.create` `monitoring.alertPolicies.createTagBinding` `monitoring.alertPolicies.delete` `monitoring.alertPolicies.deleteTagBinding` `monitoring.alertPolicies.get` `monitoring.alertPolicies.list` `monitoring.alertPolicies.listEffectiveTags` `monitoring.alertPolicies.listTagBindings` `monitoring.alertPolicies.update` `monitoring.alerts.` `monitoring.alerts.get` `monitoring.alerts.list` `monitoring.dashboards.` `monitoring.dashboards.create` `monitoring.dashboards.createTagBinding` `monitoring.dashboards.delete` `monitoring.dashboards.deleteTagBinding` `monitoring.dashboards.get` `monitoring.dashboards.list` `monitoring.dashboards.listEffectiveTags` `monitoring.dashboards.listTagBindings` `monitoring.dashboards.update` `monitoring.groups.` `monitoring.groups.create` `monitoring.groups.delete` `monitoring.groups.get` `monitoring.groups.list` `monitoring.groups.update` `monitoring.metricDescriptors.` `monitoring.metricDescriptors.create` `monitoring.metricDescriptors.delete` `monitoring.metricDescriptors.get` `monitoring.metricDescriptors.list` `monitoring.monitoredResourceDescriptors.` `monitoring.monitoredResourceDescriptors.get` `monitoring.monitoredResourceDescriptors.list` `monitoring.notificationChannelDescriptors.` `monitoring.notificationChannelDescriptors.get` `monitoring.notificationChannelDescriptors.list` `monitoring.notificationChannels.create` `monitoring.notificationChannels.delete` `monitoring.notificationChannels.get` `monitoring.notificationChannels.list` `monitoring.notificationChannels.sendVerificationCode` `monitoring.notificationChannels.update` `monitoring.notificationChannels.verify` `monitoring.services.` `monitoring.services.create` `monitoring.services.delete` `monitoring.services.get` `monitoring.services.list` `monitoring.services.update` `monitoring.slos.` `monitoring.slos.create` `monitoring.slos.delete` `monitoring.slos.get` `monitoring.slos.list` `monitoring.slos.update` `monitoring.snoozes.` `monitoring.snoozes.create` `monitoring.snoozes.get` `monitoring.snoozes.list` `monitoring.snoozes.update` `monitoring.timeSeries.` `monitoring.timeSeries.create` `monitoring.timeSeries.list` `monitoring.uptimeCheckConfigs.` `monitoring.uptimeCheckConfigs.create` `monitoring.uptimeCheckConfigs.delete` `monitoring.uptimeCheckConfigs.get` `monitoring.uptimeCheckConfigs.list` `monitoring.uptimeCheckConfigs.update` `opsconfigmonitoring.` `opsconfigmonitoring.resourceMetadata.list` `opsconfigmonitoring.resourceMetadata.write` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.services.enable` `serviceusage.services.get` `stackdriver.` `stackdriver.projects.edit` `stackdriver.projects.get` `stackdriver.resourceMetadata.list` `stackdriver.resourceMetadata.write` `telemetry.metrics.write`
Monitoring Metric Writer (`roles/monitoring.metricWriter`) Provides write-only access to metrics. This provides exactly the permissions needed by the Cloud Monitoring agent and other systems that send metrics. Lowest-level resources where you can grant this role: Project	`monitoring.metricDescriptors.create` `monitoring.metricDescriptors.get` `monitoring.metricDescriptors.list` `monitoring.monitoredResourceDescriptors.*` `monitoring.monitoredResourceDescriptors.get` `monitoring.monitoredResourceDescriptors.list` `monitoring.timeSeries.create` `telemetry.metrics.write`
Monitoring Metrics Scopes Admin ^Beta (`roles/monitoring.metricsScopesAdmin`) Access to add and remove monitored projects from metrics scopes.	`monitoring.metricsScopes.link` `resourcemanager.projects.get` `resourcemanager.projects.list`
Monitoring Metrics Scopes Viewer ^Beta (`roles/monitoring.metricsScopesViewer`) Read-only access to metrics scopes and their monitored projects.	`resourcemanager.projects.get` `resourcemanager.projects.list`
Monitoring NotificationChannel Editor ^Beta (`roles/monitoring.notificationChannelEditor`) Read/write access to notification channels.	`monitoring.notificationChannelDescriptors.*` `monitoring.notificationChannelDescriptors.get` `monitoring.notificationChannelDescriptors.list` `monitoring.notificationChannels.create` `monitoring.notificationChannels.delete` `monitoring.notificationChannels.get` `monitoring.notificationChannels.list` `monitoring.notificationChannels.sendVerificationCode` `monitoring.notificationChannels.update` `monitoring.notificationChannels.verify`
Monitoring NotificationChannel Viewer ^Beta (`roles/monitoring.notificationChannelViewer`) Read-only access to notification channels.	`monitoring.notificationChannelDescriptors.*` `monitoring.notificationChannelDescriptors.get` `monitoring.notificationChannelDescriptors.list` `monitoring.notificationChannels.get` `monitoring.notificationChannels.list`
Monitoring Service Agent (`roles/monitoring.notificationServiceAgent`) Grants permissions to deliver notifications directly to resources within the target project, such as delivering to Pub/Sub topics within the project. Warning: Do not grant service agent roles to any principals except service agents.	`bigquery.jobs.create` `cloudfunctions.functions.get` `cloudtrace.traces.patch` `logging.links.list` `monitoring.metricDescriptors.get` `monitoring.metricDescriptors.list` `monitoring.monitoredResourceDescriptors.*` `monitoring.monitoredResourceDescriptors.get` `monitoring.monitoredResourceDescriptors.list` `monitoring.timeSeries.list` `run.routes.invoke` `servicedirectory.networks.access` `servicedirectory.services.resolve` `serviceusage.services.use`
Monitoring Services Editor (`roles/monitoring.servicesEditor`) Read/write access to services.	`monitoring.services.` `monitoring.services.create` `monitoring.services.delete` `monitoring.services.get` `monitoring.services.list` `monitoring.services.update` `monitoring.slos.` `monitoring.slos.create` `monitoring.slos.delete` `monitoring.slos.get` `monitoring.slos.list` `monitoring.slos.update`
Monitoring Services Viewer (`roles/monitoring.servicesViewer`) Read-only access to services.	`monitoring.services.get` `monitoring.services.list` `monitoring.slos.get` `monitoring.slos.list`
Monitoring Snooze Editor (`roles/monitoring.snoozeEditor`)	`monitoring.snoozes.*` `monitoring.snoozes.create` `monitoring.snoozes.get` `monitoring.snoozes.list` `monitoring.snoozes.update`
Monitoring Snooze Viewer (`roles/monitoring.snoozeViewer`)	`monitoring.snoozes.get` `monitoring.snoozes.list`
Monitoring Uptime Check Configuration Editor ^Beta (`roles/monitoring.uptimeCheckConfigEditor`) Read/write access to uptime check configurations.	`monitoring.uptimeCheckConfigs.*` `monitoring.uptimeCheckConfigs.create` `monitoring.uptimeCheckConfigs.delete` `monitoring.uptimeCheckConfigs.get` `monitoring.uptimeCheckConfigs.list` `monitoring.uptimeCheckConfigs.update`
Monitoring Uptime Check Configuration Viewer ^Beta (`roles/monitoring.uptimeCheckConfigViewer`) Read-only access to uptime check configurations.	`monitoring.uptimeCheckConfigs.get` `monitoring.uptimeCheckConfigs.list`
Monitoring Viewer (`roles/monitoring.viewer`) Provides read-only access to get and list information about all monitoring data and configurations. Lowest-level resources where you can grant this role: Project	`cloudnotifications.activities.list` `monitoring.alertPolicies.get` `monitoring.alertPolicies.list` `monitoring.alertPolicies.listEffectiveTags` `monitoring.alertPolicies.listTagBindings` `monitoring.alerts.` `monitoring.alerts.get` `monitoring.alerts.list` `monitoring.dashboards.get` `monitoring.dashboards.list` `monitoring.dashboards.listEffectiveTags` `monitoring.dashboards.listTagBindings` `monitoring.groups.get` `monitoring.groups.list` `monitoring.metricDescriptors.get` `monitoring.metricDescriptors.list` `monitoring.monitoredResourceDescriptors.` `monitoring.monitoredResourceDescriptors.get` `monitoring.monitoredResourceDescriptors.list` `monitoring.notificationChannelDescriptors.*` `monitoring.notificationChannelDescriptors.get` `monitoring.notificationChannelDescriptors.list` `monitoring.notificationChannels.get` `monitoring.notificationChannels.list` `monitoring.services.get` `monitoring.services.list` `monitoring.slos.get` `monitoring.slos.list` `monitoring.snoozes.get` `monitoring.snoozes.list` `monitoring.timeSeries.list` `monitoring.uptimeCheckConfigs.get` `monitoring.uptimeCheckConfigs.list` `opsconfigmonitoring.resourceMetadata.list` `resourcemanager.projects.get` `resourcemanager.projects.list` `stackdriver.projects.get` `stackdriver.resourceMetadata.list`
Ops Config Monitoring Resource Metadata Viewer ^Beta (`roles/opsconfigmonitoring.resourceMetadata.viewer`) Read-only access to resource metadata.	`opsconfigmonitoring.resourceMetadata.list`
Ops Config Monitoring Resource Metadata Writer ^Beta (`roles/opsconfigmonitoring.resourceMetadata.writer`) Write-only access to resource metadata. This provides exactly the permissions needed by the Ops Config Monitoring metadata agent and other systems that send metadata.	`opsconfigmonitoring.resourceMetadata.write`
Stackdriver Accounts Editor (`roles/stackdriver.accounts.editor`) Read/write access to manage Stackdriver account structure.	`resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.services.enable` `serviceusage.services.get` `stackdriver.projects.*` `stackdriver.projects.edit` `stackdriver.projects.get`
Stackdriver Accounts Viewer (`roles/stackdriver.accounts.viewer`) Read-only access to get and list information about Stackdriver account structure.	`resourcemanager.projects.get` `resourcemanager.projects.list` `stackdriver.projects.get`
Stackdriver Resource Metadata Writer ^Beta (`roles/stackdriver.resourceMetadata.writer`) Write-only access to resource metadata. This provides exactly the permissions needed by the Stackdriver metadata agent and other systems that send metadata.	`stackdriver.resourceMetadata.write`

Monitoring Admin

(roles/monitoring.admin)

Provides full access to Cloud Monitoring.

Lowest-level resources where you can grant this role:

Project

cloudnotifications.activities.list

monitoring.*

monitoring.alertPolicies.create
monitoring.alertPolicies.createTagBinding
monitoring.alertPolicies.delete
monitoring.alertPolicies.deleteTagBinding
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.alertPolicies.listEffectiveTags
monitoring.alertPolicies.listTagBindings
monitoring.alertPolicies.update
monitoring.alerts.get
monitoring.alerts.list
monitoring.dashboards.create
monitoring.dashboards.createTagBinding
monitoring.dashboards.delete
monitoring.dashboards.deleteTagBinding
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.dashboards.listEffectiveTags
monitoring.dashboards.listTagBindings
monitoring.dashboards.update
monitoring.groups.create
monitoring.groups.delete
monitoring.groups.get
monitoring.groups.list
monitoring.groups.update
monitoring.metricDescriptors.create
monitoring.metricDescriptors.delete
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.metricsScopes.link
monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list
monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list
monitoring.notificationChannels.create
monitoring.notificationChannels.delete
monitoring.notificationChannels.get
monitoring.notificationChannels.getVerificationCode
monitoring.notificationChannels.list
monitoring.notificationChannels.sendVerificationCode
monitoring.notificationChannels.update
monitoring.notificationChannels.verify
monitoring.services.create
monitoring.services.delete
monitoring.services.get
monitoring.services.list
monitoring.services.update
monitoring.slos.create
monitoring.slos.delete
monitoring.slos.get
monitoring.slos.list
monitoring.slos.update
monitoring.snoozes.create
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.snoozes.update
monitoring.timeSeries.create
monitoring.timeSeries.list
monitoring.uptimeCheckConfigs.create
monitoring.uptimeCheckConfigs.delete
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
monitoring.uptimeCheckConfigs.update

opsconfigmonitoring.*

opsconfigmonitoring.resourceMetadata.list
opsconfigmonitoring.resourceMetadata.write

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.enable

serviceusage.services.get

stackdriver.*

stackdriver.projects.edit
stackdriver.projects.get
stackdriver.resourceMetadata.list
stackdriver.resourceMetadata.write

telemetry.metrics.write

Monitoring AlertPolicy Editor

(roles/monitoring.alertPolicyEditor)

Read/write access to alerting policies.

monitoring.alertPolicies.*

monitoring.alertPolicies.create
monitoring.alertPolicies.createTagBinding
monitoring.alertPolicies.delete
monitoring.alertPolicies.deleteTagBinding
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.alertPolicies.listEffectiveTags
monitoring.alertPolicies.listTagBindings
monitoring.alertPolicies.update

Monitoring AlertPolicy Viewer

(roles/monitoring.alertPolicyViewer)

Read-only access to alerting policies.

monitoring.alertPolicies.get

monitoring.alertPolicies.list

monitoring.alertPolicies.listEffectiveTags

monitoring.alertPolicies.listTagBindings

Monitoring Alert Viewer ^Beta

(roles/monitoring.alertViewer)

Read access to alerts.

monitoring.alerts.*

monitoring.alerts.get
monitoring.alerts.list

Monitoring Cloud Console Incident Editor ^Beta

(roles/monitoring.cloudConsoleIncidentEditor)

Read/write access to incidents from Cloud Console.

monitoring.alerts.*

monitoring.alerts.get
monitoring.alerts.list

Monitoring Cloud Console Incident Viewer ^Beta

(roles/monitoring.cloudConsoleIncidentViewer)

Read access to incidents from Cloud Console.

monitoring.alerts.*

monitoring.alerts.get
monitoring.alerts.list

Monitoring Dashboard Configuration Editor

(roles/monitoring.dashboardEditor)

Read/write access to dashboard configurations.

monitoring.dashboards.*

monitoring.dashboards.create
monitoring.dashboards.createTagBinding
monitoring.dashboards.delete
monitoring.dashboards.deleteTagBinding
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.dashboards.listEffectiveTags
monitoring.dashboards.listTagBindings
monitoring.dashboards.update

Monitoring Dashboard Configuration Viewer

(roles/monitoring.dashboardViewer)

Read-only access to dashboard configurations.

monitoring.dashboards.get

monitoring.dashboards.list

monitoring.dashboards.listEffectiveTags

monitoring.dashboards.listTagBindings

Monitoring Editor

(roles/monitoring.editor)

Provides full access to information about all monitoring data and configurations.

Lowest-level resources where you can grant this role:

Project

cloudnotifications.activities.list

monitoring.alertPolicies.*

monitoring.alertPolicies.create
monitoring.alertPolicies.createTagBinding
monitoring.alertPolicies.delete
monitoring.alertPolicies.deleteTagBinding
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.alertPolicies.listEffectiveTags
monitoring.alertPolicies.listTagBindings
monitoring.alertPolicies.update

monitoring.alerts.*

monitoring.alerts.get
monitoring.alerts.list

monitoring.dashboards.*

monitoring.dashboards.create
monitoring.dashboards.createTagBinding
monitoring.dashboards.delete
monitoring.dashboards.deleteTagBinding
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.dashboards.listEffectiveTags
monitoring.dashboards.listTagBindings
monitoring.dashboards.update

monitoring.groups.*

monitoring.groups.create
monitoring.groups.delete
monitoring.groups.get
monitoring.groups.list
monitoring.groups.update

monitoring.metricDescriptors.*

monitoring.metricDescriptors.create
monitoring.metricDescriptors.delete
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list

monitoring.notificationChannelDescriptors.*

monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.create

monitoring.notificationChannels.delete

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.notificationChannels.sendVerificationCode

monitoring.notificationChannels.update

monitoring.notificationChannels.verify

monitoring.services.*

monitoring.services.create
monitoring.services.delete
monitoring.services.get
monitoring.services.list
monitoring.services.update

monitoring.slos.*

monitoring.slos.create
monitoring.slos.delete
monitoring.slos.get
monitoring.slos.list
monitoring.slos.update

monitoring.snoozes.*

monitoring.snoozes.create
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.snoozes.update

monitoring.timeSeries.*

monitoring.timeSeries.create
monitoring.timeSeries.list

monitoring.uptimeCheckConfigs.*

monitoring.uptimeCheckConfigs.create
monitoring.uptimeCheckConfigs.delete
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
monitoring.uptimeCheckConfigs.update

opsconfigmonitoring.*

opsconfigmonitoring.resourceMetadata.list
opsconfigmonitoring.resourceMetadata.write

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.enable

serviceusage.services.get

stackdriver.*

stackdriver.projects.edit
stackdriver.projects.get
stackdriver.resourceMetadata.list
stackdriver.resourceMetadata.write

telemetry.metrics.write

Monitoring Metric Writer

(roles/monitoring.metricWriter)

Provides write-only access to metrics. This provides exactly the permissions needed by the Cloud Monitoring agent and other systems that send metrics.

Lowest-level resources where you can grant this role:

Project

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list

monitoring.timeSeries.create

telemetry.metrics.write

Monitoring Metrics Scopes Admin ^Beta

(roles/monitoring.metricsScopesAdmin)

Access to add and remove monitored projects from metrics scopes.

monitoring.metricsScopes.link

resourcemanager.projects.get

resourcemanager.projects.list

Monitoring Metrics Scopes Viewer ^Beta

(roles/monitoring.metricsScopesViewer)

Read-only access to metrics scopes and their monitored projects.

resourcemanager.projects.get

resourcemanager.projects.list

Monitoring NotificationChannel Editor ^Beta

(roles/monitoring.notificationChannelEditor)

Read/write access to notification channels.

monitoring.notificationChannelDescriptors.*

monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.create

monitoring.notificationChannels.delete

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.notificationChannels.sendVerificationCode

monitoring.notificationChannels.update

monitoring.notificationChannels.verify

Monitoring NotificationChannel Viewer ^Beta

(roles/monitoring.notificationChannelViewer)

Read-only access to notification channels.

monitoring.notificationChannelDescriptors.*

monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.get

monitoring.notificationChannels.list

Monitoring Service Agent

(roles/monitoring.notificationServiceAgent)

Grants permissions to deliver notifications directly to resources within the target project, such as delivering to Pub/Sub topics within the project.

bigquery.jobs.create

cloudfunctions.functions.get

cloudtrace.traces.patch

logging.links.list

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list

monitoring.timeSeries.list

run.routes.invoke

servicedirectory.networks.access

servicedirectory.services.resolve

serviceusage.services.use

Monitoring Services Editor

(roles/monitoring.servicesEditor)

Read/write access to services.

monitoring.services.*

monitoring.services.create
monitoring.services.delete
monitoring.services.get
monitoring.services.list
monitoring.services.update

monitoring.slos.*

monitoring.slos.create
monitoring.slos.delete
monitoring.slos.get
monitoring.slos.list
monitoring.slos.update

Monitoring Services Viewer

(roles/monitoring.servicesViewer)

Read-only access to services.

monitoring.services.get

monitoring.services.list

monitoring.slos.get

monitoring.slos.list

Monitoring Snooze Editor

(roles/monitoring.snoozeEditor)

monitoring.snoozes.*

monitoring.snoozes.create
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.snoozes.update

Monitoring Snooze Viewer

(roles/monitoring.snoozeViewer)

monitoring.snoozes.get

monitoring.snoozes.list

Monitoring Uptime Check Configuration Editor ^Beta

(roles/monitoring.uptimeCheckConfigEditor)

Read/write access to uptime check configurations.

monitoring.uptimeCheckConfigs.*

monitoring.uptimeCheckConfigs.create
monitoring.uptimeCheckConfigs.delete
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
monitoring.uptimeCheckConfigs.update

Monitoring Uptime Check Configuration Viewer ^Beta

(roles/monitoring.uptimeCheckConfigViewer)

Read-only access to uptime check configurations.

monitoring.uptimeCheckConfigs.get

monitoring.uptimeCheckConfigs.list

Monitoring Viewer

(roles/monitoring.viewer)

Provides read-only access to get and list information about all monitoring data and configurations.

Lowest-level resources where you can grant this role:

Project

cloudnotifications.activities.list

monitoring.alertPolicies.get

monitoring.alertPolicies.list

monitoring.alertPolicies.listEffectiveTags

monitoring.alertPolicies.listTagBindings

monitoring.alerts.*

monitoring.alerts.get
monitoring.alerts.list

monitoring.dashboards.get

monitoring.dashboards.list

monitoring.dashboards.listEffectiveTags

monitoring.dashboards.listTagBindings

monitoring.groups.get

monitoring.groups.list

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list

monitoring.notificationChannelDescriptors.*

monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.services.get

monitoring.services.list

monitoring.slos.get

monitoring.slos.list

monitoring.snoozes.get

monitoring.snoozes.list

monitoring.timeSeries.list

monitoring.uptimeCheckConfigs.get

monitoring.uptimeCheckConfigs.list

opsconfigmonitoring.resourceMetadata.list

resourcemanager.projects.get

resourcemanager.projects.list

stackdriver.projects.get

stackdriver.resourceMetadata.list

Ops Config Monitoring Resource Metadata Viewer ^Beta

(roles/opsconfigmonitoring.resourceMetadata.viewer)

Read-only access to resource metadata.

opsconfigmonitoring.resourceMetadata.list

Ops Config Monitoring Resource Metadata Writer ^Beta

(roles/opsconfigmonitoring.resourceMetadata.writer)

Write-only access to resource metadata. This provides exactly the permissions needed by the Ops Config Monitoring metadata agent and other systems that send metadata.

opsconfigmonitoring.resourceMetadata.write

Stackdriver Accounts Editor

(roles/stackdriver.accounts.editor)

Read/write access to manage Stackdriver account structure.

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.enable

serviceusage.services.get

stackdriver.projects.*

stackdriver.projects.edit
stackdriver.projects.get

Stackdriver Accounts Viewer

(roles/stackdriver.accounts.viewer)

Read-only access to get and list information about Stackdriver account structure.

resourcemanager.projects.get

resourcemanager.projects.list

stackdriver.projects.get

Stackdriver Resource Metadata Writer ^Beta

(roles/stackdriver.resourceMetadata.writer)

Write-only access to resource metadata. This provides exactly the permissions needed by the Stackdriver metadata agent and other systems that send metadata.

stackdriver.resourceMetadata.write

Permisos de monitorización incluidos en los roles básicos Trusted Cloud by S3NS

Los Trusted Cloud roles básicos incluyen los siguientes permisos:

Nombre Título	Incluye permisos
`roles/viewer` Espectador	Los permisos de monitorización son los mismos que los de `roles/monitoring.viewer`.
`roles/editor` Editor	Los permisos de monitorización son los mismos que los de `roles/monitoring.editor`, con la excepción del permiso `stackdriver.projects.edit`. El rol `roles/editor` no incluye el permiso `stackdriver.projects.edit`.
`roles/owner` Propietario	Los permisos de monitorización son los mismos que los de `roles/monitoring.admin`.

Ámbitos de acceso de Compute Engine

Los permisos de acceso son el método antiguo de especificar los permisos de tus instancias de VM de Compute Engine. Los siguientes ámbitos de acceso se aplican a la monitorización:

Permiso de acceso	Permisos concedidos
https://www.googleapis.com/auth/monitoring.read	Los mismos permisos que en `roles/monitoring.viewer`.
https://www.googleapis.com/auth/monitoring.write	Los mismos permisos que en `roles/monitoring.metricWriter`.
https://www.googleapis.com/auth/monitoring	Acceso completo a la monitorización.
https://www.googleapis.com/auth/cloud-platform	Acceso completo a todas las APIs de Cloud habilitadas.

Consulta más información en el artículo Permisos de acceso.

Práctica recomendada: Te recomendamos que asignes a tus instancias de VM el permiso de acceso más potente (cloud-platform) y, a continuación, uses roles de gestión de identidades y accesos para restringir el acceso a APIs y operaciones específicas. Consulta más información en el artículo Permisos de cuentas de servicio.

Controlar el acceso con la gestión de identidades y accesos

Funciones predefinidas

Permisos de los roles predefinidos

Permisos de los roles de Monitoring

Monitoring Admin

Monitoring AlertPolicy Editor

Monitoring AlertPolicy Viewer

Monitoring Alert Viewer Beta

Monitoring Cloud Console Incident Editor Beta

Monitoring Cloud Console Incident Viewer Beta

Monitoring Dashboard Configuration Editor

Monitoring Dashboard Configuration Viewer

Monitoring Editor

Monitoring Metric Writer

Monitoring Metrics Scopes Admin Beta

Monitoring Metrics Scopes Viewer Beta

Monitoring NotificationChannel Editor Beta

Monitoring NotificationChannel Viewer Beta

Monitoring Service Agent

Monitoring Services Editor

Monitoring Services Viewer

Monitoring Snooze Editor

Monitoring Snooze Viewer

Monitoring Uptime Check Configuration Editor Beta

Monitoring Uptime Check Configuration Viewer Beta

Monitoring Viewer

Ops Config Monitoring Resource Metadata Viewer Beta

Ops Config Monitoring Resource Metadata Writer Beta

Stackdriver Accounts Editor

Stackdriver Accounts Viewer

Stackdriver Resource Metadata Writer Beta

Permisos de monitorización incluidos en los roles básicos Trusted Cloud by S3NS

Ámbitos de acceso de Compute Engine

Monitoring Alert Viewer ^Beta

Monitoring Cloud Console Incident Editor ^Beta

Monitoring Cloud Console Incident Viewer ^Beta

Monitoring Metrics Scopes Admin ^Beta

Monitoring Metrics Scopes Viewer ^Beta

Monitoring NotificationChannel Editor ^Beta

Monitoring NotificationChannel Viewer ^Beta

Monitoring Uptime Check Configuration Editor ^Beta

Monitoring Uptime Check Configuration Viewer ^Beta

Ops Config Monitoring Resource Metadata Viewer ^Beta

Ops Config Monitoring Resource Metadata Writer ^Beta

Stackdriver Resource Metadata Writer ^Beta