Einige oder alle Informationen auf dieser Seite gelten möglicherweise nicht für Cloud de Confiance von S3NS. Weitere Informationen finden Sie unter Unterschiede zu Google Cloud.

Diese Seite wurde von der Cloud Translation API übersetzt.

Zugriff mit IAM steuern

Für die Verwendung von Monitoring benötigen Sie die entsprechenden IAM-Berechtigungen (Identity and Access Management). Im Allgemeinen ist jeder REST-Methode in einer API eine Berechtigung zugeordnet. Wenn Sie die Methode oder eine Konsolenfunktion verwenden möchten, die auf der Methode basiert, benötigen Sie die Berechtigung zur Verwendung der entsprechenden Methode. Berechtigungen werden Nutzern nicht direkt gewährt, sondern indirekt über Rollen. In Rollen sind mehrere Berechtigungen zusammengefasst, was die Verwaltung vereinfacht:

Informationen zur Zugriffssteuerung finden Sie unter Konzepte der Zugriffsverwaltung.

Informationen zum Zuweisen von Rollen für Hauptkonten finden Sie unter Zugriff auf Projekte, Ordner und Organisationen verwalten.

Rollen für häufig verwendete Kombinationen von Berechtigungen sind für Sie vordefiniert. Sie können jedoch auch eigene Kombinationen von Berechtigungen erstellen. Dazu erstellen Sie benutzerdefinierte IAM-Rollen.

Vordefinierte Rollen

In diesem Abschnitt wird eine Teilmenge der IAM-Rollen aufgeführt, die von Cloud Monitoring vordefiniert sind.

Name Titel	Berechtigungen
`roles/monitoring.viewer` Monitoring-Betrachter	Gewährt Lesezugriff auf die Cloud Monitoring API.
`roles/monitoring.editor` Monitoring-Bearbeiter	Gewährt Lese-/Schreibzugriff auf die Cloud Monitoring API.
`roles/monitoring.admin` Monitoring-Administrator	Gewährt vollen Zugriff auf die Cloud Monitoring API.

Die folgende Rolle wird von Dienstkonten für den Schreibzugriff verwendet:

Name Titel	Beschreibung
`roles/monitoring.metricWriter` Monitoring-Messwert-Autor	Diese Rolle ist für Dienstkonten und Agents vorgesehen. Gewährt keinen Zugriff auf Monitoring in der Cloud de Confiance Console.

Berechtigungen für vordefinierte Rollen

In diesem Abschnitt werden die Berechtigungen aufgeführt, die vordefinierten Rollen zugewiesen sind, die mit Monitoring verknüpft sind.

Weitere Informationen zu vordefinierten Rollen finden Sie unter IAM: Rollen und Berechtigungen. Hilfe bei der Auswahl der am besten geeigneten vordefinierten Rollen finden Sie unter Vordefinierte Rollen auswählen.

Berechtigungen für Monitoring-Rollen

Role Permissions

Role	Permissions
Monitoring Admin (`roles/monitoring.admin`) Provides full access to Cloud Monitoring. Lowest-level resources where you can grant this role: Project	`cloudnotifications.activities.list` `monitoring.` `monitoring.alertPolicies.create` `monitoring.alertPolicies.createTagBinding` `monitoring.alertPolicies.delete` `monitoring.alertPolicies.deleteTagBinding` `monitoring.alertPolicies.get` `monitoring.alertPolicies.list` `monitoring.alertPolicies.listEffectiveTags` `monitoring.alertPolicies.listTagBindings` `monitoring.alertPolicies.update` `monitoring.alerts.get` `monitoring.alerts.list` `monitoring.dashboards.create` `monitoring.dashboards.createTagBinding` `monitoring.dashboards.delete` `monitoring.dashboards.deleteTagBinding` `monitoring.dashboards.get` `monitoring.dashboards.list` `monitoring.dashboards.listEffectiveTags` `monitoring.dashboards.listTagBindings` `monitoring.dashboards.update` `monitoring.groups.create` `monitoring.groups.delete` `monitoring.groups.get` `monitoring.groups.list` `monitoring.groups.update` `monitoring.metricDescriptors.create` `monitoring.metricDescriptors.delete` `monitoring.metricDescriptors.get` `monitoring.metricDescriptors.list` `monitoring.metricsScopes.link` `monitoring.monitoredResourceDescriptors.get` `monitoring.monitoredResourceDescriptors.list` `monitoring.notificationChannelDescriptors.get` `monitoring.notificationChannelDescriptors.list` `monitoring.notificationChannels.create` `monitoring.notificationChannels.delete` `monitoring.notificationChannels.get` `monitoring.notificationChannels.getVerificationCode` `monitoring.notificationChannels.list` `monitoring.notificationChannels.sendVerificationCode` `monitoring.notificationChannels.update` `monitoring.notificationChannels.verify` `monitoring.services.create` `monitoring.services.delete` `monitoring.services.get` `monitoring.services.list` `monitoring.services.update` `monitoring.slos.create` `monitoring.slos.delete` `monitoring.slos.get` `monitoring.slos.list` `monitoring.slos.update` `monitoring.snoozes.create` `monitoring.snoozes.get` `monitoring.snoozes.list` `monitoring.snoozes.update` `monitoring.timeSeries.create` `monitoring.timeSeries.list` `monitoring.uptimeCheckConfigs.create` `monitoring.uptimeCheckConfigs.delete` `monitoring.uptimeCheckConfigs.get` `monitoring.uptimeCheckConfigs.list` `monitoring.uptimeCheckConfigs.update` `opsconfigmonitoring.` `opsconfigmonitoring.resourceMetadata.list` `opsconfigmonitoring.resourceMetadata.write` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.consumerpolicy.` `serviceusage.consumerpolicy.analyze` `serviceusage.consumerpolicy.get` `serviceusage.consumerpolicy.update` `serviceusage.effectivepolicy.get` `serviceusage.groups.` `serviceusage.groups.list` `serviceusage.groups.listExpandedMembers` `serviceusage.groups.listMembers` `serviceusage.services.enable` `serviceusage.services.get` `serviceusage.values.test` `stackdriver.*` `stackdriver.projects.edit` `stackdriver.projects.get` `stackdriver.resourceMetadata.list` `stackdriver.resourceMetadata.write` `telemetry.metrics.write`
Monitoring AlertPolicy Editor (`roles/monitoring.alertPolicyEditor`) Read/write access to alerting policies.	`monitoring.alertPolicies.*` `monitoring.alertPolicies.create` `monitoring.alertPolicies.createTagBinding` `monitoring.alertPolicies.delete` `monitoring.alertPolicies.deleteTagBinding` `monitoring.alertPolicies.get` `monitoring.alertPolicies.list` `monitoring.alertPolicies.listEffectiveTags` `monitoring.alertPolicies.listTagBindings` `monitoring.alertPolicies.update`
Monitoring AlertPolicy Viewer (`roles/monitoring.alertPolicyViewer`) Read-only access to alerting policies.	`monitoring.alertPolicies.get` `monitoring.alertPolicies.list` `monitoring.alertPolicies.listEffectiveTags` `monitoring.alertPolicies.listTagBindings`
Monitoring Alert Viewer ^Beta (`roles/monitoring.alertViewer`) Read access to alerts.	`monitoring.alerts.*` `monitoring.alerts.get` `monitoring.alerts.list`
Monitoring Cloud Console Incident Editor ^Beta (`roles/monitoring.cloudConsoleIncidentEditor`) Read/write access to incidents from Cloud Console.	`monitoring.alerts.*` `monitoring.alerts.get` `monitoring.alerts.list`
Monitoring Cloud Console Incident Viewer ^Beta (`roles/monitoring.cloudConsoleIncidentViewer`) Read access to incidents from Cloud Console.	`monitoring.alerts.*` `monitoring.alerts.get` `monitoring.alerts.list`
Monitoring Dashboard Configuration Editor (`roles/monitoring.dashboardEditor`) Read/write access to dashboard configurations.	`monitoring.dashboards.*` `monitoring.dashboards.create` `monitoring.dashboards.createTagBinding` `monitoring.dashboards.delete` `monitoring.dashboards.deleteTagBinding` `monitoring.dashboards.get` `monitoring.dashboards.list` `monitoring.dashboards.listEffectiveTags` `monitoring.dashboards.listTagBindings` `monitoring.dashboards.update`
Monitoring Dashboard Configuration Viewer (`roles/monitoring.dashboardViewer`) Read-only access to dashboard configurations.	`monitoring.dashboards.get` `monitoring.dashboards.list` `monitoring.dashboards.listEffectiveTags` `monitoring.dashboards.listTagBindings`
Monitoring Editor (`roles/monitoring.editor`) Provides full access to information about all monitoring data and configurations. Lowest-level resources where you can grant this role: Project	`cloudnotifications.activities.list` `monitoring.alertPolicies.` `monitoring.alertPolicies.create` `monitoring.alertPolicies.createTagBinding` `monitoring.alertPolicies.delete` `monitoring.alertPolicies.deleteTagBinding` `monitoring.alertPolicies.get` `monitoring.alertPolicies.list` `monitoring.alertPolicies.listEffectiveTags` `monitoring.alertPolicies.listTagBindings` `monitoring.alertPolicies.update` `monitoring.alerts.` `monitoring.alerts.get` `monitoring.alerts.list` `monitoring.dashboards.` `monitoring.dashboards.create` `monitoring.dashboards.createTagBinding` `monitoring.dashboards.delete` `monitoring.dashboards.deleteTagBinding` `monitoring.dashboards.get` `monitoring.dashboards.list` `monitoring.dashboards.listEffectiveTags` `monitoring.dashboards.listTagBindings` `monitoring.dashboards.update` `monitoring.groups.` `monitoring.groups.create` `monitoring.groups.delete` `monitoring.groups.get` `monitoring.groups.list` `monitoring.groups.update` `monitoring.metricDescriptors.` `monitoring.metricDescriptors.create` `monitoring.metricDescriptors.delete` `monitoring.metricDescriptors.get` `monitoring.metricDescriptors.list` `monitoring.monitoredResourceDescriptors.` `monitoring.monitoredResourceDescriptors.get` `monitoring.monitoredResourceDescriptors.list` `monitoring.notificationChannelDescriptors.` `monitoring.notificationChannelDescriptors.get` `monitoring.notificationChannelDescriptors.list` `monitoring.notificationChannels.create` `monitoring.notificationChannels.delete` `monitoring.notificationChannels.get` `monitoring.notificationChannels.list` `monitoring.notificationChannels.sendVerificationCode` `monitoring.notificationChannels.update` `monitoring.notificationChannels.verify` `monitoring.services.` `monitoring.services.create` `monitoring.services.delete` `monitoring.services.get` `monitoring.services.list` `monitoring.services.update` `monitoring.slos.` `monitoring.slos.create` `monitoring.slos.delete` `monitoring.slos.get` `monitoring.slos.list` `monitoring.slos.update` `monitoring.snoozes.` `monitoring.snoozes.create` `monitoring.snoozes.get` `monitoring.snoozes.list` `monitoring.snoozes.update` `monitoring.timeSeries.` `monitoring.timeSeries.create` `monitoring.timeSeries.list` `monitoring.uptimeCheckConfigs.` `monitoring.uptimeCheckConfigs.create` `monitoring.uptimeCheckConfigs.delete` `monitoring.uptimeCheckConfigs.get` `monitoring.uptimeCheckConfigs.list` `monitoring.uptimeCheckConfigs.update` `opsconfigmonitoring.` `opsconfigmonitoring.resourceMetadata.list` `opsconfigmonitoring.resourceMetadata.write` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.consumerpolicy.` `serviceusage.consumerpolicy.analyze` `serviceusage.consumerpolicy.get` `serviceusage.consumerpolicy.update` `serviceusage.effectivepolicy.get` `serviceusage.groups.` `serviceusage.groups.list` `serviceusage.groups.listExpandedMembers` `serviceusage.groups.listMembers` `serviceusage.services.enable` `serviceusage.services.get` `serviceusage.values.test` `stackdriver.` `stackdriver.projects.edit` `stackdriver.projects.get` `stackdriver.resourceMetadata.list` `stackdriver.resourceMetadata.write` `telemetry.metrics.write`
Monitoring Metric Writer (`roles/monitoring.metricWriter`) Provides write-only access to metrics. This provides exactly the permissions needed by the Cloud Monitoring agent and other systems that send metrics. Lowest-level resources where you can grant this role: Project	`monitoring.metricDescriptors.create` `monitoring.metricDescriptors.get` `monitoring.metricDescriptors.list` `monitoring.monitoredResourceDescriptors.*` `monitoring.monitoredResourceDescriptors.get` `monitoring.monitoredResourceDescriptors.list` `monitoring.timeSeries.create` `telemetry.metrics.write`
Monitoring Metrics Scopes Admin ^Beta (`roles/monitoring.metricsScopesAdmin`) Access to add and remove monitored projects from metrics scopes.	`monitoring.metricsScopes.link` `resourcemanager.projects.get` `resourcemanager.projects.list`
Monitoring Metrics Scopes Viewer ^Beta (`roles/monitoring.metricsScopesViewer`) Read-only access to metrics scopes and their monitored projects.	`resourcemanager.projects.get` `resourcemanager.projects.list`
Monitoring NotificationChannel Editor ^Beta (`roles/monitoring.notificationChannelEditor`) Read/write access to notification channels.	`monitoring.notificationChannelDescriptors.*` `monitoring.notificationChannelDescriptors.get` `monitoring.notificationChannelDescriptors.list` `monitoring.notificationChannels.create` `monitoring.notificationChannels.delete` `monitoring.notificationChannels.get` `monitoring.notificationChannels.list` `monitoring.notificationChannels.sendVerificationCode` `monitoring.notificationChannels.update` `monitoring.notificationChannels.verify`
Monitoring NotificationChannel Viewer ^Beta (`roles/monitoring.notificationChannelViewer`) Read-only access to notification channels.	`monitoring.notificationChannelDescriptors.*` `monitoring.notificationChannelDescriptors.get` `monitoring.notificationChannelDescriptors.list` `monitoring.notificationChannels.get` `monitoring.notificationChannels.list`
Monitoring Service Agent (`roles/monitoring.notificationServiceAgent`) Grants permissions to deliver notifications directly to resources within the target project, such as delivering to Pub/Sub topics within the project. Warning: Do not grant service agent roles to any principals except service agents.	`bigquery.jobs.create` `cloudfunctions.functions.get` `cloudtrace.traces.patch` `logging.links.list` `monitoring.metricDescriptors.get` `monitoring.metricDescriptors.list` `monitoring.monitoredResourceDescriptors.*` `monitoring.monitoredResourceDescriptors.get` `monitoring.monitoredResourceDescriptors.list` `monitoring.timeSeries.list` `run.routes.invoke` `servicedirectory.networks.access` `servicedirectory.services.resolve` `serviceusage.services.use`
Monitoring Services Editor (`roles/monitoring.servicesEditor`) Read/write access to services.	`monitoring.services.` `monitoring.services.create` `monitoring.services.delete` `monitoring.services.get` `monitoring.services.list` `monitoring.services.update` `monitoring.slos.` `monitoring.slos.create` `monitoring.slos.delete` `monitoring.slos.get` `monitoring.slos.list` `monitoring.slos.update`
Monitoring Services Viewer (`roles/monitoring.servicesViewer`) Read-only access to services.	`monitoring.services.get` `monitoring.services.list` `monitoring.slos.get` `monitoring.slos.list`
Monitoring Snooze Editor (`roles/monitoring.snoozeEditor`)	`monitoring.snoozes.*` `monitoring.snoozes.create` `monitoring.snoozes.get` `monitoring.snoozes.list` `monitoring.snoozes.update`
Monitoring Snooze Viewer (`roles/monitoring.snoozeViewer`)	`monitoring.snoozes.get` `monitoring.snoozes.list`
Monitoring Uptime Check Configuration Editor ^Beta (`roles/monitoring.uptimeCheckConfigEditor`) Read/write access to uptime check configurations.	`monitoring.uptimeCheckConfigs.*` `monitoring.uptimeCheckConfigs.create` `monitoring.uptimeCheckConfigs.delete` `monitoring.uptimeCheckConfigs.get` `monitoring.uptimeCheckConfigs.list` `monitoring.uptimeCheckConfigs.update`
Monitoring Uptime Check Configuration Viewer ^Beta (`roles/monitoring.uptimeCheckConfigViewer`) Read-only access to uptime check configurations.	`monitoring.uptimeCheckConfigs.get` `monitoring.uptimeCheckConfigs.list`
Monitoring Viewer (`roles/monitoring.viewer`) Provides read-only access to get and list information about all monitoring data and configurations. Lowest-level resources where you can grant this role: Project	`cloudnotifications.activities.list` `monitoring.alertPolicies.get` `monitoring.alertPolicies.list` `monitoring.alertPolicies.listEffectiveTags` `monitoring.alertPolicies.listTagBindings` `monitoring.alerts.` `monitoring.alerts.get` `monitoring.alerts.list` `monitoring.dashboards.get` `monitoring.dashboards.list` `monitoring.dashboards.listEffectiveTags` `monitoring.dashboards.listTagBindings` `monitoring.groups.get` `monitoring.groups.list` `monitoring.metricDescriptors.get` `monitoring.metricDescriptors.list` `monitoring.monitoredResourceDescriptors.` `monitoring.monitoredResourceDescriptors.get` `monitoring.monitoredResourceDescriptors.list` `monitoring.notificationChannelDescriptors.*` `monitoring.notificationChannelDescriptors.get` `monitoring.notificationChannelDescriptors.list` `monitoring.notificationChannels.get` `monitoring.notificationChannels.list` `monitoring.services.get` `monitoring.services.list` `monitoring.slos.get` `monitoring.slos.list` `monitoring.snoozes.get` `monitoring.snoozes.list` `monitoring.timeSeries.list` `monitoring.uptimeCheckConfigs.get` `monitoring.uptimeCheckConfigs.list` `opsconfigmonitoring.resourceMetadata.list` `resourcemanager.projects.get` `resourcemanager.projects.list` `stackdriver.projects.get` `stackdriver.resourceMetadata.list`
Ops Config Monitoring Resource Metadata Viewer ^Beta (`roles/opsconfigmonitoring.resourceMetadata.viewer`) Read-only access to resource metadata.	`opsconfigmonitoring.resourceMetadata.list`
Ops Config Monitoring Resource Metadata Writer ^Beta (`roles/opsconfigmonitoring.resourceMetadata.writer`) Write-only access to resource metadata. This provides exactly the permissions needed by the Ops Config Monitoring metadata agent and other systems that send metadata.	`opsconfigmonitoring.resourceMetadata.write`
Stackdriver Accounts Editor (`roles/stackdriver.accounts.editor`) Read/write access to manage Stackdriver account structure.	`resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.consumerpolicy.` `serviceusage.consumerpolicy.analyze` `serviceusage.consumerpolicy.get` `serviceusage.consumerpolicy.update` `serviceusage.effectivepolicy.get` `serviceusage.groups.` `serviceusage.groups.list` `serviceusage.groups.listExpandedMembers` `serviceusage.groups.listMembers` `serviceusage.services.enable` `serviceusage.services.get` `serviceusage.values.test` `stackdriver.projects.*` `stackdriver.projects.edit` `stackdriver.projects.get`
Stackdriver Accounts Viewer (`roles/stackdriver.accounts.viewer`) Read-only access to get and list information about Stackdriver account structure.	`resourcemanager.projects.get` `resourcemanager.projects.list` `stackdriver.projects.get`
Stackdriver Resource Metadata Writer ^Beta (`roles/stackdriver.resourceMetadata.writer`) Write-only access to resource metadata. This provides exactly the permissions needed by the Stackdriver metadata agent and other systems that send metadata.	`stackdriver.resourceMetadata.write`

Monitoring Admin

(roles/monitoring.admin)

Provides full access to Cloud Monitoring.

Lowest-level resources where you can grant this role:

Project

cloudnotifications.activities.list

monitoring.*

monitoring.alertPolicies.create
monitoring.alertPolicies.createTagBinding
monitoring.alertPolicies.delete
monitoring.alertPolicies.deleteTagBinding
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.alertPolicies.listEffectiveTags
monitoring.alertPolicies.listTagBindings
monitoring.alertPolicies.update
monitoring.alerts.get
monitoring.alerts.list
monitoring.dashboards.create
monitoring.dashboards.createTagBinding
monitoring.dashboards.delete
monitoring.dashboards.deleteTagBinding
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.dashboards.listEffectiveTags
monitoring.dashboards.listTagBindings
monitoring.dashboards.update
monitoring.groups.create
monitoring.groups.delete
monitoring.groups.get
monitoring.groups.list
monitoring.groups.update
monitoring.metricDescriptors.create
monitoring.metricDescriptors.delete
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.metricsScopes.link
monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list
monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list
monitoring.notificationChannels.create
monitoring.notificationChannels.delete
monitoring.notificationChannels.get
monitoring.notificationChannels.getVerificationCode
monitoring.notificationChannels.list
monitoring.notificationChannels.sendVerificationCode
monitoring.notificationChannels.update
monitoring.notificationChannels.verify
monitoring.services.create
monitoring.services.delete
monitoring.services.get
monitoring.services.list
monitoring.services.update
monitoring.slos.create
monitoring.slos.delete
monitoring.slos.get
monitoring.slos.list
monitoring.slos.update
monitoring.snoozes.create
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.snoozes.update
monitoring.timeSeries.create
monitoring.timeSeries.list
monitoring.uptimeCheckConfigs.create
monitoring.uptimeCheckConfigs.delete
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
monitoring.uptimeCheckConfigs.update

opsconfigmonitoring.*

opsconfigmonitoring.resourceMetadata.list
opsconfigmonitoring.resourceMetadata.write

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.consumerpolicy.*

serviceusage.consumerpolicy.analyze
serviceusage.consumerpolicy.get
serviceusage.consumerpolicy.update

serviceusage.effectivepolicy.get

serviceusage.groups.*

serviceusage.groups.list
serviceusage.groups.listExpandedMembers
serviceusage.groups.listMembers

serviceusage.services.enable

serviceusage.services.get

serviceusage.values.test

stackdriver.*

stackdriver.projects.edit
stackdriver.projects.get
stackdriver.resourceMetadata.list
stackdriver.resourceMetadata.write

telemetry.metrics.write

Monitoring AlertPolicy Editor

(roles/monitoring.alertPolicyEditor)

Read/write access to alerting policies.

monitoring.alertPolicies.*

monitoring.alertPolicies.create
monitoring.alertPolicies.createTagBinding
monitoring.alertPolicies.delete
monitoring.alertPolicies.deleteTagBinding
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.alertPolicies.listEffectiveTags
monitoring.alertPolicies.listTagBindings
monitoring.alertPolicies.update

Monitoring AlertPolicy Viewer

(roles/monitoring.alertPolicyViewer)

Read-only access to alerting policies.

monitoring.alertPolicies.get

monitoring.alertPolicies.list

monitoring.alertPolicies.listEffectiveTags

monitoring.alertPolicies.listTagBindings

Monitoring Alert Viewer ^Beta

(roles/monitoring.alertViewer)

Read access to alerts.

monitoring.alerts.*

monitoring.alerts.get
monitoring.alerts.list

Monitoring Cloud Console Incident Editor ^Beta

(roles/monitoring.cloudConsoleIncidentEditor)

Read/write access to incidents from Cloud Console.

monitoring.alerts.*

monitoring.alerts.get
monitoring.alerts.list

Monitoring Cloud Console Incident Viewer ^Beta

(roles/monitoring.cloudConsoleIncidentViewer)

Read access to incidents from Cloud Console.

monitoring.alerts.*

monitoring.alerts.get
monitoring.alerts.list

Monitoring Dashboard Configuration Editor

(roles/monitoring.dashboardEditor)

Read/write access to dashboard configurations.

monitoring.dashboards.*

monitoring.dashboards.create
monitoring.dashboards.createTagBinding
monitoring.dashboards.delete
monitoring.dashboards.deleteTagBinding
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.dashboards.listEffectiveTags
monitoring.dashboards.listTagBindings
monitoring.dashboards.update

Monitoring Dashboard Configuration Viewer

(roles/monitoring.dashboardViewer)

Read-only access to dashboard configurations.

monitoring.dashboards.get

monitoring.dashboards.list

monitoring.dashboards.listEffectiveTags

monitoring.dashboards.listTagBindings

Monitoring Editor

(roles/monitoring.editor)

Provides full access to information about all monitoring data and configurations.

Lowest-level resources where you can grant this role:

Project

cloudnotifications.activities.list

monitoring.alertPolicies.*

monitoring.alertPolicies.create
monitoring.alertPolicies.createTagBinding
monitoring.alertPolicies.delete
monitoring.alertPolicies.deleteTagBinding
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.alertPolicies.listEffectiveTags
monitoring.alertPolicies.listTagBindings
monitoring.alertPolicies.update

monitoring.alerts.*

monitoring.alerts.get
monitoring.alerts.list

monitoring.dashboards.*

monitoring.dashboards.create
monitoring.dashboards.createTagBinding
monitoring.dashboards.delete
monitoring.dashboards.deleteTagBinding
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.dashboards.listEffectiveTags
monitoring.dashboards.listTagBindings
monitoring.dashboards.update

monitoring.groups.*

monitoring.groups.create
monitoring.groups.delete
monitoring.groups.get
monitoring.groups.list
monitoring.groups.update

monitoring.metricDescriptors.*

monitoring.metricDescriptors.create
monitoring.metricDescriptors.delete
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list

monitoring.notificationChannelDescriptors.*

monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.create

monitoring.notificationChannels.delete

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.notificationChannels.sendVerificationCode

monitoring.notificationChannels.update

monitoring.notificationChannels.verify

monitoring.services.*

monitoring.services.create
monitoring.services.delete
monitoring.services.get
monitoring.services.list
monitoring.services.update

monitoring.slos.*

monitoring.slos.create
monitoring.slos.delete
monitoring.slos.get
monitoring.slos.list
monitoring.slos.update

monitoring.snoozes.*

monitoring.snoozes.create
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.snoozes.update

monitoring.timeSeries.*

monitoring.timeSeries.create
monitoring.timeSeries.list

monitoring.uptimeCheckConfigs.*

monitoring.uptimeCheckConfigs.create
monitoring.uptimeCheckConfigs.delete
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
monitoring.uptimeCheckConfigs.update

opsconfigmonitoring.*

opsconfigmonitoring.resourceMetadata.list
opsconfigmonitoring.resourceMetadata.write

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.consumerpolicy.*

serviceusage.consumerpolicy.analyze
serviceusage.consumerpolicy.get
serviceusage.consumerpolicy.update

serviceusage.effectivepolicy.get

serviceusage.groups.*

serviceusage.groups.list
serviceusage.groups.listExpandedMembers
serviceusage.groups.listMembers

serviceusage.services.enable

serviceusage.services.get

serviceusage.values.test

stackdriver.*

stackdriver.projects.edit
stackdriver.projects.get
stackdriver.resourceMetadata.list
stackdriver.resourceMetadata.write

telemetry.metrics.write

Monitoring Metric Writer

(roles/monitoring.metricWriter)

Provides write-only access to metrics. This provides exactly the permissions needed by the Cloud Monitoring agent and other systems that send metrics.

Lowest-level resources where you can grant this role:

Project

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list

monitoring.timeSeries.create

telemetry.metrics.write

Monitoring Metrics Scopes Admin ^Beta

(roles/monitoring.metricsScopesAdmin)

Access to add and remove monitored projects from metrics scopes.

monitoring.metricsScopes.link

resourcemanager.projects.get

resourcemanager.projects.list

Monitoring Metrics Scopes Viewer ^Beta

(roles/monitoring.metricsScopesViewer)

Read-only access to metrics scopes and their monitored projects.

resourcemanager.projects.get

resourcemanager.projects.list

Monitoring NotificationChannel Editor ^Beta

(roles/monitoring.notificationChannelEditor)

Read/write access to notification channels.

monitoring.notificationChannelDescriptors.*

monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.create

monitoring.notificationChannels.delete

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.notificationChannels.sendVerificationCode

monitoring.notificationChannels.update

monitoring.notificationChannels.verify

Monitoring NotificationChannel Viewer ^Beta

(roles/monitoring.notificationChannelViewer)

Read-only access to notification channels.

monitoring.notificationChannelDescriptors.*

monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.get

monitoring.notificationChannels.list

Monitoring Service Agent

(roles/monitoring.notificationServiceAgent)

Grants permissions to deliver notifications directly to resources within the target project, such as delivering to Pub/Sub topics within the project.

bigquery.jobs.create

cloudfunctions.functions.get

cloudtrace.traces.patch

logging.links.list

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list

monitoring.timeSeries.list

run.routes.invoke

servicedirectory.networks.access

servicedirectory.services.resolve

serviceusage.services.use

Monitoring Services Editor

(roles/monitoring.servicesEditor)

Read/write access to services.

monitoring.services.*

monitoring.services.create
monitoring.services.delete
monitoring.services.get
monitoring.services.list
monitoring.services.update

monitoring.slos.*

monitoring.slos.create
monitoring.slos.delete
monitoring.slos.get
monitoring.slos.list
monitoring.slos.update

Monitoring Services Viewer

(roles/monitoring.servicesViewer)

Read-only access to services.

monitoring.services.get

monitoring.services.list

monitoring.slos.get

monitoring.slos.list

Monitoring Snooze Editor

(roles/monitoring.snoozeEditor)

monitoring.snoozes.*

monitoring.snoozes.create
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.snoozes.update

Monitoring Snooze Viewer

(roles/monitoring.snoozeViewer)

monitoring.snoozes.get

monitoring.snoozes.list

Monitoring Uptime Check Configuration Editor ^Beta

(roles/monitoring.uptimeCheckConfigEditor)

Read/write access to uptime check configurations.

monitoring.uptimeCheckConfigs.*

monitoring.uptimeCheckConfigs.create
monitoring.uptimeCheckConfigs.delete
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
monitoring.uptimeCheckConfigs.update

Monitoring Uptime Check Configuration Viewer ^Beta

(roles/monitoring.uptimeCheckConfigViewer)

Read-only access to uptime check configurations.

monitoring.uptimeCheckConfigs.get

monitoring.uptimeCheckConfigs.list

Monitoring Viewer

(roles/monitoring.viewer)

Provides read-only access to get and list information about all monitoring data and configurations.

Lowest-level resources where you can grant this role:

Project

cloudnotifications.activities.list

monitoring.alertPolicies.get

monitoring.alertPolicies.list

monitoring.alertPolicies.listEffectiveTags

monitoring.alertPolicies.listTagBindings

monitoring.alerts.*

monitoring.alerts.get
monitoring.alerts.list

monitoring.dashboards.get

monitoring.dashboards.list

monitoring.dashboards.listEffectiveTags

monitoring.dashboards.listTagBindings

monitoring.groups.get

monitoring.groups.list

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list

monitoring.notificationChannelDescriptors.*

monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.services.get

monitoring.services.list

monitoring.slos.get

monitoring.slos.list

monitoring.snoozes.get

monitoring.snoozes.list

monitoring.timeSeries.list

monitoring.uptimeCheckConfigs.get

monitoring.uptimeCheckConfigs.list

opsconfigmonitoring.resourceMetadata.list

resourcemanager.projects.get

resourcemanager.projects.list

stackdriver.projects.get

stackdriver.resourceMetadata.list

Ops Config Monitoring Resource Metadata Viewer ^Beta

(roles/opsconfigmonitoring.resourceMetadata.viewer)

Read-only access to resource metadata.

opsconfigmonitoring.resourceMetadata.list

Ops Config Monitoring Resource Metadata Writer ^Beta

(roles/opsconfigmonitoring.resourceMetadata.writer)

Write-only access to resource metadata. This provides exactly the permissions needed by the Ops Config Monitoring metadata agent and other systems that send metadata.

opsconfigmonitoring.resourceMetadata.write

Stackdriver Accounts Editor

(roles/stackdriver.accounts.editor)

Read/write access to manage Stackdriver account structure.

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.consumerpolicy.*

serviceusage.consumerpolicy.analyze
serviceusage.consumerpolicy.get
serviceusage.consumerpolicy.update

serviceusage.effectivepolicy.get

serviceusage.groups.*

serviceusage.groups.list
serviceusage.groups.listExpandedMembers
serviceusage.groups.listMembers

serviceusage.services.enable

serviceusage.services.get

serviceusage.values.test

stackdriver.projects.*

stackdriver.projects.edit
stackdriver.projects.get

Stackdriver Accounts Viewer

(roles/stackdriver.accounts.viewer)

Read-only access to get and list information about Stackdriver account structure.

resourcemanager.projects.get

resourcemanager.projects.list

stackdriver.projects.get

Stackdriver Resource Metadata Writer ^Beta

(roles/stackdriver.resourceMetadata.writer)

Write-only access to resource metadata. This provides exactly the permissions needed by the Stackdriver metadata agent and other systems that send metadata.

stackdriver.resourceMetadata.write

Berechtigungen für das Monitoring, die in Cloud de Confiance by S3NS grundlegenden Rollen enthalten sind

Die Cloud de Confiance einfachen Rollen beinhalten die folgenden Berechtigungen:

Name Titel	Berechtigungen
`roles/viewer` Betrachter	Die Monitoring-Berechtigungen sind dieselben wie in `roles/monitoring.viewer`.
`roles/editor` Bearbeiter	Die Monitoring-Berechtigungen sind dieselben wie in `roles/monitoring.editor`, mit Ausnahme der Berechtigung `stackdriver.projects.edit`. Die Rolle `roles/editor` enthält nicht die Berechtigung `stackdriver.projects.edit`.
`roles/owner` Inhaber	Die Monitoring-Berechtigungen sind dieselben wie in `roles/monitoring.admin`.

Zugriffsbereiche für Compute Engine

Zugriffsbereiche sind die alte Methode zum Festlegen von Berechtigungen für Ihre Compute Engine-VM-Instanzen. Für Monitoring gelten die folgenden Zugriffsbereiche:

Zugriffsbereich	Gewährte Berechtigungen
https://www.googleapis.com/auth/monitoring.read	Die gleichen Berechtigungen wie in `roles/monitoring.viewer`.
https://www.googleapis.com/auth/monitoring.write	Die gleichen Berechtigungen wie in `roles/monitoring.metricWriter`.
https://www.googleapis.com/auth/monitoring	Vollzugriff auf Monitoring
https://www.googleapis.com/auth/cloud-platform	Uneingeschränkter Zugriff auf alle aktivierten Cloud APIs

Weitere Informationen finden Sie unter Zugriffsbereiche.

Best Practice: Es empfiehlt sich, Ihren VM-Instanzen den umfassendsten Zugriffsbereich (cloud-platform) zu geben und dann über IAM-Rollen den Zugriff auf bestimmte APIs und Vorgänge einzuschränken. Weitere Informationen finden Sie unter Dienstkontoberechtigungen.

Zugriff mit IAM steuern

Vordefinierte Rollen

Berechtigungen für vordefinierte Rollen

Berechtigungen für Monitoring-Rollen

Monitoring Admin

Monitoring AlertPolicy Editor

Monitoring AlertPolicy Viewer

Monitoring Alert Viewer Beta

Monitoring Cloud Console Incident Editor Beta

Monitoring Cloud Console Incident Viewer Beta

Monitoring Dashboard Configuration Editor

Monitoring Dashboard Configuration Viewer

Monitoring Editor

Monitoring Metric Writer

Monitoring Metrics Scopes Admin Beta

Monitoring Metrics Scopes Viewer Beta

Monitoring NotificationChannel Editor Beta

Monitoring NotificationChannel Viewer Beta

Monitoring Service Agent

Monitoring Services Editor

Monitoring Services Viewer

Monitoring Snooze Editor

Monitoring Snooze Viewer

Monitoring Uptime Check Configuration Editor Beta

Monitoring Uptime Check Configuration Viewer Beta

Monitoring Viewer

Ops Config Monitoring Resource Metadata Viewer Beta

Ops Config Monitoring Resource Metadata Writer Beta

Stackdriver Accounts Editor

Stackdriver Accounts Viewer

Stackdriver Resource Metadata Writer Beta

Berechtigungen für das Monitoring, die in Cloud de Confiance by S3NS grundlegenden Rollen enthalten sind

Zugriffsbereiche für Compute Engine

Monitoring Alert Viewer ^Beta

Monitoring Cloud Console Incident Editor ^Beta

Monitoring Cloud Console Incident Viewer ^Beta

Monitoring Metrics Scopes Admin ^Beta

Monitoring Metrics Scopes Viewer ^Beta

Monitoring NotificationChannel Editor ^Beta

Monitoring NotificationChannel Viewer ^Beta

Monitoring Uptime Check Configuration Editor ^Beta

Monitoring Uptime Check Configuration Viewer ^Beta

Ops Config Monitoring Resource Metadata Viewer ^Beta

Ops Config Monitoring Resource Metadata Writer ^Beta

Stackdriver Resource Metadata Writer ^Beta