Controlar el acceso con la gestión de identidades y accesos

Para usar Monitoring, debes tener los permisos de Gestión de Identidades y Accesos (IAM) adecuados. Por lo general, cada método REST de una API tiene un permiso asociado. Para usar el método o una función de la consola que dependa de él, debes tener permiso para usar el método correspondiente. Los permisos no se conceden directamente a los usuarios, sino de forma indirecta a través de los roles, que agrupan varios permisos para facilitar su gestión:

Los roles de las combinaciones de permisos habituales ya están predefinidos. Sin embargo, también puedes crear tus propias combinaciones de permisos creando roles personalizados de gestión de identidades y accesos.

Funciones predefinidas

En esta sección se muestra un subconjunto de roles de gestión de identidades y accesos predefinidos por Cloud Monitoring.

Nombre
Título		 Incluye permisos
roles/monitoring.viewer
Lector de Monitoring 		Concede acceso de solo lectura a la API Cloud Monitoring.
roles/monitoring.editor
Editor de Monitoring 		Concede acceso de lectura y escritura a la API de Cloud Monitoring.
roles/monitoring.admin
Administrador de Monitoring 		Concede acceso completo a la API de Cloud Monitoring.

Las cuentas de servicio usan el siguiente rol para tener acceso de solo escritura:

Nombre
Título		 Descripción
roles/monitoring.metricWriter
Editor de las métricas de monitorización

Este rol es para cuentas de servicio y agentes.
No permite acceder a Monitoring en la Cloud de Confiance consola.

Permisos de los roles predefinidos

En esta sección se enumeran los permisos asignados a los roles predefinidos asociados a Monitoring.

Para obtener más información sobre los roles predefinidos, consulta Gestión de identidades y accesos: roles y permisos. Para obtener ayuda a la hora de elegir los roles predefinidos más adecuados, consulta el artículo Elegir roles predefinidos.

Permisos de los roles de Monitoring

Role Permissions

(roles/monitoring.admin)

Provides full access to Cloud Monitoring.

Lowest-level resources where you can grant this role:

  • Project

cloudnotifications.activities.list

monitoring.*

  • monitoring.alertPolicies.create
  • monitoring.alertPolicies.createTagBinding
  • monitoring.alertPolicies.delete
  • monitoring.alertPolicies.deleteTagBinding
  • monitoring.alertPolicies.get
  • monitoring.alertPolicies.list
  • monitoring.alertPolicies.listEffectiveTags
  • monitoring.alertPolicies.listTagBindings
  • monitoring.alertPolicies.update
  • monitoring.alerts.get
  • monitoring.alerts.list
  • monitoring.dashboards.create
  • monitoring.dashboards.createTagBinding
  • monitoring.dashboards.delete
  • monitoring.dashboards.deleteTagBinding
  • monitoring.dashboards.get
  • monitoring.dashboards.list
  • monitoring.dashboards.listEffectiveTags
  • monitoring.dashboards.listTagBindings
  • monitoring.dashboards.update
  • monitoring.groups.create
  • monitoring.groups.delete
  • monitoring.groups.get
  • monitoring.groups.list
  • monitoring.groups.update
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.delete
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.metricsScopes.link
  • monitoring.monitoredResourceDescriptors.get
  • monitoring.monitoredResourceDescriptors.list
  • monitoring.notificationChannelDescriptors.get
  • monitoring.notificationChannelDescriptors.list
  • monitoring.notificationChannels.create
  • monitoring.notificationChannels.delete
  • monitoring.notificationChannels.get
  • monitoring.notificationChannels.getVerificationCode
  • monitoring.notificationChannels.list
  • monitoring.notificationChannels.sendVerificationCode
  • monitoring.notificationChannels.update
  • monitoring.notificationChannels.verify
  • monitoring.services.create
  • monitoring.services.delete
  • monitoring.services.get
  • monitoring.services.list
  • monitoring.services.update
  • monitoring.slos.create
  • monitoring.slos.delete
  • monitoring.slos.get
  • monitoring.slos.list
  • monitoring.slos.update
  • monitoring.snoozes.create
  • monitoring.snoozes.get
  • monitoring.snoozes.list
  • monitoring.snoozes.update
  • monitoring.timeSeries.create
  • monitoring.timeSeries.list
  • monitoring.uptimeCheckConfigs.create
  • monitoring.uptimeCheckConfigs.delete
  • monitoring.uptimeCheckConfigs.get
  • monitoring.uptimeCheckConfigs.list
  • monitoring.uptimeCheckConfigs.update

opsconfigmonitoring.*

  • opsconfigmonitoring.resourceMetadata.list
  • opsconfigmonitoring.resourceMetadata.write

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.consumerpolicy.*

  • serviceusage.consumerpolicy.analyze
  • serviceusage.consumerpolicy.get
  • serviceusage.consumerpolicy.update

serviceusage.effectivepolicy.get

serviceusage.groups.*

  • serviceusage.groups.list
  • serviceusage.groups.listExpandedMembers
  • serviceusage.groups.listMembers

serviceusage.services.enable

serviceusage.services.get

serviceusage.values.test

stackdriver.*

  • stackdriver.projects.edit
  • stackdriver.projects.get
  • stackdriver.resourceMetadata.list
  • stackdriver.resourceMetadata.write

(roles/monitoring.editor)

Provides full access to information about all monitoring data and configurations.

Lowest-level resources where you can grant this role:

  • Project

cloudnotifications.activities.list

monitoring.alertPolicies.*

  • monitoring.alertPolicies.create
  • monitoring.alertPolicies.createTagBinding
  • monitoring.alertPolicies.delete
  • monitoring.alertPolicies.deleteTagBinding
  • monitoring.alertPolicies.get
  • monitoring.alertPolicies.list
  • monitoring.alertPolicies.listEffectiveTags
  • monitoring.alertPolicies.listTagBindings
  • monitoring.alertPolicies.update

monitoring.alerts.*

  • monitoring.alerts.get
  • monitoring.alerts.list

monitoring.dashboards.*

  • monitoring.dashboards.create
  • monitoring.dashboards.createTagBinding
  • monitoring.dashboards.delete
  • monitoring.dashboards.deleteTagBinding
  • monitoring.dashboards.get
  • monitoring.dashboards.list
  • monitoring.dashboards.listEffectiveTags
  • monitoring.dashboards.listTagBindings
  • monitoring.dashboards.update

monitoring.groups.*

  • monitoring.groups.create
  • monitoring.groups.delete
  • monitoring.groups.get
  • monitoring.groups.list
  • monitoring.groups.update

monitoring.metricDescriptors.*

  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.delete
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

  • monitoring.monitoredResourceDescriptors.get
  • monitoring.monitoredResourceDescriptors.list

monitoring.notificationChannelDescriptors.*

  • monitoring.notificationChannelDescriptors.get
  • monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.create

monitoring.notificationChannels.delete

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.notificationChannels.sendVerificationCode

monitoring.notificationChannels.update

monitoring.notificationChannels.verify

monitoring.services.*

  • monitoring.services.create
  • monitoring.services.delete
  • monitoring.services.get
  • monitoring.services.list
  • monitoring.services.update

monitoring.slos.*

  • monitoring.slos.create
  • monitoring.slos.delete
  • monitoring.slos.get
  • monitoring.slos.list
  • monitoring.slos.update

monitoring.snoozes.*

  • monitoring.snoozes.create
  • monitoring.snoozes.get
  • monitoring.snoozes.list
  • monitoring.snoozes.update

monitoring.timeSeries.*

  • monitoring.timeSeries.create
  • monitoring.timeSeries.list

monitoring.uptimeCheckConfigs.*

  • monitoring.uptimeCheckConfigs.create
  • monitoring.uptimeCheckConfigs.delete
  • monitoring.uptimeCheckConfigs.get
  • monitoring.uptimeCheckConfigs.list
  • monitoring.uptimeCheckConfigs.update

opsconfigmonitoring.*

  • opsconfigmonitoring.resourceMetadata.list
  • opsconfigmonitoring.resourceMetadata.write

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.consumerpolicy.*

  • serviceusage.consumerpolicy.analyze
  • serviceusage.consumerpolicy.get
  • serviceusage.consumerpolicy.update

serviceusage.effectivepolicy.get

serviceusage.groups.*

  • serviceusage.groups.list
  • serviceusage.groups.listExpandedMembers
  • serviceusage.groups.listMembers

serviceusage.services.enable

serviceusage.services.get

serviceusage.values.test

stackdriver.*

  • stackdriver.projects.edit
  • stackdriver.projects.get
  • stackdriver.resourceMetadata.list
  • stackdriver.resourceMetadata.write

(roles/monitoring.metricWriter)

Provides write-only access to metrics. This provides exactly the permissions needed by the Cloud Monitoring agent and other systems that send metrics.

Lowest-level resources where you can grant this role:

  • Project

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

  • monitoring.monitoredResourceDescriptors.get
  • monitoring.monitoredResourceDescriptors.list

monitoring.timeSeries.create

(roles/monitoring.viewer)

Provides read-only access to get and list information about all monitoring data and configurations.

Lowest-level resources where you can grant this role:

  • Project

cloudnotifications.activities.list

monitoring.alertPolicies.get

monitoring.alertPolicies.list

monitoring.alertPolicies.listEffectiveTags

monitoring.alertPolicies.listTagBindings

monitoring.alerts.*

  • monitoring.alerts.get
  • monitoring.alerts.list

monitoring.dashboards.get

monitoring.dashboards.list

monitoring.dashboards.listEffectiveTags

monitoring.dashboards.listTagBindings

monitoring.groups.get

monitoring.groups.list

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

  • monitoring.monitoredResourceDescriptors.get
  • monitoring.monitoredResourceDescriptors.list

monitoring.notificationChannelDescriptors.*

  • monitoring.notificationChannelDescriptors.get
  • monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.services.get

monitoring.services.list

monitoring.slos.get

monitoring.slos.list

monitoring.snoozes.get

monitoring.snoozes.list

monitoring.timeSeries.list

monitoring.uptimeCheckConfigs.get

monitoring.uptimeCheckConfigs.list

opsconfigmonitoring.resourceMetadata.list

resourcemanager.projects.get

resourcemanager.projects.list

stackdriver.projects.get

stackdriver.resourceMetadata.list

(roles/opsconfigmonitoring.admin)

Admin role for opsconfigmonitoring

opsconfigmonitoring.*

  • opsconfigmonitoring.resourceMetadata.list
  • opsconfigmonitoring.resourceMetadata.write

resourcemanager.projects.get

resourcemanager.projects.list

(roles/opsconfigmonitoring.viewer)

Viewer role for opsconfigmonitoring

opsconfigmonitoring.resourceMetadata.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/stackdriver.admin)

Admin role for stackdriver

resourcemanager.projects.get

resourcemanager.projects.list

stackdriver.*

  • stackdriver.projects.edit
  • stackdriver.projects.get
  • stackdriver.resourceMetadata.list
  • stackdriver.resourceMetadata.write

(roles/stackdriver.resourceMetadata.writer)

Write-only access to resource metadata. This provides exactly the permissions needed by the Stackdriver metadata agent and other systems that send metadata.

stackdriver.resourceMetadata.write

(roles/stackdriver.viewer)

Viewer role for stackdriver

resourcemanager.projects.get

resourcemanager.projects.list

stackdriver.projects.get

stackdriver.resourceMetadata.list

(roles/monitoring.alertPolicyEditor)

Read/write access to alerting policies.

monitoring.alertPolicies.*

  • monitoring.alertPolicies.create
  • monitoring.alertPolicies.createTagBinding
  • monitoring.alertPolicies.delete
  • monitoring.alertPolicies.deleteTagBinding
  • monitoring.alertPolicies.get
  • monitoring.alertPolicies.list
  • monitoring.alertPolicies.listEffectiveTags
  • monitoring.alertPolicies.listTagBindings
  • monitoring.alertPolicies.update

(roles/monitoring.alertPolicyViewer)

Read-only access to alerting policies.

monitoring.alertPolicies.get

monitoring.alertPolicies.list

monitoring.alertPolicies.listEffectiveTags

monitoring.alertPolicies.listTagBindings

(roles/monitoring.alertViewer)

Read access to alerts.

monitoring.alerts.*

  • monitoring.alerts.get
  • monitoring.alerts.list

(roles/monitoring.cloudConsoleIncidentEditor)

Read/write access to incidents from Cloud Console.

monitoring.alerts.*

  • monitoring.alerts.get
  • monitoring.alerts.list

(roles/monitoring.cloudConsoleIncidentViewer)

Read access to incidents from Cloud Console.

monitoring.alerts.*

  • monitoring.alerts.get
  • monitoring.alerts.list

(roles/monitoring.dashboardEditor)

Read/write access to dashboard configurations.

monitoring.dashboards.*

  • monitoring.dashboards.create
  • monitoring.dashboards.createTagBinding
  • monitoring.dashboards.delete
  • monitoring.dashboards.deleteTagBinding
  • monitoring.dashboards.get
  • monitoring.dashboards.list
  • monitoring.dashboards.listEffectiveTags
  • monitoring.dashboards.listTagBindings
  • monitoring.dashboards.update

(roles/monitoring.dashboardViewer)

Read-only access to dashboard configurations.

monitoring.dashboards.get

monitoring.dashboards.list

monitoring.dashboards.listEffectiveTags

monitoring.dashboards.listTagBindings

(roles/monitoring.metricsScopesAdmin)

Access to add and remove monitored projects from metrics scopes.

monitoring.metricsScopes.link

resourcemanager.projects.get

resourcemanager.projects.list

(roles/monitoring.metricsScopesViewer)

Read-only access to metrics scopes and their monitored projects.

resourcemanager.projects.get

resourcemanager.projects.list

(roles/monitoring.notificationChannelEditor)

Read/write access to notification channels.

monitoring.notificationChannelDescriptors.*

  • monitoring.notificationChannelDescriptors.get
  • monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.create

monitoring.notificationChannels.delete

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.notificationChannels.sendVerificationCode

monitoring.notificationChannels.update

monitoring.notificationChannels.verify

(roles/monitoring.notificationChannelViewer)

Read-only access to notification channels.

monitoring.notificationChannelDescriptors.*

  • monitoring.notificationChannelDescriptors.get
  • monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.get

monitoring.notificationChannels.list

(roles/monitoring.servicesEditor)

Read/write access to services.

monitoring.services.*

  • monitoring.services.create
  • monitoring.services.delete
  • monitoring.services.get
  • monitoring.services.list
  • monitoring.services.update

monitoring.slos.*

  • monitoring.slos.create
  • monitoring.slos.delete
  • monitoring.slos.get
  • monitoring.slos.list
  • monitoring.slos.update

(roles/monitoring.servicesViewer)

Read-only access to services.

monitoring.services.get

monitoring.services.list

monitoring.slos.get

monitoring.slos.list

(roles/monitoring.snoozeEditor)

monitoring.snoozes.*

  • monitoring.snoozes.create
  • monitoring.snoozes.get
  • monitoring.snoozes.list
  • monitoring.snoozes.update

(roles/monitoring.snoozeViewer)

monitoring.snoozes.get

monitoring.snoozes.list

(roles/monitoring.uptimeCheckConfigEditor)

Read/write access to uptime check configurations.

monitoring.uptimeCheckConfigs.*

  • monitoring.uptimeCheckConfigs.create
  • monitoring.uptimeCheckConfigs.delete
  • monitoring.uptimeCheckConfigs.get
  • monitoring.uptimeCheckConfigs.list
  • monitoring.uptimeCheckConfigs.update

(roles/monitoring.uptimeCheckConfigViewer)

Read-only access to uptime check configurations.

monitoring.uptimeCheckConfigs.get

monitoring.uptimeCheckConfigs.list

(roles/opsconfigmonitoring.resourceMetadata.viewer)

Read-only access to resource metadata.

opsconfigmonitoring.resourceMetadata.list

(roles/opsconfigmonitoring.resourceMetadata.writer)

Write-only access to resource metadata. This provides exactly the permissions needed by the Ops Config Monitoring metadata agent and other systems that send metadata.

opsconfigmonitoring.resourceMetadata.write

(roles/stackdriver.accounts.editor)

Read/write access to manage Stackdriver account structure.

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.consumerpolicy.*

  • serviceusage.consumerpolicy.analyze
  • serviceusage.consumerpolicy.get
  • serviceusage.consumerpolicy.update

serviceusage.effectivepolicy.get

serviceusage.groups.*

  • serviceusage.groups.list
  • serviceusage.groups.listExpandedMembers
  • serviceusage.groups.listMembers

serviceusage.services.enable

serviceusage.services.get

serviceusage.values.test

stackdriver.projects.*

  • stackdriver.projects.edit
  • stackdriver.projects.get

(roles/stackdriver.accounts.viewer)

Read-only access to get and list information about Stackdriver account structure.

resourcemanager.projects.get

resourcemanager.projects.list

stackdriver.projects.get

Service agent roles

Service agent roles should only be granted to service agents.

Role Permissions

(roles/monitoring.notificationServiceAgent)

Grants permissions to deliver notifications directly to resources within the target project, such as delivering to Pub/Sub topics within the project.

bigquery.jobs.create

cloudfunctions.functions.get

cloudtrace.traces.patch

logging.links.list

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

  • monitoring.monitoredResourceDescriptors.get
  • monitoring.monitoredResourceDescriptors.list

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.notificationChannels.update

monitoring.timeSeries.list

observability.links.list

run.routes.invoke

servicedirectory.networks.access

servicedirectory.services.resolve

serviceusage.services.use

Permisos de monitorización incluidos en los roles básicos Cloud de Confiance by S3NS

Los Cloud de Confiance roles básicos incluyen los siguientes permisos:

Nombre
Título		 Incluye permisos
roles/viewer
Visor 		Los permisos de monitorización son los mismos que los de roles/monitoring.viewer.
roles/editor
Editor

Los permisos de monitorización son los mismos que los de roles/monitoring.editor, con la excepción del permiso stackdriver.projects.edit. El rol roles/editor no incluye el permiso stackdriver.projects.edit.
roles/owner
Propietario 		Los permisos de monitorización son los mismos que los de roles/monitoring.admin.

Ámbitos de acceso de Compute Engine

Los permisos de acceso son el método antiguo de especificar los permisos de tus instancias de VM de Compute Engine. Los siguientes ámbitos de acceso se aplican a la monitorización:

Permiso de acceso Permisos concedidos
https://www.googleapis.com/auth/monitoring.read Los mismos permisos que en roles/monitoring.viewer.
https://www.googleapis.com/auth/monitoring.write Los mismos permisos que en roles/monitoring.metricWriter.
https://www.googleapis.com/auth/monitoring Acceso completo a la monitorización.
https://www.googleapis.com/auth/cloud-platform Acceso completo a todas las APIs de Cloud habilitadas.

Consulta más información en el artículo Permisos de acceso.

Práctica recomendada: Te recomendamos que asignes a tus instancias de VM el permiso de acceso más potente (cloud-platform) y, a continuación, uses roles de gestión de identidades y accesos para restringir el acceso a APIs y operaciones específicas. Consulta más información en el artículo Permisos de cuentas de servicio.