Access control with IAM

To use Monitoring, you must have the appropriate Identity and Access Management (IAM) permissions. In general, each REST method in the API has an associated permission. To use a method, or a console feature that relies on that method, you must have the permission for the corresponding method. Permissions are not granted to users directly; they are granted indirectly through roles, which group permissions to make them easier to manage:

Roles for common combinations of permissions are predefined for you. However, you can also create your own combinations of permissions by creating custom roles in IAM.


Predefined roles

This section lists some of the IAM roles that Cloud Monitoring predefines.

Name                       Title               Includes permissions
roles/monitoring.viewer    Monitoring Viewer   Grants read-only access to the Cloud Monitoring API.
roles/monitoring.editor    Monitoring Editor   Grants read/write access to the Cloud Monitoring API.
roles/monitoring.admin     Monitoring Admin    Grants full access to the Cloud Monitoring API.

The following role is used by service accounts for write-only access:

Name                            Title                      Description
roles/monitoring.metricWriter   Monitoring Metric Writer   This role is intended for service accounts and agents. It does not grant access to the Monitoring tools in the Cloud de Confiance console.

Permissions in predefined roles

This section lists the permissions assigned to the predefined roles associated with Monitoring.

For more information about predefined roles, see IAM: Roles and permissions. Not sure which predefined role to grant? See Choose predefined roles.

Permissions for Monitoring roles

Each role below is listed with its description, the lowest-level resource at which it can be granted (where that applies), and the permissions it includes. An entry ending in .* (for example, monitoring.alertPolicies.*) stands for the group of permissions listed beneath it.

(roles/monitoring.admin)

Provides full access to Cloud Monitoring.

Lowest-level resources where you can grant this role:

  • Project

cloudnotifications.activities.list

monitoring.*

  • monitoring.alertPolicies.create
  • monitoring.alertPolicies.createTagBinding
  • monitoring.alertPolicies.delete
  • monitoring.alertPolicies.deleteTagBinding
  • monitoring.alertPolicies.get
  • monitoring.alertPolicies.list
  • monitoring.alertPolicies.listEffectiveTags
  • monitoring.alertPolicies.listTagBindings
  • monitoring.alertPolicies.update
  • monitoring.alerts.get
  • monitoring.alerts.list
  • monitoring.dashboards.create
  • monitoring.dashboards.createTagBinding
  • monitoring.dashboards.delete
  • monitoring.dashboards.deleteTagBinding
  • monitoring.dashboards.get
  • monitoring.dashboards.list
  • monitoring.dashboards.listEffectiveTags
  • monitoring.dashboards.listTagBindings
  • monitoring.dashboards.update
  • monitoring.groups.create
  • monitoring.groups.delete
  • monitoring.groups.get
  • monitoring.groups.list
  • monitoring.groups.update
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.delete
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.metricsScopes.link
  • monitoring.monitoredResourceDescriptors.get
  • monitoring.monitoredResourceDescriptors.list
  • monitoring.notificationChannelDescriptors.get
  • monitoring.notificationChannelDescriptors.list
  • monitoring.notificationChannels.create
  • monitoring.notificationChannels.delete
  • monitoring.notificationChannels.get
  • monitoring.notificationChannels.getVerificationCode
  • monitoring.notificationChannels.list
  • monitoring.notificationChannels.sendVerificationCode
  • monitoring.notificationChannels.update
  • monitoring.notificationChannels.verify
  • monitoring.services.create
  • monitoring.services.delete
  • monitoring.services.get
  • monitoring.services.list
  • monitoring.services.update
  • monitoring.slos.create
  • monitoring.slos.delete
  • monitoring.slos.get
  • monitoring.slos.list
  • monitoring.slos.update
  • monitoring.snoozes.create
  • monitoring.snoozes.get
  • monitoring.snoozes.list
  • monitoring.snoozes.update
  • monitoring.timeSeries.create
  • monitoring.timeSeries.list
  • monitoring.uptimeCheckConfigs.create
  • monitoring.uptimeCheckConfigs.delete
  • monitoring.uptimeCheckConfigs.get
  • monitoring.uptimeCheckConfigs.list
  • monitoring.uptimeCheckConfigs.update

opsconfigmonitoring.*

  • opsconfigmonitoring.resourceMetadata.list
  • opsconfigmonitoring.resourceMetadata.write

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.consumerpolicy.*

  • serviceusage.consumerpolicy.analyze
  • serviceusage.consumerpolicy.get
  • serviceusage.consumerpolicy.update

serviceusage.effectivepolicy.get

serviceusage.groups.*

  • serviceusage.groups.list
  • serviceusage.groups.listExpandedMembers
  • serviceusage.groups.listMembers

serviceusage.services.enable

serviceusage.services.get

serviceusage.values.test

stackdriver.*

  • stackdriver.projects.edit
  • stackdriver.projects.get
  • stackdriver.resourceMetadata.list
  • stackdriver.resourceMetadata.write

telemetry.metrics.write

(roles/monitoring.alertPolicyEditor)

Read/write access to alerting policies.

monitoring.alertPolicies.*

  • monitoring.alertPolicies.create
  • monitoring.alertPolicies.createTagBinding
  • monitoring.alertPolicies.delete
  • monitoring.alertPolicies.deleteTagBinding
  • monitoring.alertPolicies.get
  • monitoring.alertPolicies.list
  • monitoring.alertPolicies.listEffectiveTags
  • monitoring.alertPolicies.listTagBindings
  • monitoring.alertPolicies.update

(roles/monitoring.alertPolicyViewer)

Read-only access to alerting policies.

monitoring.alertPolicies.get

monitoring.alertPolicies.list

monitoring.alertPolicies.listEffectiveTags

monitoring.alertPolicies.listTagBindings

(roles/monitoring.alertViewer)

Read access to alerts.

monitoring.alerts.*

  • monitoring.alerts.get
  • monitoring.alerts.list

(roles/monitoring.cloudConsoleIncidentEditor)

Read/write access to incidents from Cloud Console.

monitoring.alerts.*

  • monitoring.alerts.get
  • monitoring.alerts.list

(roles/monitoring.cloudConsoleIncidentViewer)

Read access to incidents from Cloud Console.

monitoring.alerts.*

  • monitoring.alerts.get
  • monitoring.alerts.list

(roles/monitoring.dashboardEditor)

Read/write access to dashboard configurations.

monitoring.dashboards.*

  • monitoring.dashboards.create
  • monitoring.dashboards.createTagBinding
  • monitoring.dashboards.delete
  • monitoring.dashboards.deleteTagBinding
  • monitoring.dashboards.get
  • monitoring.dashboards.list
  • monitoring.dashboards.listEffectiveTags
  • monitoring.dashboards.listTagBindings
  • monitoring.dashboards.update

(roles/monitoring.dashboardViewer)

Read-only access to dashboard configurations.

monitoring.dashboards.get

monitoring.dashboards.list

monitoring.dashboards.listEffectiveTags

monitoring.dashboards.listTagBindings

(roles/monitoring.editor)

Provides full access to information about all monitoring data and configurations.

Lowest-level resources where you can grant this role:

  • Project

cloudnotifications.activities.list

monitoring.alertPolicies.*

  • monitoring.alertPolicies.create
  • monitoring.alertPolicies.createTagBinding
  • monitoring.alertPolicies.delete
  • monitoring.alertPolicies.deleteTagBinding
  • monitoring.alertPolicies.get
  • monitoring.alertPolicies.list
  • monitoring.alertPolicies.listEffectiveTags
  • monitoring.alertPolicies.listTagBindings
  • monitoring.alertPolicies.update

monitoring.alerts.*

  • monitoring.alerts.get
  • monitoring.alerts.list

monitoring.dashboards.*

  • monitoring.dashboards.create
  • monitoring.dashboards.createTagBinding
  • monitoring.dashboards.delete
  • monitoring.dashboards.deleteTagBinding
  • monitoring.dashboards.get
  • monitoring.dashboards.list
  • monitoring.dashboards.listEffectiveTags
  • monitoring.dashboards.listTagBindings
  • monitoring.dashboards.update

monitoring.groups.*

  • monitoring.groups.create
  • monitoring.groups.delete
  • monitoring.groups.get
  • monitoring.groups.list
  • monitoring.groups.update

monitoring.metricDescriptors.*

  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.delete
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

  • monitoring.monitoredResourceDescriptors.get
  • monitoring.monitoredResourceDescriptors.list

monitoring.notificationChannelDescriptors.*

  • monitoring.notificationChannelDescriptors.get
  • monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.create

monitoring.notificationChannels.delete

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.notificationChannels.sendVerificationCode

monitoring.notificationChannels.update

monitoring.notificationChannels.verify

monitoring.services.*

  • monitoring.services.create
  • monitoring.services.delete
  • monitoring.services.get
  • monitoring.services.list
  • monitoring.services.update

monitoring.slos.*

  • monitoring.slos.create
  • monitoring.slos.delete
  • monitoring.slos.get
  • monitoring.slos.list
  • monitoring.slos.update

monitoring.snoozes.*

  • monitoring.snoozes.create
  • monitoring.snoozes.get
  • monitoring.snoozes.list
  • monitoring.snoozes.update

monitoring.timeSeries.*

  • monitoring.timeSeries.create
  • monitoring.timeSeries.list

monitoring.uptimeCheckConfigs.*

  • monitoring.uptimeCheckConfigs.create
  • monitoring.uptimeCheckConfigs.delete
  • monitoring.uptimeCheckConfigs.get
  • monitoring.uptimeCheckConfigs.list
  • monitoring.uptimeCheckConfigs.update

opsconfigmonitoring.*

  • opsconfigmonitoring.resourceMetadata.list
  • opsconfigmonitoring.resourceMetadata.write

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.consumerpolicy.*

  • serviceusage.consumerpolicy.analyze
  • serviceusage.consumerpolicy.get
  • serviceusage.consumerpolicy.update

serviceusage.effectivepolicy.get

serviceusage.groups.*

  • serviceusage.groups.list
  • serviceusage.groups.listExpandedMembers
  • serviceusage.groups.listMembers

serviceusage.services.enable

serviceusage.services.get

serviceusage.values.test

stackdriver.*

  • stackdriver.projects.edit
  • stackdriver.projects.get
  • stackdriver.resourceMetadata.list
  • stackdriver.resourceMetadata.write

telemetry.metrics.write

(roles/monitoring.metricWriter)

Provides write-only access to metrics. This provides exactly the permissions needed by the Cloud Monitoring agent and other systems that send metrics.

Lowest-level resources where you can grant this role:

  • Project

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

  • monitoring.monitoredResourceDescriptors.get
  • monitoring.monitoredResourceDescriptors.list

monitoring.timeSeries.create

telemetry.metrics.write

(roles/monitoring.metricsScopesAdmin)

Access to add and remove monitored projects from metrics scopes.

monitoring.metricsScopes.link

resourcemanager.projects.get

resourcemanager.projects.list

(roles/monitoring.metricsScopesViewer)

Read-only access to metrics scopes and their monitored projects.

resourcemanager.projects.get

resourcemanager.projects.list

(roles/monitoring.notificationChannelEditor)

Read/write access to notification channels.

monitoring.notificationChannelDescriptors.*

  • monitoring.notificationChannelDescriptors.get
  • monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.create

monitoring.notificationChannels.delete

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.notificationChannels.sendVerificationCode

monitoring.notificationChannels.update

monitoring.notificationChannels.verify

(roles/monitoring.notificationChannelViewer)

Read-only access to notification channels.

monitoring.notificationChannelDescriptors.*

  • monitoring.notificationChannelDescriptors.get
  • monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.get

monitoring.notificationChannels.list

(roles/monitoring.notificationServiceAgent)

Grants permissions to deliver notifications directly to resources within the target project, such as delivering to Pub/Sub topics within the project.

bigquery.jobs.create

cloudfunctions.functions.get

cloudtrace.traces.patch

logging.links.list

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

  • monitoring.monitoredResourceDescriptors.get
  • monitoring.monitoredResourceDescriptors.list

monitoring.timeSeries.list

observability.links.list

run.routes.invoke

servicedirectory.networks.access

servicedirectory.services.resolve

serviceusage.services.use

(roles/monitoring.servicesEditor)

Read/write access to services.

monitoring.services.*

  • monitoring.services.create
  • monitoring.services.delete
  • monitoring.services.get
  • monitoring.services.list
  • monitoring.services.update

monitoring.slos.*

  • monitoring.slos.create
  • monitoring.slos.delete
  • monitoring.slos.get
  • monitoring.slos.list
  • monitoring.slos.update

(roles/monitoring.servicesViewer)

Read-only access to services.

monitoring.services.get

monitoring.services.list

monitoring.slos.get

monitoring.slos.list

(roles/monitoring.snoozeEditor)

monitoring.snoozes.*

  • monitoring.snoozes.create
  • monitoring.snoozes.get
  • monitoring.snoozes.list
  • monitoring.snoozes.update

(roles/monitoring.snoozeViewer)

monitoring.snoozes.get

monitoring.snoozes.list

(roles/monitoring.uptimeCheckConfigEditor)

Read/write access to uptime check configurations.

monitoring.uptimeCheckConfigs.*

  • monitoring.uptimeCheckConfigs.create
  • monitoring.uptimeCheckConfigs.delete
  • monitoring.uptimeCheckConfigs.get
  • monitoring.uptimeCheckConfigs.list
  • monitoring.uptimeCheckConfigs.update

(roles/monitoring.uptimeCheckConfigViewer)

Read-only access to uptime check configurations.

monitoring.uptimeCheckConfigs.get

monitoring.uptimeCheckConfigs.list

(roles/monitoring.viewer)

Provides read-only access to get and list information about all monitoring data and configurations.

Lowest-level resources where you can grant this role:

  • Project

cloudnotifications.activities.list

monitoring.alertPolicies.get

monitoring.alertPolicies.list

monitoring.alertPolicies.listEffectiveTags

monitoring.alertPolicies.listTagBindings

monitoring.alerts.*

  • monitoring.alerts.get
  • monitoring.alerts.list

monitoring.dashboards.get

monitoring.dashboards.list

monitoring.dashboards.listEffectiveTags

monitoring.dashboards.listTagBindings

monitoring.groups.get

monitoring.groups.list

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

  • monitoring.monitoredResourceDescriptors.get
  • monitoring.monitoredResourceDescriptors.list

monitoring.notificationChannelDescriptors.*

  • monitoring.notificationChannelDescriptors.get
  • monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.services.get

monitoring.services.list

monitoring.slos.get

monitoring.slos.list

monitoring.snoozes.get

monitoring.snoozes.list

monitoring.timeSeries.list

monitoring.uptimeCheckConfigs.get

monitoring.uptimeCheckConfigs.list

opsconfigmonitoring.resourceMetadata.list

resourcemanager.projects.get

resourcemanager.projects.list

stackdriver.projects.get

stackdriver.resourceMetadata.list

(roles/opsconfigmonitoring.resourceMetadata.viewer)

Read-only access to resource metadata.

opsconfigmonitoring.resourceMetadata.list

(roles/opsconfigmonitoring.resourceMetadata.writer)

Write-only access to resource metadata. This provides exactly the permissions needed by the Ops Config Monitoring metadata agent and other systems that send metadata.

opsconfigmonitoring.resourceMetadata.write

(roles/stackdriver.accounts.editor)

Read/write access to manage Stackdriver account structure.

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.consumerpolicy.*

  • serviceusage.consumerpolicy.analyze
  • serviceusage.consumerpolicy.get
  • serviceusage.consumerpolicy.update

serviceusage.effectivepolicy.get

serviceusage.groups.*

  • serviceusage.groups.list
  • serviceusage.groups.listExpandedMembers
  • serviceusage.groups.listMembers

serviceusage.services.enable

serviceusage.services.get

serviceusage.values.test

stackdriver.projects.*

  • stackdriver.projects.edit
  • stackdriver.projects.get

(roles/stackdriver.accounts.viewer)

Read-only access to get and list information about Stackdriver account structure.

resourcemanager.projects.get

resourcemanager.projects.list

stackdriver.projects.get

(roles/stackdriver.resourceMetadata.writer)

Write-only access to resource metadata. This provides exactly the permissions needed by the Stackdriver metadata agent and other systems that send metadata.

stackdriver.resourceMetadata.write

Monitoring permissions included in Cloud de Confiance by S3NS basic roles

The Cloud de Confiance basic roles include the following permissions:

Name           Title    Includes permissions
roles/viewer   Viewer   The Monitoring permissions are the same as those in roles/monitoring.viewer.
roles/editor   Editor   The Monitoring permissions are the same as those listed in the roles/monitoring.editor table, except for stackdriver.projects.edit, which roles/editor does not include.
roles/owner    Owner    The Monitoring permissions are the same as those in roles/monitoring.admin.

Access scopes in Compute Engine

Access scopes are the legacy method of specifying permissions for Compute Engine virtual machines. The following access scopes apply to Monitoring:

Access scope                                       Permissions granted
https://www.googleapis.com/auth/monitoring.read    The same permissions as roles/monitoring.viewer.
https://www.googleapis.com/auth/monitoring.write   The same permissions as roles/monitoring.metricWriter.
https://www.googleapis.com/auth/monitoring         Full access to Monitoring.
https://www.googleapis.com/auth/cloud-platform     Full access to all enabled Cloud APIs.

For more information, see Access scopes.

Best practice. We recommend that you give your VMs the broadest access scope (cloud-platform) and then use IAM roles to restrict access to specific APIs and operations. For more information, see Service account permissions.
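The following Python script is an added example; it is not code from the Cloud de Confiance by S3NS or Google Cloud documentation. It models three points made on this page: a role is a bundle of permissions (including custom roles you define yourself), a basic role carries the Monitoring permissions of a predefined Monitoring role, and a Compute Engine VM is limited by both its access scope and the IAM roles bound to its service account, which is why the broad cloud-platform scope plus a narrow role is the recommended pattern. The permission sets are an abridged copy of the page's tables. The "scope intersect role" rule, the sample policy bindings, the member-type heuristic and the custom role name are assumptions made for illustration.

```python
"""Reason about Monitoring IAM roles, basic roles and access scopes.

Added example, not the documentation's own code. Permission sets are an
abridged copy of the page's tables; everything else is an assumption.
"""

# Abridged permission sets, copied from the role tables on the page.
VIEWER = {
    "monitoring.alertPolicies.get", "monitoring.alertPolicies.list",
    "monitoring.notificationChannels.get", "monitoring.notificationChannels.list",
    "monitoring.timeSeries.list",
}
METRIC_WRITER = {
    "monitoring.metricDescriptors.create", "monitoring.metricDescriptors.get",
    "monitoring.metricDescriptors.list", "monitoring.timeSeries.create",
    "telemetry.metrics.write",
}
ALERT_POLICY_EDITOR = {
    "monitoring.alertPolicies.create", "monitoring.alertPolicies.delete",
    "monitoring.alertPolicies.get", "monitoring.alertPolicies.list",
    "monitoring.alertPolicies.update",
}
CHANNEL_EDITOR = {
    "monitoring.notificationChannels.create", "monitoring.notificationChannels.delete",
    "monitoring.notificationChannels.get", "monitoring.notificationChannels.list",
    "monitoring.notificationChannels.update",
}
EDITOR = (VIEWER | METRIC_WRITER | ALERT_POLICY_EDITOR | CHANNEL_EDITOR
          | {"stackdriver.projects.edit"})
ADMIN = EDITOR | {"monitoring.metricsScopes.link",
                  "monitoring.notificationChannels.getVerificationCode"}

ROLE_PERMISSIONS = {
    "roles/monitoring.viewer": VIEWER,
    "roles/monitoring.metricWriter": METRIC_WRITER,
    "roles/monitoring.alertPolicyEditor": ALERT_POLICY_EDITOR,
    "roles/monitoring.notificationChannelEditor": CHANNEL_EDITOR,
    "roles/monitoring.editor": EDITOR,
    "roles/monitoring.admin": ADMIN,
    # Basic roles, expressed in Monitoring terms exactly as the page states them.
    "roles/viewer": VIEWER,
    "roles/editor": EDITOR - {"stackdriver.projects.edit"},
    "roles/owner": ADMIN,
}

# Access scopes from the page, mapped to the Monitoring permissions each allows.
# "Full access" scopes are modelled as ADMIN because only Monitoring is in scope here.
SCOPE_PERMISSIONS = {
    "https://www.googleapis.com/auth/monitoring.read": VIEWER,
    "https://www.googleapis.com/auth/monitoring.write": METRIC_WRITER,
    "https://www.googleapis.com/auth/monitoring": ADMIN,
    "https://www.googleapis.com/auth/cloud-platform": ADMIN,
}

# Permissions that change or remove alerting; a defender wants to know who holds them.
ALERT_CONTROL = {
    "monitoring.alertPolicies.delete", "monitoring.alertPolicies.update",
    "monitoring.notificationChannels.delete", "monitoring.notificationChannels.update",
}


def permissions_for(roles, custom_roles=None):
    """Union of the permissions bundled by the given roles.
    custom_roles maps a custom role name to its permission set (IAM custom roles)."""
    table = {**ROLE_PERMISSIONS, **(custom_roles or {})}
    perms = set()
    for role in roles:
        if role not in table:
            raise KeyError(f"unknown role: {role}")
        perms |= table[role]
    return perms


def effective_vm_permissions(scopes, roles, custom_roles=None):
    """Assumed rule: a VM can only use permissions that both its access scopes
    and its service account's IAM roles allow (the intersection of the two)."""
    allowed = set().union(*(SCOPE_PERMISSIONS[s] for s in scopes))
    return permissions_for(roles, custom_roles) & allowed


def audit_bindings(bindings, custom_roles=None):
    """Review the 'bindings' list of a project IAM policy; returns (member, finding) pairs."""
    findings = []
    for binding in bindings:
        role = binding["role"]
        perms = permissions_for([role], custom_roles)
        for member in binding["members"]:
            is_service_account = member.startswith("serviceAccount:")  # heuristic
            if role == "roles/monitoring.metricWriter" and not is_service_account:
                findings.append((member, "metricWriter is intended for service accounts and agents"))
            if role in ("roles/editor", "roles/owner"):
                findings.append((member, f"basic role {role} carries Monitoring write access; "
                                         "prefer a predefined Monitoring role"))
            if perms & ALERT_CONTROL:
                findings.append((member, f"{role} can modify or delete alert policies "
                                         "or notification channels"))
    return findings


# Constructed sample policy bindings; the members and project are made up.
SAMPLE_BINDINGS = [
    {"role": "roles/monitoring.viewer", "members": ["user:analyst@example.com"]},
    {"role": "roles/monitoring.metricWriter",
     "members": ["serviceAccount:agent@example-project.iam.gserviceaccount.com",
                 "user:dev@example.com"]},
    {"role": "roles/editor", "members": ["group:platform-team@example.com"]},
]

# Hypothetical custom role in the projects/PROJECT_ID/roles/ROLE_ID form.
CUSTOM_ROLES = {"projects/example-project/roles/alertReader":
                {"monitoring.alertPolicies.get", "monitoring.alertPolicies.list"}}

if __name__ == "__main__":
    for member, finding in audit_bindings(SAMPLE_BINDINGS, CUSTOM_ROLES):
        print(f"{member}: {finding}")
    narrow = effective_vm_permissions(["https://www.googleapis.com/auth/monitoring.read"],
                                      ["roles/monitoring.editor"])
    print("read scope + editor role ->", sorted(narrow))
```

Running the script shows that a VM with the monitoring.read scope cannot use its editor role's write permissions (the scope wins), while a VM with the cloud-platform scope and only roles/monitoring.metricWriter ends up with exactly the metric-writer permissions, which is the page's recommended pattern. The audit flags the user holding metricWriter, the group holding a basic role, and any principal whose role can alter alerting.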