Controlar o acesso com o IAM

Para usar o Monitoring, é preciso ter as permissões apropriadas do Identity and Access Management (IAM). Em geral, cada método REST em uma API tem uma permissão associada. Para usar o método ou um recurso do console que depende dele, você precisa ter a permissão para usar o método correspondente. As permissões não são concedidas diretamente aos usuários. Em vez disso, elas são concedidas indiretamente por meio de papéis, que agrupam várias permissões para facilitar o gerenciamento delas:

Os papéis para combinações comuns de permissões já estão predefinidos para você. No entanto, também é possível criar suas próprias combinações de permissões gerando papéis personalizados do IAM.

Papéis predefinidos

Esta seção lista um subconjunto de papéis do IAM predefinidos pelo Cloud Monitoring.

Nome
Cargo		 Inclui as permissões
roles/monitoring.viewer
Visualizador do Monitoring		 Concede acesso somente leitura à API Cloud Monitoring.
roles/monitoring.editor
Editor do Monitoring		 Concede acesso de leitura e gravação à API Cloud Monitoring.
roles/monitoring.admin
Administrador do Monitoring		 Concede acesso total à API Cloud Monitoring.

O papel a seguir é usado pelas contas de serviço para acesso somente de gravação:

Nome
Cargo		 Descrição
roles/monitoring.metricWriter
Gravador de métricas do Monitoring

Esse papel é para contas de serviço e agentes.
Não permite acesso ao Monitoring no console do Cloud de Confiance .

Permissões para papéis predefinidos

Nesta seção, listamos as permissões atribuídas a papéis predefinidos associados ao Monitoring.

Para mais informações sobre papéis predefinidos, consulte IAM: papéis e permissões. Para receber ajuda para escolher os papéis predefinidos mais apropriados, consulte Escolher papéis predefinidos.

Permissões para papéis do Monitoring

Role Permissions

(roles/monitoring.admin)

Provides full access to Cloud Monitoring.

Lowest-level resources where you can grant this role:

  • Project

cloudnotifications.activities.list

monitoring.*

  • monitoring.alertPolicies.create
  • monitoring.alertPolicies.createTagBinding
  • monitoring.alertPolicies.delete
  • monitoring.alertPolicies.deleteTagBinding
  • monitoring.alertPolicies.get
  • monitoring.alertPolicies.list
  • monitoring.alertPolicies.listEffectiveTags
  • monitoring.alertPolicies.listTagBindings
  • monitoring.alertPolicies.update
  • monitoring.alerts.get
  • monitoring.alerts.list
  • monitoring.dashboards.create
  • monitoring.dashboards.createTagBinding
  • monitoring.dashboards.delete
  • monitoring.dashboards.deleteTagBinding
  • monitoring.dashboards.get
  • monitoring.dashboards.list
  • monitoring.dashboards.listEffectiveTags
  • monitoring.dashboards.listTagBindings
  • monitoring.dashboards.update
  • monitoring.groups.create
  • monitoring.groups.delete
  • monitoring.groups.get
  • monitoring.groups.list
  • monitoring.groups.update
  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.delete
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.metricsScopes.link
  • monitoring.monitoredResourceDescriptors.get
  • monitoring.monitoredResourceDescriptors.list
  • monitoring.notificationChannelDescriptors.get
  • monitoring.notificationChannelDescriptors.list
  • monitoring.notificationChannels.create
  • monitoring.notificationChannels.delete
  • monitoring.notificationChannels.get
  • monitoring.notificationChannels.getVerificationCode
  • monitoring.notificationChannels.list
  • monitoring.notificationChannels.sendVerificationCode
  • monitoring.notificationChannels.update
  • monitoring.notificationChannels.verify
  • monitoring.services.create
  • monitoring.services.delete
  • monitoring.services.get
  • monitoring.services.list
  • monitoring.services.update
  • monitoring.slos.create
  • monitoring.slos.delete
  • monitoring.slos.get
  • monitoring.slos.list
  • monitoring.slos.update
  • monitoring.snoozes.create
  • monitoring.snoozes.get
  • monitoring.snoozes.list
  • monitoring.snoozes.update
  • monitoring.timeSeries.create
  • monitoring.timeSeries.list
  • monitoring.uptimeCheckConfigs.create
  • monitoring.uptimeCheckConfigs.delete
  • monitoring.uptimeCheckConfigs.get
  • monitoring.uptimeCheckConfigs.list
  • monitoring.uptimeCheckConfigs.update

opsconfigmonitoring.*

  • opsconfigmonitoring.resourceMetadata.list
  • opsconfigmonitoring.resourceMetadata.write

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.consumerpolicy.*

  • serviceusage.consumerpolicy.analyze
  • serviceusage.consumerpolicy.get
  • serviceusage.consumerpolicy.update

serviceusage.effectivepolicy.get

serviceusage.groups.*

  • serviceusage.groups.list
  • serviceusage.groups.listExpandedMembers
  • serviceusage.groups.listMembers

serviceusage.services.enable

serviceusage.services.get

serviceusage.values.test

stackdriver.*

  • stackdriver.projects.edit
  • stackdriver.projects.get
  • stackdriver.resourceMetadata.list
  • stackdriver.resourceMetadata.write

telemetry.metrics.write

(roles/monitoring.alertPolicyEditor)

Read/write access to alerting policies.

monitoring.alertPolicies.*

  • monitoring.alertPolicies.create
  • monitoring.alertPolicies.createTagBinding
  • monitoring.alertPolicies.delete
  • monitoring.alertPolicies.deleteTagBinding
  • monitoring.alertPolicies.get
  • monitoring.alertPolicies.list
  • monitoring.alertPolicies.listEffectiveTags
  • monitoring.alertPolicies.listTagBindings
  • monitoring.alertPolicies.update

(roles/monitoring.alertPolicyViewer)

Read-only access to alerting policies.

monitoring.alertPolicies.get

monitoring.alertPolicies.list

monitoring.alertPolicies.listEffectiveTags

monitoring.alertPolicies.listTagBindings

(roles/monitoring.alertViewer)

Read access to alerts.

monitoring.alerts.*

  • monitoring.alerts.get
  • monitoring.alerts.list

(roles/monitoring.cloudConsoleIncidentEditor)

Read/write access to incidents from Cloud Console.

monitoring.alerts.*

  • monitoring.alerts.get
  • monitoring.alerts.list

(roles/monitoring.cloudConsoleIncidentViewer)

Read access to incidents from Cloud Console.

monitoring.alerts.*

  • monitoring.alerts.get
  • monitoring.alerts.list

(roles/monitoring.dashboardEditor)

Read/write access to dashboard configurations.

monitoring.dashboards.*

  • monitoring.dashboards.create
  • monitoring.dashboards.createTagBinding
  • monitoring.dashboards.delete
  • monitoring.dashboards.deleteTagBinding
  • monitoring.dashboards.get
  • monitoring.dashboards.list
  • monitoring.dashboards.listEffectiveTags
  • monitoring.dashboards.listTagBindings
  • monitoring.dashboards.update

(roles/monitoring.dashboardViewer)

Read-only access to dashboard configurations.

monitoring.dashboards.get

monitoring.dashboards.list

monitoring.dashboards.listEffectiveTags

monitoring.dashboards.listTagBindings

(roles/monitoring.editor)

Provides full access to information about all monitoring data and configurations.

Lowest-level resources where you can grant this role:

  • Project

cloudnotifications.activities.list

monitoring.alertPolicies.*

  • monitoring.alertPolicies.create
  • monitoring.alertPolicies.createTagBinding
  • monitoring.alertPolicies.delete
  • monitoring.alertPolicies.deleteTagBinding
  • monitoring.alertPolicies.get
  • monitoring.alertPolicies.list
  • monitoring.alertPolicies.listEffectiveTags
  • monitoring.alertPolicies.listTagBindings
  • monitoring.alertPolicies.update

monitoring.alerts.*

  • monitoring.alerts.get
  • monitoring.alerts.list

monitoring.dashboards.*

  • monitoring.dashboards.create
  • monitoring.dashboards.createTagBinding
  • monitoring.dashboards.delete
  • monitoring.dashboards.deleteTagBinding
  • monitoring.dashboards.get
  • monitoring.dashboards.list
  • monitoring.dashboards.listEffectiveTags
  • monitoring.dashboards.listTagBindings
  • monitoring.dashboards.update

monitoring.groups.*

  • monitoring.groups.create
  • monitoring.groups.delete
  • monitoring.groups.get
  • monitoring.groups.list
  • monitoring.groups.update

monitoring.metricDescriptors.*

  • monitoring.metricDescriptors.create
  • monitoring.metricDescriptors.delete
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

  • monitoring.monitoredResourceDescriptors.get
  • monitoring.monitoredResourceDescriptors.list

monitoring.notificationChannelDescriptors.*

  • monitoring.notificationChannelDescriptors.get
  • monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.create

monitoring.notificationChannels.delete

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.notificationChannels.sendVerificationCode

monitoring.notificationChannels.update

monitoring.notificationChannels.verify

monitoring.services.*

  • monitoring.services.create
  • monitoring.services.delete
  • monitoring.services.get
  • monitoring.services.list
  • monitoring.services.update

monitoring.slos.*

  • monitoring.slos.create
  • monitoring.slos.delete
  • monitoring.slos.get
  • monitoring.slos.list
  • monitoring.slos.update

monitoring.snoozes.*

  • monitoring.snoozes.create
  • monitoring.snoozes.get
  • monitoring.snoozes.list
  • monitoring.snoozes.update

monitoring.timeSeries.*

  • monitoring.timeSeries.create
  • monitoring.timeSeries.list

monitoring.uptimeCheckConfigs.*

  • monitoring.uptimeCheckConfigs.create
  • monitoring.uptimeCheckConfigs.delete
  • monitoring.uptimeCheckConfigs.get
  • monitoring.uptimeCheckConfigs.list
  • monitoring.uptimeCheckConfigs.update

opsconfigmonitoring.*

  • opsconfigmonitoring.resourceMetadata.list
  • opsconfigmonitoring.resourceMetadata.write

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.consumerpolicy.*

  • serviceusage.consumerpolicy.analyze
  • serviceusage.consumerpolicy.get
  • serviceusage.consumerpolicy.update

serviceusage.effectivepolicy.get

serviceusage.groups.*

  • serviceusage.groups.list
  • serviceusage.groups.listExpandedMembers
  • serviceusage.groups.listMembers

serviceusage.services.enable

serviceusage.services.get

serviceusage.values.test

stackdriver.*

  • stackdriver.projects.edit
  • stackdriver.projects.get
  • stackdriver.resourceMetadata.list
  • stackdriver.resourceMetadata.write

telemetry.metrics.write

(roles/monitoring.metricWriter)

Provides write-only access to metrics. This provides exactly the permissions needed by the Cloud Monitoring agent and other systems that send metrics.

Lowest-level resources where you can grant this role:

  • Project

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

  • monitoring.monitoredResourceDescriptors.get
  • monitoring.monitoredResourceDescriptors.list

monitoring.timeSeries.create

telemetry.metrics.write

(roles/monitoring.metricsScopesAdmin)

Access to add and remove monitored projects from metrics scopes.

monitoring.metricsScopes.link

resourcemanager.projects.get

resourcemanager.projects.list

(roles/monitoring.metricsScopesViewer)

Read-only access to metrics scopes and their monitored projects.

resourcemanager.projects.get

resourcemanager.projects.list

(roles/monitoring.notificationChannelEditor)

Read/write access to notification channels.

monitoring.notificationChannelDescriptors.*

  • monitoring.notificationChannelDescriptors.get
  • monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.create

monitoring.notificationChannels.delete

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.notificationChannels.sendVerificationCode

monitoring.notificationChannels.update

monitoring.notificationChannels.verify

(roles/monitoring.notificationChannelViewer)

Read-only access to notification channels.

monitoring.notificationChannelDescriptors.*

  • monitoring.notificationChannelDescriptors.get
  • monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.get

monitoring.notificationChannels.list

(roles/monitoring.notificationServiceAgent)

Grants permissions to deliver notifications directly to resources within the target project, such as delivering to Pub/Sub topics within the project.

bigquery.jobs.create

cloudfunctions.functions.get

cloudtrace.traces.patch

logging.links.list

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

  • monitoring.monitoredResourceDescriptors.get
  • monitoring.monitoredResourceDescriptors.list

monitoring.timeSeries.list

run.routes.invoke

servicedirectory.networks.access

servicedirectory.services.resolve

serviceusage.services.use

(roles/monitoring.servicesEditor)

Read/write access to services.

monitoring.services.*

  • monitoring.services.create
  • monitoring.services.delete
  • monitoring.services.get
  • monitoring.services.list
  • monitoring.services.update

monitoring.slos.*

  • monitoring.slos.create
  • monitoring.slos.delete
  • monitoring.slos.get
  • monitoring.slos.list
  • monitoring.slos.update

(roles/monitoring.servicesViewer)

Read-only access to services.

monitoring.services.get

monitoring.services.list

monitoring.slos.get

monitoring.slos.list

(roles/monitoring.snoozeEditor)

monitoring.snoozes.*

  • monitoring.snoozes.create
  • monitoring.snoozes.get
  • monitoring.snoozes.list
  • monitoring.snoozes.update

(roles/monitoring.snoozeViewer)

monitoring.snoozes.get

monitoring.snoozes.list

(roles/monitoring.uptimeCheckConfigEditor)

Read/write access to uptime check configurations.

monitoring.uptimeCheckConfigs.*

  • monitoring.uptimeCheckConfigs.create
  • monitoring.uptimeCheckConfigs.delete
  • monitoring.uptimeCheckConfigs.get
  • monitoring.uptimeCheckConfigs.list
  • monitoring.uptimeCheckConfigs.update

(roles/monitoring.uptimeCheckConfigViewer)

Read-only access to uptime check configurations.

monitoring.uptimeCheckConfigs.get

monitoring.uptimeCheckConfigs.list

(roles/monitoring.viewer)

Provides read-only access to get and list information about all monitoring data and configurations.

Lowest-level resources where you can grant this role:

  • Project

cloudnotifications.activities.list

monitoring.alertPolicies.get

monitoring.alertPolicies.list

monitoring.alertPolicies.listEffectiveTags

monitoring.alertPolicies.listTagBindings

monitoring.alerts.*

  • monitoring.alerts.get
  • monitoring.alerts.list

monitoring.dashboards.get

monitoring.dashboards.list

monitoring.dashboards.listEffectiveTags

monitoring.dashboards.listTagBindings

monitoring.groups.get

monitoring.groups.list

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

  • monitoring.monitoredResourceDescriptors.get
  • monitoring.monitoredResourceDescriptors.list

monitoring.notificationChannelDescriptors.*

  • monitoring.notificationChannelDescriptors.get
  • monitoring.notificationChannelDescriptors.list

monitoring.notificationChannels.get

monitoring.notificationChannels.list

monitoring.services.get

monitoring.services.list

monitoring.slos.get

monitoring.slos.list

monitoring.snoozes.get

monitoring.snoozes.list

monitoring.timeSeries.list

monitoring.uptimeCheckConfigs.get

monitoring.uptimeCheckConfigs.list

opsconfigmonitoring.resourceMetadata.list

resourcemanager.projects.get

resourcemanager.projects.list

stackdriver.projects.get

stackdriver.resourceMetadata.list

(roles/opsconfigmonitoring.resourceMetadata.viewer)

Read-only access to resource metadata.

opsconfigmonitoring.resourceMetadata.list

(roles/opsconfigmonitoring.resourceMetadata.writer)

Write-only access to resource metadata. This provides exactly the permissions needed by the Ops Config Monitoring metadata agent and other systems that send metadata.

opsconfigmonitoring.resourceMetadata.write

(roles/stackdriver.accounts.editor)

Read/write access to manage Stackdriver account structure.

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.consumerpolicy.*

  • serviceusage.consumerpolicy.analyze
  • serviceusage.consumerpolicy.get
  • serviceusage.consumerpolicy.update

serviceusage.effectivepolicy.get

serviceusage.groups.*

  • serviceusage.groups.list
  • serviceusage.groups.listExpandedMembers
  • serviceusage.groups.listMembers

serviceusage.services.enable

serviceusage.services.get

serviceusage.values.test

stackdriver.projects.*

  • stackdriver.projects.edit
  • stackdriver.projects.get

(roles/stackdriver.accounts.viewer)

Read-only access to get and list information about Stackdriver account structure.

resourcemanager.projects.get

resourcemanager.projects.list

stackdriver.projects.get

(roles/stackdriver.resourceMetadata.writer)

Write-only access to resource metadata. This provides exactly the permissions needed by the Stackdriver metadata agent and other systems that send metadata.

stackdriver.resourceMetadata.write

Permissões do Monitoring incluídas em papéis básicos do Cloud de Confiance by S3NS

Os Cloud de Confiance papéis básicos incluem as seguintes permissões:

Nome
Cargo		 Inclui as permissões
roles/viewer
Leitor 		As permissões do Monitoring são iguais às de roles/monitoring.viewer.
roles/editor
Editor

As permissões do Monitoring são iguais às de roles/monitoring.editor, com exceção da permissão stackdriver.projects.edit. O papel roles/editor não inclui a permissão stackdriver.projects.edit.
roles/owner
Proprietário 		As permissões do Monitoring são iguais às de roles/monitoring.admin.

Escopos de acesso do Compute Engine

Os escopos de acesso são o método legado de especificar permissões para as instâncias de VM do Compute Engine. Os escopos de acesso a seguir se aplicam ao Monitoring:

Escopo de acesso Permissões concedidas
https://www.googleapis.com/auth/monitoring.read As mesmas permissões de roles/monitoring.viewer.
https://www.googleapis.com/auth/monitoring.write As mesmas permissões de roles/monitoring.metricWriter.
https://www.googleapis.com/auth/monitoring Acesso completo ao Monitoring.
https://www.googleapis.com/auth/cloud-platform Acesso completo a todas as APIs do Cloud ativadas.

Para mais detalhes, consulte Escopos de acesso.

Prática recomendada. Uma prática recomendada é fornecer às instâncias de VM o escopo de acesso mais avançado, cloud-platform. Além disso, use os papéis do IAM para restringir o acesso a APIs e operações específicas. Para mais detalhes, consulte Permissões da conta de serviço.