Permissions and Roles

This course looks at logging and monitoring access control on Google Cloud Platform. We start by looking at monitoring IAM, and you'll also learn about the IAM permissions and roles that apply specifically to monitoring. A demonstration from the GCP cloud console will show you how to grant monitoring permissions through role assignments.

Then we'll move on to monitoring access control via VPC Service Controls as well as covering cloud logging access control. We’ll start with an overview, before taking a closer look at specific IAM roles and permissions that are used to grant access to Cloud Logging. Finally, we'll look at Logs Explorer permissions and show which permissions you need to export logs.

Learning Objectives

  • Get a solid understanding of monitoring and logging access control on GCP
  • Learn about the IAM permissions and roles for monitoring
  • Learn how to monitor access control using VPC Service Controls
  • Understand the roles and permissions used to grant access to cloud logging
  • Learn Logs Explorer permissions for exporting logs

Intended Audience

This course is intended for anyone who wants to learn how to configure logging and monitoring access control on the GCP platform.


To get the most out of this course, you should have some experience of using GCP, as well as knowledge of IAM principles.


So now that we've covered IAM roles in general, let's take a quick look at all the specific IAM permissions and roles that apply to monitoring in GCP.

As I mentioned earlier, each of the Monitoring API methods requires certain IAM permissions. The image you see on your screen shows just a portion of all of the different permissions that are available and the monitoring API methods to which they apply. The complete list of API permissions that apply to monitoring can be found at the URL that you see on your screen.

The list of console permissions that are necessary for monitoring is not terribly large. As you can see on your screen, full read-only access to monitoring requires the set of permissions that is included in the roles/monitoring.viewer role, while read-write access in the console requires the set of permissions that is included in the roles/monitoring.editor role.

The permission set included in the roles/monitoring.admin role provides full access to the console. Each of the three roles, viewer, editor, and admin, consists of numerous underlying permissions. As I mentioned earlier, the image on your screen shows all the included permissions for the monitoring viewer role.

Now, I show this to demonstrate what goes on underneath each of the predefined roles. I'd show you a screenshot of the monitoring editor permissions, but the list is just too large. Instead, what you can do is visit the URL on your screen to see the complete list of underlying permissions. The underlying permissions for the monitoring admin role are shown on screen now.

So you can see why the permissions for accessing monitoring in GCP are contained in a handful of predefined roles. Managing these individual permissions in a one-off fashion would prove to be difficult at best.

While project owners, editors, and the default service accounts for both Compute Engine and App Engine will already have the required permissions for monitoring, there will obviously be times when you need to grant IAM roles to other users who need certain access to monitoring.

What I want to do here, real quickly, is show you how you can use the Cloud Console to grant monitoring permissions through role assignments.

Now, on the screen here, I'm logged into my Google Cloud Platform console and I'm sitting in my Google Auth project. What I'm going to do here is modify the roles for the Thomas Mitchell account, so that he becomes a monitoring editor.

So from this project page here, what I do to make this happen is go under Identity and Security; if I hover over Access here, we'll see the IAM option. We'll go ahead and select IAM. And then, since we see the Thomas J. Mitchell account here, what we'll do is edit this member.

We can see we already have the owner role here, because it's my project, but just to demonstrate what we're doing here, we'll add another role here and we'll make Tom a monitoring editor. And to do that, we simply click, add another role and then in the dropdown, we have the different types.

Now we could filter for monitoring or we can just scroll down here. We see monitoring and then in monitoring, we can see all of the different IAM roles associated with monitoring. What we'll do here is make Tom a monitoring editor and we'll save it. And that's it.
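What the console does behind that "Add another role" click is rewrite the project's IAM policy document. The following is an added example, not code from the course, that applies the same change to a policy JSON of the shape `gcloud projects get-iam-policy` returns; the policy, member and etag values are constructed placeholders.

```python
"""Add a Cloud Monitoring role binding to a project IAM policy document.

Added example (not course material). It mirrors what the console does
when a member is given roles/monitoring.editor: the existing owner
binding is left alone, a binding for the new role is created if absent,
a member already in the role is not duplicated, and the etag is kept so
a later setIamPolicy call can detect concurrent edits.
"""
import copy

# The three predefined Cloud Monitoring roles discussed in the lesson.
MONITORING_ROLES = {
    "roles/monitoring.viewer",
    "roles/monitoring.editor",
    "roles/monitoring.admin",
}

# Constructed sample policy; the member and etag are placeholders.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:tom@example.com"]},
    ],
    "etag": "BwX-constructed-etag",
    "version": 1,
}


def add_binding(policy, role, member):
    """Return a copy of `policy` with `member` added to `role`.

    Only Cloud Monitoring roles are accepted, so this helper cannot be
    used to hand out broader roles by accident.
    """
    if role not in MONITORING_ROLES:
        raise ValueError(f"{role} is not a Cloud Monitoring role")
    new_policy = copy.deepcopy(policy)  # never mutate the caller's copy
    for binding in new_policy["bindings"]:
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new_policy
    new_policy["bindings"].append({"role": role, "members": [member]})
    return new_policy


def roles_for(policy, member):
    """List the roles a member holds directly in this policy."""
    return sorted(b["role"] for b in policy["bindings"] if member in b["members"])


if __name__ == "__main__":
    updated = add_binding(SAMPLE_POLICY, "roles/monitoring.editor", "user:tom@example.com")
    print(roles_for(updated, "user:tom@example.com"))
```

Running it prints the member's roles after the change; in a real project you would feed the updated document to `gcloud projects set-iam-policy` (or let the console do it), which is the step the demonstration performs with the Save button.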

I mean, it's not difficult, but it does make sense to know how to assign these roles for when the time comes, whether you're asked a question about it or it's something you have to do in production.

So with that, we'll call it a wrap and I'll see you in the next lesson.

About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.