So now that we've covered IAM roles in general, let's take a quick look at all the specific IAM permissions and roles that apply to monitoring in GCP.

As I mentioned earlier, each of the monitoring API methods requires certain IAM permissions. The image you see on your screen shows just a portion of all of the different permissions that are available and to which monitoring API methods they apply to. The complete list of API permissions that apply to monitoring can be found at the URL that you see on your screen.

The list of console permissions that are necessary for monitoring is not terribly large. As you can see on your screen, full read-only access to monitoring requires the set of permissions that is included in the roles monitoring viewer role. While read-write access in the console requires the set of permissions that is included in the roles monitoring editor role.

The permission set included in the monitoring admin role provides full access to the console. Each of the three roles, including viewer editor and admin, consists of numerous underlying permissions. I mentioned this earlier, the image on your screen shows all the included permissions for the monitoring viewer role.

Now, I show this to demonstrate what goes on underneath each of the predefined roles. I'd show you a screenshot of the monitoring editor permissions, but the list is just too large. Instead, what you can do is visit the URL on your screen to see the complete list of underlying permissions. The underlying permissions for the monitoring admin role are shown on screen now.

So you can see why the permissions for accessing monitoring in GCP are contained in a handful of predefined roles. Managing these individual permissions in a one-off fashion would prove to be difficult at best.

While project owners, editors, and default service accounts for both compute engine and app engine will already have the required permissions for monitoring, there will obviously be times when you need to grant IAM roles to other users who need certain access to monitoring.

What I wanna do here real quickly, is show you how you can use the Cloud Console to grant monitoring permissions through role assignments.

Now, on the screen here, I'm logged into my Google Cloud platform and I'm sitting in my Google Auth Project. What I'm going to do here is modify the roles for the Thomas Mitchell account, so that he becomes a monitoring editor.

So from this project page here, what I do to make this happen is under here, under identity and security, if I hover over access here, we'll see the IAM option. We'll go ahead and select IAM. And then what we'll do here, is we see the Thomas J. Mitchell account, what we'll do is edit this member.

We can see we already have the owner role here, because it's my project, but just to demonstrate what we're doing here, we'll add another role here and we'll make Tom a monitoring editor. And to do that, we simply click, add another role and then in the dropdown, we have the different types.

Now we could filter for monitoring or we can just scroll down here. We see monitoring and then in monitoring, we can see all of the different IAM roles associated with monitoring. What we'll do here is make Tom a monitoring editor and we'll save it. And that's it.

I mean, it's not difficult, but it does make sense to understand, to know how to assign these roles for when the time comes if you're asked a question about it or if it's something you have to do in production.

So with that, we'll call it a wrap and I'll see you in the next lesson.