Logging Permissions and Roles

This course looks at logging and monitoring access control on Google Cloud Platform. We start by looking at monitoring IAM, and you'll also learn about the IAM permissions and roles that apply specifically to monitoring. A demonstration from the GCP cloud console will show you how to grant monitoring permissions through role assignments.

Then we'll move on to monitoring access control via VPC Service Controls as well as covering cloud logging access control. We’ll start with an overview, before taking a closer look at specific IAM roles and permissions that are used to grant access to Cloud Logging. Finally, we'll look at Logs Explorer permissions and show which permissions you need to export logs.

Learning Objectives

  • Get a solid understanding of monitoring and logging access control on GCP
  • Learn about the IAM permissions and roles for monitoring
  • Learn how to monitor access control using VPC Service Controls
  • Understand the roles and permissions used to grant access to cloud logging
  • Learn Logs Explorer permissions for exporting logs

Intended Audience

This course is intended for anyone who wants to learn how to configure logging and monitoring access control on GCP.


To get the most out of this course, you should have some experience of using GCP, as well as knowledge of IAM principles.


As I mentioned earlier, certain permissions and roles are required before using Cloud Logging. In the previous lesson, we touched on the roles that are available. Now, let’s take a quick look at all of the underlying permissions that are granted when each role is assigned. Now, I’m not going to expect you to memorize all these, nor is Google, for that matter. However, it is important to at least understand these for context.

On the screen is a table that shows the logging permissions that are assigned when someone is assigned the Logs Viewer role. Notice, in this screenshot, that these permissions are typically used to manage projects, the organization, folders, and billing accounts.

This next screenshot here shows the permissions assigned with the Private Logs Viewer and the Logs Writer roles. These permissions are also used to manage projects, organizations, folders, and billing accounts.

What you see on the screen now are the permissions that the Logs Configuration Writer role provides. These permissions are used to manage projects, organizations, folders, and billing accounts.

The Logs Bucket Writer and Logs View Accessor permission sets are shown on the screen now.

As we move along here, let’s take a look at the underlying permissions that get assigned when someone is assigned the Logging Admin role.

The last three roles I want to touch on here are the Viewer role, the Editor role, and the Owner role.

Notice, here, that all three of these permission sets are typically used when working with projects, organizations, and folders.

As far as API permissions go, there are different permissions that are necessary to use the Logging API. It’s a long list, so I’m not going to show a screenshot here. Instead, bounce out to the link on your screen to view them.

Now, like I said, you aren’t expected to memorize this stuff. However, understanding these underlying permissions will prove useful when the time comes where you need to maybe create a custom role.
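Before replacing broad grants with a custom role, it helps to see who already holds the roles named in this lesson. The following is an added example, not part of the original course: it reads a project IAM policy and lists every principal bound to one of those roles. The sample policy, the principals, the custom role name `logReader` and the review notes are constructed assumptions for illustration.

```python
import json

# Role IDs for roles named in this lesson. The notes are a coarse summary
# assumed for this example; confirm them against the current IAM reference.
REVIEW = {
    "roles/owner": "basic role, full Logging access",
    "roles/editor": "basic role, carries Logging permissions implicitly",
    "roles/viewer": "basic role, carries log-read permissions implicitly",
    "roles/logging.admin": "all Logging permissions",
    "roles/logging.configWriter": "can change logging configuration",
    "roles/logging.privateLogViewer": "can read private logs",
}
NARROW = {"roles/logging.viewer", "roles/logging.logWriter",
          "roles/logging.bucketWriter", "roles/logging.viewAccessor"}

def audit_logging_access(policy):
    """Return sorted (member, role, note) tuples for logging-relevant bindings."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role in REVIEW:
            note = "REVIEW: " + REVIEW[role]
        elif role in NARROW:
            note = "ok: predefined logging role"
        elif role.startswith(("projects/", "organizations/")) and "/roles/" in role:
            note = "custom role: inspect its includedPermissions"
        else:
            continue  # role not covered in this lesson
        for member in binding.get("members", []):
            findings.append((member, role, note))
    return sorted(findings)

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/editor", "members": ["user:alice@example.com"]},
  {"role": "roles/logging.logWriter",
   "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/logging.privateLogViewer", "members": ["group:secops@example.com"]},
  {"role": "projects/example-project/roles/logReader", "members": ["user:bob@example.com"]},
  {"role": "roles/storage.objectViewer", "members": ["user:carol@example.com"]}
]}
""")

if __name__ == "__main__":
    for member, role, note in audit_logging_access(SAMPLE_POLICY):
        print(f"{member:60} {role:45} {note}")
```

Principals flagged `REVIEW` are the candidates for a narrower predefined or custom role.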


About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.