Before you can begin using Monitoring, you first need to be assigned the necessary permissions on the Workspace – and that’s what we are going to talk a little bit about here.

Now, generally speaking, every REST method within an API will have its own associated permission that you must possess in order to use that particular method. Since these necessary permissions aren’t granted directly to users, you need to grant them through the assignment of roles. These roles, or groups of permissions, then allow those users to leverage Monitoring.

GCP offers several predefined roles that grant the most common permission combinations for those who need to access Monitoring. The key predefined roles that you need to be concerned about include Monitoring Viewer, Monitoring Editor, Monitoring Admin, and Monitoring Metric Writer – and these roles grant the general permissions that are needed for Monitoring.

The Monitoring Viewer role provides read-only access to Monitoring in both the Google Cloud Console and via API. Monitoring Editor provides read-write access to Monitoring in the Cloud Console and also allows you to create a Workspace. Monitoring Admin provides full access to Monitoring in the Google Cloud Console and also allows you to create a Workspace. The Monitoring Metric Writer role is used specifically by service accounts for write-only access. It allows the writing of monitoring data to a Workspace. However, it does NOT allow access to Monitoring in the Cloud Console.

In addition to the key Monitoring roles that are predefined, GCP also makes several other types of predefined roles available as well.

Alert Policies roles are used to grant permissions only for alert policies, while the Dashboard roles grant permissions only for dashboards. Notification Channel and Service Monitoring roles grant access for notification channels and for managing services, respectively. The Uptime-Check Configurations roles grant access only for uptime-check configurations.

Each of these additional types of predefined role groupings includes a role that offers read-only access and a role that offers read-write access. For example, the Service Monitoring roles include a Monitoring Services Viewer and a Monitoring Services Editor. This same configuration applies to the other role groupings that I’ve mentioned here.

Now, the Google Cloud roles are roles that grant access to many different services and resources within Google Cloud, including Monitoring. These roles include Project Viewer, Project Editor, and Project Owner. As you would expect, the viewer role provides read-only access to Monitoring in the Cloud Console and API, while the editor role provides read-write access to Monitoring in both the Cloud Console and API. However, while it doesn’t allow you to create Workspaces, it DOES allow you to use an existing Workspace. Project Owner, as you would expect, offers full access to Monitoring in the Cloud Console and API. It also allows you to create a Workspace.

I should also mention before we wrap up this lesson here, that you can also create custom roles when the predefined roles don’t provide specific access that you need.