An Overview of Monitoring IAM

This course looks at logging and monitoring access control on Google Cloud Platform. We start by looking at monitoring IAM, and you'll also learn about the IAM permissions and roles that apply specifically to monitoring. A demonstration from the GCP cloud console will show you how to grant monitoring permissions through role assignments.

Then we'll move on to monitoring access control via VPC Service Controls, and from there to Cloud Logging access control. For Cloud Logging we'll start with an overview, before taking a closer look at the specific IAM roles and permissions that grant access to Cloud Logging. Finally, we'll look at Logs Explorer permissions and show which permissions you need to export logs.

Learning Objectives

  • Get a solid understanding of monitoring and logging access control on GCP
  • Learn about the IAM permissions and roles for monitoring
  • Learn how to monitor access control using VPC Service Controls
  • Understand the roles and permissions used to grant access to cloud logging
  • Learn Logs Explorer permissions for exporting logs

Intended Audience

This course is intended for anyone who wants to learn how to configure logging and monitoring access control on the GCP platform.


To get the most out of this course, you should have some experience of using GCP, as well as knowledge of IAM principles.


Before you can begin using Monitoring, you first need to be granted the necessary permissions on the Workspace, and that's what we are going to talk about here.

Generally speaking, every REST method in an API has its own associated permission that the caller must hold in order to use that method. Permissions aren't granted to principals directly; you grant them by assigning roles, which are collections of permissions. The roles assigned to a user or service account therefore determine what that principal can do in Monitoring.

GCP offers several predefined roles that bundle the most common permission combinations for those who need to access Monitoring. The key predefined roles you need to be concerned with are Monitoring Viewer (roles/monitoring.viewer), Monitoring Editor (roles/monitoring.editor), Monitoring Admin (roles/monitoring.admin), and Monitoring Metric Writer (roles/monitoring.metricWriter). These roles grant the general permissions needed for Monitoring.

The Monitoring Viewer role provides read-only access to Monitoring in both the Google Cloud Console and the API. Monitoring Editor provides read-write access to Monitoring in the Cloud Console and the API, and also allows you to create a Workspace. Monitoring Admin provides full access to Monitoring in the Cloud Console and the API, and likewise allows you to create a Workspace. The Monitoring Metric Writer role is intended for service accounts and grants write-only access: it allows an agent to write monitoring data to a Workspace, but it does NOT grant access to Monitoring in the Cloud Console. For an agent whose only job is to push metrics, it is the right role; granting such a service account Monitoring Editor or Admin gives it far more than it needs.

In addition to the key Monitoring roles that are predefined, GCP also makes several other types of predefined roles available as well. 

Alert Policies roles are used to grant permissions only for alert policies, while the Dashboard roles grant permissions only for dashboards. Notification Channel and Service Monitoring roles grant access for notification channels and for managing services, respectively. The Uptime-Check Configurations roles grant access only for uptime-check configurations.

Each of these additional types of predefined role groupings includes a role that offers read-only access and a role that offers read-write access. For example, the Service Monitoring roles include a Monitoring Services Viewer and a Monitoring Services Editor. This same configuration applies to the other role groupings that I’ve mentioned here.

Now, the basic Google Cloud roles, Project Viewer (roles/viewer), Project Editor (roles/editor), and Project Owner (roles/owner), grant access to many different services and resources within a project, Monitoring included. As you would expect, the Viewer role provides read-only access to Monitoring in the Cloud Console and API, while the Editor role provides read-write access to Monitoring in both the Cloud Console and API. Editor does not allow you to create a Workspace, but it DOES allow you to use an existing one. Project Owner, as you would expect, offers full access to Monitoring in the Cloud Console and API, and it also allows you to create a Workspace. Because these roles cover every service in the project, they grant far more than Monitoring needs; when Monitoring access is all a principal requires, prefer the monitoring-specific roles above.


I should also mention before we wrap up this lesson here, that you can also create custom roles when the predefined roles don’t provide specific access that you need.
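To make the role table above something you can check against a real project, here is an added example (not part of the course) that audits a project IAM policy for who can reach Monitoring. It reads the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints; the policy, project name and principals below are constructed for the example, and the role IDs are the standard ones for the predefined roles the lesson names. It flags service accounts holding more than Monitoring Metric Writer, basic roles used where a monitoring-specific role would do, and custom roles, whose permission lists have to be reviewed by hand.

```python
"""Audit a project's IAM policy for who can reach Cloud Monitoring.

Added example, not from the course. Input is the policy JSON that
`gcloud projects get-iam-policy PROJECT_ID --format=json` prints; the
SAMPLE_POLICY below is constructed for this example.
"""
import json

# Monitoring access conferred by each predefined role named in the lesson.
# Role IDs are the standard ones; the access labels follow the lesson's table.
MONITORING_ACCESS = {
    "roles/monitoring.viewer": "read",
    "roles/monitoring.editor": "read-write",
    "roles/monitoring.admin": "full",
    "roles/monitoring.metricWriter": "write-only",
    "roles/monitoring.alertPolicyViewer": "read (alert policies)",
    "roles/monitoring.alertPolicyEditor": "read-write (alert policies)",
    "roles/monitoring.dashboardViewer": "read (dashboards)",
    "roles/monitoring.dashboardEditor": "read-write (dashboards)",
    "roles/monitoring.notificationChannelViewer": "read (notification channels)",
    "roles/monitoring.notificationChannelEditor": "read-write (notification channels)",
    "roles/monitoring.servicesViewer": "read (services)",
    "roles/monitoring.servicesEditor": "read-write (services)",
    "roles/monitoring.uptimeCheckConfigViewer": "read (uptime checks)",
    "roles/monitoring.uptimeCheckConfigEditor": "read-write (uptime checks)",
    # Basic project roles reach Monitoring along with every other service.
    "roles/viewer": "read",
    "roles/editor": "read-write",
    "roles/owner": "full",
}
BASIC_ROLES = {"roles/viewer", "roles/editor", "roles/owner"}
WRITE_ONLY = "roles/monitoring.metricWriter"

# Constructed sample policy in gcloud's JSON shape; project and principals are fictional.
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "bindings": [
    {"role": "roles/monitoring.viewer",
     "members": ["group:sre-readers@example.com"]},
    {"role": "roles/monitoring.metricWriter",
     "members": ["serviceAccount:ops-agent@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/monitoring.admin",
     "members": ["user:alice@example.com",
                 "serviceAccount:ops-agent@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/editor", "members": ["user:bob@example.com"]},
    {"role": "roles/storage.objectViewer", "members": ["user:bob@example.com"]},
    {"role": "projects/example-project/roles/monitoringOnCall",
     "members": ["user:carol@example.com"]}
  ]
}
""")


def is_custom_role(role):
    """Custom roles live under a project or organization, not under roles/."""
    return role.startswith(("projects/", "organizations/"))


def monitoring_grants(policy):
    """Map each principal to the (role, access) pairs that reach Monitoring.

    Custom roles are recorded with access "custom": their permission list
    is unknown until you describe the role.
    """
    grants = {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if is_custom_role(role):
            access = "custom"
        else:
            access = MONITORING_ACCESS.get(role)
            if access is None:
                continue  # role carries no Monitoring permissions
        for member in binding.get("members", []):
            grants.setdefault(member, set()).add((role, access))
    return grants


def audit(policy):
    """Return (principal, finding) pairs a reviewer would want to look at."""
    findings = []
    for member, pairs in sorted(monitoring_grants(policy).items()):
        roles = {role for role, _ in pairs}
        extra = roles - {WRITE_ONLY}
        if member.startswith("serviceAccount:") and extra:
            findings.append((member, f"service account holds more than {WRITE_ONLY}: "
                             f"{sorted(extra)}; an agent that only pushes metrics "
                             "needs write-only access"))
        basic = roles & BASIC_ROLES
        if basic:
            findings.append((member, f"basic role {sorted(basic)} reaches Monitoring "
                             "only as part of project-wide access; use a "
                             "roles/monitoring.* role instead"))
        custom = {role for role in roles if is_custom_role(role)}
        if custom:
            findings.append((member, f"custom role {sorted(custom)}: describe it and "
                             "confirm its monitoring.* permissions are the minimum"))
    return findings


if __name__ == "__main__":
    for member, pairs in sorted(monitoring_grants(SAMPLE_POLICY).items()):
        print(member, sorted(pairs))
    for member, finding in audit(SAMPLE_POLICY):
        print("FINDING", member, finding)
```

Run it against a real export by replacing SAMPLE_POLICY with `json.load(open("policy.json"))`. The script deliberately ignores binding conditions and inherited folder or organization bindings, so a clean report from it is a starting point for review, not proof of least privilege.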

About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.