Configure the Google Cloud Platform service permissions

To gather data from buckets via Storage, you must have the Viewer or Admin IAM role in the project to create, delete, or modify a bucket. The following tables show the IAM roles and permissions for each input.

IAM roles and permissions for Google Cloud Platform inputs

Cloud Monitoring

Role Title Logging Permissions Resource Type
Monitoring Viewer
roles/monitoring.viewer
cloudnotifications.activities.list
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.dashboards.get
monitoring.dashboards.list
monitoring.groups.get
monitoring.groups.list
monitoring.metricDescriptors.get
monitoring.metricDescriptors.list
monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list
monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list
monitoring.notificationChannels.get
monitoring.notificationChannels.list
monitoring.publicWidgets.get
monitoring.publicWidgets.list
monitoring.services.get
monitoring.services.list
monitoring.slos.get
monitoring.slos.list
monitoring.snoozes.get
monitoring.snoozes.list
monitoring.timeSeries.list
monitoring.uptimeCheckConfigs.get
monitoring.uptimeCheckConfigs.list
opsconfigmonitoring.resourceMetadata.list
resourcemanager.projects.get
resourcemanager.projects.list
stackdriver.projects.get
stackdriver.resourceMetadata.list
Read-only access to get and list information about all monitoring data and configuration.

Storage bucket

Role Title Logging Permissions Resource Type
Storage Admin
roles/storage.admin
firebase.projects.get
orgpolicy.policy.get
recommender.iamPolicyInsights.get
recommender.iamPolicyInsights.list
recommender.iamPolicyInsights.update
recommender.iamPolicyRecommendations.get
recommender.iamPolicyRecommendations.list
recommender.iamPolicyRecommendations.update
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.create
storage.buckets.createTagBinding
storage.buckets.delete
storage.buckets.deleteTagBinding
storage.buckets.enableObjectRetention
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.getObjectInsights
storage.buckets.list
storage.buckets.listEffectiveTags
storage.buckets.listTagBindings
storage.buckets.setIamPolicy
storage.buckets.update
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.getIamPolicy
storage.managedFolders.list
storage.managedFolders.setIamPolicy
storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.overrideUnlockedRetention
storage.objects.setIamPolicy
storage.objects.setRetention
storage.objects.update
Grants full control of buckets and objects.

Cloud Pub/Sub Based Bucket

Role Title Logging Permissions Resource Type
Pub/Sub Viewer
roles/pubsub.viewer
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
View topics, subscriptions, and snapshots.

Pub/Sub Subscriber
roles/pubsub.subscriber
pubsub.snapshots.seek
pubsub.subscriptions.consume
pubsub.topics.attachSubscription
Consume messages from a subscription, attach subscriptions to a topic, and seek to a snapshot.

Storage Object Viewer
roles/storage.objectViewer
storage.objects.get
storage.objects.list
Cannot write or create GCS resources.

Metadata/Compute Engine

Role Title Logging Permissions Resource Type
Compute Viewer
roles/compute.viewer
compute.acceleratorTypes.get
compute.acceleratorTypes.list
compute.addresses.get
compute.addresses.list
compute.autoscalers.get
compute.autoscalers.list
compute.backendBuckets.get
compute.backendBuckets.getIamPolicy
compute.backendBuckets.list
compute.backendBuckets.listEffectiveTags
compute.backendBuckets.listTagBindings
compute.backendServices.get
compute.backendServices.getIamPolicy
compute.backendServices.list
compute.backendServices.listEffectiveTags
compute.backendServices.listTagBindings
compute.commitments.get
compute.commitments.list
compute.diskTypes.get
compute.diskTypes.list
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.externalVpnGateways.get
compute.externalVpnGateways.list
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewallPolicies.listEffectiveTags
compute.firewallPolicies.listTagBindings
compute.firewalls.get
compute.firewalls.list
compute.firewalls.listEffectiveTags
compute.firewalls.listTagBindings
compute.forwardingRules.get
compute.forwardingRules.list
compute.forwardingRules.listEffectiveTags
compute.forwardingRules.listTagBindings
compute.futureReservations.get
compute.futureReservations.getIamPolicy
compute.futureReservations.list
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.listEffectiveTags
compute.globalForwardingRules.listTagBindings
compute.globalForwardingRules.pscGet
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalNetworkEndpointGroups.listEffectiveTags
compute.globalNetworkEndpointGroups.listTagBindings
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalPublicDelegatedPrefixes.get
compute.globalPublicDelegatedPrefixes.list
compute.healthChecks.get
compute.healthChecks.list
compute.healthChecks.listEffectiveTags
compute.healthChecks.listTagBindings
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpHealthChecks.listEffectiveTags
compute.httpHealthChecks.listTagBindings
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.httpsHealthChecks.listEffectiveTags
compute.httpsHealthChecks.listTagBindings
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroupManagers.listEffectiveTags
compute.instanceGroupManagers.listTagBindings
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceSettings.get
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listReferrers
compute.instances.listTagBindings
compute.instantSnapshots.get
compute.instantSnapshots.getIamPolicy
compute.instantSnapshots.list
compute.interconnectAttachments.get
compute.interconnectAttachments.list
compute.interconnectLocations.get
compute.interconnectLocations.list
compute.interconnectRemoteLocations.get
compute.interconnectRemoteLocations.list
compute.interconnects.get
compute.interconnects.list
compute.licenseCodes.get
compute.licenseCodes.getIamPolicy
compute.licenseCodes.list
compute.licenses.get
compute.licenses.getIamPolicy
compute.licenses.list
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineTypes.get
compute.machineTypes.list
compute.maintenancePolicies.get
compute.maintenancePolicies.getIamPolicy
compute.maintenancePolicies.list
compute.networkAttachments.get
compute.networkAttachments.getIamPolicy
compute.networkAttachments.list
compute.networkEdgeSecurityServices.get
compute.networkEdgeSecurityServices.list
compute.networkEndpointGroups.get
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networkEndpointGroups.listEffectiveTags
compute.networkEndpointGroups.listTagBindings
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listEffectiveTags
compute.networks.listPeeringRoutes
compute.networks.listTagBindings
compute.nodeGroups.get
compute.nodeGroups.getIamPolicy
compute.nodeGroups.list
compute.nodeTemplates.get
compute.nodeTemplates.getIamPolicy
compute.nodeTemplates.list
compute.nodeTypes.get
compute.nodeTypes.list
compute.organizations.listAssociations
compute.packetMirrorings.get
compute.packetMirrorings.list
compute.projects.get
compute.publicAdvertisedPrefixes.get
compute.publicAdvertisedPrefixes.list
compute.publicDelegatedPrefixes.get
compute.publicDelegatedPrefixes.list
compute.regionBackendServices.get
compute.regionBackendServices.getIamPolicy
compute.regionBackendServices.list
compute.regionBackendServices.listEffectiveTags
compute.regionBackendServices.listTagBindings
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.getIamPolicy
compute.regionFirewallPolicies.list
compute.regionFirewallPolicies.listEffectiveTags
compute.regionFirewallPolicies.listTagBindings
compute.regionHealthCheckServices.get
compute.regionHealthCheckServices.list
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionHealthChecks.listEffectiveTags
compute.regionHealthChecks.listTagBindings
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.list
compute.regionNetworkEndpointGroups.listEffectiveTags
compute.regionNetworkEndpointGroups.listTagBindings
compute.regionNotificationEndpoints.get
compute.regionNotificationEndpoints.list
compute.regionOperations.get
compute.regionOperations.getIamPolicy
compute.regionOperations.list
compute.regionSecurityPolicies.get
compute.regionSecurityPolicies.list
compute.regionSecurityPolicies.listEffectiveTags
compute.regionSecurityPolicies.listTagBindings
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionSslCertificates.listEffectiveTags
compute.regionSslCertificates.listTagBindings
compute.regionSslPolicies.get
compute.regionSslPolicies.list
compute.regionSslPolicies.listAvailableFeatures
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpProxies.listEffectiveTags
compute.regionTargetHttpProxies.listTagBindings
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionTargetHttpsProxies.listEffectiveTags
compute.regionTargetHttpsProxies.listTagBindings
compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list
compute.regionUrlMaps.get
compute.regionUrlMaps.list
compute.regionUrlMaps.listEffectiveTags
compute.regionUrlMaps.listTagBindings
compute.regionUrlMaps.validate
compute.regions.get
compute.regions.list
compute.reservations.get
compute.reservations.list
compute.resourcePolicies.get
compute.resourcePolicies.getIamPolicy
compute.resourcePolicies.list
compute.routers.get
compute.routers.getRoutePolicy
compute.routers.list
compute.routers.listBgpRoutes
compute.routers.listRoutePolicies
compute.routes.get
compute.routes.list
compute.routes.listEffectiveTags
compute.routes.listTagBindings
compute.securityPolicies.get
compute.securityPolicies.getIamPolicy
compute.securityPolicies.list
compute.securityPolicies.listEffectiveTags
compute.securityPolicies.listTagBindings
compute.serviceAttachments.get
compute.serviceAttachments.getIamPolicy
compute.serviceAttachments.list
compute.snapshotSettings.get
compute.snapshots.get
compute.snapshots.getIamPolicy
compute.snapshots.list
compute.snapshots.listEffectiveTags
compute.snapshots.listTagBindings
compute.sslCertificates.get
compute.sslCertificates.list
compute.sslCertificates.listEffectiveTags
compute.sslCertificates.listTagBindings
compute.sslPolicies.get
compute.sslPolicies.list
compute.sslPolicies.listAvailableFeatures
compute.sslPolicies.listEffectiveTags
compute.sslPolicies.listTagBindings
compute.storagePools.get
compute.storagePools.getIamPolicy
compute.storagePools.list
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.subnetworks.listEffectiveTags
compute.subnetworks.listTagBindings
compute.targetGrpcProxies.get
compute.targetGrpcProxies.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpProxies.listEffectiveTags
compute.targetHttpProxies.listTagBindings
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetHttpsProxies.listEffectiveTags
compute.targetHttpsProxies.listTagBindings
compute.targetInstances.get
compute.targetInstances.list
compute.targetInstances.listEffectiveTags
compute.targetInstances.listTagBindings
compute.targetPools.get
compute.targetPools.list
compute.targetPools.listEffectiveTags
compute.targetPools.listTagBindings
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetSslProxies.listEffectiveTags
compute.targetSslProxies.listTagBindings
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.targetTcpProxies.listEffectiveTags
compute.targetTcpProxies.listTagBindings
compute.targetVpnGateways.get
compute.targetVpnGateways.list
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.listEffectiveTags
compute.urlMaps.listTagBindings
compute.urlMaps.validate
compute.vpnGateways.get
compute.vpnGateways.list
compute.vpnTunnels.get
compute.vpnTunnels.list
compute.zoneOperations.get
compute.zoneOperations.getIamPolicy
compute.zoneOperations.list
compute.zones.get
compute.zones.list
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Read-only access to get and list information about all Compute Engine resources, including instances, disks, and firewalls. Allows getting and listing information about disks, images, and snapshots, but does not allow reading the data stored on them.

Metadata/Kubernetes

Role Title Logging Permissions Resource Type
Kubernetes Engine Viewer
roles/container.viewer

Kubernetes Engine Service Agent
roles/container.serviceAgent
container.apiServices.get
container.apiServices.getStatus
container.apiServices.list
container.auditSinks.get
container.auditSinks.list
container.backendConfigs.get
container.backendConfigs.list
container.bindings.get
container.bindings.list
container.certificateSigningRequests.get
container.certificateSigningRequests.getStatus
container.certificateSigningRequests.list
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoles.get
container.clusterRoles.list
container.clusters.connect
container.clusters.get
container.clusters.list
container.componentStatuses.get
container.componentStatuses.list
container.configMaps.get
container.configMaps.list
container.controllerRevisions.get
container.controllerRevisions.list
container.cronJobs.get
container.cronJobs.getStatus
container.cronJobs.list
container.csiDrivers.get
container.csiDrivers.list
container.csiNodeInfos.get
container.csiNodeInfos.list
container.csiNodes.get
container.csiNodes.list
container.customResourceDefinitions.get
container.customResourceDefinitions.getStatus
container.customResourceDefinitions.list
container.daemonSets.get
container.daemonSets.getStatus
container.daemonSets.list
container.deployments.get
container.deployments.getScale
container.deployments.getStatus
container.deployments.list
container.endpointSlices.get
container.endpointSlices.list
container.endpoints.get
container.endpoints.list
container.events.get
container.events.list
container.frontendConfigs.get
container.frontendConfigs.list
container.horizontalPodAutoscalers.get
container.horizontalPodAutoscalers.getStatus
container.horizontalPodAutoscalers.list
container.ingresses.get
container.ingresses.getStatus
container.ingresses.list
container.initializerConfigurations.get
container.initializerConfigurations.list
container.jobs.get
container.jobs.getStatus
container.jobs.list
container.leases.get
container.leases.list
container.limitRanges.get
container.limitRanges.list
container.managedCertificates.get
container.managedCertificates.list
container.mutatingWebhookConfigurations.get
container.mutatingWebhookConfigurations.list
container.namespaces.get
container.namespaces.getStatus
container.namespaces.list
container.networkPolicies.get
container.networkPolicies.list
container.nodes.get
container.nodes.getStatus
container.nodes.list
container.operations.get
container.operations.list
container.persistentVolumeClaims.get
container.persistentVolumeClaims.getStatus
container.persistentVolumeClaims.list
container.persistentVolumes.get
container.persistentVolumes.getStatus
container.persistentVolumes.list
container.petSets.get
container.petSets.list
container.podDisruptionBudgets.get
container.podDisruptionBudgets.getStatus
container.podDisruptionBudgets.list
container.podPresets.get
container.podPresets.list
container.podSecurityPolicies.get
container.podSecurityPolicies.list
container.podTemplates.get
container.podTemplates.list
container.pods.get
container.pods.getStatus
container.pods.list
container.priorityClasses.get
container.priorityClasses.list
container.replicaSets.get
container.replicaSets.getScale
container.replicaSets.getStatus
container.replicaSets.list
container.replicationControllers.get
container.replicationControllers.getScale
container.replicationControllers.getStatus
container.replicationControllers.list
container.resourceQuotas.get
container.resourceQuotas.getStatus
container.resourceQuotas.list
container.roleBindings.get
container.roleBindings.list
container.roles.get
container.roles.list
container.runtimeClasses.get
container.runtimeClasses.list
container.scheduledJobs.get
container.scheduledJobs.list
container.serviceAccounts.get
container.serviceAccounts.list
container.services.get
container.services.getStatus
container.services.list
container.statefulSets.get
container.statefulSets.getScale
container.statefulSets.getStatus
container.statefulSets.list
container.storageClasses.get
container.storageClasses.list
container.storageStates.get
container.storageStates.getStatus
container.storageStates.list
container.storageVersionMigrations.get
container.storageVersionMigrations.getStatus
container.storageVersionMigrations.list
container.thirdPartyObjects.get
container.thirdPartyObjects.list
container.thirdPartyResources.get
container.thirdPartyResources.list
container.tokenReviews.create
container.updateInfos.get
container.updateInfos.list
container.validatingWebhookConfigurations.get
container.validatingWebhookConfigurations.list
container.volumeAttachments.get
container.volumeAttachments.getStatus
container.volumeAttachments.list
container.volumeSnapshotClasses.get
container.volumeSnapshotClasses.list
container.volumeSnapshotContents.get
container.volumeSnapshotContents.getStatus
container.volumeSnapshotContents.list
container.volumeSnapshots.get
container.volumeSnapshots.list
recommender.containerDiagnosisInsights.get
recommender.containerDiagnosisInsights.list
recommender.containerDiagnosisRecommendations.get
recommender.containerDiagnosisRecommendations.list
recommender.locations.get
recommender.locations.list
recommender.networkAnalyzerGkeConnectivityInsights.get
recommender.networkAnalyzerGkeConnectivityInsights.list
recommender.networkAnalyzerGkeIpAddressInsights.get
recommender.networkAnalyzerGkeIpAddressInsights.list
resourcemanager.projects.get
resourcemanager.projects.list
Read-only access to Kubernetes Engine resources.

Metadata/VPC

Role Title Logging Permissions Resource Type
Serverless VPC Access Viewer
roles/vpcaccess.viewer
resourcemanager.projects.get
resourcemanager.projects.list
vpcaccess.connectors.get
vpcaccess.connectors.list
vpcaccess.locations.list
vpcaccess.operations.get
vpcaccess.operations.list

Viewer of all Serverless VPC Access resources

Metadata/Cloud Storage

Role Title Logging Permissions Resource Type
Storage Admin
roles/storage.admin
firebase.projects.get
orgpolicy.policy.get
recommender.iamPolicyInsights.get
recommender.iamPolicyInsights.list
recommender.iamPolicyInsights.update
recommender.iamPolicyRecommendations.get
recommender.iamPolicyRecommendations.list
recommender.iamPolicyRecommendations.update
resourcemanager.projects.get
resourcemanager.projects.list
storage.anywhereCaches.create
storage.anywhereCaches.disable
storage.anywhereCaches.get
storage.anywhereCaches.list
storage.anywhereCaches.pause
storage.anywhereCaches.resume
storage.anywhereCaches.update
storage.bucketOperations.cancel
storage.bucketOperations.get
storage.bucketOperations.list
storage.buckets.create
storage.buckets.createTagBinding
storage.buckets.delete
storage.buckets.deleteTagBinding
storage.buckets.enableObjectRetention
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.getObjectInsights
storage.buckets.list
storage.buckets.listEffectiveTags
storage.buckets.listTagBindings
storage.buckets.restore
storage.buckets.setIamPolicy
storage.buckets.update
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.getIamPolicy
storage.managedFolders.list
storage.managedFolders.setIamPolicy
storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.overrideUnlockedRetention
storage.objects.restore
storage.objects.setIamPolicy
storage.objects.setRetention
storage.objects.update
Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket.

BigQuery

Role Title Logging Permissions Resource Type
BigQuery Data Viewer
roles/bigquery.dataViewer
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.routines.get
bigquery.routines.list
bigquery.tables.createSnapshot
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.replicateData
resourcemanager.projects.get
resourcemanager.projects.list
Access to view datasets and all of their contents

When applied to a project, access to run queries, create datasets, read dataset metadata, and list tables. When applied to a dataset, access to read dataset metadata and list tables within the dataset.
BigQuery User
roles/bigquery.user
bigquery.bireservations.get
bigquery.capacityCommitments.get
bigquery.capacityCommitments.list
bigquery.config.get
bigquery.datasets.create
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.jobs.create
bigquery.jobs.list
bigquery.models.list
bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.readsessions.update
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search
bigquery.reservations.get
bigquery.reservations.list
bigquery.routines.list
bigquery.savedqueries.get
bigquery.savedqueries.list
bigquery.tables.list
bigquery.transfers.get
bigquerymigration.translation.translate
resourcemanager.projects.get
resourcemanager.projects.list
Access to view datasets and all of their contents

When applied to a project, access to run queries, create datasets, read dataset metadata, and list tables. When applied to a dataset, access to read dataset metadata and list tables within the dataset.

Cloud Pub/Sub Lite

Role Title Logging Permissions Resource Type
Pub/Sub Lite Viewer
roles/pubsublite.viewer
pubsublite.operations.get
pubsublite.operations.list
pubsublite.reservations.get
pubsublite.reservations.list
pubsublite.reservations.listTopics
pubsublite.subscriptions.get
pubsublite.subscriptions.getCursor
pubsublite.subscriptions.list
pubsublite.topics.get
pubsublite.topics.getPartitions
pubsublite.topics.list
pubsublite.topics.listSubscriptions
View topics, subscriptions and reservations
Consume messages from a subscription, attach subscriptions to a topic, and seek a snapshot.
Access to view all resources/projects
Pub/Sub Lite Subscriber
roles/pubsublite.subscriber
pubsublite.locations.openKafkaStream
pubsublite.operations.get
pubsublite.subscriptions.getCursor
pubsublite.subscriptions.seek
pubsublite.subscriptions.setCursor
pubsublite.subscriptions.subscribe
pubsublite.topics.computeHeadCursor
pubsublite.topics.computeMessageStats
pubsublite.topics.computeTimeCursor
pubsublite.topics.getPartitions
pubsublite.topics.subscribe
View topics, subscriptions and reservations
Consume messages from a subscription, attach subscriptions to a topic, and seek a snapshot.
Access to view all resources/projects
Serverless VPC Access Viewer
roles/vpcaccess.viewer
resourcemanager.projects.get
vpcaccess.connectors.get
vpcaccess.connectors.list
vpcaccess.locations.list
vpcaccess.operations.get
vpcaccess.operations.list
View topics, subscriptions and reservations
Consume messages from a subscription, attach subscriptions to a topic, and seek a snapshot.
Access to view all resources/projects

Cloud Pub/Sub

Role Title Logging Permissions Resource Type
Pub/Sub Viewer
roles/pubsub.viewer
pubsub.schemas.get
pubsub.schemas.list
pubsub.schemas.listRevisions
pubsub.schemas.validate
pubsub.snapshots.get
pubsub.snapshots.list
pubsub.subscriptions.get
pubsub.subscriptions.list
pubsub.topics.get
pubsub.topics.list
resourcemanager.projects.get
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
View topics, subscriptions, and snapshots.
Consume messages from a subscription, attach subscriptions to a topic, and seek to a snapshot.
Pub/Sub Subscriber
roles/pubsub.subscriber
pubsub.snapshots.seek
pubsub.subscriptions.consume
pubsub.topics.attachSubscription
View topics, subscriptions, and snapshots.
Consume messages from a subscription, attach subscriptions to a topic, and seek to a snapshot.
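
The following Python check is an added example, not code from this page or from the add-on: it compares the roles bound to a data-collection service account in a project IAM policy with the role IDs listed in the tables above, and reports roles that are missing, granted only conditionally, or broader than the enabled inputs need. The input labels, the service account name, and the sample policy are assumptions constructed for illustration.

```python
# Role IDs per input, taken from the tables on this page. The dict keys are
# labels made up for this example, not names the add-on uses.
REQUIRED_ROLES = {
    "cloud_monitoring": {"roles/monitoring.viewer"},
    "vpc_metadata": {"roles/vpcaccess.viewer"},
    "bigquery": {"roles/bigquery.dataViewer", "roles/bigquery.user"},
    "pubsub_lite": {"roles/pubsublite.viewer", "roles/pubsublite.subscriber"},
    "pubsub": {"roles/pubsub.viewer", "roles/pubsub.subscriber"},
}

def audit(policy, member, inputs):
    """Compare a member's project-level role bindings with the roles the
    enabled inputs need. Works on role IDs only; it does not expand a role
    into its permissions or look at folder/organization bindings."""
    granted, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        # A conditional binding applies only while its condition holds, so
        # report it separately instead of counting it as granted.
        target = conditional if binding.get("condition") else granted
        target.add(binding["role"])
    needed = set().union(*(REQUIRED_ROLES[name] for name in inputs))
    return {
        "missing": sorted(needed - granted - conditional),
        "conditional": sorted(needed & (conditional - granted)),
        "excess": sorted((granted | conditional) - needed),
    }

# Constructed sample in the shape `gcloud projects get-iam-policy` returns
# with --format=json; the account and project names are placeholders.
MEMBER = "serviceAccount:collector@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "version": 3,
    "bindings": [
        {"role": "roles/pubsub.viewer", "members": [MEMBER]},
        {"role": "roles/pubsub.subscriber", "members": [MEMBER],
         "condition": {"title": "temporary",
                       "expression": 'request.time < timestamp("2030-01-01T00:00:00Z")'}},
        {"role": "roles/editor", "members": [MEMBER, "user:admin@example.com"]},
        {"role": "roles/monitoring.viewer", "members": ["user:admin@example.com"]},
    ],
}

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY, MEMBER, ["pubsub", "cloud_monitoring"]))
```

A role reported under "excess", such as a basic role like `roles/editor`, is a candidate for removal from the collection account once the listed viewer and subscriber roles are in place.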

Configure billing export to Google Cloud Platform

To get your daily usage and cost estimate data into the Splunk Add-on for Google Cloud Platform, you must enable billing data export in your Google Cloud Platform instance using your Google login credentials. For more details, see the Export Billing Data to a File topic in the Google Cloud documentation.

Configure log export to Google Cloud Pub/Sub

To gather data from activity logs via the Pub/Sub API, use your Google credentials to configure log export to Cloud Pub/Sub in your Google Developers Console. You must also have the Owner or the Logging/Logs Configuration Writer IAM roles in the project to create, delete, or modify a sink. See the following details of IAM roles:

| Role | Title | Logging Permissions | Resource Type |
|---|---|---|---|
| Owner | roles/owner | roles/editor logging permissions; logging.privateLogEntries.list; logging.sinks.{create, delete, update} | project |
| Logs Configuration Writer | roles/logging.configWriter | logging.exclusions.{list, create, get, update, delete}; logging.logMetrics.{list, create, get, update, delete}; logging.logs.list; logging.logServiceIndexes.list; logging.logServices.list; logging.sinks.{list, create, get, update, delete}; resourcemanager.projects.get | project, organization, folder, billing account |

For more information, see the Configure and manage sinks topic in the Google Cloud documentation.