Monday, December 10, 2018

GCP: Stackdriver Monitoring



Monitoring collects metrics, events, and metadata from Google Cloud Platform, Amazon Web Services (AWS), hosted uptime probes, application instrumentation, and a variety of common application components including Cassandra, Nginx, Apache Web Server, Elasticsearch and many others. Stackdriver ingests that data and generates insights via dashboards, charts, and alerts.

Access Control

Monitoring controls access to monitoring data in Workspaces using Cloud Identity and Access Management (Cloud IAM) roles and permissions.

In general, each REST method in an API has an associated permission, and you must have the permission to use the corresponding method. Permissions are not granted directly to users; permissions are instead granted indirectly through roles, which group multiple permissions to make managing them easier.

Roles for common combinations of permissions are predefined for you, but it is also possible to create your own combinations of permissions by creating Cloud IAM custom roles.

Below are the common predefined roles:

roles/monitoring.viewer => Gives you read-only access to the Stackdriver Monitoring console and API
roles/monitoring.editor => Gives you read-write access to the Stackdriver Monitoring console and API, and lets you write monitoring data to a Workspace
roles/monitoring.admin  => Gives you full access to all Monitoring features
roles/monitoring.metricWriter => Permits writing monitoring data to a Workspace; does not permit access to the Stackdriver Monitoring console. For service accounts.

Alert Policies
roles/monitoring.alertPolicyViewer => Gives you read-only access to alerting policies
roles/monitoring.alertPolicyEditor => Gives you read-write access to alerting policies

Notification Channels
roles/monitoring.notificationChannelViewer => Gives you read-only access to notification channels
roles/monitoring.notificationChannelEditor => Gives you read-write access to notification channels

The Google Cloud Platform project roles also grant Monitoring access, as follows:

roles/viewer => Gives read-only access to the Stackdriver Monitoring console and the API
roles/editor => Gives read-write access to the Stackdriver Monitoring console and the API
roles/owner  => Gives full access to the Stackdriver Monitoring console and the API
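
Because roles/editor and roles/owner silently carry Monitoring write or full access, a policy review should resolve each member's effective level and flag service accounts that hold more than roles/monitoring.metricWriter. The following is an added example, not code from Google or from the original post; it assumes the policy JSON has the shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`, and the project and member names are constructed.

```python
import json

# Console/API access level per role, taken from the role lists above.
ROLE_ACCESS = {
    "roles/monitoring.viewer": "read",
    "roles/monitoring.editor": "write",
    "roles/monitoring.admin": "full",
    "roles/monitoring.metricWriter": "metrics-write-only",
    "roles/viewer": "read",
    "roles/editor": "write",
    "roles/owner": "full",
}
# Ordering used to pick the highest level (an assumption of this example).
RANK = {"metrics-write-only": 0, "read": 1, "write": 2, "full": 3}

# Constructed sample policy; every member and project name is made up.
POLICY = json.loads("""{"bindings": [
 {"role": "roles/monitoring.metricWriter", "members": ["serviceAccount:agent@example-project.iam.gserviceaccount.com"]},
 {"role": "roles/editor", "members": ["serviceAccount:batch@example-project.iam.gserviceaccount.com", "user:dev@example.com"]},
 {"role": "roles/monitoring.viewer", "members": ["user:dev@example.com", "group:oncall@example.com"]},
 {"role": "roles/monitoring.alertPolicyEditor", "members": ["group:oncall@example.com"]},
 {"role": "roles/monitoring.admin", "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]}
]}""")

def effective_access(policy):
    """Map each member to the highest Monitoring access level it holds."""
    best = {}
    for binding in policy.get("bindings", []):
        level = ROLE_ACCESS.get(binding["role"])
        if level is None:
            continue  # alert-policy/channel roles and unrelated roles
        for member in binding.get("members", []):
            if member not in best or RANK[level] > RANK[best[member]]:
                best[member] = level
    return best

def overprivileged_service_accounts(policy):
    """Service accounts granted write or full access rather than metricWriter."""
    found = []
    for binding in policy.get("bindings", []):
        if ROLE_ACCESS.get(binding["role"]) in ("write", "full"):
            found += [(m, binding["role"]) for m in binding.get("members", [])
                      if m.startswith("serviceAccount:")]
    return sorted(found)

if __name__ == "__main__":
    for member, level in sorted(effective_access(POLICY).items()):
        print(f"{level:18} {member}")
    print("review:", overprivileged_service_accounts(POLICY))
```
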

Custom Permissions
You can also create your own custom roles that contain specific lists of permissions.




References:
https://cloud.google.com/monitoring/docs/
