Reputation: 1697
My development team relies on the Logs Explorer in GCP to monitor and troubleshoot our Cloud Run instances. We would like some individuals in a support role to be able to see these logs as well. How can we give someone access to the Logs Explorer only and to no other part of GCP?
I think in general the idea is to create a role that has restricted access (i.e. only read Logs Explorer logs) and assign that to new team members. I don't know the exact steps required for this. I'm also not sure if GCP already has a more straightforward or better way to solve this.
Upvotes: 1
Views: 757
Reputation: 40296
See roles/logging.Viewer on Logging: Access Control with IAM.
I think (!?) it is the minimal predefined role (you could go lower with a custom role but this may be unnecessary and add complexity).
NOTE By necessity it includes e.g. the ability to get/list Projects (resourcemanager.projects.[get|list]) because this is a prerequisite for being able to enumerate a project's logs.
The page includes instructions on Granting roles.
I encourage you to prove to yourselves that the above works as you expect (e.g. create another type of project resource and confirm that your log viewers are unable to access it).
Upvotes: 2
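As an added illustration of the answer above (this is not code from the original post or from Google), the following Python helper edits a project IAM policy document in the JSON shape that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns: it adds a member to the `roles/logging.Viewer` binding idempotently and then checks that the member holds no other project-level role, which is the "prove to yourselves" step the answer recommends. The sample policy, the member names and the etag are constructed placeholders.

```python
"""Grant roles/logging.Viewer in an IAM policy document and verify least privilege.

Added example, not from the original answer. Operates on a local copy of the
policy JSON (the shape `gcloud projects get-iam-policy` prints); the sample
policy, members and etag below are constructed placeholders.
"""
import copy
import json

LOG_VIEWER_ROLE = "roles/logging.Viewer"

# Constructed sample policy with two existing bindings and no conditions.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:dev-lead@example.com"]},
        {"role": "roles/run.developer", "members": ["group:devs@example.com"]},
    ],
    "etag": "BwXExampleEtag=",  # placeholder; a real policy carries its own etag
    "version": 1,
}


def roles_for(policy, member):
    """Return the set of project-level roles the member holds in this policy."""
    return {
        b["role"]
        for b in policy.get("bindings", [])
        if member in b.get("members", [])
    }


def grant_role(policy, member, role=LOG_VIEWER_ROLE):
    """Return a copy of the policy with `member` added to the binding for `role`.

    Idempotent: a member already in the binding is not duplicated, and a
    missing binding is created. Bindings that carry a `condition` are skipped,
    because a conditional binding is a different grant than an unconditional one.
    """
    new_policy = copy.deepcopy(policy)
    bindings = new_policy.setdefault("bindings", [])
    for b in bindings:
        if b["role"] == role and "condition" not in b:
            if member not in b["members"]:
                b["members"].append(member)
            return new_policy
    bindings.append({"role": role, "members": [member]})
    return new_policy


def is_log_viewer_only(policy, member):
    """True if roles/logging.Viewer is the member's only project-level role.

    Note: this inspects the project policy only; roles inherited from a folder
    or organization policy would not show up here.
    """
    return roles_for(policy, member) == {LOG_VIEWER_ROLE}


if __name__ == "__main__":
    support = "user:support@example.com"  # placeholder support-team member
    updated = grant_role(SAMPLE_POLICY, support)
    print(json.dumps(updated, indent=2))
    print("log viewer only:", is_log_viewer_only(updated, support))
```

In practice the edited document would be applied with `gcloud projects set-iam-policy PROJECT_ID policy.json`, or the single binding added directly with `gcloud projects add-iam-policy-binding PROJECT_ID --member=user:support@example.com --role=roles/logging.Viewer`. The `is_log_viewer_only` check only covers the project policy, so a member who also holds roles at the folder or organization level still needs those policies reviewed.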