
iam role permission for stackdriver console log view

I need to set Stackdriver console view permission for a set of users. Currently I have assigned them the roles/logging.viewer role. But they cannot access the GCP console to view the Stackdriver logs. For now I have given them the project viewer role to access the logs in the GCP console. Can this be done in some other way?

According to the documentation, and as mentioned by @pradeep above, if the role with the title “Logs Viewer” is given to a user, the user is indeed granted the permissions to view the Stackdriver Logs in the GCP Logging Console view. You may verify this as per the documentation: in order to view (minimal read-only access) the Stackdriver Logs in the GCP Console, the following permissions are necessary:

  • logging.logEntries.list

  • logging.logs.list

  • logging.logServiceIndexes.list

  • logging.logServices.list

  • resourcemanager.projects.get

These permissions are included in the aforementioned role.

I reproduced your case by visiting the “IAM & admin” section in my GCP Console. I added a new member of a gmail account. In the picture below, you may see the available options when adding a new member:

[screenshot: enter image description here]

While selecting a role, I typed “log” in the “Type to filter” search field and added the role “Logs Viewer”, as you can see below:

[screenshot: enter image description here]

The user with the corresponding email, which I had just added, was able to view the logs in the console by selecting the corresponding project.

Additionally, Google Groups are a convenient way to apply an access policy to a collection of users. My example though was examining one user with a gmail account.

Some additional information that you might find useful:

During my investigation, I figured out that users with the “Logs Viewer” role will not be able to view the logs using the "gcloud logging logs list" command; instead they will receive an error indicating that a permission is missing from the role. The permission needed in order to run the "gcloud logging logs list" command is the "serviceusage.services.usage" permission, which is used by the "Editor" and project "Owner" roles, among others. I understand this is not your issue, but I mention it as well just in case you encounter it.

There is a Public Issue Tracker entry about this matter to include the permission “serviceusage.services.use” in the roles/logging.viewer role by default, so you will not have to do it manually in the future. For now you will need to include the permission manually.

As I am not sure why your users cannot view the Logs in the console, since my reproduction was successful, could you please attach a screenshot of the issue and further elaborate on the description of your question? For example:

  • describe the steps of how you are granting roles/logging.viewer

  • does your workaround (granting project viewer) allow the users to view the Logs via the Console?

  • do the users or you receive an error while trying to view Logs when roles/logging.viewer was granted?
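The permission gap the answer above describes (Logs Viewer satisfies the console view requirements but not "gcloud logging logs list"), as an added example that is not part of the original answer: a small least-privilege check that compares a role's permissions against each requirement, builds the group binding the answer recommends, and emits a custom-role definition as one way to "include the permission manually". The role's permission list is a constructed stand-in limited to the permissions named on the page, and the group address and custom role title are made up.

```python
import json

# Permissions the answer lists as the minimum needed to view logs in the
# GCP Console with the Logs Viewer role.
CONSOLE_VIEW_PERMISSIONS = {
    "logging.logEntries.list",
    "logging.logs.list",
    "logging.logServiceIndexes.list",
    "logging.logServices.list",
    "resourcemanager.projects.get",
}

# The answer says "gcloud logging logs list" additionally needs this one.
GCLOUD_LOGS_LIST_PERMISSIONS = CONSOLE_VIEW_PERMISSIONS | {"serviceusage.services.use"}

# Constructed stand-in for the permissions of roles/logging.viewer: only the
# permissions named on the page, not the real role's full list.
LOGGING_VIEWER_PERMISSIONS = set(CONSOLE_VIEW_PERMISSIONS)


def missing_permissions(role_permissions, required):
    """Return the required permissions the role does not grant, sorted."""
    return sorted(set(required) - set(role_permissions))


def group_binding(group_email, role="roles/logging.viewer"):
    """One IAM policy binding (setIamPolicy format) granting the role to a Google Group."""
    return {"role": role, "members": [f"group:{group_email}"]}


def custom_role_definition(base_permissions, extra_permissions):
    """Custom role body in the YAML/JSON shape gcloud iam roles create --file expects,
    carrying the predefined role's permissions plus the ones it lacks."""
    return {
        "title": "Logs Viewer plus gcloud",  # made-up title
        "description": "Logs Viewer permissions plus serviceusage.services.use",
        "stage": "GA",
        "includedPermissions": sorted(set(base_permissions) | set(extra_permissions)),
    }


if __name__ == "__main__":
    viewer = LOGGING_VIEWER_PERMISSIONS
    print("console view, missing:", missing_permissions(viewer, CONSOLE_VIEW_PERMISSIONS))
    print("gcloud logs list, missing:", missing_permissions(viewer, GCLOUD_LOGS_LIST_PERMISSIONS))
    print(json.dumps(group_binding("log-readers@example.com"), indent=2))
    print(json.dumps(custom_role_definition(viewer, ["serviceusage.services.use"]), indent=2))
```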

If you give a user the roles/logging.viewer role, then they can only view the Stackdriver service; they cannot access other services, for example Storage.

What error do you get when giving only roles/logging.viewer? Can you attach a screenshot as well?
