
Dialogflow Google Cloud permissions to change logging settings

What permission does a Google Cloud user account need in IAM to change the logging settings of an agent in the Dialogflow Console? The user now has Dialogflow API Administrator but cannot change the settings as I can.

My customer has very strict permission policies so I only want to give permission when they are really needed.

Also, is there a comprehensive list of all GCP permissions (e.g. dialogflow.agent.update) and what they really mean? From my experience, I could not say what a user with this permission can or can't do.

If you want to have any access and control over log related stuff you should be looking at Logging API IAM roles. Here's a copy of the IAM roles for Logging API:

  • roles/logging.viewer (Logs Viewer) gives you read-only access to all features of Logging, except Access Transparency logs and Data Access audit logs.
  • roles/logging.privateLogViewer (Private Logs Viewer) includes roles/logging.viewer, plus the ability to read Access Transparency logs and Data Access audit logs.
  • roles/logging.logWriter (Logs Writer) can be granted to service accounts to give applications just enough permissions to write logs. This role does not grant viewing permissions.
  • roles/logging.configWriter (Logs Configuration Writer) gives you the permissions to create logs-based metrics and exclusions and to export sinks. To use the Logs Viewer (console) for these actions, add roles/logging.viewer.
  • roles/logging.admin (Logging Admin) grants you all permissions related to Logging.
  • roles/viewer (Project Viewer) is the same as roles/logging.viewer. The role gives you read-only access to all Logging features except for Access Transparency logs and Data Access audit logs.
  • roles/editor (Project Editor) includes the permissions of roles/logging.viewer, plus permissions to write log entries, delete logs, and create logs-based metrics. The role does not let you create export sinks or read Access Transparency logs or Data Access audit logs.
  • roles/owner (Project Owner) gives you full access to Logging, including Access Transparency logs and Data Access audit logs.

You can refer to this link for more detailed roles and permissions on logs. Note that according to the doc you can give permissions to even very specific features, which can help you in your issue with your client. It is also possible to create custom roles. As for the comprehensive list of roles on GCP, in the GCP console go to IAM & Admin under the navigation menu and you can see Roles under the IAM & Admin menu. There you can locate Dialogflow and see the different roles associated with it.

Through trial & error I couldn't find another role than roles/owner that can change the logging options for a Dialogflow agent. I also could not find the exact permission that controls this option.

I saw that this was not resolved, even though it's a year later. This came up recently within my team. Google's official stance was to just use project owner to view these settings, but that wouldn't work in a company following least privilege. With that in mind we've worked out the specific permissions required for seeing the logging options for a Dialogflow agent.

After confirming with Google engineers the permissions required for viewing the log settings in the agent general settings are:

  • dialogflow.agents.update (for API)
  • resourcemanager.projects.delete (for Console)

You can either create a custom role with those permissions or utilize both roles Dialogflow Console Agent Editor and Project Deleter to get the permissions. Hopefully this helps anyone else that runs into this logging problem. Small note: these permissions will also allow the person to delete the agent.
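The custom-role route from the answer above, as an added example that is not part of the original answer or of any Google documentation: it writes a role definition containing exactly the two permissions the answer names, in the YAML layout that `gcloud iam roles create --file` accepts, and prints (rather than runs) the `gcloud` commands that create the role and bind it to one principal. Keeping the role to those two permissions is narrower than granting the predefined Dialogflow Console Agent Editor plus Project Deleter roles, and far narrower than roles/owner; the deletion caveat the answer raises still applies, so the role description records it. `PROJECT_ID`, `ROLE_ID`, the member address, the role title and the file name are placeholders and assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original answer): bundle the two permissions the
# answer names into one custom role and bind it to a single principal, instead
# of granting the broader predefined roles or roles/owner.
# PROJECT_ID, ROLE_ID and MEMBER are placeholders; title/description are assumed.
set -eu

# Write the custom-role definition in the YAML layout that
# `gcloud iam roles create --file` accepts.
write_role_yaml() {
  out="$1"
  cat > "$out" <<'EOF'
title: "Dialogflow Logging Settings Editor"
description: "Changes an agent's logging settings. NOTE: resourcemanager.projects.delete also allows deleting the agent."
stage: "GA"
includedPermissions:
- dialogflow.agents.update
- resourcemanager.projects.delete
EOF
}

# Count the permissions the generated role grants, so a reviewer can confirm
# the role has not grown beyond the two that are actually required.
count_permissions() {
  grep -c '^- ' "$1"
}

# Print the gcloud commands that create the role and grant it to one member.
# Printing instead of executing keeps the change reviewable before anything
# in the project is modified; paste or pipe the output to apply it.
print_commands() {
  project="$1"; role_id="$2"; member="$3"; role_file="$4"
  echo "gcloud iam roles create $role_id --project $project --file $role_file"
  echo "gcloud projects add-iam-policy-binding $project --member $member --role projects/$project/roles/$role_id"
  echo "gcloud iam roles describe $role_id --project $project"
}

# Usage: ./dialogflow_log_role.sh PROJECT_ID ROLE_ID user:someone@example.com
# With no arguments nothing is written or printed.
if [ "$#" -eq 3 ]; then
  ROLE_FILE="dialogflow-logging-role.yaml"
  write_role_yaml "$ROLE_FILE"
  print_commands "$1" "$2" "$3" "$ROLE_FILE"
fi
```

Because the role lives at project scope (`projects/PROJECT_ID/roles/ROLE_ID`), the binding only affects that project, and `gcloud iam roles describe` at the end lets the reviewer confirm the granted permission list matches the two lines in the file.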
