Control access with IAM
When you create a Google Cloud project, you are the only user on the project. By
default, no other users have access to your project or its resources.
Identity and Access Management (IAM) manages access to Google Cloud resources, like
clusters. Permissions are not granted to principals directly; they are bundled into
roles, and IAM lets you grant roles to principals. A role is a collection of
permissions, and when granted to a principal, controls access to one or more
Google Cloud resources. You can use the following types of roles:
Basic roles provide coarse permissions limited to Owner, Editor, and Viewer. Because
they cover every Google Cloud service in the project, prefer a narrower role
wherever one exists.
Predefined roles provide finer-grained access than basic roles and address many
common use cases.
Custom roles allow you to create unique combinations of permissions.
A principal can be any of the following:
User account
Service account
Google Workspace Google Group
Google Workspace domain
Cloud Identity domain
IAM policy types
IAM supports the following policy types:
Allow policies: grant roles to principals. For details, see
Allow policy.
Deny policies: prevent principals from using specific IAM
permissions regardless of the roles that those principals are granted. For
details, see Deny policies.
Use deny policies to restrict specific principals from performing specific
actions in your project, folder, or organization even if an IAM
allow policy grants those principals a role that contains the relevant
permissions.
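The role, principal and policy concepts above, worked through in code. This is an added example, not code from Google Cloud: a small Python model that collects a user's permissions from an allow policy's bindings (including group membership), evaluates a deny policy against them so that a deny rule wins even when an allow binding grants a role containing the permission, and flags basic-role bindings as candidates for a predefined role. The role contents, principals, group memberships and both policy documents are constructed for illustration; the only role/permission pairing taken from this page is roles/logging.viewer containing observability.scopes.get. Field names follow the documented allow-binding and denyRule layouts, and deny rules spell permissions as SERVICE.googleapis.com/RESOURCE.ACTION; conditions and resource-hierarchy inheritance are deliberately left out.

```python
"""Toy model of how IAM combines an allow policy with a deny policy.

Added example, not Google Cloud code. Dict layouts follow the documented
allow-policy "bindings" and deny-policy "denyRule" shapes; role contents,
principals and group membership are constructed. Conditions and inheritance
through the resource hierarchy are not modelled.
"""

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed, partial role definitions (real roles carry far more permissions).
# roles/logging.viewer containing observability.scopes.get is stated on the page.
ROLES = {
    "roles/viewer": {"logging.logEntries.list", "logging.logs.list"},
    "roles/editor": {"logging.logEntries.list", "logging.logs.list",
                     "logging.logs.delete"},
    "roles/logging.viewer": {"logging.logEntries.list", "logging.logs.list",
                             "observability.scopes.get"},
    "roles/logging.admin": {"logging.logEntries.list", "logging.logs.list",
                            "logging.logs.delete"},
}

# Constructed group membership (resolved by Google Groups in practice).
GROUPS = {"group:sre@example.com": {"carol@example.com"}}

# Constructed allow policy, in the shape of
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
ALLOW_POLICY = {
    "bindings": [
        {"role": "roles/editor", "members": ["user:alice@example.com"]},
        {"role": "roles/logging.viewer", "members": ["group:sre@example.com"]},
        {"role": "roles/logging.admin", "members": ["user:bob@example.com"]},
    ]
}

# Constructed deny policy: everyone is denied log deletion except bob.
DENY_POLICY = {
    "displayName": "Block log deletion for everyone except bob",
    "rules": [{
        "denyRule": {
            "deniedPrincipals": ["principalSet://goog/public:all"],
            "exceptionPrincipals": ["principal://goog/subject/bob@example.com"],
            "deniedPermissions": ["logging.googleapis.com/logs.delete"],
        }
    }],
}


def to_deny_form(permission: str) -> str:
    """Allow-policy spelling -> deny-policy spelling.

    logging.logs.delete -> logging.googleapis.com/logs.delete
    """
    service, rest = permission.split(".", 1)
    return f"{service}.googleapis.com/{rest}"


def allowed_permissions(email: str, allow_policy=ALLOW_POLICY,
                        roles=ROLES, groups=GROUPS) -> set:
    """Union of the permissions in every role bound to the user or their groups."""
    granted = set()
    for binding in allow_policy["bindings"]:
        for member in binding["members"]:
            direct = member == f"user:{email}"
            via_group = email in groups.get(member, set())
            if direct or via_group:
                granted |= roles.get(binding["role"], set())
    return granted


def is_denied(email: str, permission: str, deny_policy=DENY_POLICY) -> bool:
    """True if a deny rule names both the permission and the principal,
    and the principal is not listed as an exception."""
    subject = f"principal://goog/subject/{email}"
    wanted = to_deny_form(permission)
    for rule in deny_policy["rules"]:
        deny = rule["denyRule"]
        if wanted not in deny["deniedPermissions"]:
            continue
        targeted = (subject in deny["deniedPrincipals"]
                    or "principalSet://goog/public:all" in deny["deniedPrincipals"])
        excepted = subject in deny.get("exceptionPrincipals", [])
        if targeted and not excepted:
            return True
    return False


def has_permission(email: str, permission: str) -> bool:
    """Deny is checked first: an allow binding can never override it."""
    if is_denied(email, permission):
        return False
    return permission in allowed_permissions(email)


def basic_role_bindings(allow_policy=ALLOW_POLICY) -> list:
    """Bindings that grant a coarse basic role; review these for a predefined role."""
    return [(b["role"], m) for b in allow_policy["bindings"]
            for m in b["members"] if b["role"] in BASIC_ROLES]


if __name__ == "__main__":
    checks = [("alice@example.com", "logging.logs.delete"),
              ("bob@example.com", "logging.logs.delete"),
              ("carol@example.com", "observability.scopes.get")]
    for who, perm in checks:
        print(f"{who:20} {perm:28} -> {has_permission(who, perm)}")
    print("basic-role bindings:", basic_role_bindings())
```

alice holds roles/editor, which in this model contains logging.logs.delete, yet has_permission returns False for her because the deny rule targets all principals and she is not an exception; bob is granted the same permission through roles/logging.admin and is excepted, so his check passes. The basic_role_bindings helper surfaces the roles/editor grant as the binding to replace with a predefined role.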
Predefined roles
IAM provides predefined roles to grant granular access to
specific Google Cloud resources and to prevent unwanted access to other
resources. Google Cloud creates and maintains these roles and automatically
updates their permissions as necessary, such as when Google Cloud Observability adds
new features.
Predefined roles for Google Cloud Observability contain permissions for features that
span multiple product areas. For this reason, you might see some permissions,
like observability.scopes.get, included in predefined roles for those
product areas. For example, the Logs Viewer role (roles/logging.viewer)
includes the observability.scopes.get permission in addition to many
logging-specific permissions.
The following table lists the predefined roles for Google Cloud Observability. For
each role, the table displays the role title, description, contained
permissions, and the lowest-level resource type where the roles can be granted.
You can grant the predefined roles at the Google Cloud project level or, in
most cases, any type higher in the
resource hierarchy.
Last updated 2025-10-24 UTC.