Control access with IAM
Google Cloud offers Identity and Access Management (IAM), which lets you grant granular access to specific Google Cloud resources and prevents unwanted access to other resources. This page describes the IAM roles for Cloud Trace.
Best practices
To simplify troubleshooting, we recommend granting the Cloud Trace User role (roles/cloudtrace.user) on a project to all users, groups, and domains that might need to view that project's trace data. This role grants principals the permissions required to view trace data.
Permissions and predefined roles
IAM roles contain permissions and can be granted to users, groups, and service accounts.
Cloud Trace roles
The following table lists the predefined roles for Cloud Trace and the permissions in each role:
| Role | Permissions |
| --- | --- |
| **Cloud Trace Admin** (`roles/cloudtrace.admin`)<br>Provides full access to the Trace console and read-write access to traces.<br>Lowest-level resources where you can grant this role: | `cloudtrace.*`<br>`cloudtrace.insights.get`<br>`cloudtrace.insights.list`<br>`cloudtrace.stats.get`<br>`cloudtrace.tasks.create`<br>`cloudtrace.tasks.delete`<br>`cloudtrace.tasks.get`<br>`cloudtrace.tasks.list`<br>`cloudtrace.traceScopes.create`<br>`cloudtrace.traceScopes.delete`<br>`cloudtrace.traceScopes.get`<br>`cloudtrace.traceScopes.list`<br>`cloudtrace.traceScopes.update`<br>`cloudtrace.traces.get`<br>`cloudtrace.traces.list`<br>`cloudtrace.traces.patch`<br>`observability.scopes.get`<br>`observability.traceScopes.*`<br>`observability.traceScopes.create`<br>`observability.traceScopes.delete`<br>`observability.traceScopes.get`<br>`observability.traceScopes.list`<br>`observability.traceScopes.update`<br>`resourcemanager.projects.get`<br>`resourcemanager.projects.list`<br>`telemetry.traces.write` |
| **Cloud Trace User** (`roles/cloudtrace.user`)<br>Provides full access to the Trace console and read access to traces.<br>Lowest-level resources where you can grant this role: | `cloudtrace.insights.*`<br>`cloudtrace.insights.get`<br>`cloudtrace.insights.list`<br>`cloudtrace.stats.get`<br>`cloudtrace.tasks.*`<br>`cloudtrace.tasks.create`<br>`cloudtrace.tasks.delete`<br>`cloudtrace.tasks.get`<br>`cloudtrace.tasks.list`<br>`cloudtrace.traceScopes.*`<br>`cloudtrace.traceScopes.create`<br>`cloudtrace.traceScopes.delete`<br>`cloudtrace.traceScopes.get`<br>`cloudtrace.traceScopes.list`<br>`cloudtrace.traceScopes.update`<br>`cloudtrace.traces.get`<br>`cloudtrace.traces.list`<br>`observability.scopes.get`<br>`observability.traceScopes.*`<br>`observability.traceScopes.create`<br>`observability.traceScopes.delete`<br>`observability.traceScopes.get`<br>`observability.traceScopes.list`<br>`observability.traceScopes.update`<br>`resourcemanager.projects.get`<br>`resourcemanager.projects.list` |
| **Cloud Trace Agent** (`roles/cloudtrace.agent`)<br>For service accounts. Provides ability to write traces by sending the data to Stackdriver Trace.<br>Lowest-level resources where you can grant this role: | `cloudtrace.traces.patch`<br>`telemetry.traces.write` |
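The audit script below is an added example, not part of the Google Cloud documentation. It transcribes the three Cloud Trace role permission sets from the table above and checks a project IAM policy (assumed to be in the JSON shape that `gcloud projects get-iam-policy --format=json` returns) against the guidance on this page: the Agent role is meant for service accounts, and roles/cloudtrace.user already covers viewing traces, so the Admin role on a human principal deserves review. The sample policy and its members are constructed.

```python
import json

# Permission sets transcribed from the Cloud Trace predefined-role table on this page.
_USER_PERMS = {
    "cloudtrace.insights.get", "cloudtrace.insights.list", "cloudtrace.stats.get",
    *(f"cloudtrace.tasks.{v}" for v in ("create", "delete", "get", "list")),
    *(f"cloudtrace.traceScopes.{v}" for v in ("create", "delete", "get", "list", "update")),
    *(f"observability.traceScopes.{v}" for v in ("create", "delete", "get", "list", "update")),
    "cloudtrace.traces.get", "cloudtrace.traces.list", "observability.scopes.get",
    "resourcemanager.projects.get", "resourcemanager.projects.list",
}
_AGENT_PERMS = {"cloudtrace.traces.patch", "telemetry.traces.write"}
TRACE_ROLE_PERMISSIONS = {
    "roles/cloudtrace.user": _USER_PERMS,
    "roles/cloudtrace.agent": _AGENT_PERMS,
    "roles/cloudtrace.admin": _USER_PERMS | _AGENT_PERMS,  # per the table: User's reads + Agent's writes
}

def effective_trace_permissions(policy, member):
    """Cloud Trace permissions that project-level bindings give `member` (an upper bound:
    conditional bindings are treated as unconditional)."""
    perms = set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            perms |= TRACE_ROLE_PERMISSIONS.get(binding.get("role"), set())
    return perms

def audit_trace_bindings(policy):
    """Return (member, role, reason) for bindings that deviate from this page's guidance."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in TRACE_ROLE_PERMISSIONS:
            continue
        for member in binding.get("members", []):
            kind = member.split(":", 1)[0]  # user, group, domain, serviceAccount, ...
            if role == "roles/cloudtrace.agent" and kind != "serviceAccount":
                findings.append((member, role, "Agent role is meant for service accounts"))
            elif role == "roles/cloudtrace.admin" and kind in ("user", "group", "domain"):
                findings.append((member, role, "grants trace write access; "
                                 "roles/cloudtrace.user is enough to view traces"))
    return findings

# Constructed sample policy in the shape of `gcloud projects get-iam-policy --format=json` output.
SAMPLE_POLICY = json.loads("""{"bindings": [
  {"role": "roles/cloudtrace.user", "members": ["group:sre@example.com"]},
  {"role": "roles/cloudtrace.admin", "members": ["user:alice@example.com"]},
  {"role": "roles/cloudtrace.agent", "members": [
    "serviceAccount:app@my-project.iam.gserviceaccount.com", "user:bob@example.com"]}
]}""")
```

Running `audit_trace_bindings(SAMPLE_POLICY)` reports alice (Admin on a human principal) and bob (Agent on a user account); the service account and the SRE group pass.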
Telemetry API roles
The following table lists the predefined roles for the Telemetry (OTLP) API and the permissions in each role:
| Role | Permissions |
| --- | --- |
| **Telemetry Admin** (`roles/telemetry.admin`)<br>Admin role for telemetry | `resourcemanager.projects.get`<br>`resourcemanager.projects.list`<br>`telemetry.*`<br>`telemetry.consumers.getIamPolicy`<br>`telemetry.consumers.setIamPolicy`<br>`telemetry.consumers.writeLogs`<br>`telemetry.consumers.writeMetrics`<br>`telemetry.consumers.writeTraces`<br>`telemetry.traces.write` |
| **Telemetry Editor** (`roles/telemetry.editor`)<br>Editor role for telemetry | `resourcemanager.projects.get`<br>`resourcemanager.projects.list`<br>`telemetry.traces.write` |
| **Consumer Admin** (Beta) (`roles/telemetry.consumerAdmin`)<br>Grants permission management access to consumer resources. | `telemetry.consumers.getIamPolicy`<br>`telemetry.consumers.setIamPolicy` |
| **Cloud Telemetry Logs Writer** (Beta) (`roles/telemetry.logsWriter`)<br>Access to write logs. | `logging.logEntries.create` |
| **Cloud Telemetry Metrics Writer** (`roles/telemetry.metricsWriter`)<br>Access to write metrics. | `monitoring.timeSeries.create` |
| **Integrated Service Telemetry Logs Writer** (Beta) (`roles/telemetry.serviceLogsWriter`)<br>Allows an onboarded service to write log data to a destination. | `telemetry.consumers.writeLogs` |
| **Integrated Service Telemetry Metrics Writer** (Beta) (`roles/telemetry.serviceMetricsWriter`)<br>Allows an onboarded service to write metrics data to a destination. | `telemetry.consumers.writeMetrics` |
| **Integrated Service Telemetry Writer** (Beta) (`roles/telemetry.serviceTelemetryWriter`)<br>Allows an onboarded service to write all telemetry data to a destination. | `telemetry.consumers.writeLogs`<br>`telemetry.consumers.writeMetrics`<br>`telemetry.consumers.writeTraces` |
| **Integrated Service Telemetry Traces Writer** (Beta) (`roles/telemetry.serviceTracesWriter`)<br>Allows an onboarded service to write trace data to a destination. | `telemetry.consumers.writeTraces` |
| **Cloud Telemetry Traces Writer** (`roles/telemetry.tracesWriter`)<br>Access to write trace spans. | `telemetry.traces.write` |
| **Cloud Telemetry Writer** (`roles/telemetry.writer`)<br>Full access to write all telemetry data. | `logging.logEntries.create`<br>`monitoring.timeSeries.create`<br>`telemetry.traces.write` |
Create custom roles
To create a custom role that includes Cloud Trace permissions, do the following:
- To make the role grant only Cloud Trace API permissions, select the permissions required by the API methods.
- To make the role grant permissions for both the Cloud Trace API and the console, select a permission group from the predefined Cloud Trace roles.
- To grant permission to write trace data, include the permissions from the Cloud Trace Agent (roles/cloudtrace.agent) role.
For more information about custom roles, see Creating and managing custom roles.
Permissions for API methods
For the permissions required to make API calls, see the Cloud Trace API reference documentation:
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated (UTC): 2026-05-12.