Creating a Custom Role

If the pre-defined roles Project Viewer and Pub/Sub Subscriber are too broad for your use, or are otherwise unsuitable for you, you can define a new role whose access is limited according to your needs.

Warning: At minimum, your service account role must be assigned each of the Identity and Access Management (IAM) policies required for your sensor operations. Review the Required IAM Policies table to see which functions depend on which Identity and Access Management (IAM) policies.

  • Grant permissions at the project level: This allows you to select which specific projects should be monitored by the sensor. This approach is not valid for any logging at the organization level, and any functionality dependent on organization-level permissions will not be enabled.

Note: These permissions can be granted at the organization level, however if your organization is very large you may experience performance issues. In this case, (as long as you don't need the sensor to monitor all projects), you can use either of the following approaches to avoid possible throttling: