Cloud Logging roles and permissions

This page lists the IAM roles and permissions for Cloud Logging. Tosearch through all roles and permissions, see therole andpermission index.

Cloud Logging roles

Role Permissions

Role	Permissions
Logging Admin (`roles/logging.admin`) Provides all permissions necessary to use all features of Cloud Logging. Lowest-level resources where you can grant this role: Project	`logging.buckets.copyLogEntries` `logging.buckets.create` `logging.buckets.createTagBinding` `logging.buckets.delete` `logging.buckets.deleteTagBinding` `logging.buckets.get` `logging.buckets.list` `logging.buckets.listEffectiveTags` `logging.buckets.listTagBindings` `logging.buckets.undelete` `logging.buckets.update` `logging.exclusions.` `logging.exclusions.create` `logging.exclusions.delete` `logging.exclusions.get` `logging.exclusions.list` `logging.exclusions.update` `logging.fields.access` `logging.links.` `logging.links.create` `logging.links.delete` `logging.links.get` `logging.links.list` `logging.locations.` `logging.locations.get` `logging.locations.list` `logging.logEntries.` `logging.logEntries.create` `logging.logEntries.download` `logging.logEntries.list` `logging.logEntries.route` `logging.logMetrics.` `logging.logMetrics.create` `logging.logMetrics.delete` `logging.logMetrics.get` `logging.logMetrics.list` `logging.logMetrics.update` `logging.logScopes.` `logging.logScopes.create` `logging.logScopes.delete` `logging.logScopes.get` `logging.logScopes.list` `logging.logScopes.update` `logging.logServiceIndexes.list` `logging.logServices.list` `logging.logs.` `logging.logs.delete` `logging.logs.list` `logging.notificationRules.` `logging.notificationRules.create` `logging.notificationRules.delete` `logging.notificationRules.get` `logging.notificationRules.list` `logging.notificationRules.update` `logging.operations.` `logging.operations.cancel` `logging.operations.get` `logging.operations.list` `logging.privateLogEntries.list` `logging.queries.` `logging.queries.deleteShared` `logging.queries.getShared` `logging.queries.listShared` `logging.queries.share` `logging.queries.updateShared` `logging.queries.usePrivate` `logging.settings.` `logging.settings.get` `logging.settings.update` `logging.sinks.` `logging.sinks.create` `logging.sinks.delete` `logging.sinks.get` `logging.sinks.list` `logging.sinks.update` `logging.sqlAlerts.` `logging.sqlAlerts.create` `logging.sqlAlerts.update` `logging.usage.get` `logging.views.` `logging.views.access` `logging.views.create` `logging.views.delete` `logging.views.get` `logging.views.getIamPolicy` `logging.views.list` `logging.views.listLogs` `logging.views.listResourceKeys` `logging.views.listResourceValues` `logging.views.setIamPolicy` `logging.views.update` `observability.scopes.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
Logs Bucket Writer (`roles/logging.bucketWriter`) Ability to write logs to a log bucket. Lowest-level resources where you can grant this role: Project	`logging.buckets.write`
Logs Configuration Writer (`roles/logging.configWriter`) Provides permissions to read and write the configurations of logs-basedmetrics and sinks for exporting logs. Lowest-level resources where you can grant this role: Project	`logging.buckets.create` `logging.buckets.createTagBinding` `logging.buckets.delete` `logging.buckets.deleteTagBinding` `logging.buckets.get` `logging.buckets.list` `logging.buckets.listEffectiveTags` `logging.buckets.listTagBindings` `logging.buckets.undelete` `logging.buckets.update` `logging.exclusions.` `logging.exclusions.create` `logging.exclusions.delete` `logging.exclusions.get` `logging.exclusions.list` `logging.exclusions.update` `logging.links.` `logging.links.create` `logging.links.delete` `logging.links.get` `logging.links.list` `logging.locations.` `logging.locations.get` `logging.locations.list` `logging.logMetrics.` `logging.logMetrics.create` `logging.logMetrics.delete` `logging.logMetrics.get` `logging.logMetrics.list` `logging.logMetrics.update` `logging.logScopes.` `logging.logScopes.create` `logging.logScopes.delete` `logging.logScopes.get` `logging.logScopes.list` `logging.logScopes.update` `logging.logServiceIndexes.list` `logging.logServices.list` `logging.logs.list` `logging.notificationRules.` `logging.notificationRules.create` `logging.notificationRules.delete` `logging.notificationRules.get` `logging.notificationRules.list` `logging.notificationRules.update` `logging.operations.` `logging.operations.cancel` `logging.operations.get` `logging.operations.list` `logging.settings.` `logging.settings.get` `logging.settings.update` `logging.sinks.` `logging.sinks.create` `logging.sinks.delete` `logging.sinks.get` `logging.sinks.list` `logging.sinks.update` `logging.sqlAlerts.` `logging.sqlAlerts.create` `logging.sqlAlerts.update` `logging.views.create` `logging.views.delete` `logging.views.get` `logging.views.getIamPolicy` `logging.views.list` `logging.views.update` `observability.scopes.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
Log Field Accessor (`roles/logging.fieldAccessor`) Ability to read restricted fields in a log bucket. Lowest-level resources where you can grant this role: Project	`logging.fields.access`
Log Link Accessor (`roles/logging.linkViewer`) Ability to see links for a bucket.	`logging.links.get` `logging.links.list`
Logs Writer (`roles/logging.logWriter`) Provides the permissions to write log entries. Lowest-level resources where you can grant this role: Project	`logging.logEntries.create` `logging.logEntries.route`
Private Logs Viewer (`roles/logging.privateLogViewer`) Provides permissions of the Logs Viewer role and in addition, providesread-only access to log entries in private logs. Lowest-level resources where you can grant this role: Project	`logging.buckets.get` `logging.buckets.list` `logging.exclusions.get` `logging.exclusions.list` `logging.links.get` `logging.links.list` `logging.locations.*` `logging.locations.get` `logging.locations.list` `logging.logEntries.list` `logging.logMetrics.get` `logging.logMetrics.list` `logging.logServiceIndexes.list` `logging.logServices.list` `logging.logs.list` `logging.operations.get` `logging.operations.list` `logging.privateLogEntries.list` `logging.queries.getShared` `logging.queries.listShared` `logging.queries.usePrivate` `logging.sinks.get` `logging.sinks.list` `logging.usage.get` `logging.views.access` `logging.views.get` `logging.views.list` `observability.scopes.get` `resourcemanager.projects.get`
Cloud Logging Service Agent (`roles/logging.serviceAgent`) Grants a Cloud Logging Service Account the ability to create and link datasets. Warning: Do not grant service agent roles to any principals except service agents.	`bigquery.datasets.create` `bigquery.datasets.get` `bigquery.datasets.link`
SQL Alert Writer^Beta (`roles/logging.sqlAlertWriter`) Ability to write SQL Alerts.	`logging.sqlAlerts.*` `logging.sqlAlerts.create` `logging.sqlAlerts.update`
Logs View Accessor (`roles/logging.viewAccessor`) Ability to read logs in a view. Lowest-level resources where you can grant this role: Project	`logging.logEntries.download` `logging.views.access` `logging.views.listLogs` `logging.views.listResourceKeys` `logging.views.listResourceValues`
Logs Viewer (`roles/logging.viewer`) Provides access to view logs. Lowest-level resources where you can grant this role: Project	`logging.buckets.get` `logging.buckets.list` `logging.exclusions.get` `logging.exclusions.list` `logging.links.get` `logging.links.list` `logging.locations.*` `logging.locations.get` `logging.locations.list` `logging.logEntries.list` `logging.logMetrics.get` `logging.logMetrics.list` `logging.logScopes.get` `logging.logScopes.list` `logging.logServiceIndexes.list` `logging.logServices.list` `logging.logs.list` `logging.operations.get` `logging.operations.list` `logging.queries.getShared` `logging.queries.listShared` `logging.queries.usePrivate` `logging.sinks.get` `logging.sinks.list` `logging.usage.get` `logging.views.get` `logging.views.list` `observability.scopes.get` `resourcemanager.projects.get`

Logging Admin

(roles/logging.admin)

Provides all permissions necessary to use all features of Cloud Logging.

Lowest-level resources where you can grant this role:

Project

logging.buckets.copyLogEntries

logging.buckets.create

logging.buckets.createTagBinding

logging.buckets.delete

logging.buckets.deleteTagBinding

logging.buckets.get

logging.buckets.list

logging.buckets.listEffectiveTags

logging.buckets.listTagBindings

logging.buckets.undelete

logging.buckets.update

logging.exclusions.*

logging.exclusions.create
logging.exclusions.delete
logging.exclusions.get
logging.exclusions.list
logging.exclusions.update

logging.fields.access

logging.links.*

logging.links.create
logging.links.delete
logging.links.get
logging.links.list

logging.locations.*

logging.locations.get
logging.locations.list

logging.logEntries.*

logging.logEntries.create
logging.logEntries.download
logging.logEntries.list
logging.logEntries.route

logging.logMetrics.*

logging.logMetrics.create
logging.logMetrics.delete
logging.logMetrics.get
logging.logMetrics.list
logging.logMetrics.update

logging.logScopes.*

logging.logScopes.create
logging.logScopes.delete
logging.logScopes.get
logging.logScopes.list
logging.logScopes.update

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.*

logging.logs.delete
logging.logs.list

logging.notificationRules.*

logging.notificationRules.create
logging.notificationRules.delete
logging.notificationRules.get
logging.notificationRules.list
logging.notificationRules.update

logging.operations.*

logging.operations.cancel
logging.operations.get
logging.operations.list

logging.privateLogEntries.list

logging.queries.*

logging.queries.deleteShared
logging.queries.getShared
logging.queries.listShared
logging.queries.share
logging.queries.updateShared
logging.queries.usePrivate

logging.settings.*

logging.settings.get
logging.settings.update

logging.sinks.*

logging.sinks.create
logging.sinks.delete
logging.sinks.get
logging.sinks.list
logging.sinks.update

logging.sqlAlerts.*

logging.sqlAlerts.create
logging.sqlAlerts.update

logging.usage.get

logging.views.*

logging.views.access
logging.views.create
logging.views.delete
logging.views.get
logging.views.getIamPolicy
logging.views.list
logging.views.listLogs
logging.views.listResourceKeys
logging.views.listResourceValues
logging.views.setIamPolicy
logging.views.update

observability.scopes.get

resourcemanager.projects.get

resourcemanager.projects.list

Logs Bucket Writer

(roles/logging.bucketWriter)

Ability to write logs to a log bucket.

Lowest-level resources where you can grant this role:

Project

logging.buckets.write

Logs Configuration Writer

(roles/logging.configWriter)

Provides permissions to read and write the configurations of logs-basedmetrics and sinks for exporting logs.

Lowest-level resources where you can grant this role:

Project

logging.buckets.create

logging.buckets.createTagBinding

logging.buckets.delete

logging.buckets.deleteTagBinding

logging.buckets.get

logging.buckets.list

logging.buckets.listEffectiveTags

logging.buckets.listTagBindings

logging.buckets.undelete

logging.buckets.update

logging.exclusions.*

logging.exclusions.create
logging.exclusions.delete
logging.exclusions.get
logging.exclusions.list
logging.exclusions.update

logging.links.*

logging.links.create
logging.links.delete
logging.links.get
logging.links.list

logging.locations.*

logging.locations.get
logging.locations.list

logging.logMetrics.*

logging.logMetrics.create
logging.logMetrics.delete
logging.logMetrics.get
logging.logMetrics.list
logging.logMetrics.update

logging.logScopes.*

logging.logScopes.create
logging.logScopes.delete
logging.logScopes.get
logging.logScopes.list
logging.logScopes.update

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.notificationRules.*

logging.notificationRules.create
logging.notificationRules.delete
logging.notificationRules.get
logging.notificationRules.list
logging.notificationRules.update

logging.operations.*

logging.operations.cancel
logging.operations.get
logging.operations.list

logging.settings.*

logging.settings.get
logging.settings.update

logging.sinks.*

logging.sinks.create
logging.sinks.delete
logging.sinks.get
logging.sinks.list
logging.sinks.update

logging.sqlAlerts.*

logging.sqlAlerts.create
logging.sqlAlerts.update

logging.views.create

logging.views.delete

logging.views.get

logging.views.getIamPolicy

logging.views.list

logging.views.update

observability.scopes.get

resourcemanager.projects.get

resourcemanager.projects.list

Log Field Accessor

(roles/logging.fieldAccessor)

Ability to read restricted fields in a log bucket.

Lowest-level resources where you can grant this role:

Project

logging.fields.access

Log Link Accessor

(roles/logging.linkViewer)

Ability to see links for a bucket.

logging.links.get

logging.links.list

Logs Writer

(roles/logging.logWriter)

Provides the permissions to write log entries.

Lowest-level resources where you can grant this role:

Project

logging.logEntries.create

logging.logEntries.route

Private Logs Viewer

(roles/logging.privateLogViewer)

Provides permissions of the Logs Viewer role and in addition, providesread-only access to log entries in private logs.

Lowest-level resources where you can grant this role:

Project

logging.buckets.get

logging.buckets.list

logging.exclusions.get

logging.exclusions.list

logging.links.get

logging.links.list

logging.locations.*

logging.locations.get
logging.locations.list

logging.logEntries.list

logging.logMetrics.get

logging.logMetrics.list

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.operations.get

logging.operations.list

logging.privateLogEntries.list

logging.queries.getShared

logging.queries.listShared

logging.queries.usePrivate

logging.sinks.get

logging.sinks.list

logging.usage.get

logging.views.access

logging.views.get

logging.views.list

observability.scopes.get

resourcemanager.projects.get

Cloud Logging Service Agent

(roles/logging.serviceAgent)

Grants a Cloud Logging Service Account the ability to create and link datasets.

Warning: Do not grant service agent roles to any principals except service agents.

bigquery.datasets.create

bigquery.datasets.get

bigquery.datasets.link

SQL Alert Writer^Beta

(roles/logging.sqlAlertWriter)

Ability to write SQL Alerts.

logging.sqlAlerts.*

logging.sqlAlerts.create
logging.sqlAlerts.update

Logs View Accessor

(roles/logging.viewAccessor)

Ability to read logs in a view.

Lowest-level resources where you can grant this role:

Project

logging.logEntries.download

logging.views.access

logging.views.listLogs

logging.views.listResourceKeys

logging.views.listResourceValues

Logs Viewer

(roles/logging.viewer)

Provides access to view logs.

Lowest-level resources where you can grant this role:

Project

logging.buckets.get

logging.buckets.list

logging.exclusions.get

logging.exclusions.list

logging.links.get

logging.links.list

logging.locations.*

logging.locations.get
logging.locations.list

logging.logEntries.list

logging.logMetrics.get

logging.logMetrics.list

logging.logScopes.get

logging.logScopes.list

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.operations.get

logging.operations.list

logging.queries.getShared

logging.queries.listShared

logging.queries.usePrivate

logging.sinks.get

logging.sinks.list

logging.usage.get

logging.views.get

logging.views.list

observability.scopes.get

resourcemanager.projects.get

Cloud Logging permissions

Permission	Included in roles
`logging.buckets.copyLogEntries`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Support User (`roles/iam.supportUser`) Logging Admin (`roles/logging.admin`)
`logging.buckets.create`	Owner (`roles/owner`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Apigee Service Agent (`roles/apigee.serviceAgent`)
`logging.buckets.createTagBinding`	Owner (`roles/owner`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Tag User (`roles/resourcemanager.tagUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.buckets.delete`	Owner (`roles/owner`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.buckets.deleteTagBinding`	Owner (`roles/owner`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Tag User (`roles/resourcemanager.tagUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.buckets.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Network Administrator (`roles/iam.networkAdmin`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Apigee Service Agent (`roles/apigee.serviceAgent`)
`logging.buckets.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Audit Manager Auditing Service Agent (`roles/auditmanager.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Cloud Security Compliance Service Agent (`roles/cloudsecuritycompliance.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Apigee Service Agent (`roles/apigee.serviceAgent`)
`logging.buckets.listEffectiveTags`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.buckets.listTagBindings`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.buckets.undelete`	Owner (`roles/owner`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.buckets.update`	Owner (`roles/owner`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`logging.buckets.write`	Logs Bucket Writer (`roles/logging.bucketWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Build Logging Service Agent (`roles/cloudbuild.loggingServiceAgent`)
`logging.exclusions.create`	Owner (`roles/owner`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`logging.exclusions.delete`	Owner (`roles/owner`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`logging.exclusions.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) VPC Service Controls Troubleshooter Viewer (`roles/accesscontextmanager.vpcScTroubleshooterViewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Network Administrator (`roles/iam.networkAdmin`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`logging.exclusions.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) VPC Service Controls Troubleshooter Viewer (`roles/accesscontextmanager.vpcScTroubleshooterViewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.exclusions.update`	Owner (`roles/owner`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`logging.fields.access`	Owner (`roles/owner`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`) Log Field Accessor (`roles/logging.fieldAccessor`)
`logging.links.create`	Owner (`roles/owner`) Editor (`roles/editor`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.links.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.links.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Network Administrator (`roles/iam.networkAdmin`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Log Link Accessor (`roles/logging.linkViewer`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.links.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Log Link Accessor (`roles/logging.linkViewer`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Monitoring Service Agent (`roles/monitoring.notificationServiceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.locations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Network Administrator (`roles/iam.networkAdmin`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.locations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.logEntries.create`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Cloud Deploy Runner (`roles/clouddeploy.jobRunner`) Composer Worker (`roles/composer.worker`) Confidential Space Workload User (`roles/confidentialcomputing.workloadUser`) Cloud Infrastructure Manager Agent (`roles/config.agent`) Kubernetes Engine Default Node Service Account (`roles/container.defaultNodeServiceAccount`) Dataflow Worker (`roles/dataflow.worker`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Dataproc Worker (`roles/dataproc.worker`) Developer Connect Insights Config Agent (`roles/developerconnect.insightsAgent`) Firebase App Hosting Compute Runner (`roles/firebaseapphosting.computeRunner`) Anthos Multi-cloud Telemetry Writer (`roles/gkemulticloud.telemetryWriter`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`) Logs Writer (`roles/logging.logWriter`) Cloud Run Builder (`roles/run.builder`) Storage Transfer Agent (`roles/storagetransfer.transferAgent`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`) Vertex AI Extension Service Agent (`roles/aiplatform.extensionServiceAgent`) Vertex AI Notebook Service Agent (`roles/aiplatform.notebookServiceAgent`) Vertex AI RAG Data Service Agent (`roles/aiplatform.ragServiceAgent`) Vertex AI Reasoning Engine Service Agent (`roles/aiplatform.reasoningEngineServiceAgent`) Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) Vertex AI Telemetry Service Agent (`roles/aiplatform.telemetryServiceAgent`) Anthos Service Mesh Service Agent (`roles/anthosservicemesh.serviceAgent`) Apigee Service Agent (`roles/apigee.serviceAgent`) App Engine flexible environment Service Agent (`roles/appengineflex.serviceAgent`) Recommendations AI Service Agent (`roles/automlrecommendations.serviceAgent`) BigQuery Connection Service Agent (`roles/bigqueryconnection.serviceAgent`) BigQuery Data Transfer Service Agent (`roles/bigquerydatatransfer.serviceAgent`) Customer Engagement Suite Service Agent (`roles/ces.serviceAgent`) Chronicle Service Agent (`roles/chronicle.serviceAgent`) Gemini for Google Cloud Service Agent (`roles/cloudaicompanion.serviceAgent`) Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Infrastructure Manager Service Agent (`roles/cloudconfig.serviceAgent`) Cloud Deploy Service Agent (`roles/clouddeploy.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud IoT Core Service Agent (`roles/cloudiot.serviceAgent`) Cloud Scheduler Service Agent (`roles/cloudscheduler.serviceAgent`) Cloud Tasks Service Agent (`roles/cloudtasks.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Compute Engine Service Agent (`roles/compute.serviceAgent`) Kubernetes Engine Default Node Service Agent (`roles/container.defaultNodeServiceAgent`) [Deprecated] Kubernetes Engine Node Service Agent (`roles/container.nodeServiceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Resource Manager Node Service Agent (`roles/dataprocrm.nodeServiceAgent`) Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) Edge Container Cluster Service Agent (`roles/edgecontainer.clusterServiceAgent`) Firebase Machine Learning Service Agent (`roles/firebaseml.serviceAgent`) Anthos Multi-Cloud Container Service Agent (`roles/gkemulticloud.containerServiceAgent`) Mesh Managed Control Plane Service Agent (`roles/meshcontrolplane.serviceAgent`) Mesh Data Plane Service Agent (`roles/meshdataplane.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) RMA Service Agent (`roles/rapidmigrationassessment.serviceAgent`) Retail Service Agent (`roles/retail.serviceAgent`) Cloud Spanner API Service Agent (`roles/spanner.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Serverless VPC Access Service Agent (`roles/vpcaccess.serviceAgent`) Vertex AI Custom Code Service Agent (`roles/aiplatform.customCodeServiceAgent`)
`logging.logEntries.download`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Support User (`roles/iam.supportUser`) Logging Admin (`roles/logging.admin`) Logs View Accessor (`roles/logging.viewAccessor`)
`logging.logEntries.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) VPC Service Controls Troubleshooter Viewer (`roles/accesscontextmanager.vpcScTroubleshooterViewer`) Billing Account Administrator (`roles/billing.admin`) Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Cloud Hub Operator (`roles/cloudhub.operator`) Composer Worker (`roles/composer.worker`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Firebase Admin (`roles/firebase.admin`) Firebase Develop Admin (`roles/firebase.developAdmin`) Firebase Develop Viewer (`roles/firebase.developViewer`) Firebase Viewer (`roles/firebase.viewer`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Logging Admin (`roles/logging.admin`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`) Secured Landing Zone Service Agent (`roles/securedlandingzone.serviceAgent`) Security Center Control Service Agent (`roles/securitycenter.controlServiceAgent`) Security Center Service Agent (`roles/securitycenter.serviceAgent`) Vertex AI Telemetry Service Agent (`roles/aiplatform.telemetryServiceAgent`)
`logging.logEntries.route`	Owner (`roles/owner`) Editor (`roles/editor`) Composer Worker (`roles/composer.worker`) Dataflow Worker (`roles/dataflow.worker`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Dataproc Worker (`roles/dataproc.worker`) Firebase App Hosting Compute Runner (`roles/firebaseapphosting.computeRunner`) Anthos Multi-cloud Telemetry Writer (`roles/gkemulticloud.telemetryWriter`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`) Logs Writer (`roles/logging.logWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Extension Custom Code Service Agent (`roles/aiplatform.extensionCustomCodeServiceAgent`) Vertex AI Extension Service Agent (`roles/aiplatform.extensionServiceAgent`) Vertex AI Notebook Service Agent (`roles/aiplatform.notebookServiceAgent`) Vertex AI RAG Data Service Agent (`roles/aiplatform.ragServiceAgent`) Vertex AI Reasoning Engine Service Agent (`roles/aiplatform.reasoningEngineServiceAgent`) Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) Vertex AI Telemetry Service Agent (`roles/aiplatform.telemetryServiceAgent`) Recommendations AI Service Agent (`roles/automlrecommendations.serviceAgent`) BigQuery Connection Service Agent (`roles/bigqueryconnection.serviceAgent`) BigQuery Data Transfer Service Agent (`roles/bigquerydatatransfer.serviceAgent`) Customer Engagement Suite Service Agent (`roles/ces.serviceAgent`) Chronicle Service Agent (`roles/chronicle.serviceAgent`) Gemini for Google Cloud Service Agent (`roles/cloudaicompanion.serviceAgent`) Infrastructure Manager Service Agent (`roles/cloudconfig.serviceAgent`) Cloud IoT Core Service Agent (`roles/cloudiot.serviceAgent`) Cloud Scheduler Service Agent (`roles/cloudscheduler.serviceAgent`) Cloud TPU V2 API Service Agent (`roles/cloudtpu.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataproc Resource Manager Node Service Agent (`roles/dataprocrm.nodeServiceAgent`) Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) Firebase Machine Learning Service Agent (`roles/firebaseml.serviceAgent`) Anthos Multi-Cloud Container Service Agent (`roles/gkemulticloud.containerServiceAgent`) Mesh Managed Control Plane Service Agent (`roles/meshcontrolplane.serviceAgent`) Mesh Data Plane Service Agent (`roles/meshdataplane.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Retail Service Agent (`roles/retail.serviceAgent`) Vertex AI Custom Code Service Agent (`roles/aiplatform.customCodeServiceAgent`)
`logging.logMetrics.create`	Owner (`roles/owner`) Editor (`roles/editor`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Serverless VPC Access Service Agent (`roles/vpcaccess.serviceAgent`) App Engine flexible environment Service Agent (`roles/appengineflex.serviceAgent`)
`logging.logMetrics.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Serverless VPC Access Service Agent (`roles/vpcaccess.serviceAgent`) App Engine flexible environment Service Agent (`roles/appengineflex.serviceAgent`)
`logging.logMetrics.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) VPC Service Controls Troubleshooter Viewer (`roles/accesscontextmanager.vpcScTroubleshooterViewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Network Administrator (`roles/iam.networkAdmin`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Serverless VPC Access Service Agent (`roles/vpcaccess.serviceAgent`) App Engine flexible environment Service Agent (`roles/appengineflex.serviceAgent`)
`logging.logMetrics.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) VPC Service Controls Troubleshooter Viewer (`roles/accesscontextmanager.vpcScTroubleshooterViewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.logMetrics.update`	Owner (`roles/owner`) Editor (`roles/editor`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Serverless VPC Access Service Agent (`roles/vpcaccess.serviceAgent`) App Engine flexible environment Service Agent (`roles/appengineflex.serviceAgent`)
`logging.logScopes.create`	Owner (`roles/owner`) Editor (`roles/editor`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Observability Scopes Editor (`roles/observability.scopesEditor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.logScopes.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Observability Scopes Editor (`roles/observability.scopesEditor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.logScopes.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Network Administrator (`roles/iam.networkAdmin`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Logs Viewer (`roles/logging.viewer`) Observability Scopes Editor (`roles/observability.scopesEditor`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.logScopes.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Logs Viewer (`roles/logging.viewer`) Observability Scopes Editor (`roles/observability.scopesEditor`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.logScopes.update`	Owner (`roles/owner`) Editor (`roles/editor`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Observability Scopes Editor (`roles/observability.scopesEditor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.logServiceIndexes.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) VPC Service Controls Troubleshooter Viewer (`roles/accesscontextmanager.vpcScTroubleshooterViewer`) Billing Account Administrator (`roles/billing.admin`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.logServices.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) VPC Service Controls Troubleshooter Viewer (`roles/accesscontextmanager.vpcScTroubleshooterViewer`) Billing Account Administrator (`roles/billing.admin`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.logs.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`)
`logging.logs.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) VPC Service Controls Troubleshooter Viewer (`roles/accesscontextmanager.vpcScTroubleshooterViewer`) Billing Account Administrator (`roles/billing.admin`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.notificationRules.create`	Owner (`roles/owner`) Editor (`roles/editor`) Error Reporting Admin (`roles/errorreporting.admin`) Error Reporting User (`roles/errorreporting.user`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`logging.notificationRules.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Error Reporting Admin (`roles/errorreporting.admin`) Error Reporting User (`roles/errorreporting.user`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.notificationRules.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Error Reporting Admin (`roles/errorreporting.admin`) Error Reporting User (`roles/errorreporting.user`) Error Reporting Viewer (`roles/errorreporting.viewer`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.notificationRules.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Error Reporting Admin (`roles/errorreporting.admin`) Error Reporting User (`roles/errorreporting.user`) Error Reporting Viewer (`roles/errorreporting.viewer`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.notificationRules.update`	Owner (`roles/owner`) Editor (`roles/editor`) Error Reporting Admin (`roles/errorreporting.admin`) Error Reporting User (`roles/errorreporting.user`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.operations.cancel`	Owner (`roles/owner`) Editor (`roles/editor`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.operations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Network Administrator (`roles/iam.networkAdmin`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.operations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.privateLogEntries.list`	Owner (`roles/owner`) Billing Account Administrator (`roles/billing.admin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Logging Admin (`roles/logging.admin`) Private Logs Viewer (`roles/logging.privateLogViewer`)
`logging.queries.deleteShared`	Owner (`roles/owner`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`)
`logging.queries.getShared`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Network Administrator (`roles/iam.networkAdmin`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Logging Admin (`roles/logging.admin`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Observability Analytics User (`roles/observability.analyticsUser`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`)
`logging.queries.listShared`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Network Administrator (`roles/iam.networkAdmin`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Logging Admin (`roles/logging.admin`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Observability Analytics User (`roles/observability.analyticsUser`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`)
`logging.queries.share`	Owner (`roles/owner`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`)
`logging.queries.updateShared`	Owner (`roles/owner`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`)
`logging.queries.usePrivate`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Logging Admin (`roles/logging.admin`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Observability Analytics User (`roles/observability.analyticsUser`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`)
`logging.settings.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Support User (`roles/iam.supportUser`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.settings.update`	Owner (`roles/owner`) Editor (`roles/editor`) Assured Workloads Administrator (`roles/assuredworkloads.admin`) Assured Workloads Editor (`roles/assuredworkloads.editor`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Security Compliance Service Agent (`roles/cloudsecuritycompliance.serviceAgent`)
`logging.sinks.create`	Owner (`roles/owner`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`logging.sinks.delete`	Owner (`roles/owner`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`logging.sinks.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) VPC Service Controls Troubleshooter Viewer (`roles/accesscontextmanager.vpcScTroubleshooterViewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Network Administrator (`roles/iam.networkAdmin`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) KubeRun Events Control Plane Service Agent (`roles/kuberun.eventsControlPlaneServiceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`logging.sinks.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) VPC Service Controls Troubleshooter Viewer (`roles/accesscontextmanager.vpcScTroubleshooterViewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.sinks.update`	Owner (`roles/owner`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`logging.sqlAlerts.create`	Owner (`roles/owner`) Editor (`roles/editor`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) SQL Alert Writer (`roles/logging.sqlAlertWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.sqlAlerts.update`	Owner (`roles/owner`) Editor (`roles/editor`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) SQL Alert Writer (`roles/logging.sqlAlertWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.usage.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) VPC Service Controls Troubleshooter Viewer (`roles/accesscontextmanager.vpcScTroubleshooterViewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Network Administrator (`roles/iam.networkAdmin`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Logging Admin (`roles/logging.admin`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`)
`logging.views.access`	Owner (`roles/owner`) Cloud Build Service Account (`roles/cloudbuild.builds.builder`) Composer Worker (`roles/composer.worker`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs View Accessor (`roles/logging.viewAccessor`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Build Service Agent (`roles/cloudbuild.serviceAgent`)
`logging.views.create`	Owner (`roles/owner`) Editor (`roles/editor`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Apigee Service Agent (`roles/apigee.serviceAgent`)
`logging.views.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.views.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Network Administrator (`roles/iam.networkAdmin`) Security Auditor (`roles/iam.securityAuditor`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Apigee Service Agent (`roles/apigee.serviceAgent`)
`logging.views.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Support User (`roles/iam.supportUser`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)
`logging.views.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Hub Operator (`roles/cloudhub.operator`) Dataproc Hub Agent (`roles/dataproc.hubAgent`) Data Scientist (`roles/iam.dataScientist`) Databases Admin (`roles/iam.databasesAdmin`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) ML Engineer (`roles/iam.mlEngineer`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Private Logs Viewer (`roles/logging.privateLogViewer`) Logs Viewer (`roles/logging.viewer`) Telco Automation Admin (`roles/telcoautomation.admin`) Telco Automation Tier 1 Operations Admin (`roles/telcoautomation.opsAdminTier1`) Telco Automation Tier 4 Operations Admin (`roles/telcoautomation.opsAdminTier4`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Composer API Service Agent (`roles/composer.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Apigee Service Agent (`roles/apigee.serviceAgent`)
`logging.views.listLogs`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Support User (`roles/iam.supportUser`) Logging Admin (`roles/logging.admin`) Logs View Accessor (`roles/logging.viewAccessor`)
`logging.views.listResourceKeys`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Support User (`roles/iam.supportUser`) Logging Admin (`roles/logging.admin`) Logs View Accessor (`roles/logging.viewAccessor`)
`logging.views.listResourceValues`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Support User (`roles/iam.supportUser`) Logging Admin (`roles/logging.admin`) Logs View Accessor (`roles/logging.viewAccessor`)
`logging.views.setIamPolicy`	Owner (`roles/owner`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Security Admin (`roles/iam.securityAdmin`) Logging Admin (`roles/logging.admin`)
`logging.views.update`	Owner (`roles/owner`) Editor (`roles/editor`) Dev Ops (`roles/iam.devOps`) Infrastructure Administrator (`roles/iam.infrastructureAdmin`) Network Administrator (`roles/iam.networkAdmin`) Logging Admin (`roles/logging.admin`) Logs Configuration Writer (`roles/logging.configWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) GKE Hub Service Agent (`roles/gkehub.serviceAgent`) Cloud Composer API Service Agent (`roles/composer.serviceAgent`)

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-16 UTC.

Movatterモバイル変換

Cloud Logging roles and permissions Stay organized with collections Save and categorize content based on your preferences.