Controlling access to Cloud Service Mesh in the Google Cloud console
Access to Cloud Service Mesh in the Google Cloud console is controlled by Identity and Access Management (IAM). To get access, a Project Owner must grant users the Project Editor or Viewer role, or the more restrictive roles described in the following tables. For information about how to grant roles to users, see Granting, changing, and revoking access to resources.
Minimum read-only roles
Users with the following roles can access the Cloud Service Mesh pages for monitoring purposes only. Users with these roles can't create or modify service level objectives (SLOs) or make changes to the GKE infrastructure.
| Role title | IAM role name | Description |
|---|---|---|
| Monitoring Viewer | roles/monitoring.viewer | Provides read-only access to get and list information about all monitoring data and configurations. |
| Kubernetes Engine Viewer | roles/container.viewer | Provides read-only access to GKE resources. This role is not required for GKE clusters on Google Cloud. |
| Logs Viewer | roles/logging.viewer | Provides read-only access to the Diagnostics page in the service details view. If access to this page is not needed, then this permission may be omitted. |
| Service Usage Viewer | roles/serviceusage.serviceUsageViewer | Ability to inspect service states and operations for a consumer project. |
Minimum write roles
Users with the following roles can create or modify SLOs in the Cloud Service Mesh pages and create or modify alerting policies based on the SLOs. Users with these roles can't make changes to the GKE infrastructure.
| Role title | IAM role name | Description |
|---|---|---|
| Monitoring Editor | roles/monitoring.editor | Provides full access to information about all monitoring data and configurations. |
| Kubernetes Engine Editor | roles/container.editor | Provides the write permissions needed to manage GKE resources. |
| Logs Editor | roles/logging.editor | Provides the write permissions needed for the Diagnostics page in the service details view. |
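The read-only and write tables above define two minimum role sets. A practical way to keep to them is to audit a project's IAM policy for each user and flag when the user holds one of the broad project roles (Owner, Editor, Viewer) instead of, or on top of, the minimum set. The following Python script is an added example and is not code from the Cloud Service Mesh documentation or the Google Cloud SDK. It reads the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` prints (a constructed sample policy with made-up principals is embedded so it runs offline), compares one principal's direct bindings with the role set for the chosen tier, and prints the `gcloud projects add-iam-policy-binding` commands that would add any missing roles. The project id `my-project` and the `example.com` users are placeholders.

```python
"""Audit a project IAM policy against the Cloud Service Mesh console role sets.

Added example, not part of the Cloud Service Mesh documentation. Input has the
shape of `gcloud projects get-iam-policy PROJECT --format=json`.
"""
import json

# Role sets taken from the read-only and write tables on this page.
READ_ONLY_ROLES = {
    "roles/monitoring.viewer",
    "roles/container.viewer",
    "roles/logging.viewer",
    "roles/serviceusage.serviceUsageViewer",
}
WRITE_ROLES = {
    "roles/monitoring.editor",
    "roles/container.editor",
    "roles/logging.editor",
}
# Broad project roles also mentioned on the page: they grant access to the
# mesh pages but far more besides, so an audit should call them out.
BROAD_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample policy (same shape as the gcloud JSON output); the
# principals, etag and bindings are made up for this example.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/monitoring.viewer",
     "members": ["user:alice@example.com", "user:bob@example.com"]},
    {"role": "roles/container.viewer", "members": ["user:alice@example.com"]},
    {"role": "roles/logging.viewer", "members": ["user:alice@example.com"]},
    {"role": "roles/editor", "members": ["user:bob@example.com"]}
  ],
  "etag": "BwXexampleEtag=",
  "version": 1
}
""")


def roles_for_member(policy, member):
    """Return the roles bound directly to `member` in `policy`.

    Only direct project-level bindings are visible here; roles inherited from
    a folder or organization, or obtained through a group, are not in this
    document and would need a separate check.
    """
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit(policy, member, tier="read-only"):
    """Compare a principal's roles with the page's minimum set for `tier`.

    `tier` is "read-only" (monitoring only) or "write" (SLOs and alerting).
    """
    required = READ_ONLY_ROLES if tier == "read-only" else WRITE_ROLES
    held = roles_for_member(policy, member)
    return {
        "present": sorted(required & held),
        "missing": sorted(required - held),
        "broad": sorted(BROAD_ROLES & held),   # over-broad grants to review
    }


def grant_commands(project, member, missing_roles):
    """Build the gcloud commands that would add the missing roles.

    The commands are returned as strings for review, not executed.
    """
    return [
        f"gcloud projects add-iam-policy-binding {project} "
        f"--member={member} --role={role}"
        for role in sorted(missing_roles)
    ]


if __name__ == "__main__":
    for who in ("user:alice@example.com", "user:bob@example.com"):
        result = audit(SAMPLE_POLICY, who)
        print(who, result)
        for cmd in grant_commands("my-project", who, result["missing"]):
            print("   ", cmd)
```

In the sample, `alice` is one role short of the read-only set (Service Usage Viewer), while `bob` reaches the mesh pages only through `roles/editor`; the audit lists that broad role so it can be replaced by the minimum set rather than left in place.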
Special cases
The following roles are required for particular mesh configurations.
| Role title | IAM role name | Description |
|---|---|---|
| GKE Hub Viewer | roles/gkehub.viewer | Provides view access to clusters outside Google Cloud in the Google Cloud console. This role is required for users to view off-Google Cloud clusters in the mesh. Also, you will need to grant the user the cluster-admin RBAC role to allow the dashboard to query the cluster on their behalf. |
Additional roles and permissions
IAM has additional roles and granular permissions if the above roles don't meet your needs. For example, you might want to grant the Kubernetes Engine Admin role or the Kubernetes Engine Cluster Admin role to let a user administer your GKE infrastructure.
For more information see the following:
What's next
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.