Cloud Trace roles and permissions

This page lists the IAM roles and permissions for Cloud Trace. Tosearch through all roles and permissions, see therole andpermission index.

Cloud Trace roles

Role Permissions

Role	Permissions
Cloud Trace Admin (`roles/cloudtrace.admin`) Provides full access to the Trace console and read-write access to traces. Lowest-level resources where you can grant this role: Project	`cloudtrace.` `cloudtrace.insights.get` `cloudtrace.insights.list` `cloudtrace.stats.get` `cloudtrace.tasks.create` `cloudtrace.tasks.delete` `cloudtrace.tasks.get` `cloudtrace.tasks.list` `cloudtrace.traceScopes.create` `cloudtrace.traceScopes.delete` `cloudtrace.traceScopes.get` `cloudtrace.traceScopes.list` `cloudtrace.traceScopes.update` `cloudtrace.traces.get` `cloudtrace.traces.list` `cloudtrace.traces.patch` `observability.scopes.get` `observability.traceScopes.` `observability.traceScopes.create` `observability.traceScopes.delete` `observability.traceScopes.get` `observability.traceScopes.list` `observability.traceScopes.update` `resourcemanager.projects.get` `resourcemanager.projects.list` `telemetry.traces.write`
Cloud Trace Agent (`roles/cloudtrace.agent`) For service accounts. Provides ability to write traces by sending the datato Stackdriver Trace. Lowest-level resources where you can grant this role: Project	`cloudtrace.traces.patch` `telemetry.traces.write`
Cloud Trace User (`roles/cloudtrace.user`) Provides full access to the Trace console and read access to traces. Lowest-level resources where you can grant this role: Project	`cloudtrace.insights.` `cloudtrace.insights.get` `cloudtrace.insights.list` `cloudtrace.stats.get` `cloudtrace.tasks.` `cloudtrace.tasks.create` `cloudtrace.tasks.delete` `cloudtrace.tasks.get` `cloudtrace.tasks.list` `cloudtrace.traceScopes.` `cloudtrace.traceScopes.create` `cloudtrace.traceScopes.delete` `cloudtrace.traceScopes.get` `cloudtrace.traceScopes.list` `cloudtrace.traceScopes.update` `cloudtrace.traces.get` `cloudtrace.traces.list` `observability.scopes.get` `observability.traceScopes.` `observability.traceScopes.create` `observability.traceScopes.delete` `observability.traceScopes.get` `observability.traceScopes.list` `observability.traceScopes.update` `resourcemanager.projects.get` `resourcemanager.projects.list`

Cloud Trace Admin

(roles/cloudtrace.admin)

Provides full access to the Trace console and read-write access to traces.

Lowest-level resources where you can grant this role:

Project

cloudtrace.*

cloudtrace.insights.get
cloudtrace.insights.list
cloudtrace.stats.get
cloudtrace.tasks.create
cloudtrace.tasks.delete
cloudtrace.tasks.get
cloudtrace.tasks.list
cloudtrace.traceScopes.create
cloudtrace.traceScopes.delete
cloudtrace.traceScopes.get
cloudtrace.traceScopes.list
cloudtrace.traceScopes.update
cloudtrace.traces.get
cloudtrace.traces.list
cloudtrace.traces.patch

observability.scopes.get

observability.traceScopes.*

observability.traceScopes.create
observability.traceScopes.delete
observability.traceScopes.get
observability.traceScopes.list
observability.traceScopes.update

resourcemanager.projects.get

resourcemanager.projects.list

telemetry.traces.write

Cloud Trace Agent

(roles/cloudtrace.agent)

For service accounts. Provides ability to write traces by sending the datato Stackdriver Trace.

Lowest-level resources where you can grant this role:

Project

cloudtrace.traces.patch

telemetry.traces.write

Cloud Trace User

(roles/cloudtrace.user)

Provides full access to the Trace console and read access to traces.

Lowest-level resources where you can grant this role:

Project

cloudtrace.insights.*

cloudtrace.insights.get
cloudtrace.insights.list

cloudtrace.stats.get

cloudtrace.tasks.*

cloudtrace.tasks.create
cloudtrace.tasks.delete
cloudtrace.tasks.get
cloudtrace.tasks.list

cloudtrace.traceScopes.*

cloudtrace.traceScopes.create
cloudtrace.traceScopes.delete
cloudtrace.traceScopes.get
cloudtrace.traceScopes.list
cloudtrace.traceScopes.update

cloudtrace.traces.get

cloudtrace.traces.list

observability.scopes.get

observability.traceScopes.*

observability.traceScopes.create
observability.traceScopes.delete
observability.traceScopes.get
observability.traceScopes.list
observability.traceScopes.update

resourcemanager.projects.get

resourcemanager.projects.list

Cloud Trace permissions

Permission	Included in roles
`cloudtrace.insights.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Trace Admin (`roles/cloudtrace.admin`) Cloud Trace User (`roles/cloudtrace.user`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`)
`cloudtrace.insights.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Trace Admin (`roles/cloudtrace.admin`) Cloud Trace User (`roles/cloudtrace.user`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`)
`cloudtrace.stats.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Trace Admin (`roles/cloudtrace.admin`) Cloud Trace User (`roles/cloudtrace.user`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`)
`cloudtrace.tasks.create`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Trace Admin (`roles/cloudtrace.admin`) Cloud Trace User (`roles/cloudtrace.user`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`)
`cloudtrace.tasks.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Trace Admin (`roles/cloudtrace.admin`) Cloud Trace User (`roles/cloudtrace.user`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`)
`cloudtrace.tasks.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Trace Admin (`roles/cloudtrace.admin`) Cloud Trace User (`roles/cloudtrace.user`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`)
`cloudtrace.tasks.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Trace Admin (`roles/cloudtrace.admin`) Cloud Trace User (`roles/cloudtrace.user`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`)
`cloudtrace.traceScopes.create`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Trace Admin (`roles/cloudtrace.admin`) Cloud Trace User (`roles/cloudtrace.user`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`)
`cloudtrace.traceScopes.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Trace Admin (`roles/cloudtrace.admin`) Cloud Trace User (`roles/cloudtrace.user`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`)
`cloudtrace.traceScopes.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Trace Admin (`roles/cloudtrace.admin`) Cloud Trace User (`roles/cloudtrace.user`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`)
`cloudtrace.traceScopes.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Trace Admin (`roles/cloudtrace.admin`) Cloud Trace User (`roles/cloudtrace.user`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`)
`cloudtrace.traceScopes.update`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Trace Admin (`roles/cloudtrace.admin`) Cloud Trace User (`roles/cloudtrace.user`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`)
`cloudtrace.traces.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Trace Admin (`roles/cloudtrace.admin`) Cloud Trace User (`roles/cloudtrace.user`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`)
`cloudtrace.traces.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Cloud Trace Admin (`roles/cloudtrace.admin`) Cloud Trace User (`roles/cloudtrace.user`) Security Admin (`roles/iam.securityAdmin`) Security Auditor (`roles/iam.securityAuditor`) Security Reviewer (`roles/iam.securityReviewer`) Site Reliability Engineer (`roles/iam.siteReliabilityEngineer`) Support User (`roles/iam.supportUser`)
`cloudtrace.traces.patch`	Owner (`roles/owner`) Editor (`roles/editor`) Cloud Trace Admin (`roles/cloudtrace.admin`) Cloud Trace Agent (`roles/cloudtrace.agent`) Firebase App Hosting Compute Runner (`roles/firebaseapphosting.computeRunner`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Apigee Service Agent (`roles/apigee.serviceAgent`) KubeRun Events Data Plane Service Agent (`roles/kuberun.eventsDataPlaneServiceAgent`) Mesh Data Plane Service Agent (`roles/meshdataplane.serviceAgent`) Monitoring Service Agent (`roles/monitoring.notificationServiceAgent`) Vertex AI Reasoning Engine Service Agent (`roles/aiplatform.reasoningEngineServiceAgent`)

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.

Movatterモバイル変換

Cloud Trace roles and permissions