I am using a service account to create a Monitoring Policy in my GCP Project. I am trying to identify the IAM role that's suited for this via this link and narrowing it down to "Cloud Monitoring" - https://cloud.google.com/iam/docs/understanding-roles#predefined
I have put in the following roles -- roles/monitoring.alertPolicyEditor roles/monitoring.admin
It doesn't seem to work and throws the following error --
ERROR: (gcloud.alpha.monitoring.policies.create) User [[email protected]] does not have permission to access projects instance [gcp-project] (or it may not exist): The caller does not have permission
When I assign the role roles/owner, it seems to work. I don't want to assign the Owner permission. Can someone help me with what the appropriate role could be?
If you want to create a Monitoring Policy, you need the permissions “monitoring.alertPolicies.create” and “logging.notificationRules.create”. You need to grant the user in the IAM section the roles “Logging Admin” and “Monitoring AlertPolicy Editor”. That is explained in the following Google Official Documentation.
As you have added roles/monitoring.alertPolicyEditor and roles/monitoring.admin, along with this try adding logging admin and roles/monitoring.alertPolicyEditor, roles/monitoring.notificationChannelEditor. Then you can create monitoring policies.
You can also add a browser role as suggested by John Hanley.
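A way to check the result before removing roles/owner, as an added example that is not part of the question or the answer: it audits a project IAM policy (the JSON shape returned by `gcloud projects get-iam-policy PROJECT --format=json`) for the roles the answer lists. The service account name and the sample policy are constructed, and the role IDs `roles/logging.admin` and `roles/browser` are assumed to be what the answer means by "logging admin" and "browser".

```python
import json

# Roles named in the answer above (role IDs for "logging admin"/"browser" are assumed).
WANTED_ROLES = {
    "roles/monitoring.alertPolicyEditor",
    "roles/monitoring.notificationChannelEditor",
    "roles/logging.admin",
    "roles/browser",
}
# Basic roles that grant far more than alert-policy management.
BASIC_ROLES = {"roles/owner", "roles/editor"}

# Constructed member and policy, for illustration only.
MEMBER = "serviceAccount:alerting-sa@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": [MEMBER]},
        {"role": "roles/monitoring.alertPolicyEditor", "members": [MEMBER]},
        {"role": "roles/monitoring.admin", "members": [MEMBER]},
        {"role": "roles/logging.admin", "members": [MEMBER],
         "condition": {"title": "temporary",
                       "expression": 'request.time < timestamp("2030-01-01T00:00:00Z")'}},
        {"role": "roles/browser", "members": ["user:someone@example.com"]},
    ]
}

def audit_member(policy, member):
    """Report which wanted roles a member lacks and which basic roles it still holds."""
    granted, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        # A conditional binding does not apply to every request, so track it apart.
        target = conditional if "condition" in binding else granted
        target.add(binding["role"])
    return {
        "missing": sorted(WANTED_ROLES - granted - conditional),
        "conditional_only": sorted((WANTED_ROLES & conditional) - granted),
        "over_broad": sorted(BASIC_ROLES & (granted | conditional)),
    }

if __name__ == "__main__":
    print(json.dumps(audit_member(SAMPLE_POLICY, MEMBER), indent=2))
```

The check only sees bindings made directly to the service account on the project; roles inherited from a folder, the organization, or a group do not appear in this policy.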