Glean Collaboration Exercise

IAM role access needed for Glean alert-monitoring

This document details the IAM role access needed for the email alias

Background

Glean provides a fully managed SaaS experience for your Glean system, even though it is hosted in a GCP project owned by your organization. In order to monitor and manage the system efficiently, we request that (our on-call team) be granted the IAM permissions listed below. Please note that these permissions do not provide any access to customer data (which lives in Cloud SQL, Kubernetes, and Cloud Storage), nor to logs containing PII, which are not sent to the Stackdriver Logging console (now Cloud Logging).

Permissions for

roles/logging.viewer - grants access to the non-PII logs that are written to the Stackdriver Logging console. Note that user queries, document titles, etc. are considered PII and are therefore not accessible in the Stackdriver Logging console. Please see the doc for more details on this.
roles/monitoring.editor - allows the alias to manage and create alert policies, view metric graphs/dashboard, receive notifications and view/resolve alerts.
roles/errorreporting.user - used for viewing and managing errors in the GCP Error Reporting dashboard, which provides stack traces of unhandled exceptions encountered at runtime. This does not contain PII.
dataflow.jobs.list, dataflow.metrics.get, dataflow.jobs.get, dataflow.jobs.cancel - these allow the on-call team to view job status and cancel running jobs. They do not expose any of the job data itself.
appengine.applications.get, appengine.instances.delete, appengine.instances.get, appengine.instances.list, appengine.services.delete, appengine.services.get, appengine.services.list, appengine.versions.delete, appengine.versions.get, appengine.versions.list, appengine.operations.get - these fine-grained permissions are used by the on-call team to view and restart instances of App Engine services. Note that appengine.services.delete and appengine.versions.delete go beyond restarting an instance: they also allow deleting a service or a deployed version, so they should be reviewed as write access rather than read-only.
roles/run.viewer, roles/run.invoker - Ability for the oncall team to view Cloud Run service status and invoke them manually
roles/workflows.viewer, roles/workflows.invoker - Ability for the oncall team to view Workflows service status and invoke them manually
roles/cloudscheduler.viewer,roles/cloudscheduler.jobRunner - These roles are given for the oncall team to view the cron jobs in the project and be able to manually trigger the job
roles/cloudbuild.builds.viewer - this allows the on-call team to view Cloud Build logs in order to debug deployment errors.
roles/cloudtrace.user - This is in order to view performance traces for long-running requests.
roles/cloudprofiler.user - This is in order to view CPU and memory profile information for services.
pubsub.schemas.get, pubsub.schemas.list, pubsub.subscriptions.get, pubsub.subscriptions.list, pubsub.topics.get, pubsub.topics.list, resourcemanager.projects.get, serviceusage.quotas.get, serviceusage.services.get, serviceusage.services.list - This is in order to view the PubSub topics/subscriptions configuration and associated metrics (number of messages processed etc)
roles/ml.viewer, ml.jobs.cancel - This is in order to view ML jobs and cancel them if needed.
billing.resourceCosts.get - This is so that the oncall team can monitor costs for the project and do cost optimization. Please note that this provides access only to the costs for the Glean GCP project and not that of any other project in the org.
Access to the gs://config-<project> storage bucket - This bucket stores the system configuration settings. No customer data is stored in this bucket
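To make the grant above reviewable and repeatable, the following Python script (an added example, not Glean's own tooling) bundles the fine-grained permissions from the list into a single custom role in the YAML shape that `gcloud iam roles create --file` accepts, emits the `gcloud` bindings for the predefined roles, and runs a least-privilege check: it flags any permission that touches the services the document names as holding customer data, and lists every non-read-only permission so the reviewer sees exactly what the alias can change. The project ID, the principal alias, the custom role ID and the roles/storage.objectViewer binding on the config bucket are assumptions, since the document does not name them.

```python
"""Build and sanity-check the IAM grant for Glean's on-call principal.

Added example (not Glean's own tooling). Everything not in the permission
list above is a placeholder: PROJECT, PRINCIPAL, the custom role ID, and the
storage role used for the config bucket.
"""

PROJECT = "example-glean-project"             # placeholder project ID (assumption)
PRINCIPAL = "group:glean-oncall@example.com"  # placeholder alias (assumption)
CUSTOM_ROLE_ID = "gleanOncall"                # assumed custom role ID

# Predefined roles from the list above; granted at project level.
PREDEFINED_ROLES = [
    "roles/logging.viewer",
    "roles/monitoring.editor",
    "roles/errorreporting.user",
    "roles/run.viewer", "roles/run.invoker",
    "roles/workflows.viewer", "roles/workflows.invoker",
    "roles/cloudscheduler.viewer", "roles/cloudscheduler.jobRunner",
    "roles/cloudbuild.builds.viewer",
    "roles/cloudtrace.user",
    "roles/cloudprofiler.user",
    "roles/ml.viewer",
]

# Fine-grained permissions from the list above; bundled into one custom role.
CUSTOM_PERMISSIONS = [
    "dataflow.jobs.list", "dataflow.metrics.get", "dataflow.jobs.get", "dataflow.jobs.cancel",
    "appengine.applications.get", "appengine.instances.delete", "appengine.instances.get",
    "appengine.instances.list", "appengine.services.delete", "appengine.services.get",
    "appengine.services.list", "appengine.versions.delete", "appengine.versions.get",
    "appengine.versions.list", "appengine.operations.get",
    "pubsub.schemas.get", "pubsub.schemas.list", "pubsub.subscriptions.get",
    "pubsub.subscriptions.list", "pubsub.topics.get", "pubsub.topics.list",
    "resourcemanager.projects.get", "serviceusage.quotas.get",
    "serviceusage.services.get", "serviceusage.services.list",
    "ml.jobs.cancel",
    "billing.resourceCosts.get",
]

# Permission prefixes of the services the document says hold customer data
# (Cloud SQL, GKE, Cloud Storage objects). None of the requested permissions
# should start with these.
DATA_PLANE_PREFIXES = ("cloudsql.", "container.", "storage.objects.")


def data_plane_permissions(perms):
    """Return the permissions that reach customer-data services (expected: none)."""
    return [p for p in perms if p.startswith(DATA_PLANE_PREFIXES)]


def mutating_permissions(perms):
    """Return permissions whose verb is not get/list, i.e. everything that can change state."""
    read_only = {"get", "list"}
    return [p for p in perms if p.rsplit(".", 1)[1] not in read_only]


def custom_role_yaml(role_id=CUSTOM_ROLE_ID, perms=CUSTOM_PERMISSIONS):
    """Render a role file for: gcloud iam roles create ROLE_ID --project PROJECT --file role.yaml"""
    lines = [
        f"title: {role_id}",
        "description: Glean on-call monitoring (fine-grained permissions)",
        "stage: GA",
        "includedPermissions:",
    ]
    lines += [f"- {p}" for p in sorted(set(perms))]
    return "\n".join(lines) + "\n"


def grant_commands(project=PROJECT, principal=PRINCIPAL, role_id=CUSTOM_ROLE_ID):
    """gcloud commands binding the predefined roles, the custom role, and the config bucket."""
    cmds = [
        f"gcloud projects add-iam-policy-binding {project} --member={principal} --role={r}"
        for r in PREDEFINED_ROLES
    ]
    cmds.append(
        f"gcloud projects add-iam-policy-binding {project} --member={principal} "
        f"--role=projects/{project}/roles/{role_id}"
    )
    # The bucket grant is bound on the bucket itself, not the project, so it cannot
    # reach any other bucket. roles/storage.objectViewer is an assumption; the
    # document only says "access" to gs://config-<project>.
    cmds.append(
        f"gcloud storage buckets add-iam-policy-binding gs://config-{project} "
        f"--member={principal} --role=roles/storage.objectViewer"
    )
    return cmds


if __name__ == "__main__":
    leaked = data_plane_permissions(CUSTOM_PERMISSIONS)
    print("customer-data permissions:", leaked or "none")
    print("write permissions to review:", mutating_permissions(CUSTOM_PERMISSIONS))
    print(custom_role_yaml())
    print("\n".join(grant_commands()))
```

Run it before applying the grant: the data-plane check should print `none`, and the write-permission list should contain only the cancel and delete permissions the document asks for; anything else appearing there means the permission list has drifted from this page.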