How To Create A Custom IAM Role In GCP

How To Create A Custom IAM Role In GCP

How To Create A Custom IAM Role In GCP

Hello Everyone

Welcome to CloudAffaire and this is Debjeet.

In the last blog post, we have discussed identity and access management in GCP.

https://cloudaffaire.com/cloud-identity-and-access-management-iam-in-gcp/

In this blog post, we are going to discuss custom IAM role in GCP.

What Are Roles In GCP?

A role is a collection of permissions. You cannot grant a permission to the user directly. Instead, you grant them a role. When you grant a role to a user, you grant them all the permissions that the role contains.

Roles can be of the following types:

  • Primitive roles: Roles historically available in the Google Cloud Console. These roles are Owner, Editor, and Viewer. Avoid using these roles if possible, because they include a wide range of permissions across all Google Cloud services.
  • Predefined roles: Roles that give finer-grained access control than the primitive roles. For example, the predefined role Pub/Sub Publisher (roles/pubsub.publisher) provides access to only publish messages to a Pub/Sub topic.
  • Custom roles: Roles that you create to tailor permissions to the needs of your organization when predefined roles don’t meet your needs.

Primitive roles:

There are three roles that existed prior to the introduction of Cloud IAM: Owner, Editor, and Viewer. These roles are concentric; that is, the Owner role includes the permissions in the Editor role, and the Editor role includes the permissions in the Viewer role.

  • roles/viewer: Permissions for read-only actions that do not affect state, such as viewing (but not modifying) existing resources or data.
  • roles/editor: All viewer permissions, plus permissions for actions that modify state, such as changing existing resources.
  • roles/owner: All editor permissions and permissions to manage roles and permissions for a project and all resources within the project, Set up billing for a project.

Note: You cannot grant the owner role to a member for a project using the Cloud IAM API or the gcloud command-line tool. You can only add owners to a project using the Cloud Console. An invitation will be sent to the member via email and the member must accept the invitation to be made an owner of the project.

Predefined roles:

In addition to the primitive roles, Cloud IAM provides additional predefined roles that give granular access to specific Google Cloud Platform resources and prevent unwanted access to other resources. You can grant multiple roles to the same user. For example, the same user can have Network Admin and Log Viewer roles on a project and also have a Publisher role for a Pub/Sub topic within that project.

Custom roles:

In addition to the predefined roles, Cloud IAM also provides the ability to create customized Cloud IAM roles. You can create a custom Cloud IAM role with one or more permissions and then grant that custom role to users who are part of your organization.

How To Create A Custom IAM Role In GCP:

Hope you have enjoyed this article. In the next blog post, we will discuss the service account in Cloud IAM.

All the public cloud providers are changing the console user interface rapidly and due to this some of the screenshots used in our previous AWS blogs are no longer relevant. Hence, we have decided that from now onwards most of the demo will be done programmatically. Let us know your feedback on this in the comment section.

To get more details on cloud IAM roles, please refer below GCP documentation.

https://cloud.google.com/iam/docs/

https://cloud.google.com/iam/docs/understanding-roles

https://cloud.google.com/iam/docs/understanding-custom-roles

https://cloud.google.com/iam/docs/creating-custom-roles

 

Leave a Reply

Close Menu