How To Create A Custom IAM Role In GCP
Hello Everyone
Welcome to CloudAffaire and this is Debjeet.
In the last blog post, we discussed identity and access management in GCP.
https://cloudaffaire.com/cloud-identity-and-access-management-iam-in-gcp/
In this blog post, we are going to discuss custom IAM roles in GCP.
What Are Roles In GCP?
A role is a collection of permissions. You cannot grant a permission to the user directly. Instead, you grant them a role. When you grant a role to a user, you grant them all the permissions that the role contains.
Roles can be of the following types:
- Primitive roles: Roles historically available in the Google Cloud Console. These roles are Owner, Editor, and Viewer. Avoid using these roles if possible, because they include a wide range of permissions across all Google Cloud services.
- Predefined roles: Roles that give finer-grained access control than the primitive roles. For example, the predefined role Pub/Sub Publisher (roles/pubsub.publisher) provides access to only publish messages to a Pub/Sub topic.
- Custom roles: Roles that you create to tailor permissions to the needs of your organization when predefined roles don’t meet your needs.
Primitive roles:
There are three roles that existed prior to the introduction of Cloud IAM: Owner, Editor, and Viewer. These roles are concentric; that is, the Owner role includes the permissions in the Editor role, and the Editor role includes the permissions in the Viewer role.
- roles/viewer: Permissions for read-only actions that do not affect state, such as viewing (but not modifying) existing resources or data.
- roles/editor: All viewer permissions, plus permissions for actions that modify state, such as changing existing resources.
- roles/owner: All editor permissions, plus permissions to manage roles and permissions for a project and all resources within the project, and to set up billing for a project.
Note: You cannot grant the owner role to a member for a project using the Cloud IAM API or the gcloud command-line tool. You can only add owners to a project using the Cloud Console. An invitation will be sent to the member via email and the member must accept the invitation to be made an owner of the project.
Predefined roles:
In addition to the primitive roles, Cloud IAM provides additional predefined roles that give granular access to specific Google Cloud Platform resources and prevent unwanted access to other resources. You can grant multiple roles to the same user. For example, the same user can have Network Admin and Log Viewer roles on a project and also have a Publisher role for a Pub/Sub topic within that project.
Custom roles:
In addition to the predefined roles, Cloud IAM also provides the ability to create customized Cloud IAM roles. You can create a custom Cloud IAM role with one or more permissions and then grant that custom role to users who are part of your organization.
How To Create A Custom IAM Role In GCP:
#################################################
## How To Create/Update/Delete Cloud IAM Roles ##
#################################################

## Prerequisite: gcloud installed and configured
## https://cloudaffaire.com/gcloud-installation-and-configuration/

## List all the available roles
gcloud iam roles list

## List all roles related to specific resources (for example, cloud storage)
gcloud iam roles list \
--filter="name: roles/storage.*"

## Get metadata for a specific role
gcloud iam roles describe roles/storage.objectAdmin

## Create a custom role
gcloud iam roles create mycustomrole --project cloudaffaire \
--title "Role Viewer" --description "My custom cloud storage role" \
--permissions storage.objects.get,storage.objects.list --stage GA

## Fields of a role definition:
## ROLE-DESCRIPTION: a short description of the role, such as "My custom cloud storage role".
## ETAG-VALUE: the unique identifier for the current version of the role, such as BwVkBkbfr70=.
## includedPermissions: the list of one or more permissions to include in the custom role.
## ROLE-ID: hierarchical ID for the role, depending on whether it was created at the project or organization level.
## LAUNCH-STAGE: the stage of the role in the launch lifecycle, such as ALPHA, BETA, or GA.
## ROLE-TITLE: a friendly title for the role, such as "Role Viewer".

## Get details of your custom role
gcloud iam roles describe mycustomrole --project cloudaffaire
## description: My custom cloud storage role
## etag: BwWclU2r7Wc=
## includedPermissions:
## - storage.objects.get
## - storage.objects.list
## name: projects/cloudaffaire/roles/mycustomrole
## stage: GA
## title: Role Viewer

## Create a YAML file from the above output with the additional permissions
## storage.objects.create and storage.objects.delete
vi mycustomroledef.yaml
----------------------
description: My updated custom cloud storage role
etag: BwWclU2r7Wc=
includedPermissions:
- storage.objects.get
- storage.objects.list
- storage.objects.create
- storage.objects.delete
name: projects/cloudaffaire/roles/mycustomrole
stage: GA
title: Object Admin
----------------------
:wq

## Update your custom role with the role definition YAML file
gcloud iam roles update mycustomrole --project cloudaffaire \
--file mycustomroledef.yaml

## Disable your custom role
gcloud iam roles update mycustomrole --project cloudaffaire \
--stage DISABLED

## Delete your custom role
gcloud iam roles delete mycustomrole --project cloudaffaire

## Recover your custom role
gcloud iam roles undelete mycustomrole --project cloudaffaire
## The role can only be undeleted within 7 days of deletion
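Before feeding an edited role file to `gcloud iam roles update --file`, it is worth reviewing what the update actually changes: which permissions are added or removed, whether any of them are write permissions or belong to a service other than the one the role is meant to cover, and whether the etag still matches the role as it exists now. The script below is an added example written for this post, not part of the original walkthrough or of the gcloud tooling. It parses the flat YAML layout that `gcloud iam roles describe` prints (only that subset of YAML, so it needs no PyYAML) and compares the page's original role definition with the updated one. The two embedded definitions are copied from the output above; the list of verbs treated as "write" and the `storage` service restriction are review-policy assumptions, not anything IAM enforces.

```python
import re

# Constructed sample: the definition `gcloud iam roles describe` returned for
# the role as first created (matches the output shown on the page).
CURRENT_ROLE = """\
description: My custom cloud storage role
etag: BwWclU2r7Wc=
includedPermissions:
- storage.objects.get
- storage.objects.list
name: projects/cloudaffaire/roles/mycustomrole
stage: GA
title: Role Viewer
"""

# Constructed sample: the edited file passed to `gcloud iam roles update --file`.
PROPOSED_ROLE = """\
description: My updated custom cloud storage role
etag: BwWclU2r7Wc=
includedPermissions:
- storage.objects.get
- storage.objects.list
- storage.objects.create
- storage.objects.delete
name: projects/cloudaffaire/roles/mycustomrole
stage: GA
title: Object Admin
"""

# IAM permissions have the shape service.resource.verb
PERMISSION_RE = re.compile(r"^[a-z][a-zA-Z0-9]*\.[a-zA-Z0-9]+\.[a-zA-Z0-9]+$")
VALID_STAGES = {"ALPHA", "BETA", "GA", "DISABLED"}  # the stages the post uses
# Assumption: verbs a reviewer treats as state-changing.
WRITE_VERBS = {"create", "delete", "update", "setIamPolicy"}


def parse_role(text):
    """Parse the flat key/value layout of a role definition file, where the
    only nested structure is the includedPermissions list."""
    role = {}
    current_list = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):
            if current_list is None:
                raise ValueError(f"list item outside a list: {line!r}")
            current_list.append(line[2:].strip())
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"unparseable line: {line!r}")
        key, value = key.strip(), value.strip()
        if value:
            role[key] = value
            current_list = None
        else:
            role[key] = []          # a key with no value starts a list
            current_list = role[key]
    role.setdefault("includedPermissions", [])
    return role


def permission_diff(current, proposed):
    """Return (added, removed) permission lists between two parsed roles."""
    before = set(current["includedPermissions"])
    after = set(proposed["includedPermissions"])
    return sorted(after - before), sorted(before - after)


def review_update(current, proposed, allowed_service):
    """Return the findings a reviewer should resolve before applying the
    update; an empty list means the file looks clean."""
    findings = []
    if proposed.get("name") != current.get("name"):
        findings.append(f"name changed: {current.get('name')} -> {proposed.get('name')}")
    if proposed.get("etag") != current.get("etag"):
        findings.append("etag does not match the current role; regenerate the file from a fresh describe")
    if proposed.get("stage") not in VALID_STAGES:
        findings.append(f"unknown stage: {proposed.get('stage')}")
    added, removed = permission_diff(current, proposed)
    for perm in proposed["includedPermissions"]:
        if not PERMISSION_RE.match(perm):
            findings.append(f"malformed permission: {perm}")
            continue
        service, _, verb = perm.split(".")
        if service != allowed_service:
            findings.append(f"permission outside {allowed_service}.*: {perm}")
        if perm in added and verb in WRITE_VERBS:
            findings.append(f"grants new write permission: {perm}")
    for perm in removed:
        findings.append(f"removes permission (members relying on it lose access): {perm}")
    return findings


if __name__ == "__main__":
    cur, new = parse_role(CURRENT_ROLE), parse_role(PROPOSED_ROLE)
    print("added:", permission_diff(cur, new)[0])
    for finding in review_update(cur, new, "storage"):
        print("finding:", finding)
```

Run against the page's own update, the review reports exactly two findings: the new `storage.objects.create` and `storage.objects.delete` grants. That is the intended change here, but the same check would catch a permission from another service slipping into a "storage role", or a stale etag copied from an older describe.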
Hope you have enjoyed this article. In the next blog post, we will discuss the service account in Cloud IAM.
All the public cloud providers are changing the console user interface rapidly and due to this some of the screenshots used in our previous AWS blogs are no longer relevant. Hence, we have decided that from now onwards most of the demo will be done programmatically. Let us know your feedback on this in the comment section.
To get more details on Cloud IAM roles, please refer to the GCP documentation below.
https://cloud.google.com/iam/docs/
https://cloud.google.com/iam/docs/understanding-roles
https://cloud.google.com/iam/docs/understanding-custom-roles
https://cloud.google.com/iam/docs/creating-custom-roles