IAM Custom Roles

Understanding IAM Custom Roles

You can create a custom role at the organization level or at the project level. You cannot create custom roles at the folder level.

Permissions are represented in the form

<service>.<resource>.<verb>

for example:

compute.instances.list

Custom roles can only be used to grant permissions in policies for the same project or organization that owns the role, or for resources under it.

Required permissions and roles

To create a custom role, a caller must have the iam.roles.create permission. The following predefined roles include it:

Organization Role Administrator role (roles/iam.organizationRoleAdmin)

IAM Role Administrator role (roles/iam.roleAdmin)

Viewing the available permissions for a resource

gcloud iam list-testable-permissions [FULL_RESOURCE_NAME]

For example, for a project: gcloud iam list-testable-permissions //cloudresourcemanager.googleapis.com/projects/[PROJECT_ID]

Getting the role metadata

gcloud iam roles describe [ROLE_NAME]

gcloud iam roles describe roles/viewer
gcloud iam roles describe roles/editor

To create a custom role using a YAML file

vi role-definition.yaml

title: "Role Editor"
description: "Edit access for App Versions"
stage: "ALPHA"
includedPermissions:
- appengine.versions.create
- appengine.versions.delete

gcloud iam roles create editor --project $DEVSHELL_PROJECT_ID \
--file role-definition.yaml

Created role [editor].
description: Edit access for App Versions
etag: BwVs4O4E3e4=
includedPermissions:
- appengine.versions.create
- appengine.versions.delete
name: projects/[PROJECT_ID]/roles/editor
stage: ALPHA
title: Role Editor

Create a custom role using flags

gcloud iam roles create viewer --project $DEVSHELL_PROJECT_ID \
--title "Role Viewer" --description "Custom role description." \
--permissions compute.instances.get,compute.instances.list --stage ALPHA

Created role [viewer].
description: Custom role description.
etag: BwVs4PYHqYI=
includedPermissions:
- compute.instances.get
- compute.instances.list
name: projects/[PROJECT_ID]/roles/viewer
stage: ALPHA
title: Role Viewer

Listing the custom roles

gcloud iam roles list --project $DEVSHELL_PROJECT_ID

Editing an existing custom role

To update a custom role using a YAML file

gcloud iam roles describe editor --project $DEVSHELL_PROJECT_ID

description: Edit access for App Versions
etag: BwXCsFdYv0o=
includedPermissions:
- appengine.versions.create
- appengine.versions.delete
name: projects/qwiklabs-gcp-03-867ca1078c1e/roles/editor
stage: ALPHA
title: Role Editor

vi new-role-definition.yaml

description: Edit access for App Versions
etag: BwVxIBjfN3M=
includedPermissions:
- appengine.versions.create
- appengine.versions.delete
- storage.buckets.get
- storage.buckets.list
name: projects/[PROJECT_ID]/roles/editor
stage: ALPHA
title: Role Editor

gcloud iam roles update editor --project $DEVSHELL_PROJECT_ID --file new-role-definition.yaml
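As an added example (not part of these lab notes), a small Python pre-flight check for the file-based update above: it parses the describe output and the proposed definition, diffs the permissions, flags an etag in the file that no longer matches the live role (the etag is the concurrency token the update is checked against), and warns when the update extends the role into a service it did not cover before. The two role texts are constructed to mirror the editor role above; parse_role and review_update are names chosen for this example.

```python
import re

# Permission IDs take the form <service>.<resource>.<verb>, e.g. compute.instances.list
PERM_RE = re.compile(r"^[a-z][a-zA-Z0-9]*\.[a-zA-Z0-9]+\.[a-zA-Z0-9]+$")

# Constructed samples: the current role as `gcloud iam roles describe` prints it,
# and a proposed new-role-definition.yaml that adds two storage permissions.
CURRENT_ROLE = """\
etag: BwXCsFdYv0o=
includedPermissions:
- appengine.versions.create
- appengine.versions.delete
name: projects/[PROJECT_ID]/roles/editor
stage: ALPHA
"""
PROPOSED_ROLE = """\
etag: BwVxIBjfN3M=
includedPermissions:
- appengine.versions.create
- appengine.versions.delete
- storage.buckets.get
- storage.buckets.list
name: projects/[PROJECT_ID]/roles/editor
stage: ALPHA
"""

def parse_role(text):
    """Parse the flat YAML subset gcloud prints for a role: scalar keys plus one list."""
    role, key = {}, None
    for line in text.splitlines():
        if not line.strip(): continue
        if line.startswith("- "):            # list item belonging to the previous key
            role.setdefault(key, []).append(line[2:].strip())
        else:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip().strip('"')
            role[key] = value if value else []   # bare "key:" opens a list
    return role

def review_update(current_text, proposed_text):
    """Diff permissions and return findings to resolve before `gcloud iam roles update --file`."""
    cur, new = parse_role(current_text), parse_role(proposed_text)
    cur_perms, new_perms = set(cur.get("includedPermissions", [])), set(new.get("includedPermissions", []))
    # A stale etag means the file was edited from an older describe than the live role
    findings = ["etag mismatch: refresh the file from `roles describe`"] if cur.get("etag") != new.get("etag") else []
    findings += [f"malformed permission id: {p}" for p in sorted(new_perms) if not PERM_RE.match(p)]
    cur_services = {p.split(".")[0] for p in cur_perms}
    findings += [f"expands role into a new service: {p}" for p in sorted(new_perms - cur_perms)
                 if p.split(".")[0] not in cur_services]
    return {"added": sorted(new_perms - cur_perms), "removed": sorted(cur_perms - new_perms), "findings": findings}
```

Run review_update(CURRENT_ROLE, PROPOSED_ROLE) before applying the update; an empty findings list means the file is current and only adds permissions within services the role already touched.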

To update a custom role using flags

gcloud iam roles describe viewer --project $DEVSHELL_PROJECT_ID

description: Custom role description.
etag: BwXCsFyYXGs=
includedPermissions:
- compute.instances.get
- compute.instances.list
name: projects/qwiklabs-gcp-03-867ca1078c1e/roles/viewer
stage: ALPHA
title: Role Viewer

gcloud iam roles update viewer --project $DEVSHELL_PROJECT_ID --add-permissions storage.buckets.get,storage.buckets.list

description: Custom role description.
etag: BwXCsIGVf6M=
includedPermissions:
- compute.instances.get
- compute.instances.list
- storage.buckets.get
- storage.buckets.list
name: projects/qwiklabs-gcp-03-867ca1078c1e/roles/viewer
stage: ALPHA
title: Role Viewer

Disabling a custom role

gcloud iam roles update viewer --project $DEVSHELL_PROJECT_ID --stage DISABLED

description: Custom role description.
etag: BwXCsIeZQcs=
includedPermissions:
- compute.instances.get
- compute.instances.list
- storage.buckets.get
- storage.buckets.list
name: projects/qwiklabs-gcp-03-867ca1078c1e/roles/viewer
stage: DISABLED
title: Role Viewer

Deleting a custom role

gcloud iam roles delete viewer --project $DEVSHELL_PROJECT_ID

deleted: true
description: Custom role description.
etag: BwXCsIpRAkM=
includedPermissions:
- compute.instances.get
- compute.instances.list
- storage.buckets.get
- storage.buckets.list
name: projects/qwiklabs-gcp-03-867ca1078c1e/roles/viewer
stage: DISABLED
title: Role Viewer

The role can be undeleted within 7 days.

After 7 days, the role enters a permanent deletion process that lasts 30 days.

After 37 days, the role ID is available to be used again.

Undeleting a custom role

gcloud iam roles undelete viewer --project $DEVSHELL_PROJECT_ID

description: Custom role description.
etag: BwXCsJhLFsY=
includedPermissions:
- compute.instances.get
- compute.instances.list
- storage.buckets.get
- storage.buckets.list
name: projects/qwiklabs-gcp-03-867ca1078c1e/roles/viewer
stage: DISABLED
title: Role Viewer
