Understanding IAM Custom Roles
You can create a custom role at the organization level and at the project level. However, you cannot create custom roles at the folder level.
Permissions are represented in the form
<service>.<resource>.<verb>
for example: compute.instances.list
A custom role can only be used in IAM policies on the project or organization that owns the role, or on resources under that project or organization.
Required permissions and roles
To create a custom role, a caller must have the iam.roles.create permission. It is included in the following predefined roles:
Organization Role Administrator role (roles/iam.organizationRoleAdmin), for organization-level custom roles
IAM Role Administrator role (roles/iam.roleAdmin), for project-level custom roles
Viewing the available permissions for a resource (the command takes the full resource name; a project is shown here)
gcloud iam list-testable-permissions //cloudresourcemanager.googleapis.com/projects/$DEVSHELL_PROJECT_ID
Permissions flagged NOT_SUPPORTED in the output cannot be included in a custom role; permissions flagged TESTING can be, but may change.
Getting the role metadata
gcloud iam roles describe [ROLE_NAME] (a predefined role ID, or a custom role with --project or --organization)
gcloud iam roles describe roles/viewer
gcloud iam roles describe roles/editor
To create a custom role using a YAML file
vi role-definition.yaml
title: "Role Editor"
description: "Edit access for App Versions"
stage: "ALPHA"
includedPermissions:
- appengine.versions.create
- appengine.versions.delete
gcloud iam roles create editor --project $DEVSHELL_PROJECT_ID \
--file role-definition.yaml
Created role [editor].
description: Edit access for App Versions
etag: BwVs4O4E3e4=
includedPermissions:
- appengine.versions.create
- appengine.versions.delete
name: projects/[PROJECT_ID]/roles/editor
stage: ALPHA
title: Role Editor
Creating a custom role using flags
gcloud iam roles create viewer --project $DEVSHELL_PROJECT_ID \
--title "Role Viewer" --description "Custom role description." \
--permissions compute.instances.get,compute.instances.list --stage ALPHA
Created role [viewer].
description: Custom role description.
etag: BwVs4PYHqYI=
includedPermissions:
- compute.instances.get
- compute.instances.list
name: projects/[PROJECT_ID]/roles/viewer
stage: ALPHA
title: Role Viewer
Listing the custom roles
gcloud iam roles list --project $DEVSHELL_PROJECT_ID
Editing an existing custom role
To update a custom role using a YAML file, first describe the role and copy its current etag into the new definition. The etag is an optimistic-concurrency token: if the role changed between describe and update, the etags no longer match and the update is rejected instead of silently overwriting someone else's change.
gcloud iam roles describe editor --project $DEVSHELL_PROJECT_ID
description: Edit access for App Versions
etag: BwXCsFdYv0o=
includedPermissions:
- appengine.versions.create
- appengine.versions.delete
name: projects/qwiklabs-gcp-03-867ca1078c1e/roles/editor
stage: ALPHA
title: Role Editor
vi new-role-definition.yaml
description: Edit access for App Versions
etag: BwVxIBjfN3M=
includedPermissions:
- appengine.versions.create
- appengine.versions.delete
- storage.buckets.get
- storage.buckets.list
name: projects/[PROJECT_ID]/roles/editor
stage: ALPHA
title: Role Editor
gcloud iam roles update editor --project $DEVSHELL_PROJECT_ID --file new-role-definition.yaml
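Before running the update above it is worth checking the file offline: which permissions it adds or removes relative to the live role, whether every name has the <service>.<resource>.<verb> form, and whether the etag still matches the describe output. The following script is an added example, not part of the original notes or of gcloud. It assumes the two inputs are the YAML that `gcloud iam roles describe` prints (saved with a shell redirect, e.g. `> current.yaml`) and the definition file you intend to submit; the file names, the project ID `example-project` and the sample role contents below are constructed for illustration.

```python
"""Preflight check before `gcloud iam roles update ROLE --file new-role-definition.yaml`.

Added example (not part of the original notes): parses the current role as
printed by `gcloud iam roles describe ROLE --project PROJECT` and the proposed
definition file, then reports the permission delta, any malformed permission
names, and whether the file's etag still matches the live role.  Only the flat
YAML subset that `gcloud iam roles describe` emits is parsed (scalar keys plus a
one-level `includedPermissions` list), so no PyYAML is required.
"""
import re
import sys

# Permission names take the form <service>.<resource>.<verb>.  This is a format
# check only; `gcloud iam list-testable-permissions` is the authority on which
# permissions actually exist for a resource.
PERMISSION_RE = re.compile(r"^[a-z][a-z0-9]*\.[A-Za-z0-9]+\.[A-Za-z0-9]+$")


def parse_role_yaml(text):
    """Parse the flat YAML subset used for role definitions into a dict.

    Scalar keys become strings (surrounding quotes stripped); a key with an
    empty value followed by `- item` lines becomes a list.
    """
    role = {}
    current_list = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):
            if current_list is None:
                raise ValueError(f"list item outside a list: {raw!r}")
            current_list.append(line[2:].strip().strip('"'))
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"cannot parse line: {raw!r}")
        value = value.strip().strip('"')
        if value:
            role[key.strip()] = value
            current_list = None
        else:
            current_list = role.setdefault(key.strip(), [])
    return role


def invalid_permissions(perms):
    """Return the permission names that do not match <service>.<resource>.<verb>."""
    return [p for p in perms if not PERMISSION_RE.match(p)]


def preflight(current_text, proposed_text):
    """Compare a live role (describe output) with a proposed definition file."""
    current = parse_role_yaml(current_text)
    proposed = parse_role_yaml(proposed_text)
    cur_perms = set(current.get("includedPermissions", []))
    new_perms = set(proposed.get("includedPermissions", []))
    report = {
        # The etag is IAM's optimistic-concurrency token: a stale one means the
        # role changed since describe ran, and the update must not proceed.
        "etag_matches": proposed.get("etag") == current.get("etag"),
        "added": sorted(new_perms - cur_perms),
        "removed": sorted(cur_perms - new_perms),
        "invalid": invalid_permissions(sorted(new_perms)),
        "stage": (current.get("stage"), proposed.get("stage")),
    }
    report["ok"] = report["etag_matches"] and not report["invalid"]
    return report


# Constructed sample inputs, modelled on the describe output in the notes;
# the project ID is a placeholder.
CURRENT_ROLE = """\
description: Edit access for App Versions
etag: BwXCsFdYv0o=
includedPermissions:
- appengine.versions.create
- appengine.versions.delete
name: projects/example-project/roles/editor
stage: ALPHA
title: Role Editor
"""

# Same definition, but with an etag copied from an older describe run and a
# typo in one permission name: either problem should block the update.
STALE_PROPOSAL = CURRENT_ROLE.replace("BwXCsFdYv0o=", "BwVxIBjfN3M=").replace(
    "- appengine.versions.delete\n",
    "- appengine.versions.delete\n- storage.buckets.get\n- storage.buckets\n",
)

# Corrected file: current etag, two well-formed permissions added.
FRESH_PROPOSAL = CURRENT_ROLE.replace(
    "- appengine.versions.delete\n",
    "- appengine.versions.delete\n- storage.buckets.get\n- storage.buckets.list\n",
)


def main(argv):
    """Usage: preflight.py current.yaml new.yaml (no arguments: run on the samples)."""
    if len(argv) == 3:
        with open(argv[1]) as f_cur, open(argv[2]) as f_new:
            report = preflight(f_cur.read(), f_new.read())
    else:
        report = preflight(CURRENT_ROLE, STALE_PROPOSAL)
    for key, value in report.items():
        print(f"{key}: {value}")
    return 0 if report["ok"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 preflight.py current.yaml new-role-definition.yaml` after saving the describe output to current.yaml; a non-zero exit means either the etag is stale (re-run describe and copy the new etag) or a permission name is malformed. The "added" list is the one to review for least privilege before the change goes in, since every extra permission widens what all principals bound to the role can do.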
To update a custom role using flags
gcloud iam roles describe viewer --project $DEVSHELL_PROJECT_ID
description: Custom role description.
etag: BwXCsFyYXGs=
includedPermissions:
- compute.instances.get
- compute.instances.list
name: projects/qwiklabs-gcp-03-867ca1078c1e/roles/viewer
stage: ALPHA
title: Role Viewer
gcloud iam roles update viewer --project $DEVSHELL_PROJECT_ID --add-permissions storage.buckets.get,storage.buckets.list
description: Custom role description.
etag: BwXCsIGVf6M=
includedPermissions:
- compute.instances.get
- compute.instances.list
- storage.buckets.get
- storage.buckets.list
name: projects/qwiklabs-gcp-03-867ca1078c1e/roles/viewer
stage: ALPHA
title: Role Viewer
Disabling a custom role (bindings that reference the role stay in the policy but grant nothing while its stage is DISABLED)
gcloud iam roles update viewer --project $DEVSHELL_PROJECT_ID --stage DISABLED
description: Custom role description.
etag: BwXCsIeZQcs=
includedPermissions:
- compute.instances.get
- compute.instances.list
- storage.buckets.get
- storage.buckets.list
name: projects/qwiklabs-gcp-03-867ca1078c1e/roles/viewer
stage: DISABLED
title: Role Viewer
Deleting a custom role
gcloud iam roles delete viewer --project $DEVSHELL_PROJECT_ID
deleted: true
description: Custom role description.
etag: BwXCsIpRAkM=
includedPermissions:
- compute.instances.get
- compute.instances.list
- storage.buckets.get
- storage.buckets.list
name: projects/qwiklabs-gcp-03-867ca1078c1e/roles/viewer
stage: DISABLED
title: Role Viewer
The role can be undeleted within 7 days. During that window, bindings that reference the role remain in policies but are inactive.
After 7 days, the role enters a permanent deletion process that lasts 30 days.
After 37 days, the role ID is available to be used again.
Undeleting a custom role (the role comes back in the stage it had when deleted, here DISABLED, so it still has to be re-enabled with --stage before it grants anything)
gcloud iam roles undelete viewer --project $DEVSHELL_PROJECT_ID
description: Custom role description.
etag: BwXCsJhLFsY=
includedPermissions:
- compute.instances.get
- compute.instances.list
- storage.buckets.get
- storage.buckets.list
name: projects/qwiklabs-gcp-03-867ca1078c1e/roles/viewer
stage: DISABLED
title: Role Viewer