
Roles (basic, predefined, custom) in GCP - Commands & Configuration

Introduction
When you want to control who can do what in your Google Cloud project, you use roles. Roles group permissions so you can give people just the access they need without confusion.
  • When you want to give a team member full control over all resources in a project.
  • When you want to allow a user to only view resources without making changes.
  • When you want to give a user permission to manage only specific services like Cloud Storage or Compute Engine.
  • When you want to create a role that fits your company’s unique needs by combining specific permissions.
  • When you want to follow the security best practice of least privilege by giving only necessary permissions.
Commands
This command gives Alice the Editor role on the project, allowing her to create and modify most resources.
Terminal
gcloud projects add-iam-policy-binding example-project --member=user:alice@example.com --role=roles/editor
Expected Output
Updated IAM policy for project [example-project].
--member - Specifies the user or service account to grant the role.
--role - Specifies the role to assign.
This command creates a custom role named Custom Viewer with permissions to view storage buckets and list objects.
Terminal
gcloud iam roles create customViewer --project=example-project --title="Custom Viewer" --permissions=storage.buckets.get,storage.objects.list --stage=GA
Expected Output
Created role [projects/example-project/roles/customViewer].
--permissions - Lists the permissions included in the custom role.
--stage - Sets the release stage of the role, here GA means generally available.
This command assigns the custom role Custom Viewer to Bob on the project.
Terminal
gcloud projects add-iam-policy-binding example-project --member=user:bob@example.com --role=projects/example-project/roles/customViewer
Expected Output
Updated IAM policy for project [example-project].
--member - Specifies the user to assign the role.
--role - Specifies the custom role to assign.
This command shows the current IAM policy for the project, listing who has which roles.
Terminal
gcloud projects get-iam-policy example-project
Expected Output
bindings:
- members:
  - user:alice@example.com
  role: roles/editor
- members:
  - user:bob@example.com
  role: projects/example-project/roles/customViewer
etag: BwW8xYz7v7k=
version: 3
Key Concept

If you remember nothing else from this pattern, remember: roles group permissions so you can easily control who can do what in your cloud project.

Common Mistakes
Assigning a role to a user without specifying the correct member type (like user:, serviceAccount:).
The command will fail or assign the role to the wrong identity.
Always prefix the member with the correct type, for example user:alice@example.com.
Trying to assign a custom role before creating it.
The assignment will fail because the role does not exist yet.
Create the custom role first, then assign it to users.
Using basic roles like Owner for all users without considering least privilege.
This gives too many permissions, increasing security risks.
Use predefined or custom roles with only the permissions needed.
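The three mistakes above can be caught by linting the policy that get-iam-policy returns. The following is an added example, not code from the original page or from Google: it takes the JSON form of the policy (gcloud projects get-iam-policy example-project --format=json) plus the set of custom roles that actually exist in the project, and flags basic-role grants, bindings to custom roles that were never created, and members missing a type prefix. The policy and role set are constructed sample data based on the bindings shown above, with one deliberately bad binding added.

```python
import json
import re

# Constructed sample: the JSON form of the policy shown on this page,
# plus a third binding that contains two of the common mistakes.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"members": ["user:alice@example.com"], "role": "roles/editor"},
    {"members": ["user:bob@example.com"],
     "role": "projects/example-project/roles/customViewer"},
    {"members": ["carol@example.com",
                 "serviceAccount:deploy@example-project.iam.gserviceaccount.com"],
     "role": "projects/example-project/roles/deployer"}
  ],
  "etag": "BwW8xYz7v7k=",
  "version": 3
}
""")

# Constructed: custom roles that exist in the project (what
# `gcloud iam roles list --project=example-project` would report).
EXISTING_CUSTOM_ROLES = {"projects/example-project/roles/customViewer"}

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Valid member prefixes for a binding; anything else is a malformed member.
MEMBER_RE = re.compile(r"^(user|serviceAccount|group|domain):.+")


def lint_policy(policy, custom_roles):
    """Return a list of (severity, message) findings for one IAM policy."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        members = binding.get("members", [])
        # Mistake 3: a basic role is broad; each grant deserves review.
        if role in BASIC_ROLES:
            for m in members:
                findings.append(("warn", f"basic role {role} granted to {m}; prefer predefined/custom"))
        # Mistake 2: a custom role (not under roles/) that was never created.
        if not role.startswith("roles/") and role not in custom_roles:
            findings.append(("error", f"custom role {role} is bound but does not exist"))
        # Mistake 1: member without user:, serviceAccount:, group: or domain: prefix.
        for m in members:
            if not MEMBER_RE.match(m):
                findings.append(("error", f"member '{m}' lacks a type prefix"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_policy(SAMPLE_POLICY, EXISTING_CUSTOM_ROLES):
        print(f"[{severity}] {message}")
```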
Summary
Use gcloud commands to assign basic, predefined, or custom roles to users.
Create custom roles when predefined roles do not fit your needs.
Check the project IAM policy to verify role assignments.

Practice

1. Which type of Google Cloud role provides broad access across all services with simple permissions like Owner, Editor, and Viewer?
easy
A. Predefined roles
B. Basic roles
C. Custom roles
D. Service accounts

Solution

  1. Step 1: Understand role categories

    Google Cloud has three main role types: basic, predefined, and custom.
  2. Step 2: Identify broad access roles

    Basic roles like Owner, Editor, and Viewer provide broad access across all services.
  3. Final Answer:

    Basic roles -> Option B
  4. Quick Check:

    Broad access = Basic roles [OK]
Hint: Basic roles cover broad access across all services [OK]
Common Mistakes:
  • Confusing predefined roles with basic roles
  • Thinking custom roles are broad by default
  • Mixing service accounts with roles
2. Which of the following is the correct way to create a custom role in Google Cloud IAM?
easy
A. Use the gcloud CLI with 'gcloud iam roles create' and specify permissions
B. Assign a predefined role to a user
C. Use the Google Cloud Console to assign a basic role
D. Create a service account with custom permissions

Solution

  1. Step 1: Identify how to create custom roles

    Custom roles require specifying exact permissions and are created via CLI or console.
  2. Step 2: Match correct command

    The 'gcloud iam roles create' command is used to create custom roles with specific permissions.
  3. Final Answer:

    Use the gcloud CLI with 'gcloud iam roles create' and specify permissions -> Option A
  4. Quick Check:

    Create custom role = gcloud iam roles create [OK]
Hint: Custom roles need explicit creation with permissions via CLI [OK]
Common Mistakes:
  • Confusing assigning roles with creating roles
  • Using service accounts to create roles
  • Assigning basic roles instead of creating custom ones
3. Given this snippet assigning roles to a user:
gcloud projects add-iam-policy-binding my-project \
  --member='user:alice@example.com' \
  --role='roles/storage.objectViewer'
What type of role is 'roles/storage.objectViewer'?
medium
A. Basic role
B. Custom role
C. Service account role
D. Predefined role

Solution

  1. Step 1: Analyze the role name format

    The role name 'roles/storage.objectViewer' follows the predefined role naming pattern.
  2. Step 2: Understand role types

    Predefined roles are specific to services and have names like 'roles/serviceName.roleName'.
  3. Final Answer:

    Predefined role -> Option D
  4. Quick Check:

    roles/storage.objectViewer = Predefined role [OK]
Hint: Predefined roles have service-specific names like roles/service.role [OK]
Common Mistakes:
  • Thinking all roles starting with 'roles/' are basic
  • Confusing custom roles with predefined roles
  • Assuming service accounts have roles
4. A user tries to create a custom role but gets an error. The command used is:
gcloud iam roles create myCustomRole --project=my-project --permissions=storage.buckets.list,compute.instances.create
What is the likely cause of the error?
medium
A. The command is missing the role title and description
B. Permissions must be comma-separated without spaces
C. The project ID is incorrect
D. Custom roles cannot include permissions from multiple services

Solution

  1. Step 1: Review required parameters for custom role creation

    Creating a custom role requires a title and description along with permissions.
  2. Step 2: Check the command for missing parameters

    The command lacks '--title' and '--description' flags, causing the error.
  3. Final Answer:

    The command is missing the role title and description -> Option A
  4. Quick Check:

    Missing title/description causes create role error [OK]
Hint: Always include title and description when creating custom roles [OK]
Common Mistakes:
  • Assuming permissions from multiple services are invalid
  • Ignoring required flags like title and description
  • Mistaking project ID errors for permission errors
5. You want to give a team member permission to manage only Compute Engine instances but no other services. Which role type should you assign and why?
hard
A. Custom role with all permissions, to cover all possible needs
B. Basic role Editor, because it covers all services including Compute Engine
C. Predefined Compute Engine Admin role, because it limits permissions to Compute Engine only
D. Basic role Viewer, because it allows managing instances

Solution

  1. Step 1: Understand the requirement

    The team member needs permissions only for Compute Engine, not other services.
  2. Step 2: Evaluate role types

    Basic roles are broad and cover all services; custom roles require manual permission selection; predefined roles offer service-specific permissions.
  3. Step 3: Choose the best fit

    The predefined Compute Engine Admin role grants full Compute Engine permissions without extra access.
  4. Final Answer:

    Predefined Compute Engine Admin role, because it limits permissions to Compute Engine only -> Option C
  5. Quick Check:

    Service-specific access = Predefined role [OK]
Hint: Use predefined roles for service-specific permissions [OK]
Common Mistakes:
  • Using broad basic roles instead of specific predefined roles
  • Assigning Viewer role expecting management permissions
  • Creating unnecessary custom roles without need