
Roles (basic, predefined, custom) in GCP - Commands & Configuration

Introduction
When you want to control who can do what in your Google Cloud project, you use roles. Roles group permissions so you can give people just the access they need without confusion.
When you want to give a team member full control over all resources in a project.
When you want to allow a user to only view resources without making changes.
When you want to give a user permission to manage only specific services like Cloud Storage or Compute Engine.
When you want to create a role that fits your company’s unique needs by combining specific permissions.
When you want to follow the security best practice of least privilege by giving only necessary permissions.
Commands
This command gives Alice the Editor role on the project, allowing her to create and modify most resources.
Terminal
gcloud projects add-iam-policy-binding example-project --member=user:alice@example.com --role=roles/editor
Expected Output
Updated IAM policy for project [example-project].
--member - Specifies the user or service account the role is granted to.
--role - Specifies the role to assign.
This command creates a custom role with the ID customViewer and the title "Custom Viewer", containing the permissions to get storage buckets and list objects.
Terminal
gcloud iam roles create customViewer --project=example-project --title="Custom Viewer" --permissions=storage.buckets.get,storage.objects.list --stage=GA
Expected Output
Created role [projects/example-project/roles/customViewer].
--permissions - Lists the permissions included in the custom role.
--stage - Sets the release stage of the role; here GA means generally available.
This command assigns the custom role Custom Viewer to Bob on the project.
Terminal
gcloud projects add-iam-policy-binding example-project --member=user:bob@example.com --role=projects/example-project/roles/customViewer
Expected Output
Updated IAM policy for project [example-project].
--member - Specifies the user the role is assigned to.
--role - Specifies the custom role to assign.
This command shows the current IAM policy for the project, listing who has which roles.
Terminal
gcloud projects get-iam-policy example-project
Expected Output
bindings:
- members:
  - user:alice@example.com
  role: roles/editor
- members:
  - user:bob@example.com
  role: projects/example-project/roles/customViewer
etag: BwW8xYz7v7k=
version: 3
Key Concept

If you remember nothing else from this pattern, remember: roles group permissions so you can easily control who can do what in your cloud project.

Common Mistakes
Assigning a role to a user without specifying the correct member type (like user:, serviceAccount:).
The command will fail or assign the role to the wrong identity.
Always prefix the member with the correct type, for example user:alice@example.com.
Trying to assign a custom role before creating it.
The assignment will fail because the role does not exist yet.
Create the custom role first, then assign it to users.
Using basic roles like Owner for all users without considering least privilege.
This gives too many permissions, increasing security risks.
Use predefined or custom roles with only the permissions needed.
Summary
Use gcloud commands to assign basic, predefined, or custom roles to users.
Create custom roles when predefined roles do not fit your needs.
Check the project IAM policy to verify role assignments.
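The following is an added example, not code from the original page: a small Python helper that refuses a member without its type prefix before building the add-iam-policy-binding command (the first mistake above), and audits the policy returned by gcloud projects get-iam-policy example-project --format=json for basic-role bindings and for a specific custom-role assignment (the third mistake and the last summary point). The --format=json flag is gcloud's own; the sample policy is constructed inline so the script runs offline.

```python
"""Pre-flight a binding command and audit a project IAM policy.

Added example, not from the original page. The policy is the JSON form of
`gcloud projects get-iam-policy example-project --format=json`; SAMPLE_POLICY
is constructed here so the script runs without gcloud.
"""
import json
import shlex

# Basic roles are project-wide and very broad: flag every binding that uses them.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Member prefixes gcloud expects; a bare email is the "missing prefix" mistake.
MEMBER_PREFIXES = ("user:", "serviceAccount:", "group:", "domain:")

# Constructed sample policy shaped like gcloud's JSON output (not real data).
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"members": ["user:alice@example.com"], "role": "roles/editor"},
        {"members": ["user:bob@example.com"],
         "role": "projects/example-project/roles/customViewer"},
    ],
    "etag": "BwW8xYz7v7k=",
    "version": 3,
})


def binding_command(project: str, member: str, role: str) -> str:
    """Build the add-iam-policy-binding command line, refusing a member
    that lacks its type prefix so it cannot bind the wrong identity."""
    if not member.startswith(MEMBER_PREFIXES):
        raise ValueError(f"member {member!r} needs a prefix such as user:")
    return shlex.join(["gcloud", "projects", "add-iam-policy-binding", project,
                       f"--member={member}", f"--role={role}"])


def audit_policy(policy_json: str) -> list[str]:
    """Return one finding per member that holds a basic role."""
    policy = json.loads(policy_json)
    return [f"{m} holds basic role {b['role']}; prefer predefined or custom"
            for b in policy.get("bindings", [])
            for m in b.get("members", []) if b["role"] in BASIC_ROLES]


def members_with_role(policy_json: str, role: str) -> list[str]:
    """Verify an assignment: list every member bound to `role`."""
    policy = json.loads(policy_json)
    return sorted(m for b in policy.get("bindings", [])
                  if b["role"] == role for m in b.get("members", []))


if __name__ == "__main__":
    print(binding_command("example-project", "user:bob@example.com",
                          "projects/example-project/roles/customViewer"))
    for finding in audit_policy(SAMPLE_POLICY):
        print("FINDING:", finding)
```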