Bird
Raised Fist0
GCPcloud~15 mins

Roles (basic, predefined, custom) in GCP - Deep Dive

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Overview - Roles (basic, predefined, custom)
What is it?
Roles in Google Cloud Platform (GCP) are sets of permissions that define what actions a user or service can perform. There are three main types: basic roles, predefined roles, and custom roles. Basic roles are broad and cover many permissions, predefined roles are more specific and tailored to common tasks, and custom roles let you create your own permission sets. These roles help control access to cloud resources safely and efficiently.
Why it matters
Without roles, anyone could do anything in your cloud environment, which risks security and accidental damage. Roles let you give just the right amount of access to people or programs, protecting your data and services. This control helps companies avoid costly mistakes, data leaks, or downtime, making cloud use safer and more reliable.
Where it fits
Before learning about roles, you should understand basic cloud concepts like projects and permissions. After roles, you can learn about Identity and Access Management (IAM) policies and how to apply roles to users and services. This knowledge leads to mastering secure cloud architecture and compliance.
Mental Model
Core Idea
A role is a key that unlocks specific doors (permissions) in your cloud environment, controlling what actions are allowed.
Think of it like...
Think of roles like job badges in a company: a janitor badge lets you clean rooms, a manager badge lets you approve budgets, and a custom badge can be made for special tasks. Each badge gives access only to the areas needed for that job.
┌───────────────┐
│   User/Service│
└──────┬────────┘
       │
       ▼
┌───────────────┐
│     Role      │
│ (Set of       │
│  Permissions) │
└──────┬────────┘
       │
       ▼
┌───────────────┐
│ Cloud Resource│
│ (What can be  │
│  accessed)    │
└───────────────┘
Build-Up - 7 Steps
1
FoundationUnderstanding Permissions and Access
🤔
Concept: Permissions are specific actions allowed on cloud resources, like reading data or starting a server.
In GCP, every action you want to do needs permission. For example, to view files in storage, you need 'storage.objects.get' permission. Permissions are the smallest unit of access control.
Result
You know that permissions control what can be done, but managing them one by one is hard.
Understanding permissions is key because roles are just groups of these permissions bundled together.
2
FoundationWhat Are Roles in GCP?
🤔
Concept: Roles group permissions to simplify access management.
Instead of assigning many permissions individually, GCP uses roles. A role is a collection of permissions. Assigning a role to a user or service account grants all permissions in that role.
Result
You can manage access more easily by assigning roles instead of individual permissions.
Knowing roles group permissions helps you see how GCP simplifies security management.
3
IntermediateBasic Roles: Broad Access Sets
🤔Before reading on: do you think basic roles give very specific or very broad access? Commit to your answer.
Concept: Basic roles are broad and cover many permissions across all services.
GCP has three basic roles: Owner, Editor, and Viewer. Owner can do everything including managing roles, Editor can change resources but not manage roles, and Viewer can only see resources. These roles are easy to use but can give too much access.
Result
Assigning a basic role grants wide access, which might be more than needed.
Understanding basic roles helps you avoid giving too much access accidentally.
4
IntermediatePredefined Roles: Tailored Permissions
🤔Before reading on: do you think predefined roles are created by users or by Google? Commit to your answer.
Concept: Predefined roles are created by Google to fit common job functions with specific permissions.
Google offers many predefined roles like 'Storage Admin' or 'Compute Viewer' that include only the permissions needed for those tasks. These roles help follow the principle of least privilege, giving users only what they need.
Result
Using predefined roles improves security by limiting access to necessary actions.
Knowing predefined roles exist helps you assign more precise access without creating roles yourself.
5
IntermediateCustom Roles: Creating Your Own Access
🤔Before reading on: do you think custom roles can include any permissions or only a fixed set? Commit to your answer.
Concept: Custom roles let you combine permissions from any service to fit unique needs.
If basic or predefined roles don’t fit your needs, you can create custom roles. You pick exactly which permissions to include. This is useful for special jobs or security policies.
Result
Custom roles give you full control over access but require careful planning.
Understanding custom roles empowers you to tailor security precisely to your organization.
6
AdvancedAssigning Roles with IAM Policies
🤔Before reading on: do you think roles are assigned directly to users or through policies? Commit to your answer.
Concept: Roles are assigned to users or service accounts using IAM policies that define who has what role on which resource.
IAM policies are JSON documents that bind members (users, groups, or service accounts) to roles on resources like projects or buckets. This lets you control access at different levels.
Result
You can manage access flexibly and securely across your cloud environment.
Knowing how roles fit into IAM policies is crucial for effective access control.
7
ExpertRole Hierarchy and Permission Inheritance
🤔Before reading on: do you think permissions from roles assigned at a higher level apply to lower resources? Commit to your answer.
Concept: Roles assigned at higher resource levels apply to all resources below, creating inheritance of permissions.
If you assign a role at the project level, it applies to all resources in that project. This inheritance simplifies management but can cause unintended access if not carefully planned.
Result
You understand how access flows through resource hierarchy and can avoid privilege leaks.
Understanding inheritance prevents security mistakes and helps design clear access boundaries.
Under the Hood
GCP stores IAM policies as JSON documents attached to resources. Each policy lists bindings that connect members to roles. When a user requests an action, GCP checks all policies from the resource up through its parents to see if any role grants the needed permission. This evaluation happens quickly and securely to enforce access control.
Why designed this way?
This design balances flexibility and performance. By attaching policies at different resource levels and using role inheritance, GCP lets administrators manage access efficiently without repeating settings. It also supports a wide range of use cases from simple to complex security needs.
┌───────────────┐
│   User/Member │
└──────┬────────┘
       │
       ▼
┌───────────────┐
│   IAM Policy  │
│ (Bindings:    │
│  Member → Role)│
└──────┬────────┘
       │
       ▼
┌───────────────┐
│    Role       │
│ (Permissions) │
└──────┬────────┘
       │
       ▼
┌───────────────┐
│ Cloud Resource│
│ (Project,     │
│  Bucket, VM)  │
└───────────────┘
Myth Busters - 4 Common Misconceptions
Quick: Does assigning a basic role always give minimal access? Commit to yes or no.
Common Belief:Basic roles are safe because they are predefined and simple.
Tap to reveal reality
Reality:Basic roles are very broad and often give more permissions than needed, risking security.
Why it matters:Using basic roles carelessly can expose your cloud environment to accidental or malicious changes.
Quick: Can custom roles include permissions from any GCP service? Commit to yes or no.
Common Belief:Custom roles are limited to a fixed set of permissions.
Tap to reveal reality
Reality:Custom roles can include any permissions available in GCP, allowing precise access control.
Why it matters:Knowing this lets you create roles perfectly matched to your needs, improving security.
Quick: Does assigning a role at a resource level affect only that resource? Commit to yes or no.
Common Belief:Roles assigned to a resource affect only that resource.
Tap to reveal reality
Reality:Roles assigned at higher levels (like projects) apply to all child resources, due to inheritance.
Why it matters:Misunderstanding inheritance can lead to unintended access and security breaches.
Quick: Are IAM policies only attached to users? Commit to yes or no.
Common Belief:IAM policies are assigned only to individual users.
Tap to reveal reality
Reality:IAM policies can assign roles to users, groups, and service accounts, enabling flexible access management.
Why it matters:Ignoring service accounts or groups can cause gaps or excesses in access control.
Expert Zone
1
Custom roles must be carefully maintained as GCP updates permissions; some permissions may be deprecated or added, requiring role updates.
2
Predefined roles are updated by Google to reflect best practices, so using them can reduce maintenance compared to custom roles.
3
Role assignment at the organization level can override project-level roles, creating complex access scenarios that require careful policy review.
When NOT to use
Avoid using basic roles in production environments due to their broad permissions; prefer predefined or custom roles. For very dynamic or temporary access, consider using IAM Conditions or Access Context Manager instead of static roles.
Production Patterns
In production, teams often use predefined roles for common tasks and custom roles for specialized needs. They assign roles at the project or folder level to manage access inheritance and use service accounts with minimal roles for automation. Regular audits ensure roles match current needs.
Connections
Access Control Lists (ACLs)
Both control access but ACLs assign permissions directly to resources, while roles group permissions for easier management.
Understanding roles helps grasp why grouping permissions simplifies access control compared to managing many ACL entries.
Principle of Least Privilege (Security)
Roles enable applying the principle by granting only necessary permissions to users or services.
Knowing roles supports least privilege helps design secure cloud environments that minimize risk.
Organizational Hierarchies (Business Management)
Role inheritance in GCP mirrors how authority flows in organizations from top management to teams.
Seeing this connection clarifies why permissions assigned at higher levels affect all sub-levels, just like decisions cascade in companies.
Common Pitfalls
#1Assigning Owner role to all users for convenience.
Wrong approach:gcloud projects add-iam-policy-binding my-project --member='user:alice@example.com' --role='roles/owner'
Correct approach:gcloud projects add-iam-policy-binding my-project --member='user:alice@example.com' --role='roles/viewer'
Root cause:Misunderstanding that Owner role grants full control, which is often unnecessary and risky.
#2Creating custom roles without reviewing permissions regularly.
Wrong approach:Creating a custom role once and never updating it as GCP evolves.
Correct approach:Regularly auditing and updating custom roles to align with current permissions and security needs.
Root cause:Assuming roles are static and do not require maintenance.
#3Assigning roles only at resource level without considering inheritance.
Wrong approach:Assigning a role to a VM instance but ignoring project-level roles that grant broader access.
Correct approach:Reviewing IAM policies at all levels to understand effective permissions.
Root cause:Not understanding how IAM policies inherit permissions through resource hierarchy.
Key Takeaways
Roles in GCP group permissions to control who can do what with cloud resources.
Basic roles are broad and easy but often too powerful; predefined roles offer more precise access.
Custom roles let you tailor permissions exactly but require careful management.
IAM policies assign roles to users or services, and permissions inherit down resource hierarchies.
Understanding roles and their assignment is essential for secure and efficient cloud access control.

Practice

(1/5)
1. Which type of Google Cloud role provides broad access across all services with simple permissions like Owner, Editor, and Viewer?
easy
A. Predefined roles
B. Basic roles
C. Custom roles
D. Service accounts

Solution

  1. Step 1: Understand role categories

    Google Cloud has three main role types: basic, predefined, and custom.

  2. Step 2: Identify broad access roles

    Basic roles like Owner, Editor, and Viewer provide broad access across all services.

  3. Final Answer:

    Basic roles -> Option B

  4. Quick Check:

    Broad access = Basic roles [OK]
Hint: Basic roles cover broad access across all services [OK]
Common Mistakes:
  • Confusing predefined roles with basic roles
  • Thinking custom roles are broad by default
  • Mixing service accounts with roles
2. Which of the following is the correct way to create a custom role in Google Cloud IAM?
easy
A. Use the gcloud CLI with 'gcloud iam roles create' and specify permissions
B. Assign a predefined role to a user
C. Use the Google Cloud Console to assign a basic role
D. Create a service account with custom permissions

Solution

  1. Step 1: Identify how to create custom roles

    Custom roles require specifying exact permissions and are created via CLI or console.

  2. Step 2: Match correct command

    The 'gcloud iam roles create' command is used to create custom roles with specific permissions.

  3. Final Answer:

    Use the gcloud CLI with 'gcloud iam roles create' and specify permissions -> Option A

  4. Quick Check:

    Create custom role = gcloud iam roles create [OK]
Hint: Custom roles need explicit creation with permissions via CLI [OK]
Common Mistakes:
  • Confusing assigning roles with creating roles
  • Using service accounts to create roles
  • Assigning basic roles instead of creating custom ones
3. Given this snippet assigning roles to a user: 
gcloud projects add-iam-policy-binding my-project \
  --member='user:alice@example.com' \
  --role='roles/storage.objectViewer'
What type of role is 'roles/storage.objectViewer'?
medium
A. Basic role
B. Custom role
C. Service account role
D. Predefined role

Solution

  1. Step 1: Analyze the role name format

    The role name 'roles/storage.objectViewer' follows the predefined role naming pattern.

  2. Step 2: Understand role types

    Predefined roles are specific to services and have names like 'roles/serviceName.roleName'.

  3. Final Answer:

    Predefined role -> Option D

  4. Quick Check:

    roles/storage.objectViewer = Predefined role [OK]
Hint: Predefined roles have service-specific names like roles/service.role [OK]
Common Mistakes:
  • Thinking all roles starting with 'roles/' are basic
  • Confusing custom roles with predefined roles
  • Assuming service accounts have roles
4. A user tries to create a custom role but gets an error. The command used is: 
gcloud iam roles create myCustomRole --project=my-project --permissions=storage.buckets.list,compute.instances.create
What is the likely cause of the error?
medium
A. The command is missing the role title and description
B. Permissions must be comma-separated without spaces
C. The project ID is incorrect
D. Custom roles cannot include permissions from multiple services

Solution

  1. Step 1: Review required parameters for custom role creation

    Creating a custom role requires a title and description along with permissions.

  2. Step 2: Check the command for missing parameters

    The command lacks '--title' and '--description' flags, causing the error.

  3. Final Answer:

    The command is missing the role title and description -> Option A

  4. Quick Check:

    Missing title/description causes create role error [OK]
Hint: Always include title and description when creating custom roles [OK]
Common Mistakes:
  • Assuming permissions from multiple services are invalid
  • Ignoring required flags like title and description
  • Mistaking project ID errors for permission errors
5. You want to give a team member permission to manage only Compute Engine instances but no other services. Which role type should you assign and why?
hard
A. Custom role with all permissions, to cover all possible needs
B. Basic role Editor, because it covers all services including Compute Engine
C. Predefined Compute Engine Admin role, because it limits permissions to Compute Engine only
D. Basic role Viewer, because it allows managing instances

Solution

  1. Step 1: Understand the requirement

    The team member needs permissions only for Compute Engine, not other services.

  2. Step 2: Evaluate role types

    Basic roles are broad and cover all services; custom roles require manual permission selection; predefined roles offer service-specific permissions.

  3. Step 3: Choose the best fit

    The predefined Compute Engine Admin role grants full Compute Engine permissions without extra access.

  4. Final Answer:

    Predefined Compute Engine Admin role, because it limits permissions to Compute Engine only -> Option C

  5. Quick Check:

    Service-specific access = Predefined role [OK]
Hint: Use predefined roles for service-specific permissions [OK]
Common Mistakes:
  • Using broad basic roles instead of specific predefined roles
  • Assigning Viewer role expecting management permissions
  • Creating unnecessary custom roles without need