How to Create and Manage Custom Roles in GCP

In Google Cloud, Identity and Access Management (IAM) allows the administrator to authorize the use of specific resources. With IAM, you can adopt the security principle of least privilege, which gives only the required permissions. You can manage resources by deciding who(identity) and what access(role) can be given to the organization or owner. 

A role is a set of permissions that control what operations can be performed on a particular resource. The three roles used to access resources are: 

1. Basic Roles: Basic roles contain the Owner, Editor, and Viewer permissions. 

2. Predefined Roles: These are the set of permissions that are fully managed by Google. But what if you want to add or remove certain permission? Here’s where the Custom role comes in!

3. Custom roles: These are user-defined roles containing permissions to access resources in Google Cloud. They are created within a project or an organisation. They are not managed by Google. Instead, it’s the user who owns and manages it.

Required Permission

To create a custom role, you need to have the following permission: iam.roles.create 

By default, the project owner has this permission. However, if you’re not an owner, you must have assigned the Organisation Role Administrator role (roles/iam.organizationRoleAdmin)  or IAM Role Administrator role (roles/iam.roleAdmin). 

Make a new custom role

To create new custom roles from scratch, follow the given steps: 

1. Go to the Roles page in GCP 
2. From the Organisation drop-down, select your organization. 
3. Click on the Create Role 
4. Fill up the Name, Title, and Description for the role. 

5. Choose the permissions you want to include in the role and then click Add Permission.  

Custom roles with predefined roles

You can also create custom roles from existing predefined roles. Here are the steps to follow: 

1. Go to the Roles page in the Google Cloud console 
2. Select in which project you want to create a role. 
3. Choose the role on which you would like to base the new role.
4. Click on the Create Role from the selection. 
5. Enter Name, Title, Description, and Role Launch Stage for the role. 
6. Uncheck the permissions you don’t want in the role 
7. Add any permission by clicking on Add Permission 
8. Click Create 

Updating the Custom roles

The read-modify-write pattern is commonly used to update the roles. However, it can cause friction if two or more owners of a project attempt to change roles simultaneously. To avoid this clash, IAM uses the etag property. It helps to determine whether the custom roles have changed since the last request. Update the roles on the roles page by following the steps: 

1. Click Edit Role.
2. Edit the role’s Title, Description, or Role launch stage to update its metadata.
3. Follow these steps to update the role’s permissions:
   1. New permission can be added to the role by clicking Add Permissions.
   2. To remove permissions from a role, uncheck permissions.
4. Once the role has been edited, click Update to save it. 

Disable a custom role  

Select the project from which you want to disable the role and then: 

1. Select the custom role you want to disable.
2. Click on Disable. 

Deleting a custom role  

Click on the role you want to delete and choose to delete at the top of the page. Deleted roles leave a trace in your allow policies, but do not have any effect on any role bindings. Within seven days, you can undelete a role. In this timeframe, the Google Cloud console shows the role as deleted user can opt to undelete within the period of 7 days after that the role is permanently deleted.