How to Create Custom Roles in GCP
Why Custom Roles Matter in GCP
Custom roles provide granular control over permissions, allowing organizations to implement the principle of least privilege. This approach enhances security by limiting the permissions assigned to users or service accounts, ensuring they have only the access necessary to perform their duties.
By creating custom roles in GCP, administrators can streamline project management, reduce unnecessary access, and ensure compliance with organizational policies.
While GCP provides basic roles (Viewer, Editor, and Owner) and a large catalogue of predefined roles, these roles often bundle more permissions than a given task needs. Custom roles allow you to:
- Enforce the Principle of Least Privilege
Grant only the permissions required for a user or service to perform specific actions.
- Tailor Permissions to Unique Workflows
Customize roles to fit your organizational needs, ensuring users can perform their tasks without accessing sensitive resources.
- Improve Operational Efficiency
Streamline project and billing management by assigning targeted permissions that align with responsibilities.
- Reduce Security Risks
Limit access to critical systems and sensitive data, mitigating potential threats.
Common Use Cases for Custom Roles
Custom roles can be tailored to suit a variety of operational needs, such as:
- Billing Administrator
Access billing data from BigQuery for financial reports and forecasting.
- Service Manager
Manage compute instances, disks, and networks for infrastructure oversight.
- Monitoring and Reporting (Service Advisor)
Access and analyze monitoring data to ensure systems are running efficiently.
Role-Based Permissions in GCP
Creating custom roles with specific permissions is a prerequisite for integrating services like CloudBolt CSMP, whose service account should hold only the permissions each function needs. The table below lists the core permission for each role and what it is used for; the complete permission lists appear in the examples further down.
| Role | Permission Required | Functionality |
|---|---|---|
| CloudBolt Billing Administrator | bigquery.jobs.create | Run queries and validate billing adapters. |
| CloudBolt Billing Administrator | bigquery.tables.getData | Fetch billing data from BigQuery. |
| Service Manager | resourcemanager.projects.get | Verify the project ID when authenticating with a service account key. |
| Service Manager | compute.instances.list | Fetch all instances in the project. |
| Service Advisor | monitoring.timeSeries.list | Access monitoring data to find idle resources. |
Step-by-Step: How to Create Custom Roles in GCP
Pre-requisites for Creating Custom Roles
Before creating custom roles, make sure you hold a role that carries the iam.roles.create permission at the scope (project or organization) where the role will live:
- roles/iam.roleAdmin (Role Administrator) – Create and manage custom roles within a project.
- roles/iam.organizationRoleAdmin (Organization Role Administrator) – Create and manage custom roles at the organization level.
- roles/owner (Owner) – The basic role that includes all IAM functions, including iam.roles.create. It is far broader than role management requires, so prefer one of the two role-administrator roles above for day-to-day work.
Note that iam.roles.create is a permission, not a role; each of the roles above includes it.
If you do not have one of these roles, contact your GCP organization administrator to grant you access.
1. Access the IAM & Admin Console
- Log in to the GCP Console
- Navigate to IAM & Admin from the side panel.
2. Select the Organization or Project
- At the top of the page, select the organization or project for which you want to create the custom role.
- Ensure you are selecting the correct scope: a custom role created in a project can only be granted on that project and its resources, while an organization-level custom role can be granted on any project in the organization.
3. Create a New Custom Role
- In the IAM & Admin dashboard, click Roles in the side menu.
- Click + Create Role at the top of the screen.
4. Define the Role Details
- Title: Enter a descriptive title for the role (e.g., “Billing Administrator”).
- ID: Auto-generated from the title, but it can be customized to match internal naming conventions. It may contain only letters, digits, periods, and underscores, and it cannot be changed after the role is created.
- Role Launch Stage: Choose Alpha (the default), Beta, or General Availability; use General Availability for production roles. The Disabled stage makes every binding to the role inactive, which is the safe way to retire a role before deleting it.
5. Add Permissions to the Role
- Click + Add Permissions.
- Use the filter bar to search for specific permissions.
- Select permissions that align with the role’s responsibilities.
Example for a Billing Administrator:
- bigquery.jobs.create – Run queries (used to validate billing adapters).
- bigquery.tables.getData – Read rows from the BigQuery billing export tables.
- bigquery.tables.list – View the available BigQuery tables.
- bigquery.readsessions.create – Create BigQuery Storage Read API sessions for bulk data import.
Example for a Service Manager:
- resourcemanager.projects.get – Read project information.
- compute.instances.list – View compute instances.
- compute.disks.list – List the project's disks.
After selecting all necessary permissions, click Add and then Create. The custom role (for example, CloudBolt Billing Administrator) is created with the assigned permissions and appears in the roles list.
Granting Custom Role Permissions
Once the custom role is created, you can assign it to principals:
1. Assign the Custom Role to Users
- Go to IAM & Admin → IAM.
- Select the project or organization where the role is created.
- Click + Add (labelled Grant access in newer versions of the console) to assign the role.
- Enter the principal’s email (user, service account, or group).
- Select the custom role from the dropdown list and click Save.
2. Assigning Permissions at the Organization Level
- For organization-wide roles, select the Organization instead of the project in the IAM section.
- Assign the custom role to the necessary users or service accounts.
3. Service Accounts and Custom Roles
- Service accounts can also be granted custom roles for automation or API-level interactions.
- Grant the role in the same place as for users: IAM & Admin → IAM, with the service account's email address (name@project-id.iam.gserviceaccount.com) entered as the principal.
- Do not confuse this with IAM & Admin → Service Accounts → Permissions, which edits the IAM policy on the service account itself. Roles granted there (such as Service Account User or Service Account Token Creator) control who may act as or impersonate the account, not what the account can do in the project.
Example: Creating a Billing Administrator Role
Permissions Required:
- bigquery.jobs.create
- bigquery.tables.getData
- bigquery.tables.list
- bigquery.readsessions.create
- bigquery.readsessions.getData
How to Apply:
- Create a new role titled Billing Administrator.
- Add the permissions listed above.
- Assign the role to users who need access to billing data.
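The same procedure can be done from the command line, which keeps the role definition in a file that can be reviewed and version-controlled. The script below is an added example, not CloudBolt's or Google's code: it writes the Billing Administrator role in the YAML layout that `gcloud iam roles create --file` accepts, creates the role, and binds it to a service account on the project. The project ID, role ID and service account email are placeholder assumptions, and gcloud commands are only printed unless APPLY=1 is set.

```shell
# Added example (not CloudBolt's or Google's code): the console procedure above,
# done with the gcloud CLI so the role definition lives in a reviewable file.
# Assumptions: PROJECT_ID, ROLE_ID and SA_EMAIL are placeholders; gcloud is
# installed and authenticated. Commands are only printed unless APPLY=1.

PROJECT_ID="${PROJECT_ID:-my-billing-project}"   # assumption
ROLE_ID="${ROLE_ID:-cloudbolt_billing_admin}"    # assumption; letters, digits, '.', '_' only
SA_EMAIL="${SA_EMAIL:-cloudbolt@${PROJECT_ID}.iam.gserviceaccount.com}"  # assumption

# Permissions for the Billing Administrator role listed on this page, one per line.
BILLING_PERMISSIONS="bigquery.jobs.create
bigquery.tables.getData
bigquery.tables.list
bigquery.readsessions.create
bigquery.readsessions.getData"

# Write a role definition in the YAML layout that `gcloud iam roles create --file`
# and `gcloud iam roles update --file` accept.
#   $1 output path  $2 title  $3 description
#   $4 launch stage (ALPHA, BETA, GA or DISABLED)  $5 newline-separated permissions
write_role_file() {
  {
    printf 'title: "%s"\n' "$2"
    printf 'description: "%s"\n' "$3"
    printf 'stage: "%s"\n' "$4"
    printf 'includedPermissions:\n'
    printf '%s\n' "$5" | sed 's/^/- /'
  } > "$1"
}

# Run a command, or just print it when APPLY is not 1 (the default), so the
# script can be read and tested without touching a project.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '+ %s\n' "$*"; fi
}

# Steps 3 to 5 of the console flow: create the role from the file.
create_role() {
  run gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" --file="$1"
}

# Review what was created; the output uses the same YAML layout as the input file.
describe_role() {
  run gcloud iam roles describe "$ROLE_ID" --project="$PROJECT_ID"
}

# "Granting Custom Role Permissions": the service account is the principal on the
# project's IAM policy, and the custom role is referenced by its project-scoped name.
bind_role_to_service_account() {
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:$SA_EMAIL" \
    --role="projects/$PROJECT_ID/roles/$ROLE_ID"
}

main() {
  role_file="${TMPDIR:-/tmp}/$ROLE_ID.yaml"
  write_role_file "$role_file" "CloudBolt Billing Administrator" \
    "Read access to the billing export tables in BigQuery" "GA" "$BILLING_PERMISSIONS"
  create_role "$role_file"
  describe_role
  bind_role_to_service_account
}

main
```

Run it once without APPLY to check the generated file and commands, then with `APPLY=1` to create and bind the role. For an organization-level role, replace `--project` with `--organization=ORG_ID` and reference the role as `organizations/ORG_ID/roles/ROLE_ID` in the binding. The same `write_role_file` function serves the Service Manager and Service Advisor roles from the table above; only the title and permission list change.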
Best Practices for Custom Roles
- Regularly Review Permissions
Periodically audit custom roles to ensure users only have the permissions necessary for their current tasks. IAM role recommendations, which are based on observed permission usage, are a good starting point for trimming a role.
- Use Least Privilege Model
Avoid assigning broad permissions that could expose sensitive resources, and keep permissions that change IAM policy or create service account keys out of data-access roles such as a billing reader.
- Label and Document Roles
Use consistent naming conventions and document the purpose of each custom role to maintain clarity across teams.
- Automate Role Assignment
Use automation tools (gcloud scripts, Terraform) to manage IAM policies programmatically, reducing manual errors.
- Utilize IAM Policy Simulator
Test role permissions using the IAM Policy Simulator to validate that users can only access intended resources.
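A lightweight check for the first two practices above can be scripted and run in CI. The script below is an added example, not CloudBolt's or Google's code. It reads a role definition in the same YAML layout used with `gcloud iam roles create` and `update`, plus a flattened `role,member` listing of a project's IAM policy, and reports custom-role permissions that would let the principal widen its own access, bindings to the basic Owner/Editor/Viewer roles, and public principals. The sample role and policy embedded in it are constructed, and the assumed source of the policy listing is `gcloud projects get-iam-policy PROJECT_ID --flatten="bindings[].members" --format="csv[no-heading](bindings.role,bindings.members)"`.

```shell
# Added example (not CloudBolt's or Google's code): a review script for the
# "Regularly Review Permissions" and "Use Least Privilege" practices.
# Inputs: a role definition YAML (the layout used with gcloud iam roles create/update)
# and a "role,member" listing of the project IAM policy, assumed to come from:
#   gcloud projects get-iam-policy "$PROJECT_ID" \
#     --flatten="bindings[].members" \
#     --format="csv[no-heading](bindings.role,bindings.members)"

# Permissions that let a principal widen its own access. A data-access role
# such as a billing reader should never carry them. Real permission names;
# the list is illustrative, not exhaustive.
ESCALATION_PERMISSIONS="resourcemanager.projects.setIamPolicy
iam.roles.update
iam.roles.create
iam.serviceAccountKeys.create
iam.serviceAccounts.actAs
iam.serviceAccounts.setIamPolicy
iam.serviceAccounts.getAccessToken"

# Constructed sample role definition (not from a real project): the billing
# role from this page with one key-creation permission slipped in.
SAMPLE_ROLE='title: "CloudBolt Billing Administrator"
stage: "GA"
includedPermissions:
- bigquery.jobs.create
- bigquery.tables.getData
- bigquery.tables.list
- iam.serviceAccountKeys.create'

# Constructed sample policy listing, one "role,member" per line (not from a real project).
SAMPLE_POLICY='roles/owner,user:alice@example.com
roles/editor,serviceAccount:legacy-app@my-billing-project.iam.gserviceaccount.com
roles/viewer,allAuthenticatedUsers
projects/my-billing-project/roles/cloudbolt_billing_admin,serviceAccount:cloudbolt@my-billing-project.iam.gserviceaccount.com'

# Print the permissions of a role definition, one per line.
role_permissions() {
  printf '%s\n' "$1" | sed -n 's/^- *//p'
}

# Report permissions in the role that appear in ESCALATION_PERMISSIONS.
# Output: one "ESCALATION <permission>" line per finding; nothing if the role is clean.
check_role() {
  role_permissions "$1" | while read -r perm; do
    if printf '%s\n' "$ESCALATION_PERMISSIONS" | grep -qx "$perm"; then
      printf 'ESCALATION %s\n' "$perm"
    fi
  done
}

# Report basic-role bindings (Owner/Editor/Viewer) and public principals.
# Output: "BASIC_ROLE <role> <member>" or "PUBLIC <role> <member>" per finding.
check_policy() {
  printf '%s\n' "$1" | while IFS=, read -r role member; do
    case "$role" in
      roles/owner|roles/editor|roles/viewer)
        printf 'BASIC_ROLE %s %s\n' "$role" "$member" ;;
    esac
    case "$member" in
      allUsers|allAuthenticatedUsers)
        printf 'PUBLIC %s %s\n' "$role" "$member" ;;
    esac
  done
}

# Total number of findings, so a CI job can fail when it is non-zero.
finding_count() {
  { check_role "$1"; check_policy "$2"; } | grep -c . || true
}

main() {
  check_role "$SAMPLE_ROLE"
  check_policy "$SAMPLE_POLICY"
  printf 'findings: %s\n' "$(finding_count "$SAMPLE_ROLE" "$SAMPLE_POLICY")"
}

main
```

On the constructed sample the script flags the key-creation permission in the role, the three basic-role bindings, and the allAuthenticatedUsers principal (which is counted under both checks), for five findings in total. To review a real project, replace the two sample strings with the contents of your role file and the gcloud listing above, and treat any ESCALATION finding in a data-access role as a blocker.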
Conclusion
Creating custom roles in Google Cloud Platform enhances security, simplifies operations, and ensures users and services operate with just the right amount of access. By defining roles that align with organizational needs, businesses can safeguard their cloud environments while maintaining operational efficiency. For more insights into GCP, check out Google’s IAM documentation.
