Types of IAM Roles
- Predefined roles: These are created and maintained by Google. Their permissions are automatically updated as necessary, such as when new features or services are added to Google Cloud.
- Custom roles: These are user-defined; you create a custom role by combining one or more of the available Cloud IAM permissions. Custom roles are not maintained by Google and are not updated automatically. They can be created at the organization level and at the project level, but not at the folder level.
Some commonly used project-level roles provided by Google are mentioned below:
Role | Permissions
---|---
Viewer | Permissions for read-only actions, like viewing existing resources.
Editor | All Viewer permissions + permissions for actions that modify state, like changing existing resources.
Owner | All Editor permissions + permissions for:
Browser |
The structure of a Cloud IAM permission looks like this:
<service>.<resource>.<verb>
Examples:
- storage.bucket.admin: grants the ability to manage storage buckets, including creating, editing, and deleting buckets.
- compute.instances.stop: allows a user to stop a virtual machine.
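The following is an added example (not code from the original page) that applies the <service>.<resource>.<verb> structure above to the custom-role idea from the list of role types: it parses permission strings, classifies verbs as read-only or state-modifying (the verb classification and the setIamPolicy check are assumptions for the example, based on common Google Cloud verb naming), and refuses to build a "read-only" custom role that would actually let its holder change state or grant access to others. The sample permission list is constructed.

```python
import re
from dataclasses import dataclass

# Grammar from the page: <service>.<resource>.<verb>
_PERMISSION_RE = re.compile(r"^([a-z][a-z0-9]*)\.([A-Za-z0-9]+)\.([A-Za-z0-9]+)$")

# Which verbs only read state is an assumption for this example (based on
# common Google Cloud verb naming), not a list taken from the page.
READ_ONLY_VERB_PREFIXES = ("get", "list")
# Verbs that let the holder change who else has access (assumption, as above).
ESCALATION_VERBS = {"setIamPolicy"}


@dataclass(frozen=True)
class Permission:
    service: str
    resource: str
    verb: str

    @property
    def is_read_only(self) -> bool:
        return self.verb.startswith(READ_ONLY_VERB_PREFIXES)


def parse_permission(text: str) -> Permission:
    """Split e.g. 'compute.instances.stop' into (service, resource, verb)."""
    match = _PERMISSION_RE.match(text)
    if match is None:
        raise ValueError(f"not a <service>.<resource>.<verb> permission: {text!r}")
    return Permission(*match.groups())


def build_custom_role(title: str, permissions: list, read_only: bool) -> dict:
    """Build a custom-role definition using the same keys as the YAML file
    that `gcloud iam roles create --file` reads, rejecting any permission
    that contradicts the role's stated intent."""
    problems = []
    for perm in (parse_permission(p) for p in permissions):
        name = f"{perm.service}.{perm.resource}.{perm.verb}"
        if read_only and not perm.is_read_only:
            problems.append(f"{name} modifies state")
        if perm.verb in ESCALATION_VERBS:
            problems.append(f"{name} can grant access to others")
    if problems:
        raise ValueError("; ".join(problems))
    return {"title": title, "stage": "GA", "includedPermissions": sorted(permissions)}


# Constructed sample: the permissions a VM-inventory job actually needs.
MONITOR_PERMISSIONS = ["compute.instances.list", "compute.instances.get", "compute.zones.list"]
```

Writing the returned dict out as YAML gives a least-privilege role that only grants what the job needs, instead of binding the broad predefined Editor role.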
How to Use Cloud Identity and Access Management (IAM) For Access Control on GCP?
IAM defines "who can do what on which resource". Cloud IAM (Identity and Access Management) offers a standardized set of functions and integrates access management for Google Cloud services into a single solution. You create and manage permissions for Google Cloud resources using the IAM service provided by Google Cloud, which gives administrators the tools to manage resource rights efficiently and with a high degree of automation. Users do not receive permissions directly from you; instead, you grant them roles, each of which combines one or more permissions. This lets you map users and groups in your organization to specific job responsibilities: users have access only to the resources they need to do their tasks, and administrators can easily assign default permissions to large groups of users.