
Finer-grained security using custom roles for Cloud IAM

January 31, 2018
Rohit Khare

Product Manager

Pradeep Madhavarapu

Engineering Manager

IT security aims to ensure the right people have access to the right resources and use them in the right ways. Making sure those are the only things that can happen is the "principle of least privilege," a cornerstone of enterprise security policy. Custom roles for Cloud IAM make that easier with the power to pick the precise permissions people need to do their jobs—and are now generally available.

Google Cloud Platform (GCP) offers hundreds of predefined roles that range from "Owner" to product- and job-specific roles as narrow as "Cloud Storage Viewer." These are curated combinations of the thousands of IAM permissions that control every API in GCP, from starting a virtual machine to making predictions using machine learning models. For even finer-grained access control, custom roles now offer production-level support for remixing permissions across all GCP services.

Security that’s built to fit

Consider a tool that needs access to multiple GCP services to inventory Cloud Storage buckets, BigQuery tables and Cloud Spanner databases. Enumerating data doesn’t require privileges to decrypt that data. While predefined roles to view an entire project may grant .query, .decrypt and .get as a set, custom roles make it possible to grant .get permission on its own. Since a custom role can also combine permissions from multiple GCP services, you can put all of the permissions for a service account in one place—and then share that new role across your entire organization.
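One way to check such an inventory role before it is created, as an added example that is not part of the original post or of Google's sample code: a small linter that accepts only metadata verbs in a custom-role definition. The role title, the `lint_role` helper and the sample permission list are assumptions constructed for illustration; confirm each permission against the list of permissions supported in custom roles.

```python
# Added example (not from the original post): lint a custom-role definition
# for a metadata-only inventory tool before it is created.
import json

# Verbs an inventory tool needs: enumerate and read metadata, nothing else.
ALLOWED_VERBS = {"get", "list"}

# Constructed sample in the shape of a custom-role definition file
# (title / description / stage / includedPermissions).
INVENTORY_ROLE = {
    "title": "Data Inventory Reader",  # hypothetical role title
    "description": "Enumerate buckets, tables and databases; no data access.",
    "stage": "GA",
    "includedPermissions": [
        "storage.buckets.list",
        "storage.buckets.get",
        "bigquery.datasets.get",
        "bigquery.tables.list",
        "bigquery.tables.get",
        "spanner.instances.list",
        "spanner.databases.list",
        "spanner.databases.get",
    ],
}

def lint_role(role, allowed_verbs=ALLOWED_VERBS):
    """Return (permission, reason) pairs for entries that break the policy."""
    findings = []
    seen = set()
    for perm in role.get("includedPermissions", []):
        parts = perm.split(".")
        if len(parts) != 3 or not all(parts):
            findings.append((perm, "not in service.resource.verb form"))
            continue
        if perm in seen:
            findings.append((perm, "duplicate entry"))
        seen.add(perm)
        # Exact match on the verb: 'getData' must not pass because it starts
        # with 'get', and 'useToDecrypt' is a data-access verb.
        if parts[2] not in allowed_verbs:
            findings.append((perm, f"verb '{parts[2]}' exceeds inventory needs"))
    return findings

if __name__ == "__main__":
    widened = dict(INVENTORY_ROLE)
    widened["includedPermissions"] = INVENTORY_ROLE["includedPermissions"] + [
        "bigquery.tables.getData", "cloudkms.cryptoKeyVersions.useToDecrypt"]
    print(json.dumps({"clean": lint_role(INVENTORY_ROLE),
                      "widened": lint_role(widened)}, indent=2))
```

Running a check like this in review or CI catches a role that has drifted from reading metadata to reading or decrypting the data itself.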


Custom roles aren’t just for services; users can also benefit from roles that are properly tailored to get their jobs done. For example, one regulation may state that a privacy auditor should be able to inspect all the personally identifiable information (PII) stored about your customers; another, that only full-time employees should process such data. Depending on job roles, it may be too powerful to grant BigQuery Data Owner to an auditor (who shouldn’t be able to delete data); yet BigQuery Data Viewer may be too weak for employees (who also need to search the data and run reports). IAM custom roles allow you to include or exclude permissions to match specific job roles.

As the largest owner and operator of shopping centers in Australia and New Zealand, data security is crucial to our business. Google Cloud IAM custom roles help us meet our security standards, legislative requirements and remain compliant with the Australian Privacy Principles. With this feature, we can implement identity and access control to the authorized tasks performed by a specific person or machine, allowing us to fine-tune permissions and rigorously conform to the principle of least privilege.

— Evgeny Minkevich, Integration Solution Architect, Scentre Group

Managing custom roles

GCP is constantly expanding and evolving, and so is the set of permissions that control all of its APIs. Almost all permissions are available for customization today, with the exception of a few that are only tested and supported in predefined role combinations. To keep abreast of new permissions, and changes in the support level of existing ones, you can now rely on a central permission change log for all public GCP services as well as a list of all supported permissions in custom roles.

We also suggest some recommended practices for testing, deploying and maintaining your own custom roles. To track and control changes to your custom roles, we’ve improved our integration with Cloud Deployment Manager to create and update custom roles, both within projects and across entire organizations (sample code). Together with existing Deployment Manager features that control how resources are created, organized and secured, IAM custom roles can help automate applying the principle of least privilege.

What’s next

We continue to invest in making IAM more powerful and easier to use, including helping you to create and manage custom roles. That starts with regular updates on permission changes, so you can keep your own custom roles in sync with Google’s new services, roles and permissions. It extends into research with the Forseti Security open source initiative to explain why a permission was granted or denied. We want the principle of "least privilege" to take the least effort, too!
