Introducing custom roles, a powerful way to make Cloud IAM policies more precise
Rohit Khare
Product Manager
As enterprises move their applications, services and data to the cloud, it’s critical that they put appropriate access controls in place to help ensure that the right people can access the right data at the right time. That’s why we’re excited to announce the beta release of custom roles for Cloud IAM.
Custom roles offer customers full control of 1,287 public permissions across Google Cloud Platform services. This helps administrators grant users the permissions they need to do their jobs — and only those permissions. Fine-grained access controls help enforce the principle of least privilege for resources and data on GCP.
Verily is using custom roles to uphold the highest standards of patient trust by carefully managing the granularity of data access granted to people and programs based on their ‘need-to-know’.” — Harriet Brown, Product Manager for Trust, Compliance, and Data Security at Verily Life Sciences
— Harriet Brown, Product Manager for Trust, Compliance, and Data Security at Verily Life Sciences
Understanding IAM roles
IAM offers three primitive roles for Owner, Editor, and Viewer that make it easy to get started, and over one hundred service-specific predefined roles that combine a curated set of permissions necessary to complete different tasks across GCP. In many cases, predefined roles are sufficient for controlling access to GCP services. For example, the Cloud SQL Viewer predefined role combines 14 permissions necessary to allow users to browse and export databases.Custom roles complement the primitive and predefined roles when you need to be even more precise. For example, an auditor may only need to access a database to gather audit findings so they know what data is being collected, but not to read the actual data or perform any other operations. You can build your own “Cloud SQL Inventory” custom role to grant auditors browse access to databases without giving them permission to export their contents.
How to create custom roles
To begin crafting custom roles, we recommend starting from the available predefined roles. These predefined roles are appropriate for most use cases and often only need small changes to the permissions list to meet an organization's requirements. Here’s how you could implement a custom role for the above use case:Step 1: Select the predefined role that you’d like to customize, in this case Cloud SQL Viewer:
Step 2: Clone the predefined role and give it a custom name and ID. Add or remove the desired permissions for your new custom role. In this case, that’s removing
cloudsql.instances.export.
How to use custom roles
Custom roles are available now in the Cloud Console, on the Roles tab under the ‘IAM & admin’ menu; as a REST API; and on the command line asgcloud beta iam
. As you create a custom role, you can also assign it a lifecycle stage to inform your users about the readiness of the role for production usage.IAM supports custom roles for projects and across entire organizations to centralize development, testing, maintenance, and sharing of roles.