Roles are the mechanism for granting permissions in GCP. Choosing the right role type is critical for implementing least privilege. GCP offers three categories, each with different levels of granularity and management.
Basic roles are the original access control mechanism from before IAM existed. They apply across all services in a project.
| Role | Permissions | Permission Count |
|---|---|---|
| roles/viewer | Read-only access to all resources | ~8,000+ |
| roles/editor | Read + write access to all resources (except IAM and billing) | ~15,000+ |
| roles/owner | Full control including IAM management and billing | ~18,000+ |
| roles/browser | Read access to browse the resource hierarchy | ~50 |
```text
Scenario: You want to give Alice read access to Cloud Storage

Option A (Basic): roles/viewer
  → Grants read access to EVERY service: Compute Engine, Cloud SQL,
    BigQuery, Pub/Sub, Cloud Functions, networking, etc.
  → ~8,000 permissions granted

Option B (Predefined): roles/storage.objectViewer
  → Grants read access to Cloud Storage objects ONLY
  → ~3 permissions granted: storage.objects.get, storage.objects.list,
    resourcemanager.projects.get
```
Predefined roles are created and maintained by Google. They are scoped to specific services and grant only the permissions needed for common tasks.
| Service | Role | Purpose |
|---|---|---|
| Compute Engine | roles/compute.instanceAdmin.v1 | Full control of VM instances |
| Compute Engine | roles/compute.viewer | Read-only access to Compute Engine |
| Cloud Storage | roles/storage.objectViewer | Read Cloud Storage objects |
| Cloud Storage | roles/storage.objectAdmin | Full control of Cloud Storage objects |
| Cloud Storage | roles/storage.admin | Full control of buckets and objects |
| BigQuery | roles/bigquery.dataViewer | Read BigQuery datasets and tables |
| BigQuery | roles/bigquery.dataEditor | Read and write BigQuery data |
| BigQuery | roles/bigquery.jobUser | Run BigQuery jobs (queries) |
| Cloud SQL | roles/cloudsql.client | Connect to Cloud SQL instances |
| Cloud Run | roles/run.invoker | Invoke Cloud Run services |
| IAM | roles/iam.serviceAccountUser | Act as a service account |
| Kubernetes | roles/container.admin | Full access to GKE clusters |
```bash
# List all predefined roles
gcloud iam roles list --filter="name:roles/"

# List roles for a specific service
gcloud iam roles list --filter="name:roles/storage"

# View permissions in a role
gcloud iam roles describe roles/storage.objectViewer

# Search for roles containing a specific permission
gcloud iam roles list --filter="includedPermissions:storage.objects.get"
```
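To make the role-selection logic concrete, here is an added Python example (not from this lesson and not part of Google's tooling) that parses the YAML `gcloud iam roles describe` prints, answers the "which roles contain this permission" question offline, and, for a required permission set such as Alice's in the scenario above, picks the candidate role with the fewest surplus permissions. The role definitions embedded in it are constructed, heavily abbreviated stand-ins; in practice the YAML comes from the `gcloud` commands shown, and `roles/viewer` alone carries thousands of entries.

```python
import re
from typing import Dict, Optional, Set, Tuple

# Constructed sample: abbreviated stand-ins for `gcloud iam roles describe <role>`
# output. Only a handful of permissions are listed per role so the example runs
# offline; real includedPermissions lists are far longer.
SAMPLE_ROLE_YAML: Dict[str, str] = {
    "roles/storage.objectViewer": """\
description: Read access to objects without listing buckets.
includedPermissions:
- resourcemanager.projects.get
- storage.objects.get
- storage.objects.list
name: roles/storage.objectViewer
stage: GA
title: Storage Object Viewer
""",
    "roles/storage.objectAdmin": """\
description: Full control of objects.
includedPermissions:
- resourcemanager.projects.get
- storage.objects.create
- storage.objects.delete
- storage.objects.get
- storage.objects.list
- storage.objects.update
name: roles/storage.objectAdmin
stage: GA
title: Storage Object Admin
""",
    "roles/viewer": """\
description: Read access to all resources (constructed, truncated list).
includedPermissions:
- bigquery.tables.get
- compute.instances.get
- compute.instances.list
- resourcemanager.projects.get
- storage.buckets.get
- storage.objects.get
- storage.objects.list
name: roles/viewer
stage: GA
title: Viewer
""",
}

_PERM_LINE = re.compile(r"^- (\S+)$")


def parse_included_permissions(yaml_text: str) -> Set[str]:
    """Extract the includedPermissions list from gcloud's YAML output.

    A tiny hand parser is used instead of PyYAML to avoid a dependency; it only
    understands the flat "- permission" list that gcloud emits under that key.
    """
    perms: Set[str] = set()
    in_list = False
    for line in yaml_text.splitlines():
        if line.startswith("includedPermissions:"):
            in_list = True
            continue
        if in_list:
            match = _PERM_LINE.match(line)
            if match:
                perms.add(match.group(1))
            else:
                in_list = False  # the next top-level key ends the list
    return perms


def load_roles(yaml_by_role: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map role name -> permission set for every describe output given."""
    return {name: parse_included_permissions(text) for name, text in yaml_by_role.items()}


def roles_granting(permission: str, roles: Dict[str, Set[str]]) -> list:
    """Offline equivalent of --filter="includedPermissions:<permission>"."""
    return sorted(name for name, perms in roles.items() if permission in perms)


def least_privilege_role(required: Set[str], roles: Dict[str, Set[str]]) -> Optional[Tuple[str, int]]:
    """Return (role, surplus permission count) for the tightest role covering `required`.

    Ties on surplus are broken by total size, then name, so the choice is deterministic.
    Returns None when no single role grants everything that is required.
    """
    candidates = [
        (len(perms - required), len(perms), name)
        for name, perms in roles.items()
        if required <= perms
    ]
    if not candidates:
        return None
    surplus, _, name = min(candidates)
    return name, surplus


if __name__ == "__main__":
    catalog = load_roles(SAMPLE_ROLE_YAML)
    print(roles_granting("storage.objects.get", catalog))
    # Alice only needs to read objects: expect roles/storage.objectViewer with 1 surplus permission
    print(least_privilege_role({"storage.objects.get", "storage.objects.list"}, catalog))
```

The surplus count is the number to watch: every permission a principal holds beyond what the task needs is attack surface, and the constructed catalog shows why `roles/viewer` loses to `roles/storage.objectViewer` even when both technically satisfy the request.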
```text
roles/<service>.<resourceType><accessLevel>

Examples:
roles/storage.objectViewer    → view storage objects
roles/storage.objectAdmin     → admin storage objects
roles/compute.instanceAdmin.v1 → admin compute instances
roles/bigquery.dataEditor     → edit bigquery data
```