Roles are the mechanism for granting permissions in GCP, and choosing the right role type is critical for implementing least privilege. GCP offers three categories of role, which differ in how granular they are and in how they are managed.
Basic roles are the original access control mechanism from before IAM existed. They apply across all services in a project.
| Role | Permissions | Permission Count |
|---|---|---|
| roles/viewer | Read-only access to all resources | ~8,000+ |
| roles/editor | Read + write access to all resources (except IAM and billing) | ~15,000+ |
| roles/owner | Full control including IAM management and billing | ~18,000+ |
| roles/browser | Read access to browse the resource hierarchy | ~50 |
Scenario: You want to give Alice read access to Cloud Storage.

Option A (Basic): roles/viewer
→ Grants read access to EVERY service: Compute Engine, Cloud SQL, BigQuery, Pub/Sub, Cloud Functions, networking, etc.
→ ~8,000 permissions granted

Option B (Predefined): roles/storage.objectViewer
→ Grants read access to Cloud Storage objects ONLY
→ ~3 permissions granted: storage.objects.get, storage.objects.list, resourcemanager.projects.get
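As an added example that is not part of the lesson, the following Python audit reads an IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns, lists every member holding a basic role, and rewrites one such grant to the predefined role from Option B. The policy contents, member names and scope descriptions are constructed for the example.

```python
"""Flag basic-role bindings in a GCP IAM policy and swap one for a predefined role."""
import copy
import json

# Basic roles span every service in the project, so each grant is a finding.
BASIC_ROLES = {
    "roles/viewer": "read-only on all services",
    "roles/editor": "read/write on all services (except IAM and billing)",
    "roles/owner": "full control, including IAM and billing",
}

# Constructed sample policy, in the JSON shape that
# `gcloud projects get-iam-policy PROJECT --format=json` returns.
SAMPLE_POLICY = json.loads("""
{"bindings": [
   {"role": "roles/viewer", "members": ["user:alice@example.com"]},
   {"role": "roles/storage.objectViewer", "members": ["user:bob@example.com"]},
   {"role": "roles/editor", "members": ["group:devs@example.com",
      "serviceAccount:ci@example.iam.gserviceaccount.com"]}],
 "etag": "BwExampleEtag", "version": 1}
""")


def find_basic_role_grants(policy):
    """One finding per member that holds a basic role anywhere in the policy."""
    return [
        {"member": m, "role": b["role"], "scope": BASIC_ROLES[b["role"]]}
        for b in policy.get("bindings", [])
        if b.get("role") in BASIC_ROLES
        for m in b.get("members", [])
    ]


def replace_role(policy, member, old_role, new_role):
    """Copy of the policy where `member` holds `new_role` instead of `old_role`.
    Reuses an existing binding for new_role and drops bindings left empty."""
    new_policy = copy.deepcopy(policy)
    bindings = new_policy.setdefault("bindings", [])
    for b in bindings:
        if b.get("role") == old_role and member in b.get("members", []):
            b["members"].remove(member)
    target = next((b for b in bindings if b.get("role") == new_role), None)
    if target is None:
        target = {"role": new_role, "members": []}
        bindings.append(target)
    if member not in target["members"]:
        target["members"].append(member)
    new_policy["bindings"] = [b for b in bindings if b.get("members")]
    return new_policy
```

Running `find_basic_role_grants` over a real exported policy gives the list of grants to review; the rewritten policy from `replace_role` is what you would feed back with `gcloud projects set-iam-policy` once the narrower role has been confirmed.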