Tuesday 12 May 2020

Creating custom roles on Google Cloud Platform

You have your beautiful project on GCP, and you've granted access to your colleagues.
You have also chosen which roles they need to do their work, using GCP predefined roles, but after some time, visiting the IAM section of the GCP web console, you see this:

Inspecting the over-granted permissions, you find out that only 12 of 247 permissions are actually used:


How do you restrict access when predefined or primitive roles are too broad?


Solution: create a custom role.

Custom roles let you enforce the principle of least privilege, ensuring that the users and service accounts in your organization have only the permissions essential to performing their intended functions. Two things to keep in mind: a custom role created in a project can only be granted on resources of that project, and unlike predefined roles it is not updated by Google when a service adds new permissions, so you maintain it yourself.

Create a file named custom-dev-role.yaml with the role's title, description, launch stage and the list of permissions to include:

title: "Custom Dev Role"
description: "Custom role for developers"
stage: "GA"
includedPermissions:
#General permissions
- resourcemanager.projects.get
#GKE permissions
- container.clusters.get
- container.clusters.list
- container.deployments.create
- container.deployments.get
- container.deployments.update
- container.horizontalPodAutoscalers.get
- container.namespaces.get
- container.pods.list
- container.services.create
- container.services.get
- container.services.update
# GCR and GCS
- storage.buckets.get
- storage.buckets.getIamPolicy
- storage.objects.create
- storage.objects.get
- storage.objects.getIamPolicy
- storage.objects.list
- storage.objects.update
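Before running the create command, it is worth comparing the file against what your developers actually use. The Python script below is an added example, not part of the original post: it parses the flat YAML layout above without PyYAML, flags malformed or duplicate permissions and any permission ending in setIamPolicy (which would let the holder regrant access to anyone), and reports which permissions the role grants but nobody used and which are used but absent from the file. The USED_PERMISSIONS set is constructed sample data standing in for what the IAM recommender or the project's audit logs would report; the role-id rule (3 to 64 characters made of letters, digits, underscores and periods) is the one gcloud enforces.

```python
"""Sanity-check a GCP custom role file before creating it.

Added example, not code from the original post. The YAML parser below only
handles the flat layout used by custom-dev-role.yaml (scalar keys plus one
includedPermissions list), so no PyYAML dependency is needed.
"""
import re

# Inline copy of custom-dev-role.yaml from the post (constructed input).
ROLE_YAML = """\
title: "Custom Dev Role"
description: "Custom role for developers"
stage: "GA"
includedPermissions:
#General permissions
- resourcemanager.projects.get
#GKE permissions
- container.clusters.get
- container.clusters.list
- container.deployments.create
- container.deployments.get
- container.deployments.update
- container.horizontalPodAutoscalers.get
- container.namespaces.get
- container.pods.list
- container.services.create
- container.services.get
- container.services.update
# GCR and GCS
- storage.buckets.get
- storage.buckets.getIamPolicy
- storage.objects.create
- storage.objects.get
- storage.objects.getIamPolicy
- storage.objects.list
- storage.objects.update
"""

# Constructed sample: permissions the developers were actually seen using.
# In practice take this from the IAM recommender / policy insights or audit logs.
USED_PERMISSIONS = {
    "resourcemanager.projects.get",
    "container.clusters.get",
    "container.deployments.create",
    "container.deployments.update",
    "container.pods.list",
    "storage.objects.get",
    "storage.objects.list",
    "storage.objects.create",
    "container.pods.getLogs",  # used, but not granted by the file
}

# service.resource.verb, e.g. container.horizontalPodAutoscalers.get
PERMISSION_RE = re.compile(r"^[a-z][a-zA-Z0-9]*(\.[a-zA-Z0-9]+){2,}$")
# Custom role IDs: 3-64 chars of letters, digits, underscores and periods.
ROLE_ID_RE = re.compile(r"^[a-zA-Z0-9_.]{3,64}$")
# Anything that can change an IAM policy has no place in a developer role.
HIGH_RISK_SUFFIXES = ("setIamPolicy",)


def parse_role_file(text):
    """Parse the flat YAML layout: scalar keys plus an includedPermissions list."""
    role = {"includedPermissions": []}
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # strip comments
        if not line:
            continue
        if line.startswith("- "):
            role["includedPermissions"].append(line[2:].strip())
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if value:
            role[key] = value
        else:
            role.setdefault(key, [])  # e.g. the "includedPermissions:" header
    return role


def check_role(role_id, role, used_permissions):
    """Return findings; an empty 'errors' list means the file is safe to create."""
    perms = role["includedPermissions"]
    errors = []
    if not ROLE_ID_RE.match(role_id):
        errors.append(f"invalid role id {role_id!r}")
    errors += [f"malformed permission {p!r}" for p in perms if not PERMISSION_RE.match(p)]
    return {
        "errors": errors,
        "duplicates": sorted({p for p in perms if perms.count(p) > 1}),
        "high_risk": [p for p in perms if p.endswith(HIGH_RISK_SUFFIXES)],
        "unused": sorted(set(perms) - used_permissions),   # granted, never used
        "missing": sorted(used_permissions - set(perms)),  # used, not granted
    }


def tightened_permissions(role, used_permissions):
    """Keep only permissions that are both granted by the file and observed in use."""
    return sorted(p for p in set(role["includedPermissions"]) if p in used_permissions)


def render_role_file(role, permissions):
    """Emit a role file in the same layout, with the given permission list."""
    lines = [f'title: "{role.get("title", "")}"',
             f'description: "{role.get("description", "")}"',
             f'stage: "{role.get("stage", "GA")}"',
             "includedPermissions:"]
    lines += [f"- {p}" for p in permissions]
    return "\n".join(lines) + "\n"


def main():
    role = parse_role_file(ROLE_YAML)
    report = check_role("custom_dev_role", role, USED_PERMISSIONS)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("\n# tightened file:")
    print(render_role_file(role, tightened_permissions(role, USED_PERMISSIONS)))


if __name__ == "__main__":
    main()
```

The "missing" list is the one to look at before tightening: a permission that is in use but not in the file is being supplied by some other binding, so dropping the broad role without adding it here will break someone's workflow.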

Use the gcloud CLI to create the role in your project:

gcloud iam roles create custom_dev_role \
--project=my-project \
--file=custom-dev-role.yaml

If the command is successful, you should see something like this:

Created role [custom_dev_role].
description: Custom role for developers
etag: LwP9dL8kXGc=
includedPermissions:
- container.clusters.get
- container.clusters.list
- container.deployments.create
- container.deployments.get
- container.deployments.update
- container.horizontalPodAutoscalers.get
- container.namespaces.get
- container.pods.list
- container.services.create
- container.services.get
- container.services.update
- resourcemanager.projects.get
- storage.buckets.get
- storage.buckets.getIamPolicy
- storage.objects.create
- storage.objects.get
- storage.objects.getIamPolicy
- storage.objects.list
- storage.objects.update
name: projects/my-project/roles/custom_dev_role
stage: GA
title: Custom Dev Role

Use the custom role.

In the GCP web console, go to IAM -> Permissions.
Select the members to whom you want to assign the custom role.
In the right panel, search for the role you created under the 'Custom' category (its full name is projects/my-project/roles/custom_dev_role, which is also what you pass to gcloud projects add-iam-policy-binding if you prefer the CLI).
Remove the broad predefined role from those members at the same time, otherwise the over-granted permissions stay in place.

That's all!

-------------

You can find all the available roles in this page of GCP documentation:
https://cloud.google.com/iam/docs/understanding-roles



