Google Cloud Platform (GCP) is a popular choice for those just getting into cloud computing, because it offers a supply of free resources to first-time users. It also comes with basic “roles” that you can use to add combinations of permissions to an account (called a “principal”). However, these basic roles are meant to be built upon—it’s not recommended that you rely on them for your security configuration. If you want to optimize the security of your GCP project resources, you need to define custom roles that assign only the permissions you want.
The Google Cloud documentation provides an overview of the concepts of Identity and Access Management (IAM) roles; those concepts will not be covered here. Instead, I will show you the steps to add custom roles to a principal using the GCP user interface. I found certain aspects of the UI to be counterintuitive, so below each step, I’ve included a screenshot with relevant information highlighted.
1. Bring the navigation menu up by clicking the three bars in the upper left corner of the screen. Hover over “IAM & Admin” and select “Roles.”
2. There’s a very long list of possible roles, so enter a few keywords into the filter to narrow down your results. When you find a role that looks like a reasonable summary of the permissions you want, click on the three dots to the right and select “Create role from this role.”
3. By default, all possible permissions for this role will be selected. It’s more secure to limit the permissions to only the ones you need, so start by deselecting all permissions. If you do this by clicking the top checkbox, it will deselect only the permissions on the current page of the list. Use the left and right arrows below the permissions list to navigate to the other pages and repeat.
4. To select permissions you want, click on the box to the left of them. Do not click on the name of the permission, or all other permissions will be deselected, including ones on other pages. One way to make sure your desired permissions all stay selected is by keeping track of the number in bold above the permissions list.
Hit “Save” at the bottom of the page to save this role to your custom roles.
5. Hover over “IAM & Admin” on the navigation menu again, but this time select “IAM” at the top of the sub-menu. Click the pencil symbol to the right of the principal you want to add the role to, then click “ADD ANOTHER ROLE.”
6. In the popup menu, hover over “Custom,” and you should see the name of the role you just created. Select it, and hit “SAVE.”
If you want to create another custom role for this principal, you can do so from here by clicking “MANAGE ROLES” at the bottom of the popup menu—however, the role you create will not automatically be added to this principal. After saving your new role, you will have to navigate back to this page and manually add it to the principal.
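The selection in steps 3 and 4 is easy to get wrong across pages, so it helps to compare the saved role against the set you intended. The following is an added example, not part of the original guide: it assumes the role is available as JSON with the `title`, `stage` and `includedPermissions` fields of an IAM role definition, and the function names and the shortened permission list are constructed for illustration.

```python
import json

# Constructed sample: a shortened permission list standing in for the base
# role picked in step 2 (a real role usually carries more permissions).
BASE_ROLE_PERMISSIONS = [
    "storage.objects.create",
    "storage.objects.delete",
    "storage.objects.get",
    "storage.objects.getIamPolicy",
    "storage.objects.list",
    "storage.objects.setIamPolicy",
    "storage.objects.update",
]


def build_custom_role(title, base_permissions, wanted):
    """Steps 3-4: start with nothing selected, then add only what is wanted."""
    unknown = sorted(set(wanted) - set(base_permissions))
    if unknown:
        # A typo, or a permission the base role never had, should fail loudly.
        raise ValueError(f"not in base role: {unknown}")
    return {
        "title": title,
        "stage": "GA",
        "includedPermissions": sorted(set(wanted)),
    }


def verify_role(saved_role, wanted):
    """Compare a saved role with the intended set; returns (missing, extra)."""
    saved = set(saved_role.get("includedPermissions", []))
    return sorted(set(wanted) - saved), sorted(saved - set(wanted))


if __name__ == "__main__":
    wanted = ["storage.objects.get", "storage.objects.list"]
    role = build_custom_role("Bucket Reader (example)", BASE_ROLE_PERMISSIONS, wanted)
    print(json.dumps(role, indent=2))
    # Constructed failure case: one page of the list was never deselected.
    leftover = dict(role)
    leftover["includedPermissions"] = role["includedPermissions"] + ["storage.objects.delete"]
    print(verify_role(leftover, wanted))
```

An empty `missing` list and an empty `extra` list mean the saved role matches what you meant to select; anything in `extra` is a permission that survived the deselect step.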
Congratulations! You just added a custom combination of permissions to an account in GCP. I hope you found this guide useful.