Understanding predefined IAM roles within a project
In this article we will learn about and understand predefined IAM roles within a project.
A role contains a set of permissions that allows you to perform specific actions on Google Cloud resources. To make permissions available to members, you grant roles to those members, which include users, groups, and service accounts.
Role types
There are three types of roles in IAM:
- Firstly, basic roles, which include the Owner, Editor, and Viewer roles that existed prior to the introduction of IAM.
- Secondly, predefined roles, which provide granular access for a specific service and are managed by Google Cloud.
- Lastly, custom roles, which provide granular access according to a user-specified list of permissions.
To determine whether a permission is in a basic, predefined, or custom role, you can use one of the following methods:
- Firstly, run the gcloud iam roles describe command to list the permissions in the role.
- Secondly, call the roles.get() REST API method to list the permissions in the role.
- Next, for basic and predefined roles only: Search the permissions reference to see if the permission is granted by the role.
- Lastly, for predefined roles only: Search the predefined role descriptions on this page to see which permissions the role includes.
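The first two methods above both return the role's permission list (the `includedPermissions` field of a Role). The following added example, which is not from the original page or from Google's documentation, works on that field to answer two practical questions: does a given role grant a given permission, and which of several candidate roles covers a needed set of permissions with the fewest extra permissions. The role contents embedded below are a constructed, trimmed subset for illustration, not the real, full permission lists.

```python
"""Check role permissions as returned by gcloud iam roles describe / roles.get().

Added example, not from the original page or Google's documentation. It reads
the `includedPermissions` field that `gcloud iam roles describe --format=json`
and the roles.get() REST method return. The permission lists below are a small,
constructed subset for illustration, not the real, complete lists.
"""
import json

# Constructed sample output, trimmed to a few permissions per role.
SAMPLE_ROLES_JSON = json.dumps([
    {"name": "roles/editor", "includedPermissions": [
        "logging.logEntries.list", "logging.logs.list",
        "compute.instances.delete", "storage.objects.delete"]},
    {"name": "roles/logging.viewer", "includedPermissions": [
        "logging.logEntries.list", "logging.logs.list"]},
    {"name": "roles/pubsub.publisher", "includedPermissions": [
        "pubsub.topics.publish"]},
])


def load_roles(roles_json):
    """Map role name -> set of permissions from describe/roles.get() output."""
    return {r["name"]: set(r["includedPermissions"]) for r in json.loads(roles_json)}


def role_grants(roles, role_name, permission):
    """True if the named role includes the permission (the check described above)."""
    return permission in roles[role_name]


def rank_roles(roles, needed):
    """Roles that cover every needed permission, least excess first.

    Each entry is (role name, number of permissions beyond what is needed),
    so the first entry is the most granular role that still does the job.
    """
    needed = set(needed)
    covering = [(name, len(perms - needed))
                for name, perms in roles.items() if needed <= perms]
    return sorted(covering, key=lambda entry: (entry[1], entry[0]))


if __name__ == "__main__":
    roles = load_roles(SAMPLE_ROLES_JSON)
    print(role_grants(roles, "roles/editor", "logging.logs.list"))  # True
    for name, excess in rank_roles(roles, ["logging.logEntries.list"]):
        print(f"{name}: {excess} unneeded permission(s)")
```

With the sample data, `roles/logging.viewer` ranks ahead of the basic `roles/editor` for a member who only needs to list log entries, which is the granular-access argument for preferring a predefined role over a basic one.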
Predefined roles
In addition to the basic roles, IAM provides additional predefined roles that give granular access to specific Google Cloud resources and prevent unwanted access to other resources. Google creates and maintains these roles. Google Cloud automatically changes their permissions as needed, such as when new features or services are added to Google Cloud.
These roles, their descriptions, and the lowest-level resource type at which they can be granted are listed in the table below. That resource type is the lowest level at which the role can be granted; in most circumstances, any resource type higher in the Google Cloud hierarchy also works. A single user can be granted many roles. On a project, for example, the same user can hold the Network Admin and Log Viewer roles, and also hold the Publisher role on a Pub/Sub topic within that project.
Custom roles
In addition to the predefined roles, IAM also lets you create customized IAM roles. You can create a custom IAM role with one or more permissions and then grant that custom role to users within your organization.
Reference: Google Documentation