Latchu@DevOps
Part-127: Hands-on with Google Cloud IAM: Manage Access Using Basic, Predefined, and Custom Roles

Create Basic Role, Predefined Role and Custom Role in Google Cloud IAM

Step-01: Introduction

We are going to use all three role types in this demo:

  • Basic Roles
  • Predefined Roles
  • Custom Roles

Step-02: Create a VM Instance

```bash
# Set Project
gcloud config set project PROJECT_ID
# (example) gcloud config set project gcpdemos

# Create VM Instance
gcloud compute instances create vm1 \
  --zone=us-central1-a \
  --machine-type=e2-micro \
  --network-interface=subnet=default
```

Step-03: Pre-requisite: Create a test Gmail ID for this demo

gcpuser08@gmail.com

Step-04: Basic Role: Owner

Step-04-01: Add Principal with IAM Role: Owner and Verify

  1. Go to IAM & Admin → IAM → GRANT ACCESS in the Google Cloud Console.
  2. Add Principal: gcpuser08@gmail.com.
  3. Select Role: Owner.
  4. Click SAVE.


An invitation will be sent to the new user.

Step-04-02: Login to Gmail and Accept Invitation

Login to Gmail and accept the invitation:

  • Username: gcpuser08@gmail.com
  • Password: XXXXXXXX (test account password)

Step-04-03: Login to Google Cloud with the New User

  1. Open an Incognito / private browser window.
  2. Login to Google Cloud using gcpuser08@gmail.com.
  3. Select the project (example: gcplearn9).

Observation: The user should have full access to all resources in the project (Owner permission).


Step-05: Predefined Role: Compute Viewer

Step-05-01: Add Principal with IAM Role: Compute Viewer

  1. Go to IAM & Admin → IAM → GRANT ACCESS.
  2. Add Principal: gcpuser08@gmail.com.
  3. Select Role: Compute Viewer.
  4. Click SAVE.


Step-05-02: Login to Google Cloud with the New User

  1. Open an Incognito / private browser window.
  2. Login to Google Cloud with gcpuser08@gmail.com.
  3. Select the project (example: gcplearn9).

Observation: The user should see read-only access to Compute Engine resources.


Step-06: Custom Role: Stop and Start VMs

Step-06-01: Create Custom Role

  1. Go to IAM → Roles → CREATE ROLE.
  2. Set:
     • Title: Custom Role Start Stop VM
     • ID: customRoleStartStopVM101
  3. Add permissions: compute.instances.start, compute.instances.stop.
  4. Click CREATE.


Note: The permission names are compute.instances.start and compute.instances.stop (use the exact permission strings when adding permissions).

Step-06-02: Add Principal with the Custom Role

  1. Go to IAM & Admin → IAM → GRANT ACCESS.
  2. Add Principal: gcpuser08@gmail.com.
  3. Select Role: Compute Viewer.
  4. Select Role: Custom Role Start Stop VM (the custom role you created).
  5. Click SAVE.


Step-06-03: Login to Google Cloud with the New User

  1. Open an Incognito / private browser window.
  2. Login to Google Cloud with gcpuser08@gmail.com.
  3. Select the project (example: gcplearn9).

Observations:

  • Observation-1: The user should have only read-only access from the Compute Viewer role.
  • Observation-2: The user should be able to stop and start the VM instance thanks to the custom role.
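The three observations above follow from one rule: a principal's effective permissions are the union of the permissions of every role bound to it, and IAM bindings are additive, so a role granted in an earlier step stays in force until it is removed. The following Python model is an added example written for this post; it is not the author's code and does not call any Google API. It walks the demo's Steps 04 to 06 on an in-memory copy of a project IAM policy (the same `bindings` shape `gcloud projects get-iam-policy` returns), using the principal, the role names and the custom role ID from the post. It assumes the Owner binding from Step-04 is removed before Step-05, which the post's Compute Viewer observation relies on. The permission sets are constructed subsets, not the full permission lists of the real roles, and `PROJECT_ID` is the placeholder used earlier in the post.

```python
"""Model of how Google Cloud IAM resolves access for the demo in this post.

Constructed for illustration only; it does not call any Google API. The
permission lists are hand-picked subsets (roles/owner really carries
thousands of permissions), chosen to make the three observations visible.
"""
from typing import Dict, List, Set

# Principal and roles used in the post.
PRINCIPAL = "user:gcpuser08@gmail.com"
OWNER = "roles/owner"
COMPUTE_VIEWER = "roles/compute.viewer"
# Project-level custom roles are addressed as projects/PROJECT_ID/roles/ROLE_ID.
CUSTOM_ROLE = "projects/PROJECT_ID/roles/customRoleStartStopVM101"

# Constructed subset of permissions per role (assumption: not the real full lists).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    OWNER: {
        "compute.instances.get", "compute.instances.list",
        "compute.instances.start", "compute.instances.stop",
        "compute.instances.delete", "resourcemanager.projects.setIamPolicy",
    },
    COMPUTE_VIEWER: {"compute.instances.get", "compute.instances.list"},
    # The custom role from Step-06 carries exactly the two permissions added there.
    CUSTOM_ROLE: {"compute.instances.start", "compute.instances.stop"},
}


def grant(policy: Dict, role: str, member: str) -> Dict:
    """Add member to the binding for role (what GRANT ACCESS does).

    Bindings are additive: bindings for other roles are left untouched,
    and granting the same role twice does not duplicate the member."""
    for binding in policy["bindings"]:
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return policy
    policy["bindings"].append({"role": role, "members": [member]})
    return policy


def revoke(policy: Dict, role: str, member: str) -> Dict:
    """Remove member from the binding for role; drop the binding once empty."""
    kept = []
    for binding in policy["bindings"]:
        if binding["role"] == role:
            binding["members"] = [m for m in binding["members"] if m != member]
        if binding["members"]:
            kept.append(binding)
    policy["bindings"] = kept
    return policy


def roles_for(policy: Dict, member: str) -> List[str]:
    """Every role currently bound to member; useful to spot leftover grants."""
    return sorted(b["role"] for b in policy["bindings"] if member in b["members"])


def effective_permissions(policy: Dict, member: str) -> Set[str]:
    """Union of the permissions of all roles bound to member."""
    perms: Set[str] = set()
    for role in roles_for(policy, member):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def can(policy: Dict, member: str, permission: str) -> bool:
    return permission in effective_permissions(policy, member)


def run_demo() -> Dict[str, bool]:
    """Replay Steps 04 to 06 and record what the test user can do at each point."""
    policy: Dict = {"bindings": []}
    results: Dict[str, bool] = {}
    # Step-04: Basic role Owner -> everything, including deleting the VM.
    grant(policy, OWNER, PRINCIPAL)
    results["owner_can_delete"] = can(policy, PRINCIPAL, "compute.instances.delete")
    # Step-05: remove Owner first (bindings are additive), then Compute Viewer.
    revoke(policy, OWNER, PRINCIPAL)
    grant(policy, COMPUTE_VIEWER, PRINCIPAL)
    results["viewer_can_list"] = can(policy, PRINCIPAL, "compute.instances.list")
    results["viewer_can_stop"] = can(policy, PRINCIPAL, "compute.instances.stop")
    # Step-06: custom role on top of Compute Viewer -> read-only plus start/stop.
    grant(policy, CUSTOM_ROLE, PRINCIPAL)
    results["custom_can_stop"] = can(policy, PRINCIPAL, "compute.instances.stop")
    results["custom_can_delete"] = can(policy, PRINCIPAL, "compute.instances.delete")
    results["only_viewer_and_custom"] = roles_for(policy, PRINCIPAL) == sorted([COMPUTE_VIEWER, CUSTOM_ROLE])
    return results


def custom_role_yaml(title: str, permissions: List[str]) -> str:
    """Render the Step-06 role as a definition file for
    `gcloud iam roles create customRoleStartStopVM101 --project=PROJECT_ID --file=role.yaml`."""
    lines = [f"title: {title}", "stage: GA", "includedPermissions:"]
    lines += [f"- {p}" for p in sorted(permissions)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check}: {ok}")
    print(custom_role_yaml("Custom Role Start Stop VM",
                           ["compute.instances.start", "compute.instances.stop"]))
```

`roles_for` is the check worth keeping around after the demo: run it (or the real `gcloud projects get-iam-policy PROJECT_ID` output filtered for the test user) before reading off an observation, because a forgotten Owner binding would make Observation-1 look wrong while the Compute Viewer grant itself is fine.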

🌟 Thanks for reading! If this post added value, a like ❤️, follow, or share would encourage me to keep creating more content.


— Latchu | Senior DevOps & Cloud Engineer

☁️ AWS | GCP | ☸️ Kubernetes | 🔐 Security | ⚡ Automation
📌 Sharing hands-on guides, best practices & real-world cloud solutions
