Start using custom IAM roles in Google Cloud!
When it comes to managing access control in Google Cloud, many engineers rely on predefined roles by default. In practice this usually grants an identity far more permissions than it needs.
The problem with predefined roles
Google Cloud provides a wide range of predefined roles that cover common use cases for accessing different resources and services. They are designed to balance granting sufficient permissions against limiting access to what is necessary, but they are still written for a generic use case, so they routinely include permissions that a particular identity never exercises. An object-handling role, for example, may also carry the ability to change object ACLs or read bucket metadata even when the service only uploads and downloads files.
When creating a service account for a new service, grant it only the permissions the service needs to function. If a service needs to list buckets and create, list, get and delete objects, the service account should be granted exactly those permissions and nothing else.
Custom roles
Custom roles let you define a role with an explicit set of permissions and then grant that role to an identity, so the identity holds only what it requires. Permissions are listed individually (wildcards are not accepted), and you can check which permissions a resource type supports with `gcloud iam list-testable-permissions`. Custom roles can be created at the project or organization level; the Terraform resource below creates one at the project level.
```hcl
resource "google_project_iam_custom_role" "my_custom_role" {
  role_id     = "myCustomRole"
  title       = "My Custom Role"
  description = "List buckets and work with objects; no ACL or IAM changes"

  # Custom roles take an explicit permission list. The IAM API rejects
  # wildcards such as "storage.multipartUploads.*", so each multipart
  # upload permission is spelled out. "storage.objects.list" is included
  # because the service needs to list objects.
  permissions = [
    "storage.buckets.list",
    "storage.objects.create",
    "storage.objects.get",
    "storage.objects.list",
    "storage.objects.update",
    "storage.objects.delete",
    "storage.multipartUploads.create",
    "storage.multipartUploads.abort",
    "storage.multipartUploads.list",
    "storage.multipartUploads.listParts",
  ]
}
```
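To show the full pattern end to end, here is an added example (not from the original post) that wires a custom role to a service account. The project ID `my-project`, bucket `my-app-uploads` and service account `uploader` are assumed names. It deliberately binds the role on the single bucket the service uses rather than on the whole project, and leaves out `storage.buckets.list`, which only has an effect in a project-level binding and is unnecessary when the service already knows its bucket name.

```hcl
# Added example, not part of the original post. All resource names are
# assumptions; replace them with your own values.

variable "project_id" {
  type    = string
  default = "my-project" # assumption
}

resource "google_service_account" "uploader" {
  project      = var.project_id
  account_id   = "uploader" # assumption
  display_name = "Upload service"
}

# Object-only role: no bucket metadata, ACL or IAM permissions.
resource "google_project_iam_custom_role" "bucket_object_worker" {
  project     = var.project_id
  role_id     = "bucketObjectWorker"
  title       = "Bucket object worker"
  description = "Create, get, list and delete objects; nothing else"
  stage       = "GA"

  # Every permission is listed explicitly; custom roles do not accept
  # wildcards such as "storage.objects.*".
  permissions = [
    "storage.objects.create",
    "storage.objects.get",
    "storage.objects.list",
    "storage.objects.delete",
  ]
}

# Bind on the bucket, not the project, so the grant is limited to one
# bucket's objects. The .name attribute has the form
# projects/{project}/roles/{role_id}, which is what bucket IAM expects.
resource "google_storage_bucket_iam_member" "uploader_objects" {
  bucket = "my-app-uploads" # assumption
  role   = google_project_iam_custom_role.bucket_object_worker.name
  member = "serviceAccount:${google_service_account.uploader.email}"
}
```

If the service genuinely needs to enumerate buckets in the project, add `storage.buckets.list` to the role and bind it with `google_project_iam_member` instead; a bucket-level binding cannot grant a project-level permission.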
While predefined roles are a convenient way to manage access control in Google Cloud, they often grant more permissions than necessary. Custom roles offer a more granular, tailored approach. One caveat: Google updates predefined roles automatically when a service gains new permissions, but custom roles are never updated on your behalf, so treat them as code you own and review the permission list whenever the service's needs change.