Creating Custom IAM Roles and Bindings in Google Cloud Platform (GCP) Through various ways
INTRODUCTION
Google Cloud Platform (GCP) provides a flexible and scalable way to manage cloud resources through Identity and Access Management (IAM). One of the most powerful features of IAM is the ability to create custom roles and bindings, giving you fine-grained control over who can access your resources and what actions they can perform.
In this blog post, we'll walk you through how to write custom IAM roles, define custom role bindings, and apply them using different methods including JSON/YAML files, Google Cloud Console, and tools like Terraform and Deployment Manager.
What Are IAM Roles and Bindings?
IAM Roles: In GCP, roles define the permissions granted to a user or service account. There are two types of roles:
Predefined Roles: GCP provides a set of predefined roles for common use cases (e.g.,
roles/viewer,roles/editor).Custom Roles: These roles allow you to define a specific set of permissions for users, groups, or service accounts based on your unique needs.
IAM Bindings: Bindings are used to associate a role with a specific member (user, group, or service account). A role binding essentially tells GCP, "This member can perform these actions."
Step 1: Creating Custom Roles in GCP
Custom roles allow you to define a tailored set of permissions that fit your specific requirements. This helps in applying the principle of least privilege, ensuring users only get the permissions they need.
1.1. Using the GCP Console
Open the IAM & Admin Console in GCP.
Navigate to Roles and click Create Role.
Enter the following:
Title: Name of the custom role (e.g., "CustomReadOnlyRole").
ID: A unique identifier for the role.
Description: A brief description of the role’s function.
Permissions: Select the permissions you need from the available categories. For example,
compute.instances.list,storage.buckets.get.
Click Create.
1.2. Using the gcloud CLI
You can also create a custom role using the gcloud command:
gcloud iam roles create customRoleName \
--project=your-project-id \
--title="Custom Role Title" \
--description="A custom role for specific actions" \
--permissions="permission1,permission2,permission3" \
--stage="GA"
Replace
your-project-idwith your project ID.Replace
permission1,permission2, etc., with the required permissions.
Step 2: Creating Custom Role Bindings
Once you've created a custom role, you can assign it to users, service accounts, or groups. This is where role bindings come into play.
2.1. Using the GCP Console
Open the IAM & Admin Console.
Click on Add at the top of the page to assign a new role.
In the New principals field, enter the user, service account, or group (e.g.,
user:sa@example.com).In the Role field, select your custom role.
Click Save.
2.2. Using the gcloud CLI
You can also assign the custom role via the gcloud command:
gcloud projects add-iam-policy-binding your-project-id \
--member="user:sa@example.com" \
--role="projects/your-project-id/roles/customRoleName"
Replace
your-project-idwith your project ID.Replace
user:sa@example.comwith the email of the user or service account.Replace
customRoleNamewith the name of your custom roles.
Step 3: Applying IAM Policies from JSON or YAML Files
If you want to define IAM roles and bindings in a file and apply them programmatically, GCP allows you to write policies in JSON or YAML formats. Here’s how to apply these files using different methods.
Step 3: Applying IAM Policies from JSON or YAML Files
If you want to define IAM roles and bindings in a file and apply them programmatically, GCP allows you to write policies in JSON or YAML formats. Here’s how to apply these files using different methods.
3.1. IAM Policy File Example (JSON)
{
"bindings": [
{
"role": "roles/customRoleName",
"members": [
"user:sa@example.com",
"serviceAccount:my-service-account@my-project.iam.gserviceaccount.com"
]
}
]
}
3.2. IAM Policy File Example (YAML)
bindings:
- role: "roles/customRoleName"
members:
- "user:sa@example.com"
- "serviceAccount:my-service-account@my-project.iam.gserviceaccount.com"
3.3. Applying the Policy Using gcloud CLI
Once you’ve created the IAM policy in a file, you can apply it using the gcloud command:
gcloud projects set-iam-policy your-project-id iam-policy.json
Alternatively, for YAML:
gcloud projects set-iam-policy your-project-id iam-policy.yaml
This will apply the IAM policy to the project.
Step 4: Using Google Cloud Deployment Manager for IAM Policies (YAML)
Google Cloud Deployment Manager allows you to define and apply IAM policies as part of your infrastructure as code. Here’s an example YAML configuration for Deployment Manager:
resources:
- name: iam-policy-binding
type: gcp-types/cloudresourcemanager-v1:projects.setIamPolicy
properties:
resource: your-project-id
policy:
bindings:
- role: roles/customRoleName
members:
- user: sa@example.com
- serviceAccount: my-service-account@my-project.iam.gserviceaccount.com
To apply the policy:
gcloud deployment-manager deployments create my-deployment --config iam-policy.yaml
This will deploy the IAM policy defined in the YAML file.
Step 5: Using Terraform to Manage IAM Roles and Bindings
If you’re using Terraform to manage your infrastructure, you can define IAM roles and bindings in your Terraform configuration files:
resource "google_project_iam_member" "sa_member" {
project = "your-project-id"
role = "roles/customRoleName"
member = "serviceAccount:my-service-account@my-project.iam.gserviceaccount.com"
}
resource "google_project_iam_member" "user_member" {
project = "your-project-id"
role = "roles/customRoleName"
member = "user:sa@example.com"
}
Then, apply the Terraform configuration:
terraform init
terraform apply