Cloud Identity & Access Management lets you grant granular access to specific Google Cloud resources and helps prevent access to other resources. Cloud IAM lets you adopt the security principle of least privilege, where you grant only necessary permissions to access specific resources.
Primitive roles are broad and affect every resource in the project. They are the roles that existed before Cloud IAM was introduced.
These roles are concentric: owner includes the permissions of editor, and editor includes the permissions of viewer.
- Viewer – Permissions for read-only actions that do not affect state, such as viewing (but not modifying) existing resources or data.
- Editor – All viewer permissions, plus permissions for actions that modify state, such as changing existing resources.
- Owner – All editor permissions, plus permissions to manage roles and permissions for the project and all resources within it, and to set up billing for the project.
- Billing Administrator – Lets someone control the billing for a project without the right to change the resources in the project.
In addition to the primitive roles, Cloud IAM provides additional predefined roles that give granular access to specific Google Cloud Platform resources and prevent unwanted access to other resources.
There is a long list of these predefined roles; see here.
Custom roles can only be used at the project or organization levels. They can’t be used at the folder level.
To create a custom role, a caller must hold the iam.roles.create permission. By default, the owner of a project or an organization has this permission and can create and manage custom roles.
Users who are not owners, including organization admins, must be assigned either the Organization Role Administrator role or the IAM Role Administrator role.
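Because primitive roles are concentric and project-wide, a least-privilege review usually starts by finding every member bound to one and asking whether a predefined or custom role would do. The following script is an added example, not code from Google or from this page; it audits a constructed policy document shaped like the JSON that `gcloud projects get-iam-policy PROJECT --format=json` returns, and collapses a member's primitive bindings to the highest one, since owner already contains editor and viewer.

```python
import json

# Primitive roles are concentric: owner contains editor, which contains viewer.
PRIMITIVE_RANK = {"roles/viewer": 1, "roles/editor": 2, "roles/owner": 3}

# Constructed sample policy (not a real project); same shape as the
# bindings list returned by `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.dumps({
    "version": 1,
    "etag": "BwX_constructed_etag",
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/editor", "members": [
            "serviceAccount:ci@my-project.iam.gserviceaccount.com",
            "user:alice@example.com"]},
        {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
        {"role": "roles/storage.objectViewer", "members": ["user:bob@example.com"]},
        {"role": "roles/billing.admin", "members": ["user:finance@example.com"]},
    ],
})


def primitive_bindings(policy_json):
    """Return {member: highest primitive role held}.

    Predefined and custom roles are skipped: they are the fine-grained
    alternatives the page recommends, so they are not findings here.
    An owner binding subsumes any editor/viewer binding on the same member.
    """
    policy = json.loads(policy_json)
    highest = {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role not in PRIMITIVE_RANK:
            continue
        for member in binding["members"]:
            current = highest.get(member)
            if current is None or PRIMITIVE_RANK[role] > PRIMITIVE_RANK[current]:
                highest[member] = role
    return highest


def least_privilege_findings(policy_json):
    """One finding per member holding a primitive role, in stable member order."""
    return [f"{member} holds {role}: project-wide access; "
            f"consider a predefined or custom role instead"
            for member, role in sorted(primitive_bindings(policy_json).items())]


if __name__ == "__main__":
    for finding in least_privilege_findings(SAMPLE_POLICY):
        print(finding)
```

On a real project, pipe the output of `gcloud projects get-iam-policy` into `least_privilege_findings` in place of the constructed sample.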