Before we get to custom roles, let us talk about why we need custom roles in GCP (also read: Service accounts and bindings in GCP). The first use case is restricting user access. If you have a set of users that you would like to let into your project (or folder, or organization), but want to limit what they can do, custom roles are the way to do it.

Conceptually, it helps to think of two types of custom roles: IAM-centric roles and non-IAM-centric roles.

IAM-centric means that the custom role is able to perform IAM actions (managing roles, policies or service accounts). Non-IAM-centric is everything else (e.g. a custom role that has access to Compute Engine and Pub/Sub and nothing else).

Create a Custom Role in GCP using Terraform

resource "google_project_iam_custom_role" "my-custom-role" {
  # Role IDs may only contain letters, digits, underscores and periods (no hyphens).
  role_id     = "my_custom_iam_role"
  title       = "custom iam Role"
  description = "custom iam role to bind to an SA"
  # Permissions must be real IAM permission strings; these two let the holder read role definitions.
  permissions = ["iam.roles.get", "iam.roles.list"]
}

Define a policy containing this custom role – the data source below emits a policy_data attribute (a policy document).

# Define an IAM policy that binds the SA to the custom role. This only defines
# the policy document; the actual attachment to a resource happens later.
data "google_iam_policy" "customrole-sa-policy" {
  binding {
    # A project-level custom role is referenced by its full id,
    # projects/<project>/roles/<role_id>, not with a roles/ prefix.
    role    = google_project_iam_custom_role.my-custom-role.id
    members = ["serviceAccount:my-service-account@MY_PROJECT_ID.iam.gserviceaccount.com"]
  }
}

Attach policy_data – when you create a resource, you can attach the output of the snippet above (its policy_data attribute, a policy document) to that resource's IAM policy.

resource "google_pubsub_subscription" "attach-policy" {
  name                 = "my-example-subscription"
  topic                = google_pubsub_topic.pubsub-policy.name  # topic defined elsewhere
  ack_deadline_seconds = 20
}

# A subscription has no policy_data argument; the policy document is attached
# through the subscription's own IAM policy resource.
resource "google_pubsub_subscription_iam_policy" "attach-policy" {
  subscription = google_pubsub_subscription.attach-policy.name
  policy_data  = data.google_iam_policy.customrole-sa-policy.policy_data
}

What about a custom role that restricts a user to a project?

Often, what we want is a way to restrict a user to a particular project. They can do what they like within that project, but they are not allowed to cross the project boundary, or go into another folder containing another project.

In order to do this, we can define a custom role modelled on the project editor (or project owner) role and grant it at the project level. Project owner is also fine, as long as the user is not also granted folder admin (that would let them cross over into another project under that folder).
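As an added example (not code from the original post), here is how that project-boundary restriction can be wired in Terraform: a custom role whose permissions all live inside one project, bound to a user and to a service account at the project level. The project id, the principals and the permission list are assumed sample values.

```hcl
variable "project_id" {
  type        = string
  description = "Project the principals are confined to (assumed sample input)"
}

# Project-level custom role. Every permission here applies to resources inside
# the project; nothing from resourcemanager.folders.* or
# resourcemanager.organizations.* is granted, so the holder cannot reach the
# folder above or sibling projects. The permission list is illustrative.
resource "google_project_iam_custom_role" "project_scoped_editor" {
  project     = var.project_id
  role_id     = "projectScopedEditor" # letters, digits, underscores, periods only
  title       = "Project-scoped editor"
  description = "Edit-like access confined to a single project"
  permissions = [
    "resourcemanager.projects.get",
    "compute.instances.get",
    "compute.instances.list",
    "compute.instances.start",
    "compute.instances.stop",
    "pubsub.topics.get",
    "pubsub.topics.list",
    "pubsub.subscriptions.consume",
  ]
}

# Bind a human user to the role at the project level. The role is referenced
# by its full id, projects/<project>/roles/<role_id>, which the custom role
# resource exposes as its id attribute.
resource "google_project_iam_member" "confined_user" {
  project = var.project_id
  role    = google_project_iam_custom_role.project_scoped_editor.id
  member  = "user:alice@example.com" # assumed sample principal
}

# The same role bound to a service account that lives in the same project.
resource "google_project_iam_member" "confined_sa" {
  project = var.project_id
  role    = google_project_iam_custom_role.project_scoped_editor.id
  member  = "serviceAccount:app-sa@${var.project_id}.iam.gserviceaccount.com" # assumed
}
```

Because both bindings are made on the project, neither principal gets any access in another project or at the folder level unless a separate binding is created there.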

Summary

Projects are central to all GCP resources and services. Often, you want to restrict users' access to resources within a project. Custom roles in GCP are an ideal way to accomplish this. In addition, a policy binding can attach that role to a service account.


Need an experienced AWS/GCP/Azure Professional to help out with your Public Cloud Identity Migration? Set up a time with Anuj Varma.