What is the difference between predefined and custom roles in GCP?

Predefined roles are maintained by Google and bundle permissions for common job functions — for example, roles/storage.objectViewer grants storage.objects.get and storage.objects.list. Custom roles let you pick individual permissions from any service, so you can create a role that grants storage.objects.get but not storage.objects.list. Custom roles can be scoped to a project or an organization and support up to 3,000 permissions per role.

Can custom roles include permissions from multiple services?

Yes. A single custom role can combine permissions across any number of GCP services — for example, compute.instances.list, storage.buckets.get, and logging.logEntries.list in one role. The only restriction is that certain permissions are not available for custom roles (marked as NOT_IN_CUSTOM_ROLE in the permissions reference). The builder filters these out automatically.

How do I keep custom roles updated when Google adds new permissions?

Custom roles are static — they do not automatically inherit new permissions when Google updates a service. You should periodically review roles against the latest predefined roles and add any new permissions your workload needs. Using Terraform or Deployment Manager to manage custom roles makes updates auditable and repeatable across environments.

GCP IAM Custom Role Builder

IAM & SecurityGCP

Build custom IAM role definitions with granular permissions for project or organization-level use.

Custom Role Configuration

Role ID

Title

Description

Launch Stage

Project ID (for gcloud)

Permissions (0)

Common permissions:

Output Format

Generated Role YAML

Output will appear here...

About This Tool

Google Cloud predefined roles often grant more permissions than a workload actually needs, violating the principle of least privilege. GCP IAM Custom Roles let you create roles with only the exact permissions required, reducing blast radius if credentials are compromised. This builder helps you assemble custom roles by selecting individual permissions from GCP service namespaces, validates that the permissions are compatible and not deprecated, and generates the gcloud CLI command or Terraform resource definition ready for deployment.

When to Use This Tool

•Creating least-privilege roles for CI/CD service accounts that need only specific permissions like storage.objects.create and cloudbuild.builds.create
•Building project-level or organization-level custom roles that combine permissions from multiple predefined roles without the excess permissions
•Generating Terraform google_project_iam_custom_role resources for infrastructure-as-code pipelines
•Auditing existing custom roles to identify deprecated or beta-stage permissions that should be replaced

Frequently Asked Questions

What is the difference between predefined and custom roles in GCP?: Predefined roles are maintained by Google and bundle permissions for common job functions — for example, roles/storage.objectViewer grants storage.objects.get and storage.objects.list. Custom roles let you pick individual permissions from any service, so you can create a role that grants storage.objects.get but not storage.objects.list. Custom roles can be scoped to a project or an organization and support up to 3,000 permissions per role.
Can custom roles include permissions from multiple services?: Yes. A single custom role can combine permissions across any number of GCP services — for example, compute.instances.list, storage.buckets.get, and logging.logEntries.list in one role. The only restriction is that certain permissions are not available for custom roles (marked as NOT_IN_CUSTOM_ROLE in the permissions reference). The builder filters these out automatically.
How do I keep custom roles updated when Google adds new permissions?: Custom roles are static — they do not automatically inherit new permissions when Google updates a service. You should periodically review roles against the latest predefined roles and add any new permissions your workload needs. Using Terraform or Deployment Manager to manage custom roles makes updates auditable and repeatable across environments.

Related Learning Guides

IAM & Organization Policies26 min read

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.