Build custom IAM role definitions with granular permissions for project or organization-level use.
Last verified: May 2026
Google Cloud predefined roles often grant more permissions than a workload actually needs, violating the principle of least privilege. GCP IAM Custom Roles let you create roles containing only the exact permissions required, reducing the blast radius if credentials are compromised. This builder helps you assemble custom roles by selecting individual permissions from GCP service namespaces, validates that the selected permissions are usable in custom roles and not deprecated, and generates the gcloud CLI command or Terraform resource definition ready for deployment.
Predefined roles are maintained by Google and bundle permissions for common job functions — for example, roles/storage.objectViewer grants storage.objects.get and storage.objects.list. Custom roles let you pick individual permissions from any service, so you can create a role that grants storage.objects.get but not storage.objects.list. Custom roles can be scoped to a project or an organization and support up to 3,000 permissions per role.
Yes. A single custom role can combine permissions across any number of GCP services — for example, compute.instances.list, storage.buckets.get, and logging.logEntries.list in one role. The only restriction is that certain permissions are not available for custom roles (marked as NOT_IN_CUSTOM_ROLE in the permissions reference). The builder filters these out automatically.
Custom roles are static — they do not automatically inherit new permissions when Google updates a service. You should periodically review roles against the latest predefined roles and add any new permissions your workload needs. Using Terraform or Deployment Manager to manage custom roles makes updates auditable and repeatable across environments.
Your team needs CI/CD service account permissions: build images, push to Artifact Registry, deploy to Cloud Run. The naive approach grants roles/editor (way too broad). The builder helps you assemble a custom role with EXACTLY: artifactregistry.repositories.uploadArtifacts, run.services.update, run.services.get, cloudbuild.builds.create, plus a few iam permissions for the Cloud Run runtime SA. Total 12 permissions vs editor's 8,000+. Blast radius if the SA key leaks: minimal.
The builder constructs GCP custom IAM role definitions: title, description, stage (ALPHA/BETA/GA/DEPRECATED), included permissions list (filterable by service namespace, with deprecation flagging). Output is generated as gcloud iam roles create commands and Terraform google_project_iam_custom_role / google_organization_iam_custom_role resources.
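The following is an added example, not the builder's own code, showing the steps the description above lists for the CI/CD use case: validate a requested permission list against a catalog (stage and custom-role eligibility), then render the same role as a gcloud iam roles create command and as a google_project_iam_custom_role Terraform resource. The permission catalog, the project id and the role id are constructed assumptions; the real eligibility data comes from the IAM permissions reference.

```python
"""Assemble a least-privilege GCP custom role and emit deployable definitions.

Added example; not the builder's own code. PERMISSION_CATALOG is a constructed
subset (assumption) standing in for the real IAM permissions reference.
"""
import shlex

# Constructed catalog: permission -> (stage, usable in custom roles).
# The two "example.widgets.*" entries are invented to exercise the rejection paths.
PERMISSION_CATALOG = {
    "artifactregistry.repositories.uploadArtifacts": ("GA", True),
    "artifactregistry.repositories.get": ("GA", True),
    "run.services.update": ("GA", True),
    "run.services.get": ("GA", True),
    "cloudbuild.builds.create": ("GA", True),
    "iam.serviceAccounts.actAs": ("GA", True),
    "iam.serviceAccounts.get": ("GA", True),
    "example.widgets.legacyList": ("DEPRECATED", True),   # constructed
    "example.widgets.create": ("GA", False),              # constructed: NOT_IN_CUSTOM_ROLE
}

MAX_PERMISSIONS_PER_ROLE = 3000  # limit stated on the page


def validate_permissions(requested):
    """Split requested permissions into an accepted list and a dict of rejection reasons."""
    accepted, rejected = [], {}
    for perm in requested:
        if perm not in PERMISSION_CATALOG:
            rejected[perm] = "unknown permission"
            continue
        stage, custom_ok = PERMISSION_CATALOG[perm]
        if not custom_ok:
            rejected[perm] = "NOT_IN_CUSTOM_ROLE"
        elif stage == "DEPRECATED":
            rejected[perm] = "deprecated"
        elif perm not in accepted:          # drop duplicates silently
            accepted.append(perm)
    if len(accepted) > MAX_PERMISSIONS_PER_ROLE:
        raise ValueError("custom roles support at most %d permissions" % MAX_PERMISSIONS_PER_ROLE)
    return accepted, rejected


def gcloud_command(role_id, project, title, description, permissions, stage="GA"):
    """Render the gcloud CLI command that creates the role at project scope."""
    return " ".join([
        "gcloud iam roles create", shlex.quote(role_id),
        "--project=" + shlex.quote(project),
        "--title=" + shlex.quote(title),
        "--description=" + shlex.quote(description),
        "--stage=" + stage,
        "--permissions=" + ",".join(permissions),
    ])


def terraform_resource(role_id, project, title, description, permissions, stage="GA"):
    """Render the equivalent google_project_iam_custom_role resource."""
    perms = ",\n".join('    "%s"' % p for p in permissions)
    return (
        'resource "google_project_iam_custom_role" "%s" {\n'
        '  role_id     = "%s"\n'
        '  project     = "%s"\n'
        '  title       = "%s"\n'
        '  description = "%s"\n'
        '  stage       = "%s"\n'
        "  permissions = [\n%s\n  ]\n"
        "}\n"
    ) % (role_id, role_id, project, title, description, stage, perms)


# Constructed request: the CI/CD deployer role from the use case, plus two bad entries.
CICD_REQUEST = [
    "artifactregistry.repositories.uploadArtifacts",
    "artifactregistry.repositories.get",
    "run.services.update",
    "run.services.get",
    "cloudbuild.builds.create",
    "iam.serviceAccounts.actAs",
    "iam.serviceAccounts.get",
    "example.widgets.legacyList",   # deprecated: must be rejected
    "example.widgets.create",       # not allowed in custom roles: must be rejected
]


def build_cicd_role(project="example-project"):
    """Validate the request and return both deployable forms plus the rejections."""
    accepted, rejected = validate_permissions(CICD_REQUEST)
    args = ("cicdDeployer", project, "CI/CD Deployer",
            "Build, push to Artifact Registry, deploy to Cloud Run", accepted)
    return {
        "permissions": accepted,
        "rejected": rejected,
        "gcloud": gcloud_command(*args),
        "terraform": terraform_resource(*args),
    }


if __name__ == "__main__":
    result = build_cicd_role()
    print(result["gcloud"])
    print(result["terraform"])
    for perm, reason in result["rejected"].items():
        print("rejected %s: %s" % (perm, reason))
```

Rejections are returned rather than raised so the caller can show the operator why a permission was dropped; a role that silently loses a permission is as much an outage risk as one that silently gains one.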
Custom roles are STATIC — they don't auto-update when Google adds new permissions to a service. Schedule a quarterly review where you compare each custom role to the equivalent predefined roles and add any new permissions your workload needs. Without this discipline, custom roles silently drift behind service capabilities.
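One way to run the quarterly review described above, as an added example that is not the builder's or Google's code. It assumes you keep a snapshot of the equivalent predefined role from the previous review and capture a fresh one with gcloud iam roles describe roles/ROLE --format=json (only includedPermissions is kept here); the predefined role name, the project id and all three snapshots below are constructed.

```python
"""Quarterly drift review for a static custom role (added example, not the builder's code).

Inputs mimic the JSON shape of `gcloud iam roles describe --format=json`, trimmed to the
fields used. The role name "roles/example.deployer" and every permission list are constructed.
"""
import json
import shlex

# Constructed snapshot of the predefined role as captured at the previous review.
PREDEFINED_LAST_REVIEW = json.loads("""{
  "name": "roles/example.deployer",
  "includedPermissions": [
    "run.services.get",
    "run.services.update",
    "run.services.list",
    "run.revisions.get"
  ]
}""")

# Constructed snapshot captured today: Google added one permission and retired another.
PREDEFINED_NOW = json.loads("""{
  "name": "roles/example.deployer",
  "includedPermissions": [
    "run.services.get",
    "run.services.update",
    "run.services.list",
    "run.services.getIamPolicy"
  ]
}""")

# Constructed custom role: derived from the predefined role, deliberately without list access.
CUSTOM_ROLE = json.loads("""{
  "name": "projects/example-project/roles/cicdDeployer",
  "stage": "GA",
  "includedPermissions": [
    "run.services.get",
    "run.services.update",
    "run.revisions.get"
  ]
}""")


def review_drift(custom_role, predefined_then, predefined_now):
    """Classify how the static custom role has drifted from the maintained predefined role."""
    custom = set(custom_role["includedPermissions"])
    then = set(predefined_then["includedPermissions"])
    now = set(predefined_now["includedPermissions"])
    added_by_google = now - then      # capability the custom role could not have inherited
    removed_by_google = then - now    # likely deprecated, yet the custom role still grants it
    return {
        "candidates_to_add": sorted(added_by_google - custom),
        "retired_but_still_granted": sorted(removed_by_google & custom),
        # Present in the predefined role since last review but never copied: design choices.
        "intentionally_omitted": sorted(now - custom - added_by_google),
    }


def remediation_command(custom_role, report):
    """Render a gcloud iam roles update command for the reviewer to confirm, or None."""
    _, project, _, role_id = custom_role["name"].split("/")
    parts = ["gcloud iam roles update", shlex.quote(role_id), "--project=" + shlex.quote(project)]
    if report["candidates_to_add"]:
        parts.append("--add-permissions=" + ",".join(report["candidates_to_add"]))
    if report["retired_but_still_granted"]:
        parts.append("--remove-permissions=" + ",".join(report["retired_but_still_granted"]))
    return " ".join(parts) if len(parts) > 3 else None


if __name__ == "__main__":
    report = review_drift(CUSTOM_ROLE, PREDEFINED_LAST_REVIEW, PREDEFINED_NOW)
    print(json.dumps(report, indent=2))
    print(remediation_command(CUSTOM_ROLE, report) or "no drift")
```

The three buckets matter more than the raw diff: "intentionally_omitted" is the least-privilege decision you made on purpose, and a reviewer should only have to look at the other two. The rendered update command is a proposal for a human to apply, not something to run automatically from the review job.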
Audit existing predefined roles BEFORE creating a custom role. Most teams' first instinct is 'I need a custom role', but ~80% of the time a predefined role at a more limited scope (folder vs org, or combined with IAM Conditions) achieves the same goal with zero maintenance overhead.
Project-level custom roles are scoped to one project and must be recreated in every project that needs them. Organization-level custom roles are visible across the whole organization and can be granted in any project under it. For roles you'll use in 3+ projects, create them at the org level to avoid repeated recreation.