Building Google Cloud Platform Solutions

IAM roles

All actions in Google Cloud Platform have some associated permission (the WHAT). These permissions generally relate to a specific API operation or group of operations, such as listing Compute Engine VMs or creating an App Engine service. Permissions take the form service.resource.action, written in lower case exactly as IAM reports them. For example, the permission compute.instances.list allows an actor to retrieve the list of Compute Engine VMs in a project.

While permissions offer fine-grained control over which actions an actor can take, any given activity on GCP will generally require multiple permissions. Building on the last example, there is very little utility in only being able to list VMs; a more realistic use case would be viewing all Compute Engine resources, which needs the get and list permissions for instances, disks, networks and so on. To this end, Cloud IAM implements IAM roles. A role is a named collection of permissions associated with some set of tasks. These roles tend to reflect real-world positions within organizations and help facilitate permission models that mirror organization structures. Permissions are never bound to an actor directly: the only way to grant a permission is to bind a role containing it, so the question to ask when reviewing access is always "which role carries this permission?"

Roles that are tied to a specific group of actions on a Google Cloud service are known as curated roles (Google now calls them predefined roles). In addition to curated roles, there are three primitive roles in Cloud IAM: owner, editor, and viewer (now called basic roles). These roles predate the current IAM system; they are granted at the project, folder or organization level and apply to every service and resource beneath that point. Primitive roles define the most basic levels of control and are concentric, meaning an owner has full editor rights and an editor has full viewer rights. Because they cut across every service, a primitive role granted for one narrow task is almost always far broader than the task needs; prefer a curated role scoped to the service in question.

Though Cloud IAM offers many roles that suit most organizational needs, there may be times when no role perfectly captures the needs of a specific position within your organization. Google meets this need with custom roles. Custom roles allow teams to create new roles with a specialized set of permissions, typically by starting from a curated role and removing what the position does not need. At the time of writing, this feature is in beta; it has since reached general availability. Two caveats apply: not every permission may be included in a custom role (each permission carries a custom-role support level), and a custom role is a static list, so it does not pick up new permissions that Google later adds to the curated role it was modelled on and must be maintained by its owners.
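The following Python script is an added example, not code from the book or from Google. It models the concepts above offline: permissions in the service.resource.action form, roles as permission sets, the concentric primitive roles, picking the smallest catalog role that covers a required set, and rendering a custom role in the YAML shape that gcloud iam roles create accepts. The role catalog is a constructed, heavily abbreviated subset of real roles (the real predefined roles carry hundreds of permissions), so it illustrates the nesting rather than describing any role's true contents.

```python
"""Offline reasoning about Cloud IAM permissions and roles.

Added example, not code from the book or from Google. ROLE_CATALOG is a
constructed, abbreviated subset of real GCP roles; check the live definition
with `gcloud iam roles describe ROLE` before acting on any result.
"""
import re
from typing import Dict, Iterable, Optional, Set, Tuple

# Permissions take the form service.resource.action, e.g. compute.instances.list.
PERMISSION_RE = re.compile(r"^([a-z][a-z0-9]*)\.([a-zA-Z0-9]+)\.([a-zA-Z0-9]+)$")

# Constructed sample catalog: a handful of real permission names per role,
# chosen to show how the roles nest, NOT the complete contents of any role.
_VIEWER = {
    "compute.instances.list", "compute.instances.get",
    "storage.objects.list", "storage.objects.get",
    "resourcemanager.projects.get",
}
_EDITOR = _VIEWER | {
    "compute.instances.create", "compute.instances.delete",
    "compute.instances.start", "compute.instances.stop",
    "storage.objects.create",
}
_OWNER = _EDITOR | {"resourcemanager.projects.setIamPolicy"}

ROLE_CATALOG: Dict[str, Set[str]] = {
    "roles/viewer": _VIEWER,
    "roles/editor": _EDITOR,
    "roles/owner": _OWNER,
    "roles/compute.viewer": {
        "compute.instances.list", "compute.instances.get",
        "compute.disks.list", "compute.disks.get",
    },
    "roles/compute.instanceAdmin.v1": {
        "compute.instances.list", "compute.instances.get",
        "compute.instances.create", "compute.instances.delete",
        "compute.instances.start", "compute.instances.stop",
        "compute.disks.list", "compute.disks.get",
    },
}


def parse_permission(perm: str) -> Tuple[str, str, str]:
    """Split a permission into (service, resource, action); reject malformed names."""
    m = PERMISSION_RE.match(perm)
    if not m:
        raise ValueError(f"not a service.resource.action permission: {perm!r}")
    return m.group(1), m.group(2), m.group(3)


def missing_permissions(required: Iterable[str], role: str) -> Set[str]:
    """Permissions in `required` that `role` does not grant (empty set = role suffices)."""
    required = set(required)
    for p in required:
        parse_permission(p)  # fail loudly on a typo instead of reporting it as "missing"
    return required - ROLE_CATALOG[role]


def least_privileged_role(required: Iterable[str]) -> Optional[str]:
    """Smallest catalog role covering every required permission, or None.

    Ties are broken by role name so the answer is deterministic."""
    required = set(required)
    candidates = [r for r, perms in ROLE_CATALOG.items() if required <= perms]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (len(ROLE_CATALOG[r]), r))


def primitive_roles_are_concentric() -> bool:
    """viewer ⊆ editor ⊆ owner, the nesting the text describes."""
    v, e, o = (ROLE_CATALOG[r] for r in ("roles/viewer", "roles/editor", "roles/owner"))
    return v <= e <= o


def custom_role_yaml(title: str, description: str, permissions: Iterable[str],
                     stage: str = "GA") -> str:
    """Render a role definition in the YAML shape `gcloud iam roles create --file` reads.

    The role ID and project are command-line arguments, not file fields:
      gcloud iam roles create vmOperator --project PROJECT_ID --file role.yaml
    """
    perms = sorted(set(permissions))
    for p in perms:
        parse_permission(p)
    lines = [f'title: "{title}"', f'description: "{description}"', f'stage: "{stage}"',
             "includedPermissions:"] + [f"- {p}" for p in perms]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # A position that only needs to see, start and stop existing VMs.
    need = {"compute.instances.list", "compute.instances.get",
            "compute.instances.start", "compute.instances.stop"}
    print("missing from roles/compute.viewer:", sorted(missing_permissions(need, "roles/compute.viewer")))
    print("smallest curated role that covers it:", least_privileged_role(need))
    print(custom_role_yaml("VM Operator", "Start and stop existing VMs", need))
```

For the sample position, the smallest curated role in the catalog is roles/compute.instanceAdmin.v1, which also grants create and delete; the rendered custom role carries only the four permissions actually needed, which is the trade-off the text describes.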

To view the complete list of roles available in your project, go to Navigation menu | IAM & admin | Roles. From here, users can find the roles associated with each service and see which permissions a given role carries. The same information is available from the command line with gcloud iam roles list and gcloud iam roles describe ROLE (for example, gcloud iam roles describe roles/compute.viewer), which is the more convenient route when you need to compare or audit roles. In addition, this page can be used to create and manage custom roles.