GCP- Create & Deploy Custom Roles with YAML
Google Cloud offers the ability to create custom roles at the project level and organization level. We will create a custom role and deploy it using a YAML file and some gcloud cli though cloudshell.
Before you begin, please ensure you have the right roles/permissions to create roles inside a project. A minimum permission of “iam.roles.create” is required.
General structure of YAML file needed for IAM
Below is the structure the YAML file needs to follow to create an IAM role:
title: role-title
description: role-description
stage: launch-stage
includedPermissions:
- permission-1
- permission-2
Creating a YAML file
Create the file by entering the follow command in cloudshell:
This creates a YAML file named securityanalyst; we now follow the structure needed to create the role inside the file.
Copy and paste the YAML structure inside your file and adjust to your preferences. In this example, I used permissions from log viewer and Compute Security Admin roles.
Deploying your custom role
Deploy the custom role using gcloud.
Here is the template of the command:
gcloud iam roles create role-id --project=project-id \
--file=yaml-file-path
What it looks like for me:
What the end results should look like if successful:
Additional tips
After creation, your custom role will be listable. Verify this by running the following command:
gcloud iam roles list --filter role-id --project=project-id
What running the command looks like in cloudshell:
If we need to get additional info for the custom role, we can use the describe command to help with further information:
Updating the custom role
Now that you deployed your custom role, you notice that it needs additional permissions. We simply update the existing role using the same YAML format method. You will need to run the describe command from above and copy the results. Create a new YAML file and paste the results of the describe command. If you need to add/remove permissions, edit the section “includedPermissions:”
In this example, I created a new YAML file called securityanalystv2 and added the permissions compute.firewalls.update:
Deploy the changes using the same exact method as before, but change the flag “— file” to your new YAML file. Here is what that should look like:
FIN!
If you need additional guidance, here is GCP documentation on creating custom IAM roles https://cloud.google.com/iam/docs/creating-custom-roles#iam-custom-roles-testable-permissions-console.
Bio: Jake has been in IT for 4 years and is currently an IT Engineer for Aunt Bertha. He currently holds a CompTIA S+ and Google ACE certification and is currently working on Google’s Professional Cloud Architect certification.