GCP- Create & Deploy Custom Roles with YAML


Google Cloud lets you create custom IAM roles at the project level and at the organization level. In this post we create a project-level custom role and deploy it from a YAML file with the gcloud CLI in Cloud Shell.

Before you begin, make sure the account you are using is allowed to create roles in the project. The minimum permission is iam.roles.create; the later steps (list, describe, update) also need iam.roles.list, iam.roles.get and iam.roles.update. The predefined Role Administrator role (roles/iam.roleAdmin) includes all of these.

Below is the structure the YAML file needs to follow to create an IAM role. The stage is the role's launch stage and must be one of ALPHA, BETA, GA, DEPRECATED, DISABLED or EAP; includedPermissions is the list of permission names the role grants:

title: role-title
description: role-description
stage: launch-stage
includedPermissions:
- permission-1
- permission-2

Create the file in Cloud Shell with the editor of your choice (the original post shows the command as a screenshot; for example, nano securityanalyst opens a new file in nano).

This creates a YAML file named securityanalyst; we now fill it in following the structure above.

Copy the YAML structure into your file and adjust it to your needs. In this example, I used permissions taken from the Logs Viewer and Compute Security Admin predefined roles. Not every permission can be used in a custom role; gcloud iam list-testable-permissions shows which ones are supported for a given resource, and the documentation linked at the end of this post explains how to read that list.

Deploy the custom role using gcloud.

Here is the template of the command:

gcloud iam roles create role-id --project=project-id \
--file=yaml-file-path

The original post shows the command and its output as screenshots. If the command succeeds, gcloud reports that the role was created and prints the resulting role, including its title, stage, includedPermissions and etag.

After creation, your custom role will be listable. Verify this by running the following command (the filter matches the role name, which has the form projects/project-id/roles/role-id):

gcloud iam roles list --filter role-id --project=project-id

The original post shows the output of this command in Cloud Shell as a screenshot.

If we need more detail about the custom role, the describe command prints its full definition (title, description, stage, includedPermissions, name and etag):

gcloud iam roles describe role-id --project=project-id

Now that you have deployed your custom role, you notice that it needs additional permissions. We update the existing role using the same YAML file method. Run the describe command from above and copy its output into a new YAML file. If you need to add or remove permissions, edit the “includedPermissions:” section; leave the etag line in place, because gcloud uses it to reject the update if someone else changed the role in the meantime.

In this example, I created a new YAML file called securityanalystv2 and added the permission compute.firewalls.update. Keep in mind that a permission like this lets the role holder change firewall rules, so add it only if the analyst really needs to, and review the full list before deploying.

Deploy the changes with the same command shape as before, but with the verb update instead of create and the “--file” flag pointing at your new YAML file:

gcloud iam roles update role-id --project=project-id \
--file=yaml-file-path

The original post shows this step as a screenshot; on success gcloud prints the updated role definition.
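To make the two procedures above (building a role file for gcloud iam roles create, then turning describe output into an update file) repeatable and less error-prone, here is an added example in Python. It is not code from the original post or from Google; it handles only the flat key/list subset of YAML that gcloud emits for roles, so it needs no third-party library. The project name, role ID, etag and permission lists in it are constructed for illustration, and the limits it checks (stage values, title and description length, 3000 permissions, role ID of 3 to 64 characters from letters, digits, period and underscore) are the ones documented for custom roles.

```python
"""Build, validate and update GCP custom-role YAML files for
`gcloud iam roles create|update --file=...`. Added example, not from the
original post; all names and permission sets below are constructed."""
import re

STAGES = {"ALPHA", "BETA", "GA", "DEPRECATED", "DISABLED", "EAP"}
# Permission names look like service.resource.verb, e.g. compute.firewalls.update
PERMISSION_RE = re.compile(r"^[a-z][a-zA-Z0-9]*(\.[a-zA-Z0-9]+){2,}$")
ROLE_ID_RE = re.compile(r"^[a-zA-Z0-9_.]{3,64}$")


def validate_role(title, description, stage, permissions):
    """Apply the documented limits locally, before gcloud is ever called."""
    errors = []
    if not title or len(title.encode()) > 100:
        errors.append("title must be 1-100 bytes")
    if len(description.encode()) > 300:
        errors.append("description must be at most 300 bytes")
    if stage not in STAGES:
        errors.append(f"stage {stage!r} is not one of {sorted(STAGES)}")
    bad = [p for p in permissions if not PERMISSION_RE.match(p)]
    if bad:
        errors.append(f"malformed permissions: {bad}")
    if len(permissions) != len(set(permissions)):
        errors.append("duplicate permissions in includedPermissions")
    if len(permissions) > 3000:
        errors.append("a custom role may contain at most 3000 permissions")
    if errors:
        raise ValueError("; ".join(errors))


def build_role_yaml(title, description, stage, permissions, etag=None):
    """Emit the file layout the article uses; etag is only present on updates."""
    validate_role(title, description, stage, permissions)
    lines = [f"title: {title}", f"description: {description}",
             f"stage: {stage}", "includedPermissions:"]
    lines += [f"- {p}" for p in permissions]
    if etag:
        lines.append(f"etag: {etag}")
    return "\n".join(lines) + "\n"


def parse_role_yaml(text):
    """Parse `gcloud iam roles describe` output: scalars plus one list."""
    role, key = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- ") and key is not None:
            role[key].append(line[2:].strip())
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        role[key] = value if value else []
    return role


def update_role(described_yaml, add=(), remove=()):
    """Turn describe output into an update file and report the permission diff.
    The etag is carried over so gcloud rejects the update if the role changed
    in the meantime; `name` is derived from role-id/project and is not re-sent."""
    role = parse_role_yaml(described_yaml)
    current = role.get("includedPermissions") or []
    removed = [p for p in current if p in set(remove)]
    kept = [p for p in current if p not in set(remove)]
    added = [p for p in add if p not in current]
    new_yaml = build_role_yaml(role["title"], role.get("description", ""),
                               role["stage"], sorted(kept + added),
                               etag=role.get("etag"))
    return new_yaml, added, removed


def gcloud_role_command(verb, role_id, project, path):
    """argv for `gcloud iam roles create|update role-id --project=... --file=...`."""
    if verb not in ("create", "update"):
        raise ValueError("verb must be create or update")
    if not ROLE_ID_RE.match(role_id):
        raise ValueError(f"invalid role id {role_id!r}")
    return ["gcloud", "iam", "roles", verb, role_id,
            f"--project={project}", f"--file={path}"]


# Constructed sample of `gcloud iam roles describe securityanalyst` output.
DESCRIBE_OUTPUT = """\
description: Read logs and manage firewall rules
etag: BwXkL0a0Z9E=
includedPermissions:
- compute.firewalls.get
- compute.firewalls.list
- logging.logEntries.list
name: projects/example-project/roles/securityanalyst
stage: GA
title: Security Analyst
"""

if __name__ == "__main__":
    new_yaml, added, removed = update_role(
        DESCRIBE_OUTPUT, add=["compute.firewalls.update"],
        remove=["logging.logEntries.list"])
    print("added:", added, "removed:", removed)
    print(new_yaml)
    print(" ".join(gcloud_role_command("update", "securityanalyst",
                                       "example-project", "securityanalystv2")))
```

Running it prints the permission diff and the update file with the etag preserved, then the exact gcloud invocation to deploy it; the diff output is what you would paste into a change ticket so reviewers see precisely which permissions a "security analyst" gains or loses.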

FIN!

If you need additional guidance, here is GCP documentation on creating custom IAM roles https://cloud.google.com/iam/docs/creating-custom-roles#iam-custom-roles-testable-permissions-console.

Bio: Jake has been in IT for 4 years and is currently an IT Engineer for Aunt Bertha. He holds the CompTIA Security+ and Google ACE certifications and is working toward Google’s Professional Cloud Architect certification.

LinkedIn: https://www.linkedin.com/in/jacob-c-luna/
