GCP IAM Roles: Basic vs Predefined vs Custom Roles
Understanding the three types of GCP IAM roles is essential for managing access control in Google Cloud. This guide explains when to use basic, predefined, and custom roles for your projects.
Managing access control in Google Cloud Platform requires understanding the three distinct types of GCP IAM roles available to you. Each type serves different organizational needs and provides varying levels of granularity in permission management. Whether you're setting up a new project or refining existing access controls, choosing the right type of role determines how effectively you can balance security with operational efficiency.
The three role types in Google Cloud are basic roles, predefined roles, and custom roles. These aren't interchangeable options but rather a progression from broad access patterns to increasingly precise control. Understanding how GCP IAM roles work and when to use each type helps you implement proper security boundaries while enabling teams to work effectively across services like BigQuery, Cloud Storage, and Compute Engine.
Understanding the Three Types of GCP IAM Roles
Google Cloud organizes IAM roles into three categories based on how they're created and the scope of permissions they grant. Basic roles are the original, coarse-grained roles that apply broadly across all services in a project. Predefined roles are created and maintained by Google, each designed around specific job functions or service interactions. Custom roles are defined by your organization to match your exact permission requirements when neither basic nor predefined roles fit your needs.
The organizing principle behind these categories is specificity and control. Basic roles cast a wide net, predefined roles target specific use cases, and custom roles give you complete control over individual permissions. This hierarchy exists because different scenarios demand different trade-offs between simplicity and precision.
Basic Roles: Project-Level Access Patterns
Basic roles in Google Cloud are the legacy IAM roles that existed before the introduction of more granular options. There are only three basic roles: Owner, Editor, and Viewer. These roles apply across all Google Cloud services within a project and grant thousands of permissions collectively.
The Viewer role grants read-only access to resources across the project. Someone with this role can examine configurations, view data in BigQuery tables, and list Cloud Storage buckets, but cannot modify anything. The Editor role includes all Viewer permissions and adds the ability to modify resources. Editors can create virtual machines, write data to Cloud Storage, and execute queries that modify BigQuery datasets. The Owner role includes all Editor permissions plus the ability to manage IAM policies, set up billing, and delete projects.
A solar farm monitoring company might assign the Viewer role to external auditors who need to verify data collection processes but shouldn't change configurations. Their data engineering team might receive Editor access to build pipelines and process sensor data from thousands of solar panels. Only the infrastructure lead would have Owner access to manage billing and assign permissions to new team members.
Basic roles create significant security concerns because they grant far more permissions than needed for specialized tasks. An engineer who only needs to run BigQuery queries receives thousands of unrelated permissions across Compute Engine, Cloud Storage, and dozens of other services when assigned the Editor role. This violates the principle of least privilege and expands your attack surface unnecessarily.
You assign basic roles the same way as other IAM roles, but they appear with simple names in the console:
gcloud projects add-iam-policy-binding PROJECT_ID \
--member="user:engineer@example.com" \
--role="roles/viewer"Basic roles work at the project level or higher in the resource hierarchy. You can assign them at the organization or folder level, where they cascade down to all contained projects. This broad application makes them powerful but dangerous tools for access control.
Predefined Roles: Google-Managed Job Function Permissions
Predefined roles are created and maintained by Google to match common job functions and use cases within GCP. There are hundreds of predefined roles, each containing a curated set of permissions for specific activities. When Google Cloud adds new features or APIs, the relevant predefined roles are automatically updated to include appropriate permissions.
These roles follow a naming pattern that indicates their scope and purpose. For example, roles/bigquery.dataEditor grants permissions to create, update, and delete BigQuery datasets and tables but not to run queries. The role roles/bigquery.jobUser allows running queries and creating jobs but doesn't permit modifying table schemas. The role roles/storage.objectViewer enables reading objects from Cloud Storage buckets without the ability to write or delete them.
A telehealth platform processing patient consultation records would use predefined roles extensively. Their data analysts might receive roles/bigquery.dataViewer and roles/bigquery.jobUser to query anonymized patient data for utilization analysis. The data engineering team building ETL pipelines would get roles/dataflow.developer to create and manage Dataflow jobs, plus roles/bigquery.dataEditor to manage destination tables. Compliance officers reviewing access logs would receive roles/logging.viewer to examine audit trails without the ability to modify resources.
Predefined roles typically apply to specific services or narrow domains within Google Cloud. Some predefined roles work across multiple services when job functions naturally span them. The roles/cloudsql.client role, for instance, grants permissions needed for applications to connect to Cloud SQL instances but nothing else.
You can examine the exact permissions in any predefined role:
gcloud iam roles describe roles/bigquery.dataEditorThis command shows all included permissions, which typically range from a few to several dozen depending on the role's scope. Predefined roles strike a balance between the excessive breadth of basic roles and the maintenance overhead of custom roles.
Google manages the lifecycle of predefined roles, which means they receive updates when new permissions are needed for existing features or when security best practices evolve. A predefined role you assign today might include additional permissions next year as the underlying service expands. This automatic maintenance reduces your operational burden but means you should periodically review which predefined roles your organization uses and whether the permission sets still align with your security requirements.
Custom Roles: Tailored Permission Combinations
Custom roles let you define exactly which permissions to include, giving you complete control over access boundaries. You create custom roles at the organization or project level by selecting individual permissions from Google Cloud's permission catalog. Once created, custom roles work identically to predefined roles in how you assign them to users, groups, and service accounts.
Organizations create custom roles when predefined roles either grant too many permissions or don't include the right combination needed for specific job functions. A trading platform might need a role that allows viewing Cloud Spanner database schemas and reading from specific tables but explicitly excludes any mutation permissions. No predefined role matches this exact requirement, so they create a custom role containing only schema inspection and read permissions.
Creating a custom role requires understanding the permission model in GCP. Permissions use the format service.resource.verb, such as bigquery.tables.get or storage.objects.create. You select the specific permissions needed and combine them into a role definition:
gcloud iam roles create bigQueryReadOnlySchemaViewer \
--project=PROJECT_ID \
--title="BigQuery Read-Only Schema Viewer" \
--description="Can view table schemas and metadata but not data" \
--permissions=bigquery.datasets.get,bigquery.tables.get,bigquery.tables.list \
--stage=GAAn agricultural IoT company monitoring soil conditions across thousands of farms might create custom roles for different operational needs. Their field technicians need to view sensor configurations and recent readings but shouldn't modify collection parameters. A custom role combining read permissions for IoT Core devices and BigQuery table data, without any write or update permissions, matches this requirement precisely.
Custom roles introduce maintenance responsibilities that predefined roles avoid. When Google Cloud adds new features or changes service APIs, your custom roles don't automatically update. You must monitor service changes and update custom role definitions when new permissions become relevant or when deprecated permissions need removal. This ongoing maintenance represents real operational cost.
Some permissions cannot be included in custom roles. These restricted permissions typically involve sensitive operations like IAM policy management or service account key creation. Google Cloud prevents their inclusion in custom roles to maintain security boundaries. You can check whether a specific permission supports custom roles by describing it:
gcloud iam list-testable-permissions //cloudresourcemanager.googleapis.com/projects/PROJECT_IDCustom roles work at the project or organization level but not at the folder level. A custom role created in one project isn't automatically available in other projects. Organization-level custom roles apply across all projects within the organization, making them suitable for standardized functions that span multiple projects.
Comparing Role Types in Google Cloud Platform
The practical differences between basic, predefined, and custom GCP IAM roles affect how you design access control strategies. Each type exists because it solves different problems in permission management.
| Characteristic | Basic Roles | Predefined Roles | Custom Roles |
|---|---|---|---|
| Permission Scope | Thousands across all services | Targeted to specific job functions | Exactly what you define |
| Management | Google-managed | Google-managed | Customer-managed |
| Automatic Updates | Yes | Yes | No |
| Number Available | Three total | Hundreds | Unlimited (within quotas) |
| Suitable for Production | Rarely recommended | Often appropriate | When specific needs exist |
| Creation Level | N/A (built-in) | N/A (built-in) | Project or organization |
Basic roles should rarely appear in production environments except for Owner assignments to a small number of administrators. The broad permissions they grant create security risks that outweigh their simplicity. Development and testing environments sometimes use basic roles for convenience, but even there, predefined roles often provide better security without significant additional complexity.
Predefined roles should be your default choice when managing access in Google Cloud. Google's service teams design these roles based on real usage patterns and update them as services evolve. The role roles/bigquery.admin grants full control over BigQuery resources, while roles/bigquery.dataViewer permits only reading data. This granularity lets you match roles closely to actual job requirements without creating custom definitions.
Custom roles become necessary when your security model requires permission combinations that predefined roles don't provide. A payment processor might need service accounts that can write transaction records to BigQuery and publish to specific Pub/Sub topics but nothing else. If predefined roles grant additional permissions beyond this scope, custom roles enforce stricter boundaries.
Role Relationships and Combined Usage
These three role types aren't mutually exclusive options. Users and service accounts often receive multiple role assignments that work together to provide needed access. A data scientist might have a predefined role for BigQuery access, another predefined role for Vertex AI usage, and a custom role that permits reading from specific Cloud Storage buckets containing training data.
Permissions from multiple role assignments combine additively in Google Cloud. When a user has multiple roles, they receive the union of all permissions those roles grant. This means you can layer specific predefined roles to build comprehensive access patterns without creating complex custom roles. A mobile game studio might assign roles/dataflow.developer, roles/bigquery.jobUser, and roles/storage.objectCreator to pipeline developers, giving them exactly the permissions needed across three services through predefined roles.
The inheritance hierarchy in GCP affects how roles apply across resource levels. Roles assigned at the organization level flow down to all folders and projects. Project-level role assignments apply only within that project. This hierarchy lets you establish baseline access at higher levels using predefined roles while adding project-specific permissions through additional role grants.
A common misconception suggests that custom roles always provide better security than predefined roles. The truth is more nuanced. Custom roles offer precise control but require ongoing maintenance and deep understanding of permission models. Predefined roles benefit from Google's expertise and automatic updates. Security comes from choosing appropriate roles and following least privilege principles, not from role type alone.
Choosing the Right Role Type
Selecting which type of GCP IAM role to use depends on several practical factors. Start with predefined roles and move to custom roles only when clear gaps exist in the available options. Basic roles should be avoided except in tightly controlled scenarios.
Use predefined roles when they closely match your requirements. The threshold for "close enough" involves security trade-offs. If a predefined role grants a few extra permissions that don't create significant risk, accepting it avoids custom role maintenance. If those extra permissions enable actions that violate security policies or compliance requirements, creating a custom role becomes justified.
A podcast network processing listener analytics might initially assign roles/bigquery.dataEditor to their analytics team. This predefined role grants table creation, data insertion, and schema modification permissions. If security reviews later determine that analysts should read and query data but never modify schemas, a custom role becomes necessary to enforce this boundary.
Consider the operational lifecycle of permissions when deciding on custom roles. Services under active development require frequent permission updates. Creating custom roles for rapidly evolving services increases maintenance burden as new features require permission additions. Predefined roles managed by Google handle this evolution automatically.
Organization size and security maturity influence these decisions. Smaller organizations with limited security teams often benefit from relying on predefined roles to reduce operational complexity. Large enterprises with dedicated security operations often create extensive custom role libraries to enforce precise access boundaries across hundreds or thousands of projects.
Implementation Patterns in Real Projects
Examining how organizations actually use different role types reveals practical patterns. A hospital network managing patient scheduling and medical records across Google Cloud uses primarily predefined roles for routine access. Nurses receive roles/healthcare.datasetViewer to access de-identified data for operational planning. Database administrators get roles/cloudsql.admin to manage Cloud SQL instances containing scheduling information.
The same hospital network creates custom roles for their compliance and security teams. Auditors need to review access logs and security configurations without the ability to modify resources. The predefined roles/logging.viewer grants read access to logs but doesn't include permissions to examine IAM policies. They create a custom role combining logging permissions with resourcemanager.projects.getIamPolicy and similar read-only IAM inspection permissions.
Service accounts in automated workflows often receive custom roles because their permission needs are highly specific. A Dataflow pipeline that reads from Cloud Storage, processes data, and writes results to BigQuery needs exactly those permissions and nothing else. While you could combine predefined roles like roles/storage.objectViewer and roles/bigquery.dataEditor, a custom role containing only the required permissions reduces security exposure if the service account credentials are compromised.
Certification Exam Considerations
The Google Cloud Professional Data Engineer certification exam tests understanding of IAM role types and when to apply each. Exam scenarios often present situations where you must choose the most appropriate role type based on security requirements, operational constraints, and least privilege principles.
Questions might describe a data engineering team needing specific permissions and ask which role type best meets the requirements. Understanding that basic roles grant excessive permissions, predefined roles cover common patterns, and custom roles provide precise control helps you eliminate incorrect answers. The exam evaluates whether you can identify situations where custom roles become necessary versus where predefined roles suffice.
Practical Approach to Role Selection
Building effective access control in Google Cloud Platform means understanding the capabilities and limitations of basic, predefined, and custom GCP IAM roles. Basic roles remain useful for understanding Google Cloud's permission model but rarely belong in production environments. Predefined roles should form the foundation of your access control strategy, providing well-designed permission sets that Google maintains and updates. Custom roles fill gaps when predefined options grant too much access or don't cover specific combinations your organization requires.
The decision between these role types isn't about which is universally better but about matching the right tool to your specific security requirements and operational capabilities. Start with predefined roles, monitor whether they meet your needs, and create custom roles only when clear security or compliance reasons justify the additional maintenance burden.