GCP infrastructureIntermediate28 min read

What Does Custom role Mean?

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

In Google Cloud, a custom role lets you create your own set of permissions instead of using the built-in roles. You pick exactly which actions a user or service account can perform. This is useful when you need to grant only the specific permissions required for a task, reducing unnecessary access.

Commonly Confused With

Custom rolevsPredefined role

A predefined role is a ready-made set of permissions created and maintained by Google Cloud for common job functions (e.g., Compute Admin, Storage Object Admin). A custom role is one you create yourself by selecting exact permissions. Predefined roles are updated by Google and may change over time, while custom roles are static unless you edit them. You cannot modify the permissions of a predefined role; you can only use it as is. Custom roles give you fine-grained control.

If you need a user to only list Cloud Storage objects, you could use the predefined role roles/storage.objectViewer. But if you also need that user to be able to upload objects (but not delete or overwrite), no single predefined role fits, you create a custom role with storage.objects.create and storage.objects.get.

Custom rolevsPrimitive role

Primitive roles (Owner, Editor, Viewer) are the broadest and oldest roles in GCP. They grant permissions across all services in a project. Custom roles are narrow and service-specific. Primitive roles are often considered too permissive for security, while custom roles are the best practice for least privilege. Primitive roles cannot be customized at all.

Assigning the Editor role to a data entry clerk gives them permission to delete databases and shut down VMs. A custom role with only storage.objects.create is far more appropriate.

Custom rolevsService account

A service account is a special type of Google account that represents a non-human user (like an application or a VM). It is not a role. A custom role is a set of permissions that can be assigned to any principal, including service accounts. You assign a custom role to a service account to grant the application the specific permissions it needs. Confusing these terms can lead to granting permissions to the wrong entity.

You create a custom role called 'bucketWriter' with storage.objects.create. Then you assign that custom role to a service account that runs a backup script. The service account is the identity, the custom role is the permission set.

Custom rolevsIAM policy binding

An IAM policy binding is the attachment of a role (predefined or custom) to a principal (user, group, service account). The custom role itself is just a definition of permissions; the binding is what actually grants those permissions. Learners sometimes say 'I created a custom role' without also creating the binding, so the permissions are not effective. The two must go together.

You create a custom role 'vmViewer' with compute.instances.list. Then you must bind the role to user alice@example.com using 'gcloud projects add-iam-policy-binding'. Without the binding, Alice cannot list instances.

Must Know for Exams

In the Google Cloud Associate Cloud Engineer (ACE) exam, custom roles appear in several key domains, primarily under IAM and Security Best Practices. The exam guide explicitly lists “IAM roles (primitive, predefined, custom)” as a core objective. You can expect multiple-choice questions that ask you to identify when to use a custom role over a predefined role, or to interpret a scenario where a user needs a specific set of permissions that are not covered by a single predefined role.

The objective tests your understanding of the principle of least privilege and the steps to create, update, and delete custom roles. Questions often present a scenario like: “A developer needs to be able to deploy Cloud Functions and view logs but should not be able to delete any resources. You want to follow best practices.

Which approach should you take?” The correct answer is to create a custom role with the exact permissions for Cloud Functions deploy and log viewing, avoiding the broader Editor role. Another typical question type involves ordering the steps to create a custom role: first, list the available permissions, then create the role with the correct flag, then assign it to a user.

You might also see a scenario where a custom role is assigned but a user cannot perform an action, you must troubleshoot whether the permission is actually included in the custom role. The exam may also test that custom roles can be scoped at the organization, folder, or project level, and that you cannot delete a role that is still assigned. Another trap is that custom roles cannot be used to grant the iam.

serviceAccounts.actAs permission in all contexts; the exam will test whether you understand that service account impersonation requires the Service Account User role, not just the permission in a custom role. You may be asked to compare custom roles with predefined roles when cost management or compliance is mentioned.

The exam will sometimes present an ambiguous scenario where a predefined role might be more appropriate because creating a custom role could introduce more complexity than needed, for example, if the needed permission already exists in a concise predefined role like roles/storage.objectViewer. The key is to recognize that custom roles are for cases where no single predefined role meets the exact need.

Also, note that custom roles have a quota of 300 per organization (or per project if no organization). A question might ask about that limit. For the Professional Cloud Security Engineer exam, custom roles get deeper treatment, but for ACE, you only need operational knowledge.

However, because ACE is a foundation exam, you must be comfortable with the gcloud command: gcloud iam roles create, gcloud iam roles update, gcloud iam roles list, and gcloud iam roles delete. Commands like gcloud iam list-testable-permissions help you discover permissions. The exam might also test that you can define a custom role in YAML and import it.

Finally, you should remember that custom roles are not available for every Google Cloud service, some services like certain machine learning APIs only support predefined roles. The exam expects you to recognize that limitation and choose a predefined role when a custom role is not possible. Overall, custom roles are a frequent topic that can separate well-prepared candidates from those who simply memorize without understanding the principle of least privilege.

Simple Meaning

Think of Google Cloud permissions like keys to different rooms in a large office building. The predefined roles are like master key sets, one set might open every door in the building (Owner role), another might open most doors but not the secure server room (Editor role), and another only opens the reception area and common spaces (Viewer role). But what if you have a team member who only needs to start and stop virtual machines, or a database specialist who only needs to manage certain databases without touching the network?

The predefined master key sets are either too restrictive or too permissive. That is where a custom role comes in. A custom role is like having a locksmith create a key that opens exactly the doors you decide, and no others.

You can include permissions to start a compute instance but not delete it, or to read logs but not change settings. This granularity is the heart of the principle of least privilege: give each person exactly the access they need to do their job, nothing more. In Google Cloud, you define a custom role by listing the specific API permissions (like compute.

instances.start or storage.objects.list) and then assign that role to users or service accounts. This is powerful for security because if a user’s account is compromised, the damage is limited to only the permissions in that custom role.

Creating a custom role involves three steps: you choose the role ID, specify which permissions to include, and then define the role in your project or organization. Once created, you can assign it like any other role. You can also update custom roles later if needs change.

This flexibility is essential for organizations with complex compliance requirements or unique workflows.

Full Technical Definition

A custom role in Google Cloud Platform (GCP) is an Identity and Access Management (IAM) role that you define yourself by combining a set of permissions from the list of available API permissions. Unlike the three primitive roles (Owner, Editor, Viewer) or the hundreds of predefined roles (e.g., roles/compute.admin, roles/storage.objectViewer), custom roles allow you to specify exact permissions down to the API method level. Each permission corresponds to a specific Google Cloud API operation, for example, compute.instances.start, cloudfunctions.functions.create, or iam.serviceAccounts.actAs. A custom role is defined using a YAML or JSON file that includes the role title, description, a unique role ID (which becomes part of the role name, like projects/my-project/roles/myCustomRole), and a list of included permissions. When you create a custom role, it is scoped to a specific project, folder, or organization. You can also promote a role to organization level for reuse across projects. The permissions in a custom role must exist in the IAM permission list; you cannot invent new permissions. Once a custom role is created, it can be assigned to IAM principals (users, groups, service accounts, or Google Workspace domains) via IAM policies in the same way as predefined roles. Custom roles support the concept of “staged” and “launched” permission states, some permissions are in alpha or beta and may not be available for use in custom roles in production. Google Cloud also enforces a quota: you can create up to 300 custom roles per organization (or 300 per project if not using an organization node). Permissions can be added or removed from a custom role at any time, and those changes propagate to all principals assigned that role within minutes. However, you cannot delete a custom role if it is currently assigned to any principal; you must first remove the assignments. Custom roles are critical for implementing least privilege: for instance, a DevOps engineer might need only compute.instances.list, compute.instances.get, and compute.instances.start/stop, but not compute.instances.delete or compute.instances.setMetadata. By using a custom role, you prevent that engineer from accidentally or maliciously deleting production VMs. In IAM policy binding, custom roles are referenced by their full resource name, such as projects/my-project/roles/myCustomRole. The IAM policy is then evaluated when a principal makes an API call, checking if the principal has a role that includes the required permission. Custom roles also support the inclusion of permissions from multiple services, for example, a role might include both Compute Engine and Cloud Storage permissions. This makes them flexible for cross-service workflows. One important technical nuance: custom roles cannot be used to grant permissions for certain sensitive operations like setting IAM policies themselves, because the permission iam.serviceAccounts.setIamPolicy is not allowed in custom roles. This restriction prevents privilege escalation. Also, Google Cloud audits changes to custom roles via Cloud Audit Logs, so you can track who modified a role. For the Google Cloud Associate Cloud Engineer exam, you need to know how to create a custom role using the gcloud command line, the Cloud Console, and the IAM API. Understanding the difference between primitive, predefined, and custom roles is a core objective. The command syntax is: gcloud iam roles create custom_role_id --project=project_id

--title=title

--description=description

--permissions=permission1,permission2. To update, use gcloud iam roles update. To list available permissions, use gcloud iam list-testable-permissions. Finally, remember that custom roles are not available for all services; some newer services may not have their permissions exposed for custom role creation yet.

Real-Life Example

Imagine you run a small family restaurant with a kitchen, a dining area, and a storage room. You have the owner (you), the head chef, the waitstaff, and the dishwasher. The predefined roles would be like giving everyone a master key that opens every door, the owner can lock up the register, the chef can access the wine cellar, waitstaff can enter the kitchen, and the dishwasher can go into the office.

This is risky because anyone could accidentally lock themselves in the freezer or mess with the inventory system. Instead, you want custom keys. You create a custom key for the head chef that opens the kitchen door, the walk-in cooler, and the spice cabinet, but not the cash register or the employee files.

You create a custom key for the waitstaff that opens the dining area, the service window, and the front door, but not the back office or the food storage. You create a custom key for the dishwasher that opens only the kitchen entrance and the cleaning supply closet. These custom keys are exactly like custom roles in GCP.

They give each person the specific access they need to do their job effectively without exposing sensitive areas. In the restaurant, if the dishwasher loses their key, the damage is limited, they cannot access the cash register or the recipe book. Similarly, if a service account with a custom role gets compromised, the attacker can only do what that custom role allows.

This is the practical benefit: you tailor access to real-world job responsibilities. In Google Cloud, you might have a data analyst who only needs to query BigQuery tables (bigquery.tables.

getData) but not delete them. You create a custom role with just that permission and assign it. This prevents accidental data loss. The custom role is not a generic ‘viewer’, it is a precise set of permissions designed for that specific task.

In real-world IT environments, custom roles are used extensively in regulated industries like finance and healthcare, where auditors require that each user has the minimum necessary access. The custom role becomes your tool to meet compliance requirements like SOC 2, HIPAA, or PCI DSS. It also simplifies onboarding: new employees get a custom role that matches their function without you having to figure out which predefined roles are safe to assign.

Over time, as job functions change, you update the custom role in one place, and all users assigned that role automatically get the updated permissions. This keeps your access management clean and auditable. The restaurant analogy works because it is about physical access control, keys that open specific doors, which maps directly to digital permissions that allow or deny specific API calls.

Why This Term Matters

Custom roles matter because they are the primary mechanism to enforce the principle of least privilege in Google Cloud environments. In any IT organization, security is paramount, and one of the most common attack vectors is over-privileged accounts. When users or service accounts have more permissions than they need, a single compromised credential can lead to massive data breaches, accidental deletions, or resource hijacking.

Custom roles let you narrow permissions to the exact actions a user must perform. For example, a DevOps engineer who needs to restart VMs during maintenance does not need permission to create new VMs or delete persistent disks. By using a custom role with only compute.

instances.start, compute.instances.stop, and compute.instances.get, you drastically reduce the blast radius. Practical IT implementation also demands that access be auditable and reversible.

Custom roles allow you to define roles that align with organizational chart, job descriptions, and compliance frameworks. When an auditor asks why a specific user can access a sensitive dataset, you can point to the custom role that grants only list and get permissions on that dataset, not delete or update. Custom roles also simplify the management of many users who share the same job function.

Instead of assigning eight different predefined roles to a group, you create one custom role with the exact permission set and assign it to the entire group. If the job function changes, you update the custom role once, and all group members inherit the change. This reduces administrative overhead and the risk of configuration drift.

In real-world cloud implementations, especially in organizations that run hybrid workloads or have multiple projects, custom roles become a cornerstone of IAM governance. They also support multi-project and organization-wide scoping, making them suitable for large enterprises. For IT professionals, knowing how to design, create, and audit custom roles is a critical skill.

Misconfigured custom roles can inadvertently grant too much access (e.g., forgetting to exclude compute.instances.delete) or cause breakage if a needed permission is missing. Therefore, careful planning and testing are essential.

The Google Cloud Associate Engineer exam tests your ability to reason about when a custom role is appropriate versus when a predefined role suffices. You must also understand the limitations, custom roles cannot include permissions that require additional authorization steps (like iam.serviceAccounts.

getAccessToken) and cannot include permissions that are only available in alpha or beta stages unless the role is also staged. Overall, custom roles are a fundamental tool for secure, compliant cloud management. Without them, cloud environments tend to drift toward excessive privileges, which is a leading cause of security incidents.

How It Appears in Exam Questions

Questions about custom roles in the Google Cloud ACE exam typically fall into three patterns: scenario-based decision, configuration steps, and troubleshooting. In scenario-based questions, you are given a specific job responsibility and a set of permissions required. For example: “A data scientist needs to run BigQuery queries and create datasets in a specific project.

They should not be able to delete tables or modify table schemas. What should you do?” The answer choices might include assigning the BigQuery Data Editor predefined role, creating a custom role with only bigquery.

datasets.create, bigquery.jobs.create, and bigquery.tables.getData, or assigning the primitive Editor role. The correct answer is to create a custom role with the exact permissions.

Another scenario: “An intern should only be able to list Compute Engine instances in a project but not start, stop, or delete them. Which role should you assign?” The answer is a custom role with compute.

instances.list permission only. Configuration step questions typically ask you to put the steps in order. For example: “To create a custom role, what is the correct sequence?” The steps are: 1.

Determine the needed permissions using gcloud iam list-testable-permissions, 2. Create the custom role with gcloud iam roles create with the permissions list, 3. Assign the role to a user or service account.

Troubleshooting questions present a situation where a user with a custom role cannot perform an action they expected to be able to do. For instance, “A user with a custom role including compute.instances.

start cannot start an instance. What is the likely cause?” The answer could be that the custom role is missing the compute.instances.get permission (which is often required to read the instance state before starting).

Another common trap: the custom role lacks iam.serviceAccounts.actAs when trying to start an instance with a service account attached. The exam may also present a situation where a custom role is created at the project level but the user is trying to use it in a different project, the role is not inherited unless it was created at the organization level.

Another pattern: a custom role includes many permissions, and the question asks you to identify which permission should not be included to follow least privilege. For example, when creating a role for a storage administrator, you include storage.buckets.

get but accidentally include storage.buckets.delete, you must realize that deletion permission is too broad. The exam may also ask about the limitation of custom roles: “Which of the following permissions CANNOT be included in a custom role?

” Options might include iam.serviceAccounts.setIamPolicy, compute.instances.list, or storage.objects.create, the correct answer is iam.serviceAccounts.setIamPolicy because it is a security-sensitive permission that is not allowed.

Finally, questions might ask about the quota: “How many custom roles can you have per organization?” The answer is 300. Some questions combine custom roles with service account impersonation: “You want a Compute Engine VM to be able to read objects from a Cloud Storage bucket.

You create a custom role with storage.objects.get and assign it to the compute service account. The VM still cannot read. What is missing?” The answer is that the compute service account likely needs the role granted at the bucket level or the VM needs the correct scope.

Understanding these patterns will help you quickly identify the correct reasoning.

Practise Custom role Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

Imagine you are an IT administrator at a university. The university uses Google Cloud to host a student portal, research databases, and administrative systems. You have a student intern named Maya who is helping with data entry.

Maya needs to upload files to a specific Cloud Storage bucket called student-submissions, but she should not be able to see or delete files uploaded by other students. She also needs to start and stop a small Compute Engine instance that runs a script to process new submissions, but she should not be able to delete that instance or create new ones. You look at the predefined roles.

The Storage Object Creator role would allow Maya to upload but also to list objects? Actually, Storage Object Creator does not list or read, but it also does not allow starting instances. The Instance Admin role would let her start and stop instances but also delete them and create them.

None of the predefined roles fit exactly without giving extra permissions. So you decide to create a custom role. You name it studentUploadProcessor. You include the exact permissions: storage.

objects.create for the student-submissions bucket (so Maya can upload files but not list or delete), compute.instances.start to start the instance, compute.instances.stop to stop it, and compute.

instances.get to get details about the instance (the start and stop actions actually require get permission). You do NOT include compute.instances.delete, compute.instances.create, storage.

objects.list, or storage.objects.delete. You then assign this custom role to Maya’s user account at the project level. Now Maya can do her job: she can upload new submissions and start/stop the processing instance.

She cannot access other students’ files, cannot delete the instance, and cannot create any new resources. This scenario is exactly what you might see in an exam question: a clear need for a custom role because the predefined roles either give too much access (like Editor) or too little (like Viewer). The exam will present a similar requirement and expect you to select the custom role approach.

This scenario also illustrates the practical benefit: Maya’s account, if compromised, cannot delete the student-submissions bucket or permanently destroy the instance. The custom role limits the damage. If the university later decides that Maya should also be able to list the files she uploaded (but still not see others), you can update the custom role to add storage.

objects.list, and Maya automatically gets the new permission on her next API call. This dynamic update capability is a powerful feature for managing access as roles evolve. In an exam question, they might ask: “What is the most secure way to grant Maya the necessary permissions?

” The answer: create a custom role with the exact permissions needed and assign that role to Maya.

Common Mistakes

Using the primitive Editor role instead of a custom role when least privilege is needed

The Editor role grants full write access to all resources in a project, except IAM. It is far too broad. A developer who only needs to deploy Cloud Functions and view logs would be able to delete databases, shut down instances, and modify networking. This violates the principle of least privilege and increases the attack surface.

If the developer needs only a specific subset of permissions, create a custom role with exactly those permissions (e.g., cloudfunctions.functions.create, cloudfunctions.functions.get, logging.logEntries.list). Assign that custom role instead of Editor.

Including permissions that are not actually needed because they sound helpful

Adding unnecessary permissions (like compute.instances.delete when only start/stop is needed) grants more access than intended. This can lead to accidental or malicious resource deletion. It also complicates audit reviews because the role scope is larger than necessary.

Use the principle of least privilege: start with the minimum set of permissions required for the job. You can always add permissions later if needed. Use gcloud iam list-testable-permissions to identify the exact permissions for the actions you want to allow.

Forgetting that certain permissions require other permissions to work (e.g., compute.instances.start requires compute.instances.get)

If you assign only compute.instances.start without compute.instances.get, the user may not be able to start an instance because the API first needs to read the instance state. This results in an error and a broken user experience.

Before creating the custom role, consult the Google Cloud IAM permissions documentation for each service to understand prerequisite permissions. For Compute Engine start/stop, always include compute.instances.get. Use gcloud iam roles create with the full set of permissions, and test the role with a non-production account.

Creating a custom role at project level when the role should be defined at organization or folder level for reuse

A custom role created at the project level is only available in that specific project. If you have 50 projects and need the same role in each, you would have to create it 50 times and maintain it separately in each project, leading to configuration drift and extra overhead.

If the same custom role is needed in multiple projects under the same organization, create the role at the organization level using the --organization flag. Then it can be assigned in any project within that organization. Use gcloud iam roles create --organization=ORG_ID for that.

Deleting a custom role that is still assigned to users

Google Cloud IAM prevents deleting a role that has active bindings. If you try, you will get an error. But if you force-remove the bindings first and then delete the role, all users who relied on that role will immediately lose access, potentially causing service outages.

Before deleting a custom role, ensure no principals are assigned to it. Use gcloud projects get-iam-policy to check bindings, and remove any bindings that reference the custom role. Then delete the role using gcloud iam roles delete. Alternatively, update the role to be inactive or add a warning period.

Exam Trap — Don't Get Fooled

{"trap":"In an exam question, you are asked to grant a user the ability to stop and start a Compute Engine instance, but not to delete it or modify it. Among the answer choices, you see 'Assign the roles/compute.instanceAdmin.

v1 role' and 'Create a custom role with compute.instances.start and compute.instances.stop'. Many learners would choose the custom role because they think it is more secure, but they forget that the Instance Admin v1 role actually allows start and stop while also allowing other operations like modify metadata or set labels, but not delete.

However, the question might explicitly require 'not delete', and the predefined role includes delete? Actually, roles/compute.instanceAdmin.v1 does include delete permission. So it is not appropriate.

But the trap is that learners may not remember the exact permissions of the predefined role and assume it is safe. The correct answer is the custom role. The trap is to pick the predefined role without checking its permissions."

,"why_learners_choose_it":"Learners may assume that a predefined role like Instance Admin is designed to handle start/stop and is safe because it is an official Google role. They may not realize that Instance Admin v1 also includes compute.instances.

delete and compute.instances.create, which are broader than needed. The option with the custom role looks more complicated, so they fall back on the simpler predefined role.","how_to_avoid_it":"In any exam question, when you need to grant a specific set of permissions that does not exactly match a predefined role, always choose the custom role.

If the scenario implies minimal necessary access, a custom role is the correct answer. To avoid this trap, memorize the typical permissions of common predefined roles, especially that Instance Admin includes delete, Storage Admin includes delete, etc. When in doubt, ask yourself: 'Does this predefined role grant any permission that the user does not need?'

If yes, choose custom role."

Step-by-Step Breakdown

1

Identify the exact permissions needed

Before creating a custom role, list the precise API actions the user or service account needs. Use the Google Cloud documentation for each service to find the permission names (e.g., compute.instances.start). Use gcloud iam list-testable-permissions to see available permissions in your project. This step prevents including unnecessary permissions.

2

Create the custom role using gcloud or Console

Run gcloud iam roles create with a unique role ID (e.g., myCustomRole), a title, a description, and the list of permissions. Alternatively, use the Cloud Console IAM section to create the role. This step defines the role in your project (or organization). The role ID becomes part of the role's resource name.

3

Assign the custom role to a principal

Use gcloud projects add-iam-policy-binding to bind the custom role to a user, group, or service account. You specify the role's full resource name (e.g., projects/my-project/roles/myCustomRole). Without this binding, the role exists but is not granted to anyone. This step activates the permissions.

4

Test the custom role in a safe environment

Impersonate the principal or use a test account to verify that the role allows only the intended actions. For example, try to start a VM and try to delete one. This step catches missing prerequisite permissions (like compute.instances.get needed for start/stop) or accidentally included dangerous permissions.

5

Update or delete the custom role as needed

If job requirements change, update the custom role using gcloud iam roles update. You can add or remove permissions. If the role is no longer needed, first remove all bindings, then delete the role. This step maintains the principle of least privilege over time.

6

Document the custom role and its purpose

Maintain a record of why each custom role was created, who assigned it, and what permissions it includes. This is crucial for audits and for future administrators. Use the description field in the role for a short note. This step ensures long-term manageability.

7

Review custom roles regularly for compliance

Periodically review all custom roles to ensure they still align with current job functions and security policies. Use gcloud iam roles list to see custom roles and their bindings. Remove roles that are no longer used or tighten permissions if too broad. This step is part of ongoing identity governance.

Practical Mini-Lesson

Custom roles are one of the most powerful tools you have as a Google Cloud administrator for enforcing the principle of least privilege. In practice, you will often start by analyzing a user's job description. For example, a DevOps engineer who manages CI/CD pipelines might need permission to deploy Cloud Run services, view build logs, and create service accounts for pipelines, but they should not be able to modify VPC networks or delete existing services.

Rather than assigning Editor role (which would grant all those dangerous permissions) or trying to combine several predefined roles (which may overlap or conflict), you create one custom role that precisely matches the engineer's responsibilities. The process begins with discovery: you need to know the exact permission names for each action. Google Cloud's IAM permissions are structured as serviceName.

resourceType.verb. For Cloud Run, relevant permissions include run.services.create, run.services.update, run.services.get, run.services.list, run.services.delete (which you exclude), and logging.

logEntries.list. You would also include iam.serviceAccounts.actAs because deploying a Cloud Run service often requires impersonating a service account. Next, you create the custom role using the gcloud command: gcloud iam roles create devops_pipeline_role --project=my-project --title="DevOps Pipeline" --description="Permissions for CI/CD pipeline management" --permissions=run.

services.create,run.services.update,run.services.get,run.services.list,logging.logEntries.list,iam.serviceAccounts.actAs. This creates the role in your project. Then you assign it to the engineer's user account: gcloud projects add-iam-policy-binding my-project --member=user:devops-eng@example.

com --role=projects/my-project/roles/devops_pipeline_role. Once assigned, the engineer can do their work without being able to delete services or modify networking. What can go wrong?

One common issue is that the engineer may need another permission that you did not anticipate, like run.services.getIamPolicy for debugging. That would cause a permission denied error.

You would then check the logs (either Cloud Audit Logs or in the engineer's console) and add the missing permission. Over time, the role may accumulate permissions and become bloated. To avoid role bloat, treat custom roles as living documents: periodically review the role's effective permissions using gcloud iam roles describe projects/my-project/roles/devops_pipeline_role and compare them to the current job requirements.

If you find that some permissions are no longer needed (e.g., the engineer changed teams and no longer needs logs), remove them with gcloud iam roles update. Another practical aspect: custom roles can be created at different levels.

For a small start-up, project-level roles may be fine. For a large enterprise with hundreds of projects, you should create custom roles at the organization level. This centralizes role definition and avoids duplicating roles across projects.

You can then assign the same organization-level role to principals in any project under that organization. This is far more scalable. Finally, remember that custom roles are subject to IAM conditions.

You can add conditions to the role binding to further restrict access based on attributes like resource name, IP address, or time. For example, you could allow the start/stop permission only for instances with a specific label (e.g.

, env=dev). This adds another layer of security. The practical mini lesson is: custom roles are not just a feature; they are a discipline. They force you to think about exactly what access is needed and document it.

When used correctly, they dramatically reduce the risk of accidental or malicious actions in your cloud environment. As an IT professional, mastering custom roles is a key step toward becoming a proficient cloud security administrator.

Memory Tip

Remember that custom roles are individual permission picks, while predefined roles are permission bundles. Use the acronym C.I.T.Y. for the steps: Collect needed permissions, Identify role ID, Test the role, Yoke (assign) to users.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms