GCP IAM predefined roles
Google Cloud IAM grants access by binding a role (a bundle of permissions) to
a member on a resource. Predefined roles are Google-curated, least-privilege
bundles scoped to a single service. This reference lists the most common
predefined roles across Storage, Compute, BigQuery, GKE and project basics with
their roles/* IDs and what each grants.
How it works
A role is bound with an IAM policy. The role ID is the canonical identifier you pass to tooling:
gcloud projects add-iam-policy-binding my-project \
--member="user:[email protected]" \
--role="roles/storage.objectViewer"
Predefined roles follow a naming pattern of roles/<service>.<scope> where the
scope is usually one of viewer (read), user/writer (use/write),
admin (full control of resources) or <resource>Admin (manage one resource
type). Bindings can be set at organization, folder, project or resource level
and are inherited downward.
Quick reference: most-used predefined roles by service
Cloud Storage
| Role ID | What it grants |
|---|---|
roles/storage.objectViewer | Read objects and metadata |
roles/storage.objectCreator | Create/upload objects (no read) |
roles/storage.objectAdmin | Full CRUD on objects, not buckets |
roles/storage.admin | Full control including bucket management |
BigQuery
| Role ID | What it grants |
|---|---|
roles/bigquery.dataViewer | Read table data and metadata |
roles/bigquery.dataEditor | Read, create, update, delete table data |
roles/bigquery.jobUser | Run queries (create jobs) — needed alongside dataViewer |
roles/bigquery.admin | Full BigQuery control |
Compute Engine
| Role ID | What it grants |
|---|---|
roles/compute.viewer | Read-only view of all Compute resources |
roles/compute.instanceAdmin.v1 | Manage VM instances |
roles/compute.networkAdmin | Manage networks, firewall rules |
roles/compute.admin | Full Compute control |
GKE / Kubernetes Engine
| Role ID | What it grants |
|---|---|
roles/container.viewer | Read GKE cluster configurations |
roles/container.developer | Deploy to clusters (no cluster create/delete) |
roles/container.clusterAdmin | Full cluster management |
The three-level hierarchy of members
IAM binds roles to members, which can be:
- User accounts (
user:[email protected]): individual Google accounts - Service accounts (
serviceAccount:[email protected]): non-human identities for apps and VMs - Groups (
group:[email protected]): Google Groups, useful for managing access by team - Domain (
domain:example.com): everyone in a Google Workspace domain
For production workloads, prefer service accounts with predefined roles bound at the narrowest scope. Granting your application’s service account roles/storage.objectViewer on a specific bucket rather than project-wide limits the blast radius if the account is compromised.
Tips and notes
- Avoid the basic roles
roles/owner,roles/editor,roles/viewerin production — they span every API. - Bind roles at the narrowest resource scope possible (a single bucket or dataset) rather than project-wide.
- Pair data and job roles in BigQuery:
dataViewerto read,jobUserto run queries. - Use
gcloud iam roles describe roles/<id>to see the exact permission list behind any predefined role. - Audit bindings with
gcloud projects get-iam-policy <project>to review who has what access.