GCP IAM Predefined Roles Reference

Common GCP predefined IAM roles by service with included permissions summary.

Searchable reference for Google Cloud predefined IAM roles covering Compute, Storage, BigQuery, GKE and project basic roles with their role IDs and permission scope. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

What are basic, predefined and custom roles in GCP?

Basic roles (Owner, Editor, Viewer) are broad legacy roles that span all services and are discouraged for production. Predefined roles are curated by Google for a specific service with a least-privilege permission set. Custom roles let you assemble an exact list of permissions you define.

GCP IAM predefined roles

Google Cloud IAM grants access by binding a role (a bundle of permissions) to a member on a resource. Predefined roles are Google-curated, least-privilege bundles scoped to a single service. This reference lists the most common predefined roles across Storage, Compute, BigQuery, GKE and project basics with their roles/* IDs and what each grants.

How it works

A role is bound with an IAM policy. The role ID is the canonical identifier you pass to tooling:

gcloud projects add-iam-policy-binding my-project \
  --member="user:[email protected]" \
  --role="roles/storage.objectViewer"

Predefined roles follow a naming pattern of roles/<service>.<scope> where the scope is usually one of viewer (read), user/writer (use/write), admin (full control of resources) or <resource>Admin (manage one resource type). Bindings can be set at organization, folder, project or resource level and are inherited downward.

Quick reference: most-used predefined roles by service

Cloud Storage

Role IDWhat it grants
roles/storage.objectViewerRead objects and metadata
roles/storage.objectCreatorCreate/upload objects (no read)
roles/storage.objectAdminFull CRUD on objects, not buckets
roles/storage.adminFull control including bucket management

BigQuery

Role IDWhat it grants
roles/bigquery.dataViewerRead table data and metadata
roles/bigquery.dataEditorRead, create, update, delete table data
roles/bigquery.jobUserRun queries (create jobs) — needed alongside dataViewer
roles/bigquery.adminFull BigQuery control

Compute Engine

Role IDWhat it grants
roles/compute.viewerRead-only view of all Compute resources
roles/compute.instanceAdmin.v1Manage VM instances
roles/compute.networkAdminManage networks, firewall rules
roles/compute.adminFull Compute control

GKE / Kubernetes Engine

Role IDWhat it grants
roles/container.viewerRead GKE cluster configurations
roles/container.developerDeploy to clusters (no cluster create/delete)
roles/container.clusterAdminFull cluster management

The three-level hierarchy of members

IAM binds roles to members, which can be:

  • User accounts (user:[email protected]): individual Google accounts
  • Service accounts (serviceAccount:[email protected]): non-human identities for apps and VMs
  • Groups (group:[email protected]): Google Groups, useful for managing access by team
  • Domain (domain:example.com): everyone in a Google Workspace domain

For production workloads, prefer service accounts with predefined roles bound at the narrowest scope. Granting your application’s service account roles/storage.objectViewer on a specific bucket rather than project-wide limits the blast radius if the account is compromised.

Tips and notes

  • Avoid the basic roles roles/owner, roles/editor, roles/viewer in production — they span every API.
  • Bind roles at the narrowest resource scope possible (a single bucket or dataset) rather than project-wide.
  • Pair data and job roles in BigQuery: dataViewer to read, jobUser to run queries.
  • Use gcloud iam roles describe roles/<id> to see the exact permission list behind any predefined role.
  • Audit bindings with gcloud projects get-iam-policy <project> to review who has what access.