IAM Roles and Permissions

Author
Piotr Kaluzny

Head Instructor

Jul 30, 2025

When working in Google Cloud, one of the most important things you’ll need to manage is access control: deciding who can do what with your cloud resources (projects, VM instances, disks, etc.). Google Cloud’s Identity and Access Management (IAM) service provides the tools to control that access in a flexible and secure way. As we will see later in this article, Roles and Permissions are the critical part of the entire IAM framework.

For example, imagine you’re working on a Google Cloud project, and you want to allow a teammate to view Cloud Storage buckets but not delete them. IAM is what makes this possible. Without a proper IAM configuration, users might have more access than they need (a security risk) or be blocked from doing their job.

At the heart of IAM are Roles and Permissions. These two concepts work together to define and enforce what actions an identity (like a user, group, or service account) can take. Although access control is ultimately enforced through IAM Policies, this article focuses on understanding Roles and Permissions themselves — the actual building blocks of access control.

What are IAM Permissions in Google Cloud?

A Permission in Google Cloud represents a specific action on a specific type of resource. Think of Permissions as access rights or privileges.

Permissions follow a standard format: service.resource.verb. Each part of the permission refers to:

  • service – the Google Cloud product (e.g., Storage, Compute)
  • resource – the type of resource the action applies to (e.g., buckets, instances)
  • verb – the operation being performed (e.g., create, start, delete, list)

Here are a few examples:

  • storage.objects.get – allows reading an object from Cloud Storage
  • compute.instances.start – allows starting a virtual machine
  • bigquery.tables.create – allows creating a BigQuery table

Note that Permissions are very granular, and they cannot be granted to a user (or any other principal) directly. Instead, they are bundled into IAM Roles, and it is the Role that gets granted.
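To make the service.resource.verb layout concrete, here is a small parser and a verb-based read/write classifier. It is an added example written for this article, not code from the page or from any Google library. The permission strings are the ones listed above plus a few constructed malformed inputs, and the read-only verb set is a heuristic of mine, not an official list; the authoritative answer to "what does this permission allow" is always the service's own documentation.

```python
"""Parse and classify Google Cloud IAM permission strings (service.resource.verb).

Added example, not from the original article. Sample inputs are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from typing import Iterable, NamedTuple

# Each segment is a plain identifier (storage, serviceAccountKeys, getIamPolicy).
_SEGMENT = re.compile(r"^[A-Za-z][A-Za-z0-9]*$")


class Permission(NamedTuple):
    service: str   # e.g. "storage"
    resource: str  # e.g. "objects"
    verb: str      # e.g. "get"


def parse_permission(name: str) -> Permission:
    """Split 'service.resource.verb' into its three parts; reject anything else."""
    parts = name.split(".")
    if len(parts) != 3:
        raise ValueError(f"{name!r}: expected exactly service.resource.verb")
    for part in parts:
        if not _SEGMENT.match(part):
            raise ValueError(f"{name!r}: invalid segment {part!r}")
    return Permission(*parts)


def is_valid_permission(name: str) -> bool:
    """True when the string has the service.resource.verb shape."""
    try:
        parse_permission(name)
    except ValueError:
        return False
    return True


# Heuristic (assumption, not an official list): verbs that only read state.
READ_ONLY_VERBS = frozenset({"get", "list", "getIamPolicy"})


def is_read_only(name: str) -> bool:
    return parse_permission(name).verb in READ_ONLY_VERBS


def group_by_service(names: Iterable[str]) -> dict[str, list[str]]:
    """Group 'resource.verb' strings by service, as you would when reviewing a role."""
    grouped: dict[str, list[str]] = defaultdict(list)
    for name in names:
        p = parse_permission(name)
        grouped[p.service].append(f"{p.resource}.{p.verb}")
    return {svc: sorted(items) for svc, items in sorted(grouped.items())}


def split_read_write(names: Iterable[str]) -> tuple[list[str], list[str]]:
    """Separate read-only permissions from ones that change or remove state."""
    read, write = [], []
    for name in names:
        (read if is_read_only(name) else write).append(name)
    return sorted(read), sorted(write)


# Constructed sample: the "view buckets but do not delete them" scenario.
BUCKET_PERMISSIONS = ["storage.buckets.get", "storage.buckets.list", "storage.buckets.delete"]

if __name__ == "__main__":
    print(group_by_service(["storage.objects.get", "compute.instances.start",
                            "bigquery.tables.create"]))
    print(split_read_write(BUCKET_PERMISSIONS))
```

The split_read_write helper is the first-pass check for the teammate scenario from the introduction: the two read verbs are what a "view buckets" role may contain, and storage.buckets.delete is what it must not.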

What are IAM Roles in Google Cloud?

A Role is a named collection of Permissions. Rather than assigning dozens or hundreds of Permissions to a user, you assign them a Role — which bundles the Permissions they need.

Google Cloud offers three types of Roles, each serving a different purpose:

Basic Roles – highly permissive Roles that give broad access to Google Cloud resources:

  • Viewer (roles/viewer) – read-only access across most of the Google Cloud resources
  • Editor (roles/editor) – read and write access to most Google Cloud services and resources
  • Owner (roles/owner) – all Editor Permissions, plus more, including the ability to manage IAM

Predefined Roles – created, maintained, and updated by Google. Each one is designed for a specific job function or service. Examples:

  • roles/compute.instanceAdmin – allows managing Compute Engine VMs
  • roles/bigquery.dataViewer – allows read access to BigQuery datasets

Custom Roles – created by you to match exactly the permissions your team or app needs.

Key things to remember about IAM Roles:

  • Basic Roles are convenient but far too broad for fine-grained security; avoid them in production, and treat any binding of roles/owner or roles/editor to a human or service account as a finding during review
  • Predefined Roles are a good default choice when you want to follow least-privilege access principles. They offer a good balance between security and convenience, and Google keeps them updated as services gain new permissions. Check what a given Role actually contains before granting it (gcloud iam roles describe ROLE lists its Permissions)
  • Custom Roles are perfect for enforcing the Principle of Least Privilege (giving only the minimum required access for a job). They are ideal when you need to limit access more precisely than a Predefined Role allows, or you’re working in highly regulated/security-sensitive environments. The trade-off is maintenance: you own the permission list, new permissions Google adds to a service do not appear in your Custom Role automatically, and some permissions cannot be included in Custom Roles at all

How Do Roles and Permissions Work Together?

Now you know that in Google Cloud IAM, Permissions define what actions are possible, and Roles package those Permissions into manageable units that can be assigned to Identities (called principals in Google Cloud: users, groups, service accounts, and so on). But is that enough to start controlling cloud access?

The answer is “no”. Roles and Permissions alone don’t enforce access control; they need to be connected to Identities. This connection happens through an IAM Policy, which is attached to a resource (an organization, folder, project, or an individual resource such as a bucket) and consists of bindings. Each binding pairs one Role with the list of principals that hold it, and a principal is allowed an action when at least one of its Roles, from a Policy on the resource or on any of its ancestors, contains the matching Permission.

While IAM Policies are where access is ultimately defined, in most day-to-day scenarios what truly matters is which Role an Identity has and what Permissions that Role provides. Get those right, and the Policies that follow will be easy to reason about, review, and keep tight.
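The following example pulls the three concepts together: it classifies a Role by its ID format (basic, predefined, or custom), resolves a principal's Roles through the bindings of a policy, expands them to Permissions, and reports the gap between what the principal holds and what the job needs, which is exactly the list you trim to reach least privilege. This is an added example written for the article, not code from the page or from Google; the role-to-permission table is a small constructed subset (the real roles/editor contains far more), and the project ID, principals, group membership, and policy are made up. In a real project the equivalent inputs come from `gcloud iam roles describe ROLE` and `gcloud projects get-iam-policy PROJECT`.

```python
"""Roles, Permissions and an IAM Policy working together.

Added example, not from the original article. ROLE_PERMISSIONS is a constructed
subset of real role definitions; POLICY, GROUPS and all identifiers are made up.
"""
from __future__ import annotations

from typing import Iterable

BASIC_ROLES = frozenset({"roles/viewer", "roles/editor", "roles/owner"})

# Constructed subset of role definitions, for illustration only.
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "roles/viewer": frozenset({
        "storage.buckets.get", "storage.buckets.list",
        "storage.objects.get", "storage.objects.list",
        "compute.instances.get", "compute.instances.list",
    }),
    "roles/editor": frozenset({
        "storage.buckets.get", "storage.buckets.list",
        "storage.buckets.create", "storage.buckets.delete",
        "storage.objects.get", "storage.objects.list",
        "storage.objects.create", "storage.objects.delete",
        "compute.instances.get", "compute.instances.list",
        "compute.instances.start", "compute.instances.stop",
    }),
    "roles/storage.objectViewer": frozenset({
        "storage.objects.get", "storage.objects.list",
    }),
    # Hypothetical custom role; project-level custom roles use the
    # projects/PROJECT_ID/roles/ROLE_ID form.
    "projects/my-project/roles/bucketReader": frozenset({
        "storage.buckets.get", "storage.buckets.list",
    }),
}


def role_type(role: str) -> str:
    """Classify a Role ID as basic, predefined or custom by its name format."""
    if role in BASIC_ROLES:
        return "basic"
    if role.startswith("roles/"):
        return "predefined"
    if role.startswith(("projects/", "organizations/")) and "/roles/" in role:
        return "custom"
    raise ValueError(f"unrecognised role ID: {role!r}")


# Constructed policy in the shape of `gcloud projects get-iam-policy` output.
POLICY = {
    "bindings": [
        {"role": "roles/editor", "members": ["user:bob@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["group:analysts@example.com"]},
        {"role": "projects/my-project/roles/bucketReader",
         "members": ["user:alice@example.com"]},
    ]
}

# Constructed group membership (in Google Cloud this comes from Cloud Identity).
GROUPS = {"group:analysts@example.com": {"user:alice@example.com"}}


def roles_of(policy: dict, principal: str, groups: dict = GROUPS) -> set[str]:
    """Roles bound to the principal directly or via a group it belongs to."""
    roles = set()
    for binding in policy["bindings"]:
        for member in binding["members"]:
            if member == principal or principal in groups.get(member, ()):
                roles.add(binding["role"])
    return roles


def permissions_of(policy: dict, principal: str, groups: dict = GROUPS) -> set[str]:
    """Expand every bound Role to the Permissions it contains."""
    perms: set[str] = set()
    for role in roles_of(policy, principal, groups):
        perms |= ROLE_PERMISSIONS[role]
    return perms


def has_permission(policy: dict, principal: str, permission: str,
                   groups: dict = GROUPS) -> bool:
    return permission in permissions_of(policy, principal, groups)


def least_privilege_gap(policy: dict, principal: str, needed: Iterable[str],
                        groups: dict = GROUPS) -> tuple[list[str], list[str]]:
    """Return (missing, excess): needed-but-not-granted, and granted-but-not-needed.

    The excess list is what you remove, or leave out of a custom role, to
    bring the principal down to least privilege.
    """
    needed_set = set(needed)
    granted = permissions_of(policy, principal, groups)
    return sorted(needed_set - granted), sorted(granted - needed_set)


if __name__ == "__main__":
    print(least_privilege_gap(POLICY, "user:bob@example.com",
                              ["storage.objects.get", "storage.objects.list"]))
```

Running it shows the point of the article in one line: bob, who only needs to read objects, holds roles/editor and therefore ten Permissions he does not need, including storage.buckets.delete; alice, granted a narrow custom Role plus a predefined viewer Role through her group, holds exactly the four read Permissions her job requires.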

Our Google Cloud Training

Check out Cybrec’s Secure Google Cloud Access video series to learn more about IAM, Roles, Permissions and Policies and their implementation in Google Cloud.
