
I'm looking into roles in GCP. I have a use case to read everything in GCP. So when I looked at the viewer role, docs say it is a read-only role but it seems it has a lot of restrictions. what are the exact permissions of a viewer role?

John Hanley
Praveen kumar

3 Answers


To list the permissions that a role contains, use the CLI:

gcloud iam roles describe roles/editor

(See the reference documentation for gcloud iam roles describe.)

Editor is a predefined role that currently has 4,078 permissions. Google Cloud manages the permissions for predefined roles. This means that the permissions assigned to these roles can change over time.

John Hanley

You can use the below gcloud commands for roles/viewer.

gcloud iam roles describe roles/viewer

You can add or revoke a single role using the gcloud command-line tool's add-iam-policy-binding and remove-iam-policy-binding commands. Granting access:

To quickly grant a role to a member, run the following gcloud add-iam-policy-binding command:

gcloud projects add-iam-policy-binding my-project --member=user:my-user@example.com --role=roles/viewer

gcloud projects add-iam-policy-binding my-project --member=user:my-user@example.com --role=roles/editor

Revoking access:

gcloud projects remove-iam-policy-binding my-project --member=user:my-user@example.com --role=roles/viewer

For more information, you can also refer to the documentation for gcloud iam roles describe, Roles, and Granting, changing, and revoking access to resources.

Khaja Shaik

You should also bear in mind the concept of 'convenience values' that apply to Basic Roles.

In the case of the Viewer role, by default an identity granted this role would be granted more permissions than are listed when running the gcloud command:

gcloud iam roles describe roles/viewer

In addition to the listed permissions, they will be able to read all objects under the resource that the role is granted at through convenience values - see this link to the Google documentation. For example, roles/storage.legacyObjectReader or READER on the bucket ACL will be granted by default (this is dependent on whether Uniform Bucket Level Access is configured).

ellefc
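The three answers above all come down to one thing: the only authoritative answer to "what exactly can Viewer do" is the permission list that gcloud iam roles describe returns today, and the gap between that list and what a principal can actually read (the convenience-value point in the last answer) has to be checked separately. The script below is an added example, not code posted by any of the answerers, showing how a practitioner would turn that into a repeatable audit: enumerate a role's permissions, count them, test for a specific permission, and diff two roles (for example, what Editor grants beyond Viewer). It relies on gcloud's --format='value(includedPermissions)' output, which prints the permissions as a single semicolon-separated line. Because the verifier has no project to query, the functions fall back to a constructed fixture (a hand-written handful of permission names, not the real lists, which run to thousands of entries) whenever GCLOUD_OFFLINE=1 is set or gcloud is not installed; the fixture deliberately leaves storage.objects.* out of roles/viewer to mirror the point that Viewer reads objects via legacy bucket ACLs rather than a listed storage.objects.get permission.

```sh
#!/bin/sh
# Added example (not code from any of the answers above). Enumerates and
# compares the permissions of predefined roles using the one-line output of:
#   gcloud iam roles describe ROLE --format='value(includedPermissions)'
# which prints the permission list separated by semicolons.
# With GCLOUD_OFFLINE=1, or when gcloud is not installed, a constructed
# fixture (a hand-written handful of names, NOT the real multi-thousand-entry
# lists) stands in for the real output so the script runs without a project.
set -eu
export LC_ALL=C   # make sort(1) and comm(1) agree on ordering

# Constructed fixture, assumption only: a small stand-in for gcloud output.
# storage.objects.* is deliberately absent from roles/viewer here: the basic
# Viewer role reads objects through legacy bucket ACL convenience values,
# not through a listed storage.objects.get permission.
fixture_perms() {
  case "$1" in
    roles/viewer)
      echo 'compute.instances.get;compute.instances.list;storage.buckets.get;storage.buckets.list'
      ;;
    roles/editor)
      echo 'compute.instances.create;compute.instances.get;compute.instances.list;storage.buckets.create;storage.buckets.get;storage.buckets.list'
      ;;
    *)
      echo "fixture has no entry for $1" >&2
      return 1
      ;;
  esac
}

# role_perms ROLE: one permission per line, sorted, duplicates removed.
role_perms() {
  if [ "${GCLOUD_OFFLINE:-0}" = 1 ] || ! command -v gcloud >/dev/null 2>&1; then
    fixture_perms "$1"
  else
    gcloud iam roles describe "$1" --format='value(includedPermissions)'
  fi | tr ';' '\n' | sed '/^$/d' | sort -u
}

# role_perm_count ROLE: number of permissions the role carries.
role_perm_count() {
  role_perms "$1" | wc -l | tr -d ' '
}

# role_has_perm ROLE PERM: exit 0 if PERM is listed exactly, 1 otherwise.
# Note this only answers "is it in the IAM permission list"; access granted
# through bucket ACL convenience values will not show up here.
role_has_perm() {
  role_perms "$1" | grep -qxF "$2"
}

# role_diff ROLE_A ROLE_B: permissions ROLE_B has that ROLE_A lacks,
# e.g. what Editor grants beyond Viewer.
role_diff() {
  tmpa=$(mktemp) && tmpb=$(mktemp)
  role_perms "$1" > "$tmpa"
  role_perms "$2" > "$tmpb"
  comm -13 "$tmpa" "$tmpb"
  rm -f "$tmpa" "$tmpb"
}

# Usage when run directly with two role names, e.g.:
#   sh role_perms.sh roles/viewer roles/editor
if [ $# -eq 2 ]; then
  echo "$1 has $(role_perm_count "$1") permissions, $2 has $(role_perm_count "$2")"
  echo "Permissions in $2 but not in $1:"
  role_diff "$1" "$2"
fi
```

Against a real project (gcloud installed and authenticated, GCLOUD_OFFLINE unset) the same functions query the live role definitions, which is the point: predefined role contents change over time, so a check like role_has_perm roles/viewer some.permission belongs in a script you can re-run, not in a note copied from the docs. To see what a Viewer principal can really read in Cloud Storage you still have to look at the bucket ACLs (or confirm uniform bucket-level access is on), since that grant never appears in the role's permission list.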