A RetroSearch Logo

Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Search Query:

Showing content from https://cloud.google.com/iam/docs/creating-custom-roles below:

Create and manage custom roles | IAM Documentation

Skip to main content Create and manage custom roles

Stay organized with collections Save and categorize content based on your preferences.

This page describes how to create and manage Identity and Access Management (IAM) custom roles. Managing roles includes modifying, disabling, listing, deleting, and undeleting roles.

Before you begin Required roles

To get the permissions that you need to create and manage custom roles, ask your administrator to grant you the following IAM roles:

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

View available permissions for projects, folders, and organizations

You can create custom roles for an entire organization, or for a specific project in that organization. The permissions that are available for custom roles depend on where you create the role. For example, if a permission can only be used at the organization level, then you can't include that permission in a project-level custom role.

To check which permissions are available for organization-level and project-level custom roles, you can use the gcloud CLI or the Identity and Access Management API to list the permissions that are available in a specific organization or project. For example, you can get all permissions that are available for custom roles that are created in your project.

Some permissions might not be visible to you or usable in a custom role, even if they are supported in custom roles. For example, a permission might not be available for use in custom roles if you have not enabled the API for the service.

To learn more about the permissions that you can add to custom roles, see Supported permissions.

gcloud

  1. In the Google Cloud console, activate Cloud Shell.

    Activate Cloud Shell

    At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

  2. Use the gcloud iam list-testable-permissions command to get a list of permissions that are available for custom roles in a specific project or organization. The response lists the permissions that you can use in custom roles for that project or organization.

    To list permissions that are available in custom roles for a project or organization, run this command:

    gcloud iam list-testable-permissions FULL_RESOURCE_NAME \
    --filter="customRolesSupportLevel!=NOT_SUPPORTED"

    Replace FULL_RESOURCE_NAME with one of the following values:

    The results indicate whether each permission is supported in custom roles. Permissions that do not have a customRolesSupportLevel field are fully supported.

    The list-testable-permissions command might return hundreds of results. This partial example shows the format of each result:

    ---
name: appengine.applications.create
stage: GA
---
customRolesSupportLevel: TESTING
name: appengine.applications.disable
stage: GA
---
name: appengine.applications.get
stage: GA
---
name: appengine.applications.update
stage: GA
---
name: appengine.instances.delete
stage: GA
---
name: appengine.instances.get
stage: GA
---
C++

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C++ API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

C#

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C# API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

Go

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

Java

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

Python

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

REST

The permissions.queryTestablePermissions method lists permissions available in an organization or project.

Before using any of the request data, make the following replacements:

HTTP method and URL:

POST https://iam.googleapis.com/v1/permissions:queryTestablePermissions

Request JSON body:

{
  "fullResourceName": "FULL_RESOURCE_NAME"
  "pageSize": PAGE_SIZE,
  "pageToken": "NEXT_PAGE_TOKEN"
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell) Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://iam.googleapis.com/v1/permissions:queryTestablePermissions"
PowerShell (Windows) Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `

    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://iam.googleapis.com/v1/permissions:queryTestablePermissions" | Select-Object -Expand Content
APIs Explorer (browser)

Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.

The response contains the list of permissions.

Note: Permissions that do not have a customRolesSupportLevel field are fully supported in custom roles. 
{
  "permissions": [
    {
      "name": "iam.serviceAccountKeys.create",
      "stage": "GA"
    },
    {
      "name": "iam.serviceAccountKeys.delete",
      "stage": "GA"
    },
    {
      "name": "iam.serviceAccountKeys.get",
      "stage": "GA"
    }
  ],
  "nextPageToken": "CgoHBajEfjUDQyABEPaIv5vIiMDTVhgDIhtpYW0uc2VydmljZUFjY291bnRLZXlzLmxpc3Q"
}

Before you create a custom role, you might want to get the metadata for both predefined and custom roles. Role metadata includes the role ID and permissions contained in the role. You can view the metadata using the Google Cloud console or the IAM API.

To view the role metadata, use one of the methods below:

Create a custom role

You can create a custom role at the project or organization level.

Note: You cannot define custom roles at the folder level. If you need to use a custom role within a folder, define the custom role at the organization level.

An organization-level custom role can include any of the IAM permissions that are supported in custom roles. A project-level custom role can contain any supported permission except for permissions that can only be used at the organization or folder level, such as resourcemanager.organizations.get. If you try to add these permissions to a project-level custom role, you see an error message:

Console

The following warning message is displayed: "Not applicable for project-level custom roles". The permission will be automatically unselected from the list of included permissions, and you can proceed with creating the role.

gcloud

The following error message is returned: INVALID_ARGUMENT: Permission PERMISSION is not valid. The custom role will not be created until you first remove the permission from the role definition and try the operation again.

REST API

The following error message is returned: Permission PERMISSION is not valid, along with an HTTP 400 error code and a status of INVALID_ARGUMENT. The custom role will not be created until you first remove the permission from the role definition and try the operation again.

Each custom role can contain up to 3,000 permissions. Also, the maximum total size of the title, description, and permission names for a custom role is 64 KB. If you need to create a larger custom role, you can split the permissions across multiple custom roles. Choose role titles that show the relationship between the custom roles, such as Custom Admin (1 of 2) and Custom Admin (2 of 2).

Each custom role can have a launch stage. Most launch stages are informational, and help you keep track of whether each role is ready for widespread use. Additionally, the DISABLED launch stage lets you disable a custom role. For more information about launch stages, see Testing and deploying.

Console

Some predefined roles contain deprecated permissions or permissions that are otherwise not permitted in custom roles. If you try to create a custom role based on one of these predefined roles, the custom role will omit the deprecated and restricted permissions.

To create a new custom role from scratch:

  1. In the Google Cloud console, go to the Roles page.

    Go to the Roles page

  2. Using the drop-down list at the top of the page, select the organization or project in which you want to create a role.

  3. Click Create Role.

  4. Enter a Title, Description, ID, and Role launch stage for the role. The role ID cannot be changed after the role is created.

  5. Click Add Permissions.

  6. Select the permissions you want to include in the role and click Add Permissions. Use the All Services and All Types drop-down lists to filter and select permissions by services and types.

Creating a custom role based on an existing predefined role:

  1. In the Google Cloud console, go to the Roles page.

    Go to the Roles page

  2. Select the organization or project in which you want to create a role.
  3. Select the roles on which you want to base the new custom role.
  4. Click Create Role from Selection.
  5. Enter a Title, Description, ID, and Role launch stage for the role. The role ID cannot be changed after the role is created.
  6. Uncheck the permissions you want to exclude from the role.
  7. Click Add Permissions to include any permissions.
  8. Click Create.
gcloud

  1. In the Google Cloud console, activate Cloud Shell.

    Activate Cloud Shell

    At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

  2. Use the gcloud iam roles create command to create new custom roles. You can use this command in two ways:

    When creating a custom role, you must specify whether it applies to the organization level or project level by using the --organization=ORGANIZATION_ID or --project=PROJECT_ID flags. Each example below creates a custom role at the project level.

    A custom role can contain only permissions that are supported in custom roles. If the custom role contains other permissions, the command fails.

    To create a custom role using a YAML file:

    Create a YAML file that contains the definition for your custom role. The file must be structured in the following way:

    title: ROLE_TITLE
description: ROLE_DESCRIPTION
stage: LAUNCH_STAGE
includedPermissions:
- PERMISSION_1
- PERMISSION_2

    Each placeholder value is described below:

    Save the YAML file, and then execute one of the following commands:

    Each placeholder value is described below:

    Examples

    The following example YAML file demonstrates how to create a role definition:

    title: "My Company Admin"
description: "My custom role description."
stage: "ALPHA"
includedPermissions:
- iam.roles.get
- iam.roles.list

    The following example demonstrates how to create a role at the organization level using the YAML file:

    gcloud iam roles create myCompanyAdmin --organization=123456789012 \
    --file=my-role-definition.yaml

    If the role was created successfully, the command's output is similar to the following:

    Created role [myCompanyAdmin].
description: My custom role description.
etag: BwVkBX0sQD0=
includedPermissions:
- iam.roles.get
- iam.roles.list
name: organizations/123456789012/roles/myCompanyAdmin
stage: ALPHA
title: My Company Admin

    The following example demonstrates how to create a role at the project level using the YAML file:

    gcloud iam roles create myCompanyAdmin --project=my-project \
    --file=my-role-definition.yaml

    If the role was created successfully, the command's output is similar to the following:

    Created role [myCompanyAdmin].
description: My custom role description.
etag: BwVkBX0sQD0=
includedPermissions:
- iam.roles.get
- iam.roles.list
name: projects/my-project/roles/myCompanyAdmin
stage: ALPHA
title: My Company Admin

    To create a custom role using flags:

    Execute one of the following commands:

    Each placeholder value is described below:

    Examples

    The following example demonstrates how to create a role at the organization level using flags:

    gcloud iam roles create myCompanyAdmin --organization=123456789012 \
    --title="My Company Admin" --description="My custom role description." \
    --permissions="iam.roles.get,iam.roles.list" --stage=ALPHA

    If the role was created successfully, the command's output is similar to the following:

    Created role [myCompanyAdmin].
description: My custom role description.
etag: BwVkBX0sQD0=
includedPermissions:
- iam.roles.get
- iam.roles.list
name: organizations/123456789012/roles/myCompanyAdmin
stage: ALPHA
title: My Company Admin

    The following example demonstrates how to create a role at the project level using flags:

    gcloud iam roles create myCompanyAdmin --project=my-project \
    --title="My Company Admin" --description="My custom role description." \
    --permissions="iam.roles.get,iam.roles.list" --stage=ALPHA

    If the role was created successfully, the command's output is similar to the following:

    Created role [myCompanyAdmin].
description: My custom role description.
etag: BwVkBX0sQD0=
includedPermissions:
- iam.roles.get
- iam.roles.list
name: projects/my-project/roles/myCompanyAdmin
stage: ALPHA
title: My Company Admin
C++

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C++ API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

C#

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C# API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

Go

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

Java

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

Python

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

REST

The roles.create method creates a custom role in a project or organization.

Before using any of the request data, make the following replacements:

HTTP method and URL:

POST https://iam.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/roles

Request JSON body:

{
  "roleId": "ROLE_ID",
  "role": {
    "title": "ROLE_TITLE",
    "description": "ROLE_DESCRIPTION",
    "includedPermissions": [
      "PERMISSION_1",
      "PERMISSION_2"
    ],
    "stage": "LAUNCH_STAGE"
  }
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell) Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://iam.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/roles"
PowerShell (Windows) Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `

    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://iam.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/roles" | Select-Object -Expand Content
APIs Explorer (browser)

Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.

The response contains the role you created.

{
  "name": "projects/myProject/roles/myCompanyAdmin",
  "title": "My Company Admin",
  "description": "My custom role description.",
  "includedPermissions": [
    "iam.roles.get",
    "iam.roles.list"
  ],
  "etag": "BwWox/JbaZw="
}
Edit an existing custom role

A common pattern for updating a resource's metadata, such as a custom role, is the read-modify-write pattern. With this pattern, you read the role's current state, update the data locally, and then send the modified data for writing.

The read-modify-write pattern can cause a conflict if two or more independent processes attempt the sequence simultaneously. For example, if two owners for a project try to make conflicting changes to a role at the same time, some changes could fail. IAM solves this problem using an etag property in custom roles. This property is used to verify if the custom role has changed since the last request. When you make a request to IAM with an etag value, IAM compares the etag value in the request with the existing etag value associated with the custom role. It writes the change only if the etag values match.

When you update a role, first get the role using roles.get(), update the role, and then write the updated role using roles.patch(). Use the etag value when setting the role only if the corresponding role in roles.get() contains an etag value.

Note: When modifying a custom role by adding or removing any of the following permissions: resourcemanager.organizations.get, resourcemanager.folders.get, and resourcemanager.projects.get, the change to the custom role can require up to 24 hours to take effect for the organizations.search and folders.search Cloud Resource Manager APIs. The API projects.list is also subject to this delay for API calls that do not provide a filter specifying a parent type and ID. This delay occurs because these permissions involve search functionality, and it can take up to 24 hours between rebuilds of the search index. Console

  1. In the Google Cloud console, go to the Roles page.

    Go to the Roles page

  2. Using the drop-down list at the top of the page, select the project or organization that contains the role that you want to edit.

  3. Click a custom role.

  4. Click Edit Role.

  5. To update the role's metadata, edit the role's Title, Description, or Role launch stage.

  6. To update the role's permissions, do the following:

    1. Click Add Permissions to add new permissions to the role.
    2. Uncheck permissions to remove permissions from the role.

  7. Click Update to save the edited role.

gcloud

  1. In the Google Cloud console, activate Cloud Shell.

    Activate Cloud Shell

    At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

  2. Use the gcloud iam roles update command to update custom roles. You can use this command in two ways:

    When updating a custom role, you must specify whether it applies to the organization level or project level by using the --organization=ORGANIZATION_ID or --project=PROJECT_ID flags. Each example below creates a custom role at the project level.

    To update a custom role using a YAML file:

    Get the current definition for the role by executing one of the following commands:

    Each placeholder value is described below:

    The describe command returns the role's definition and includes an etag value that uniquely identifies the current version of the role. The etag value should be provided in the updated role definition to ensure that any concurrent role changes are not overwritten.

    The describe command returns the following output:

    description: ROLE_DESCRIPTION
etag: ETAG
includedPermissions:
- PERMISSION_1
- PERMISSION_2
name: ROLE_NAME
stage: LAUNCH_STAGE
title: ROLE_TITLE

    Each placeholder value is described below:

    To update the role, either include the outputted role definition to a YAML file or update the original YAML file with the outputted etag value.

    Consider the following example YAML file, which contains the output from the describe command for a project-level role and adds two Cloud Storage permissions:

    description: My custom role description.
etag: BwVkBkbfr70=
includedPermissions:
- iam.roles.get
- iam.roles.list
- storage.buckets.get
- storage.buckets.list
name: projects/my-project/roles/myCompanyAdmin
stage: ALPHA
title: My Company Admin

    Save the YAML file, and then execute one of the following commands:

    Each placeholder value is described below:

    Examples

    The following example demonstrates how to update an organization-level role using a YAML file:

    gcloud iam roles update ROLE_ID --organization=ORGANIZATION_ID \
    --file=YAML_FILE_PATH

    Each placeholder value is described below:

    Examples

    The following example demonstrates how to update an organization-level role using a YAML file:

    gcloud iam roles update myCompanyAdmin --organization=123456789012 \
    --file=my-role-definition.yaml

    If the role was updated successfully, the command's output is similar to the following:

    description: My custom role description.
etag: BwVkBwDN0lg=
includedPermissions:
- iam.roles.get
- iam.roles.list
- storage.buckets.get
- storage.buckets.list
name: organizations/123456789012/roles/myCompanyAdmin
stage: ALPHA
title: My Company Admin

    The following example demonstrates how to update a project-level role using a YAML file:

    gcloud iam roles update myCompanyAdmin --project=my-project \
    --file=my-role-definition.yaml

    If the role was updated successfully, the command's output is similar to the following:

    description: My custom role description.
etag: BwVkBwDN0lg=
includedPermissions:
- iam.roles.get
- iam.roles.list
- storage.buckets.get
- storage.buckets.list
name: projects/my-project/roles/myCompanyAdmin
stage: ALPHA
title: My Company Admin

    To update a custom role using flags:

    Each part of a role definition can be updated using a corresponding flag. See the gcloud iam roles update topic for a list of all possible flags.

    You can use the following flags to add or remove permissions:

    Alternatively, you can simply specify the new permissions using the --permissions=PERMISSIONS flag and providing a comma-separated list of permissions to replace the existing permissions list.

    To update other parts of the role definition, execute one of the following commands:

    Each placeholder value is described below:

    Examples

    The following example demonstrates how to add permissions to an organization-level role using flags:

    gcloud iam roles update myCompanyAdmin --organization=123456789012 \
    --add-permissions="storage.buckets.get,storage.buckets.list"

    If the role was updated successfully, the command's output is similar to the following:

    description: My custom role description.
etag: BwVkBwDN0lg=
includedPermissions:
- iam.roles.get
- iam.roles.list
- storage.buckets.get
- storage.buckets.list
name: organization/123456789012/roles/myCompanyAdmin
stage: ALPHA
title: My Company Admin

    The following example demonstrates how to add permissions to a project-level role using flags:

    gcloud iam roles update myCompanyAdmin --project=my-project \
    --add-permissions="storage.buckets.get,storage.buckets.list"

    If the role was updated successfully, the command's output is similar to the following:

    description: My custom role description.
etag: BwVkBwDN0lg=
includedPermissions:
- iam.roles.get
- iam.roles.list
- storage.buckets.get
- storage.buckets.list
name: projects/my-project/roles/myCompanyAdmin
stage: ALPHA
title: My Company Admin
C++

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C++ API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

C#

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C# API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

Go

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

Java

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

Python

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

REST

The roles.patch method updates a custom role in a project or organization.

Before using any of the request data, make the following replacements:

Required:

Recommended:

Optional (define one or more of the following values):

HTTP method and URL:

PATCH https://iam.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/roles

Request JSON body:

{
  "roleId": "ROLE_NAME",
  "title": "ROLE_TITLE",
  "description": "ROLE_DESCRIPTION",
  "includedPermissions": [
    "PERMISSION_1",
    "PERMISSION_2"
  ],
  "stage": "LAUNCH-STAGE",
  "etag": "ETAG"
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell) Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

curl -X PATCH \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://iam.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/roles"
PowerShell (Windows) Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `

    -Method PATCH `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://iam.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/roles" | Select-Object -Expand Content
APIs Explorer (browser)

Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.

The response contains an abbreviated role definition that includes the role name, the fields that you updated, and an etag that identifies the current version of the role.

{
  "name": "projects/test-project-1000092/roles/myCompanyAdmin",
  "title": "My Updated Company Admin",
  "includedPermissions": [
    "storage.buckets.get",
    "storage.buckets.list"
  ],
  "stage": "BETA",
  "etag": "BwWoyDpAxBc="
}
Disable a custom role

You can disable a custom role by changing its launch stage to DISABLED. When a role is disabled, any role bindings related to the role are inactivated, meaning that granting the role to a user has no effect.

Console

  1. In the Google Cloud console, go to the Roles page.

    Go to the Roles page

  2. Click "Select a project" drop-down list at the top of the page.

  3. Select your organization or project.

  4. Select a custom role and click Disable.

gcloud

  1. In the Google Cloud console, activate Cloud Shell.

    Activate Cloud Shell

    At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

  2. Use the gcloud iam roles update command to disable a custom role by setting its launch stage to DISABLED.

    As described in the gcloud tab of the Editing an existing custom role section, you can update an existing custom role in the following two ways:

    The easiest way to disable an existing custom role is to use the --stage flag and set it to DISABLED. Execute one of the following commands:

    Each placeholder value is described below:

    Examples

    The following example demonstrates how to disable an organization-level role:

    gcloud iam roles update myCompanyAdmin --organization=123456789012 \
    --stage=DISABLED

    If the role was updated successfully, the command's output is similar to the following:

    description: My custom role description.
etag: BwVkB5NLIQw=
includedPermissions:
- iam.roles.get
- iam.roles.list
name: organization/123456789012/roles/myCompanyAdmin
stage: DISABLED
title: My Company Admin

    The following example demonstrates how to disable a project-level role:

    gcloud iam roles update myCompanyAdmin --project=my-project \
    --stage=DISABLED

    If the role was updated successfully, the command's output is similar to the following:

    description: My custom role description.
etag: BwVkB5NLIQw=
includedPermissions:
- iam.roles.get
- iam.roles.list
name: projects/my-project/roles/myCompanyAdmin
stage: DISABLED
title: My Company Admin
C++

Update the stage field of the role to DISABLED.

C#

Update the stage field of the role to DISABLED.

Go

Update the stage field of the role to DISABLED.

Java

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

Python

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

REST

The roles.patch method lets you change a custom role's launch stage to DISABLED, which disables the role.

Before using any of the request data, make the following replacements:

HTTP method and URL:

PATCH https://iam.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/roles

Request JSON body:

{
  "roleId": "ROLE_NAME",
  "stage": DISABLED,
  "etag": "ETAG"
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell) Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

curl -X PATCH \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://iam.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/roles"
PowerShell (Windows) Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `

    -Method PATCH `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://iam.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/roles" | Select-Object -Expand Content
APIs Explorer (browser)

Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.

You should receive a JSON response similar to the following:

{
  "name": "projects/test-project-1000092/roles/myCompanyAdmin",
  "stage": "DISABLED",
  "etag": "BwWoyDpAxBc="
}
List roles

You can list all custom roles created in your project or organization.

Console

In the Google Cloud console, go to the Roles page.

Go to the Roles page

All the custom roles for the organization or project that you have selected are listed on the page.

gcloud

  1. In the Google Cloud console, activate Cloud Shell.

    Activate Cloud Shell

    At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

  2. Use the gcloud iam roles list command to list custom roles and predefined roles for a project or organization:

    Each placeholder value is described below:

    To list deleted roles, you can also specify the --show-deleted flag.

    Execute the following command to list predefined roles:

    gcloud iam roles list
C++

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C++ API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

C#

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C# API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

Go

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

Java

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

Python

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

REST

The roles.list method lists all of the custom roles in a project or organization.

Before using any of the request data, make the following replacements:

Note: To list all predefined IAM roles, omit the RESOURCE_TYPE and RESOURCE_ID fields. For example: GET https://iam.googleapis.com/v1/roles.

HTTP method and URL:

GET https://iam.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/roles?view=ROLE_VIEW&pageSize=PAGE_SIZE&pageToken=NEXT_PAGE_TOKEN

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell) Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.

Execute the following command:

curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://iam.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/roles?view=ROLE_VIEW&pageSize=PAGE_SIZE&pageToken=NEXT_PAGE_TOKEN"
PowerShell (Windows) Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `

    -Method GET `
    -Headers $headers `
    -Uri "https://iam.googleapis.com/v1/RESOURCE_TYPE/RESOURCE_ID/roles?view=ROLE_VIEW&pageSize=PAGE_SIZE&pageToken=NEXT_PAGE_TOKEN" | Select-Object -Expand Content
APIs Explorer (browser)

Open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Complete any required fields and click Execute.

You should receive a JSON response similar to the following:

{
  "roles": [
    {
      "name": "projects/my-project/roles/customRole1",
      "title": "First Custom Role",
      "description": "Created on: 2020-06-01",
      "etag": "BwWiPg2fmDE="
    },
    {
      "name": "projects/my-project/roles/customRole2",
      "title": "Second Custom Role",
      "description": "Created on: 2020-06-07",
      "etag": "BwWiuX53Wi0="
    }
  ]
}
Delete a custom role

You can delete any custom role in your project or organization.

Important: Deleted roles are suspended and cannot be used to create new role bindings in allow policies. Existing role bindings that include the deleted role have no effect. Console

  1. In the Google Cloud console, go to the Roles page.

    Go to the Roles page

  2. Select the role you wish to delete and click delete Delete on the top of the page.

gcloud

  1. In the Google Cloud console, activate Cloud Shell.

    Activate Cloud Shell

    At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

  2. Use the gcloud iam roles delete command to delete a custom role:

    Each placeholder value is described below:

    The role will not be included in gcloud iam roles list, unless the --show-deleted flag is included. Deleted roles are indicated by the deleted: true block in a list response, such as:

    ---
deleted: true
description: My custom role description.
etag: BwVkB5NLIQw=
name: projects/my-project/roles/myCompanyAdmin
title: My Company Admin
---
C++

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C++ API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

C#

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C# API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

Go

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

Java

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

Python

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

REST

The roles.delete method deletes a custom role in a project or organization.

Before using any of the request data, make the following replacements:

HTTP method and URL:

DELETE https://iam.googleapis.com/v1/ROLE_NAME

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell) Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.

Execute the following command:

curl -X DELETE \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://iam.googleapis.com/v1/ROLE_NAME"
PowerShell (Windows) Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `

    -Method DELETE `
    -Headers $headers `
    -Uri "https://iam.googleapis.com/v1/ROLE_NAME" | Select-Object -Expand Content
APIs Explorer (browser)

Open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Complete any required fields and click Execute.

The response contains the definition of the role that was deleted.

{
  "name": "projects/my-project/roles/myCompanyAdmin",
  "title": "My Company Admin",
  "description": "My custom role description.",
  "includedPermissions": [
    "iam.roles.get",
    "iam.roles.list"
  ],
  "etag": "BwWiPg2fmDE=",
  "deleted": true
}

When a role is deleted, any role bindings that refer to the role remain in your allow policies, but they have no effect. You can undelete a role within 7 days. During this 7-day period, the Google Cloud console shows that the role was deleted. You can also list deleted roles programmatically, but they are omitted by default.

After 7 to 14 days, the role is scheduled for permanent deletion. At this point, the role no longer counts towards the limit of 300 custom roles per organization or 300 custom roles per project.

Note: Custom roles created in a project do not count towards your organization's custom role limit.

The permanent deletion process takes 30 days. During the 30-day window, the role and all associated bindings are permanently removed, and you cannot create a new role with the same role ID.

After the role has been permanently deleted, up to 44 days after the initial deletion request, you can create a new role using the same role ID.

Undelete a custom role

Undeleting a role returns it to its previous state.

Roles can only be undeleted within 7 days. After 7 days, the role can be permanently deleted at any time, and all role bindings that refer to the role are removed.

Console

  1. In the Google Cloud console, go to the Roles page.

    Go to the Roles page

  2. Locate the role you wish to undelete, click the more icon at the end of the row, and click Undelete.

gcloud

  1. In the Google Cloud console, activate Cloud Shell.

    Activate Cloud Shell

    At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

  2. Use the gcloud iam roles undelete command to undelete a custom role:

    Each placeholder value is described below:

    Examples

    The following example demonstrates how to undelete an organization-level custom role:

    gcloud iam roles undelete myCompanyAdmin --organization=123456789012

    If the role was undeleted successfully, the command's output is similar to the following:

    description: My custom role description.
etag: BwVkCAx9W6w=
includedPermissions:
- iam.roles.get
- iam.roles.list
name: organization/123456789012/roles/myCompanyAdmin
stage: ALPHA
title: My Company Admin

    The following example demonstrates how to undelete a project-level custom role:

    gcloud iam roles undelete myCompanyAdmin --project=my-project

    If the role was undeleted successfully, the command's output is similar to the following:

    description: My custom role description.
etag: BwVkCAx9W6w=
includedPermissions:
- iam.roles.get
- iam.roles.list
name: projects/my-project/roles/myCompanyAdmin
stage: ALPHA
title: My Company Admin
C++

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C++ API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

C#

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C# API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

Go

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

Java

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

Python

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.

REST

The roles.undelete method undeletes a custom role in a project or organization.

Before using any of the request data, make the following replacements:

HTTP method and URL:

POST https://iam.googleapis.com/v1/ROLE_NAME:undelete

Request JSON body:

{
  "etag": "ETAG"
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell) Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://iam.googleapis.com/v1/ROLE_NAME:undelete"
PowerShell (Windows) Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `

    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://iam.googleapis.com/v1/ROLE_NAME:undelete" | Select-Object -Expand Content
APIs Explorer (browser)

Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.

The response contains the definition of the role that was undeleted.

{
  "name": "projects/my-project/roles/myCompanyAdmin",
  "title": "My Company Admin",
  "description": "My custom role description.",
  "includedPermissions": [
    "iam.roles.get",
    "iam.roles.list"
  ],
  "etag": "BwWiPg2fmDE="
}
What's next

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-07-02 UTC.

[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-07-02 UTC."],[[["This guide covers managing Identity and Access Management (IAM) custom roles, including how to create, modify, disable, list, delete, and undelete them within your organization or project."],["Before beginning, ensure the IAM API is enabled and the appropriate authentication setup is in place for your chosen method, such as console, `gcloud`, or API clients."],["Custom role management can be performed through the console, `gcloud` CLI, or using code in various languages like C++, C#, Go, Java, and Python, as well as REST APIs."],["Key operations include retrieving metadata, creating roles with specific titles, descriptions, permissions, and stages, editing roles using a read-modify-write pattern, and disabling or deleting roles as needed."],["Custom roles that have been deleted can be restored within a 7-day period through the console, `gcloud`, or API method calls."]]],[]]

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4