Basic IAM roles in Google Cloud Platform are predefined roles that provide broad permissions across all resources within a project. These roles were the original access control mechanism before more granular options became available.
There are three fundamental Basic IAM roles:
1. **Owner (roles/owner)**: This role grants full administrative access to all resources. Owners can manage roles and permissions for team members, set up billing, and have complete control over the project. They can add or remove members and delete the entire project.
2. **Editor (roles/editor)**: Editors have read and write access to most resources. They can create, modify, and delete resources within the project. However, they cannot manage IAM policies or handle billing settings. This role is suitable for developers who need to deploy and manage applications.
3. **Viewer (roles/viewer)**: This role provides read-only access to resources. Viewers can see existing resources and their configurations but cannot make any modifications. This is ideal for auditors or team members who need visibility for monitoring purposes.
Key considerations when using Basic roles:
- **Security concerns**: Basic roles grant extensive permissions, which may violate the principle of least privilege. For production environments, predefined or custom roles are recommended.
- **Inheritance**: Basic roles assigned at the organization or folder level are inherited by all child resources, including projects and individual resources.
- **Billing implications**: Only Owners can configure billing accounts and manage payment settings.
Best practices suggest limiting the use of Basic roles and instead leveraging predefined roles that offer more granular permissions tailored to specific services. This approach enhances security by ensuring users only have access to what they need for their specific tasks. Custom roles can also be created when predefined options do not meet requirements.
Basic IAM Roles in Google Cloud Platform
Why Basic IAM Roles Are Important
Understanding Basic IAM roles is fundamental to managing access control in Google Cloud Platform. These roles determine who can do what within your cloud environment, making them critical for security, compliance, and operational efficiency. For the Associate Cloud Engineer exam, this topic appears frequently as it forms the foundation of GCP's identity and access management system.
What Are Basic IAM Roles?
Basic IAM roles (formerly called Primitive roles) are the original set of roles available in Google Cloud. They are broad roles that apply at the project level and include three main types:
1. **Viewer (roles/viewer)**
   - Read-only access to all resources
   - Can view existing resources and data
   - Cannot make any changes or modifications
2. **Editor (roles/editor)**
   - All Viewer permissions plus the ability to modify resources
   - Can create, update, and delete most resources
   - Cannot manage roles, permissions, or billing
3. **Owner (roles/owner)**
   - Full access to all resources
   - Can manage roles and permissions for the project
   - Can set up billing for the project
   - Has complete administrative control
How Basic IAM Roles Work
Basic roles are granted at the project level and cascade down to all resources within that project. When you assign a basic role to a user, service account, or group, they receive all the permissions associated with that role across every service in the project.
The hierarchy works as follows:
- Owner includes all Editor permissions
- Editor includes all Viewer permissions
- Viewer is the most restrictive basic role
Key characteristics of Basic roles:
- They apply broadly across all GCP services in a project
- They are coarse-grained and not service-specific
- They should be used cautiously in production environments
- They are inherited by all resources within the project
Best Practices and Limitations
Google recommends using Predefined roles or Custom roles instead of Basic roles for most use cases because:
- Basic roles grant overly broad permissions
- They violate the principle of least privilege
- They cannot be customized or restricted
- They increase security risk in production environments
However, Basic roles are appropriate for:
- Development and testing environments
- Small projects with limited team members
- Quick setup scenarios where granular control is not required
Exam Tips: Answering Questions on Basic IAM Roles
1. **Know the Permission Hierarchy**: Remember that Owner > Editor > Viewer in terms of permissions. If a question asks about the minimum role needed for a task, start with Viewer and work up.
2. **Understand What Each Role Cannot Do**:
   - Viewer cannot modify anything
   - Editor cannot manage IAM policies or billing
   - Only Owner can manage access control and billing
3. **Recognize When Basic Roles Are NOT the Answer**: If a question mentions security best practices, production environments, or least privilege, the answer is likely a Predefined or Custom role rather than a Basic role.
4. **Watch for Keywords**:
   - Questions mentioning broad access or all services often point to Basic roles
   - Questions about specific service permissions suggest Predefined roles
5. **Remember the Billing Exception**: Only the Owner role can configure billing. This is a common exam question topic.
6. **Service Account Considerations**: Assigning Basic roles to service accounts is generally discouraged. Look for answers that suggest more restrictive, service-specific roles for service accounts.
7. **Project-Level Scope**: Basic roles are always applied at the project level. If a question asks about organization or folder-level permissions with fine-grained control, Basic roles are typically not the best answer.
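The following audit script is an added example, not code from the original page or from Google. It folds the Owner > Editor > Viewer hierarchy described above into one effective basic role per member, and flags service accounts that hold Editor or Owner, matching the least-privilege and service-account tips. The sample policy is constructed to mirror the JSON shape of `gcloud projects get-iam-policy PROJECT --format=json`; the project and member names are made up.

```python
import json

# Basic roles ranked by breadth: Owner > Editor > Viewer (each includes the next).
BASIC_ROLE_RANK = {"roles/viewer": 1, "roles/editor": 2, "roles/owner": 3}

# Constructed sample in the shape of `gcloud projects get-iam-policy PROJECT
# --format=json` output; project and member names are made up for this example.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/owner",
   "members": ["user:alice@example.com", "group:admins@example.com"]},
  {"role": "roles/editor",
   "members": ["user:bob@example.com",
               "serviceAccount:deployer@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/viewer",
   "members": ["user:bob@example.com", "user:carol@example.com"]},
  {"role": "roles/logging.viewer",
   "members": ["user:dave@example.com"]}
 ],
 "etag": "BwXyZ123", "version": 1}
""")


def effective_basic_role(policy):
    """Map each member to its broadest basic role, folding the hierarchy.

    bob holds Editor and Viewer; Editor already includes every Viewer
    permission, so his effective basic role is Editor. Members holding only
    predefined or custom roles (dave) are omitted.
    """
    best = {}
    for binding in policy.get("bindings", []):
        rank = BASIC_ROLE_RANK.get(binding["role"])
        if rank is None:
            continue  # predefined or custom role: not a basic role
        for member in binding.get("members", []):
            if rank > BASIC_ROLE_RANK.get(best.get(member), 0):
                best[member] = binding["role"]
    return best


def basic_role_findings(policy):
    """List every basic-role grant; a service account holding Editor or Owner
    is flagged HIGH, since basic roles on service accounts are discouraged."""
    findings = []
    for member, role in sorted(effective_basic_role(policy).items()):
        is_sa = member.startswith("serviceAccount:")
        severity = "HIGH" if is_sa and role != "roles/viewer" else "MEDIUM"
        findings.append({"member": member, "role": role, "severity": severity})
    return findings
```

Run `basic_role_findings(SAMPLE_POLICY)` on a real export to get a list of basic-role grants to review for replacement with predefined or custom roles.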
Common Exam Scenarios
- A developer needs to view logs but not modify resources: Viewer
- A team member needs to deploy applications but not manage users: Editor
- An administrator needs full control including user management: Owner
- A production application needs specific API access: Use Predefined roles instead