Google Cloud Platform Project IAM Custom Role

This page shows how to write Terraform for a Cloud Platform Project IAM Custom Role, and how to write it securely.

google_project_iam_custom_role (Terraform)

The Project IAM Custom Role in Cloud Platform can be configured in Terraform with the resource name google_project_iam_custom_role. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

roles.tf#L1
resource "google_project_iam_custom_role" "veeam-default" {
  role_id = "veeam_default"
  title   = "veeam-default"
  permissions = [
    "compute.disks.addResourcePolicies",
    "compute.disks.get",
    # ... (remaining permissions omitted in this excerpt)
  ]
}

main.tf#L3
resource "google_project_iam_custom_role" "patrol-operations-custom-role" {
  project     = var.project_id
  role_id     = var.ops_id
  permissions = var.ops_perm
  title       = "Patrol Operations Role"
  description = "A Custom Role for Patrol Operations"
}

custom_roles.tf#L2
resource "google_project_iam_custom_role" "custom_roles_chd_encrypt" {
  project     = google_project.chd.project_id
  role_id     = "lvhpaykmsencrypt"
  title       = "Terraform Managed Encrypt"
  description = "Terraform Managed"
  permissions = ["cloudkms.cryptoKeyVersions.useToEncrypt"]
}

iam_custom_role.tf#L1
resource "google_project_iam_custom_role" "my_custom_role" {
  role_id = "MyCustomRole"
  title   = "My Custom Role"

  permissions = [
    # Permissions required to connect to a VM instance over SSH
    # ... (permission list omitted in this excerpt)
  ]
}

roles.tf#L1
resource "google_project_iam_custom_role" "storage-object-ro" {
  role_id     = "object_ro"
  title       = "Storage Object RO"
  description = "Allow read access to bucket objects"
  permissions = ["storage.objects.get", "storage.objects.list"]
}

Parameters

  • deleted required computed - bool
    • The current deleted state of the role.

  • description optional - string
    • A human-readable description for the role.

  • id optional computed - string
  • name required computed - string
    • The name of the role in the format projects/{{project}}/roles/{{role_id}}. Like id, this field can be used as a reference in other resources such as IAM role bindings.

  • permissions required - set of string
    • The names of the permissions this role grants when bound in an IAM policy. At least one permission must be specified.

  • project optional computed - string
    • The project that the service account will be created in. Defaults to the provider project configuration.

  • role_id required - string
    • The camel-case role id to use for this role. Cannot contain - characters.

  • stage optional - string
    • The current launch stage of the role. Defaults to GA.

  • title required - string
    • A human-readable title for the role.
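As an added example (not code from this page or from the projects it cites), the following Python check applies the constraints listed above to every google_project_iam_custom_role in the JSON output of terraform show -json before apply. It assumes the planned_values.root_module.resources layout of that output; the set of launch stages other than the GA default is an assumption taken from the IAM API, not from this page.

```python
import json

# Launch stages the IAM API accepts for custom roles (assumption: the page only
# documents that stage defaults to GA).
VALID_STAGES = {"ALPHA", "BETA", "GA", "DEPRECATED", "DISABLED", "EAP"}

def check_custom_role(values):
    """Return findings for one role's planned values; an empty list means it passes."""
    findings = []
    role_id = values.get("role_id") or ""
    perms = values.get("permissions") or []
    stage = values.get("stage") or "GA"  # provider default documented above
    if not role_id:
        findings.append("role_id is required")
    elif "-" in role_id:
        findings.append(f"role_id {role_id!r} must not contain '-' characters")
    if not values.get("title"):
        findings.append("title is required")
    if not perms:
        findings.append("permissions must list at least one permission")
    if stage not in VALID_STAGES:
        findings.append(f"stage {stage!r} is not a valid launch stage")
    return findings

def expected_role_name(project, role_id):
    """The name the provider computes, usable in IAM bindings once applied."""
    return f"projects/{project}/roles/{role_id}"

def check_plan(plan_json):
    """Map each planned google_project_iam_custom_role address to its findings."""
    plan = json.loads(plan_json)
    resources = plan["planned_values"]["root_module"].get("resources", [])
    return {r["address"]: check_custom_role(r["values"])
            for r in resources if r["type"] == "google_project_iam_custom_role"}

# Constructed plan excerpt (no real project): one valid role, one with two mistakes.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": "google_project_iam_custom_role.storage-object-ro",
     "type": "google_project_iam_custom_role", "name": "storage-object-ro",
     "values": {"project": "example-project", "role_id": "object_ro",
                "title": "Storage Object RO",
                "permissions": ["storage.objects.get", "storage.objects.list"]}},
    {"address": "google_project_iam_custom_role.bad",
     "type": "google_project_iam_custom_role", "name": "bad",
     "values": {"project": "example-project", "role_id": "veeam-default",
                "title": "veeam-default", "permissions": []}}]}}})

if __name__ == "__main__":
    for address, findings in check_plan(SAMPLE_PLAN).items():
        print(address, "OK" if not findings else "; ".join(findings))
```

Note that the resource label (for example "storage-object-ro") may contain hyphens; the check applies only to role_id, which is what the API constrains.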

Explanation in Terraform Registry

Allows management of a customized Cloud IAM project role. For more information see the official documentation and API.

Warning: Note that custom roles in GCP have the concept of a soft-delete. There are two issues that may arise from this and how roles are propagated. 1) creating a role may involve undeleting and then updating a role with the same name, possibly causing confusing behavior between undelete and update. 2) A deleted role is permanently deleted after 7 days, but it can take up to 30 more days (i.e. between 7 and 37 days after deletion) before the role name is made available again. This means a deleted role that has been deleted for more than 7 days cannot be changed at all by Terraform, and new roles cannot share that name.

Frequently asked questions

What is Google Cloud Platform Project IAM Custom Role?

Google Cloud Platform Project IAM Custom Role is a resource for Cloud Platform of Google Cloud Platform. Settings can be written in Terraform.

Where can I find the example code for the Google Cloud Platform Project IAM Custom Role?

For Terraform, the ONSdigital/veeam-terraform-modules, Biarca/patrol-k8s-marketplace and intetunder-temp/terraform-modules source code examples are useful. See the Terraform Example section for further details.
