How to find the least privileged IAM Role in Google Cloud Platform

06 Mar, 2022
Xebia Background Header Wave

In this blog I will show you how to find the least privileged IAM Role in Google Cloud Platform to perform a particular task. The least privileged principle states that a user or program should be given the minimal amount of permissions required to perform his/her function. In Google Cloud Platform, permissions are grouped into a role. You grant the role to a user, and the user will have all of the associated permissions. So a role contains one or more permissions. Google’s predefined role names follow the format roles/<servicename>.<roleName>, for instance roles/compute.admin. Permissions on the other hand have the format <servicename>.<resource-type>.<operation>, for instance compute.disk.delete.

Find all relevant IAM roles

So lets say you want to delete a compute disk. To find all of the available roles, type:

ROLES=$(gcloud iam roles list \
  --filter "name ~ roles/compute.*" \
  --format 'value(name)')

This returns more than twenty different pre-defined roles:

$ echo $ROLES

Find all applicable IAM roles

To find all applicable IAM roles with the permission compute.disk.delete, type:

DELETE_ROLES=$(for role in $ROLES; do
    gcloud iam roles describe $role  --format json | \
      jq -r 'select(
               .includedPermissions[] | . == "compute.disks.delete"
              ) | .name'

So, now we are down to four roles!


Find least privileged IAM Role

To find the IAM role with the least amount of permissions, type:

for role in $DELETE_ROLES; do
    gcloud iam roles describe $role  --format json | \
    jq '{
         name: .name, 
         title: .title,
         description: .description,
         number_of_permissions : (.includedPermissions|length)
done | \
jq --slurp 'sort_by(.number_of_permissions)'

As you can see, this results in four potential roles:

    "name": "roles/compute.storageAdmin",
    "title": "Compute Storage Admin",
    "description": "Full control of Compute Engine storage resources.",
    "number_of_permissions": 77
    "name": "roles/compute.instanceAdmin",
    "title": "Compute Instance Admin (beta)",
    "description": "Full control of Compute Engine instance resources.",
    "number_of_permissions": 162
    "name": "roles/compute.instanceAdmin.v1",
    "title": "Compute Instance Admin (v1)",
    "description": "Full control of Compute Engine instances, instance groups, disks, snapshots, and images. Read access to all Compute Engine networking resources.",
    "number_of_permissions": 278
    "name": "roles/compute.admin",
    "title": "Compute Admin",
    "description": "Full control of all Compute Engine resources.",
    "number_of_permissions": 587

Clearly, roles/compute.storageAdmin is the least privileged IAM role, if you need to delete a disk.


To find the least privileged IAM role on Google Cloud Platform to perform a specific task, you can query the IAM Role definition API. The entire code is also available as a bash script: gcp-least-privileged Photo by FLY:D on Unsplash

Mark van Holsteijn
Mark van Holsteijn is a senior software systems architect at Xebia Cloud-native solutions. He is passionate about removing waste in the software delivery process and keeping things clear and simple.

Get in touch with us to learn more about the subject and related solutions

Explore related posts