# Google Cloud IAM Roles [jinaldesai.com](https://jinaldesai.com/) --- ### There are three kinds of roles in IAM: basic, predefined, and custom.  --- # Basic roles `---`  --- # Basic roles `---` Basic roles are broad in scope. When applied to a Google Cloud project, they affect all resources in that project. Basic roles include owner, editor, viewer, and billing administrator. --- # Basic roles `---` Project viewers can examine resources, but can’t modify them. Project editors can examine and modify a resource. And project owners can also examine and modify a resource. In addition, project owners can manage the associate roles and permissions, and set up billing. --- # Billing Administrator role `---` Often companies want someone to control the billing for a project, but not have permissions to change the resources in the project. This is possible through a billing administrator role. --- # Predefined roles `---`  --- # Predefined roles `---` Specific Google Cloud services offer sets of predefined roles, and they even define where those roles can be applied. For example, with Compute Engine, you can apply specific predefined roles—such as “instanceAdmin”—to Compute Engine resources in a given project, a given folder, or an entire organization. --- # Custom role `---`  --- # Custom role `---` What if you need to assign a role that has even more specific permissions? Many companies use a “least-privilege” model, in which each person in your organization is given the minimal amount of privilege needed to do their job. --- # Custom role `---` So, for example, maybe you want to define an “instanceOperator” role to allow some users to stop and start Compute Engine virtual machines, but not reconfigure them. Custom roles allow for that. --- # Drawbacks of Custom role `---` - First, you must manage the permissions that comprise the custom role you’ve created. - And second, custom roles can only be applied to either project or organization level. They can’t be applied to the folder level.