Custom roles
Overview
IAM provides the ability to create
custom roles. You can create a custom
IAM role with one or more permissions and then grant that custom
role to users who are part of your organization. Custom roles enable you to
enforce the
principle of least privilege,
ensuring that the user and service accounts in your organization have only the
permissions essential to performing their intended functions. For information
about creating custom roles, see
Creating and managing custom roles.
Common user flows and permissions
The following table lists common user flows and the
required permissions for performing Binary Authorization operations.
The user flows and required permissions listed in the table are not exhaustive.
To learn more about Binary Authorization-related permissions, see
Permissions.
To learn more about all Google Cloud permissions, see
IAM Permissions.
Each entry below names a user flow, followed by the permissions it requires, grouped by the project or resource on which they must be granted.

Enable the API
  On the attestor and deployer project:
    serviceusage.services.get
    serviceusage.services.list
    serviceusage.services.enable
    serviceusage.services.disable
    serviceusage.services.use
    serviceusage.services.generateServiceIdentity
    serviceusage.services.getServiceIdentity
    serviceusage.quotas.get
    serviceusage.quotas.update
    serviceusage.operations.cancel
    serviceusage.operations.delete
    serviceusage.operations.get
    serviceusage.operations.list

Configure a policy
  On the deployer project:
    resourcemanager.projects.get
    resourcemanager.projects.list
    binaryauthorization.policy.get
    binaryauthorization.policy.update
  On the attestor project:
    resourcemanager.projects.get
    resourcemanager.projects.list
    binaryauthorization.attestors.get
    binaryauthorization.attestors.list

Update a policy
  On the deployer project:
    binaryauthorization.policy.update

Create an attestor
  On the attestor project:
    containeranalysis.notes.list
    resourcemanager.projects.get
    resourcemanager.projects.list
    binaryauthorization.attestors.get
    binaryauthorization.attestors.list
    binaryauthorization.attestors.create

Update an attestor
  On the containing attestor:
    binaryauthorization.attestors.update

Create an attestation
  On the note resource (or project):
    containeranalysis.notes.get
    containeranalysis.notes.attachOccurrence
  On the attestation project:
    containeranalysis.occurrences.create
    containeranalysis.occurrences.update
    containeranalysis.occurrences.get
    containeranalysis.occurrences.list
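The following script is an added example of how the permissions in the table translate into custom roles; it is not code from the Binary Authorization documentation. It builds one single-flow role for "Configure a policy" on the deployer project and one for "Create an attestation" on the attestation project, creates or updates each with `gcloud iam roles`, grants the attestation role to a CI service account, and then reads the role back to confirm what was actually granted. The project IDs, role IDs and the service-account address are placeholders (assumptions), and the role YAML is written by a small function so that it can be inspected before anything is sent to Google Cloud.

```shell
#!/bin/sh
# Added example: least-privilege custom roles from the Binary Authorization
# permission table. Project IDs, role IDs and the service account below are
# assumed placeholder values, not values taken from the documentation.
set -eu

# Permissions copied from the table, one flow per role. Keeping "Configure a
# policy" and "Create an attestation" in separate roles means the principal
# that signs images cannot also rewrite the policy that trusts its signatures.
POLICY_EDITOR_PERMS="resourcemanager.projects.get
resourcemanager.projects.list
binaryauthorization.policy.get
binaryauthorization.policy.update"

ATTESTATION_CREATOR_PERMS="containeranalysis.notes.get
containeranalysis.notes.attachOccurrence
containeranalysis.occurrences.create
containeranalysis.occurrences.update
containeranalysis.occurrences.get
containeranalysis.occurrences.list"

# write_role_yaml TITLE DESCRIPTION PERMS OUTFILE
# Emits the YAML format accepted by `gcloud iam roles create --file`.
write_role_yaml() {
  title=$1; description=$2; perms=$3; out=$4
  {
    printf 'title: "%s"\n' "$title"
    printf 'description: "%s"\n' "$description"
    printf 'stage: "GA"\n'
    printf 'includedPermissions:\n'
    printf '%s\n' "$perms" | sed '/^$/d; s/^/- /'
  } > "$out"
}

# role_permission_count FILE -> number of includedPermissions entries,
# a quick sanity check that no permission was dropped while editing.
role_permission_count() {
  grep -c '^- ' "$1"
}

# create_or_update_role ROLE_ID PROJECT FILE
# `roles create` fails if the role already exists, so fall back to `update`
# and the script stays idempotent across CI runs.
create_or_update_role() {
  role_id=$1; project=$2; file=$3
  if gcloud iam roles describe "$role_id" --project="$project" >/dev/null 2>&1; then
    gcloud iam roles update "$role_id" --project="$project" --file="$file"
  else
    gcloud iam roles create "$role_id" --project="$project" --file="$file"
  fi
}

# bind_role PROJECT MEMBER ROLE_ID
# Grants the project-level custom role; nothing is granted at folder or org level.
bind_role() {
  project=$1; member=$2; role_id=$3
  gcloud projects add-iam-policy-binding "$project" \
    --member="$member" \
    --role="projects/$project/roles/$role_id"
}

main() {
  deployer_project=${DEPLOYER_PROJECT:-my-deployer-project}    # assumption
  attestor_project=${ATTESTOR_PROJECT:-my-attestor-project}    # assumption
  ci_sa="serviceAccount:ci-signer@${attestor_project}.iam.gserviceaccount.com"  # assumption

  write_role_yaml "Binary Authorization Policy Editor" \
    "Configure and update the Binary Authorization policy" \
    "$POLICY_EDITOR_PERMS" policy-editor.yaml
  write_role_yaml "Attestation Creator" \
    "Attach attestation occurrences to an attestor note" \
    "$ATTESTATION_CREATOR_PERMS" attestation-creator.yaml

  create_or_update_role binauthzPolicyEditor "$deployer_project" policy-editor.yaml
  create_or_update_role binauthzAttestationCreator "$attestor_project" attestation-creator.yaml
  bind_role "$attestor_project" "$ci_sa" binauthzAttestationCreator

  # Verify the granted permission set from the API rather than trusting the file.
  gcloud iam roles describe binauthzAttestationCreator \
    --project="$attestor_project" --format='value(includedPermissions)'
}

# Only run against a real project when explicitly requested, so the functions
# can be sourced and tested without gcloud credentials.
if [ "${RUN_BINAUTHZ_ROLES:-0}" = "1" ]; then main "$@"; fi
```

Run it with `RUN_BINAUTHZ_ROLES=1 DEPLOYER_PROJECT=... ATTESTOR_PROJECT=... sh roles.sh` after `gcloud auth login`. Note that "Create an attestation" also needs `containeranalysis.notes.get` and `containeranalysis.notes.attachOccurrence` on the note resource, which may live in a different project than the occurrences; when it does, bind the role there as well, or split the note permissions into a role granted on the attestor project.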
Last updated 2025-08-25 UTC.