NAME
gdcloud iam roles - Manage custom roles for projects or organizations.
SYNOPSIS
gdcloud iam roles COMMAND [flags]
DESCRIPTION
Manage custom roles for projects or organizations. This command provides a unified way to manage custom roles, letting you define roles with customized access levels.
EXAMPLES
To create an organization-level custom role with specific permissions, run:
gdcloud iam roles create org-viewer --scope=organization --title="Organization Viewer" --description="Grants read-only access to storage buckets and compute instances at the organization level" --permissions=storageAdmin:compute:instances.get,storageAdmin:storage:buckets.list --stage=<BETA|GA|ALPHA>
To create a project-level custom role for deploying resources in specific project namespaces, run:
gdcloud iam roles create project-resource-manager --scope=project --title="Project Resource Manager" --description="Allows managing compute instances and disks within specific projects" --permissions=storageAdmin:compute:instances.get,storageAdmin:compute:disks.create --stage=<BETA|GA|ALPHA> --projects=project-id-1,project-id-2...
To create a project-level custom role applicable to all projects, run:
gdcloud iam roles create project-instance-operator --scope=project --title="Project Instance Operator" --description="Grants permissions to start and stop compute instances across all projects" --permissions=admin:compute:instances.start,admin:compute:instances.stop --stage=<BETA|GA|ALPHA>
To create a custom role in a specific system namespace, run:
gdcloud iam roles create iam-role-manager --scope=organization --title="IAM Role Manager" --description="Allows creating and updating IAM roles" --permissions=iamAdmin:iam:roles:create,iamAdmin:iam:roles:update --stage=<BETA|GA|ALPHA> --namespace=<namespace-name>
To create a custom role from a YAML configuration file, run:
gdcloud iam roles create my_role --file=ROLE_FILE
To describe a role at organization scope, run:
gdcloud iam roles describe org-role
To describe a role at project scope, run:
gdcloud iam roles describe project-role --project my-project
To delete a custom role at organization scope, run:
gdcloud iam roles delete org-role
To delete a custom role at project scope, run:
gdcloud iam roles delete project-role --project my-project
To update an organization-level custom role with specific permissions, run:
gdcloud iam roles update org-viewer --permissions=storageAdmin:compute:instances.get,storageAdmin:storage:buckets.list
To update a project-level custom role for deploying resources in specific project namespaces, run:
gdcloud iam roles update project-resource-manager --permissions=storageAdmin:compute:instances.get,storageAdmin:compute:disks.create --projects=project-id-1,project-id-2
To update a project-level custom role applicable to all projects, run:
gdcloud iam roles update project-instance-operator --permissions=admin:compute:instances.start,admin:compute:instances.stop
To update the title and description of a custom role, run:
gdcloud iam roles update org-viewer --title="Organization Viewer v2" --description="Grants read-only access to storage buckets and compute instances at the organization level v2"
To add additional projects to an existing project-level custom role, run:
gdcloud iam roles update project-resource-manager --projects=project-id-3,project-id-4
To update a custom role from a YAML configuration file, run:
gdcloud iam roles update my_role --file=ROLE_FILE
To list all roles, run:
gdcloud iam roles list
To list predefined roles, run:
gdcloud iam roles list --type=predefined
To list custom roles, run:
gdcloud iam roles list --type=custom
To list all roles for a specific project, run:
gdcloud iam roles list --project=my-project
To list predefined roles for a specific project, run:
gdcloud iam roles list --type=predefined --project=my-project
To list custom roles for a specific project, run:
gdcloud iam roles list --type=custom --project=my-project
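A pre-flight check for the `--permissions` value of a role that is meant to be read-only, such as `org-viewer` above. This is an added example, not part of the gdcloud CLI or its documentation; it assumes the action is the text after the last `.` or `:` of each permission and that `get`, `list` and `watch` are the read-only actions, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not gdcloud code): lint a comma-separated --permissions value
# before passing it to `gdcloud iam roles create` or `update`.
# Assumption: the action is whatever follows the last '.' or ':' in a permission,
# which covers both forms on this page (instances.get and roles:create).

READ_ONLY_ACTIONS="get list watch"   # assumed read-only set; adjust to your policy

# Print each permission whose action is not in READ_ONLY_ACTIONS, one per line.
# Runs in a subshell so its variables do not leak into the caller.
non_read_only_permissions() (
  rest="$1,"
  while [ -n "$rest" ]; do
    perm="${rest%%,*}"          # next comma-separated item
    rest="${rest#*,}"           # remainder after that item
    [ -n "$perm" ] || continue  # skip empty items such as "a,,b"
    action="${perm##*[.:]}"     # text after the last '.' or ':'
    case " $READ_ONLY_ACTIONS " in
      *" $action "*) ;;                  # allowed read-only action
      *) printf '%s\n' "$perm" ;;        # write action, wildcard, or empty action
    esac
  done
)

# Succeed only when every permission in the list is read-only.
is_read_only_role() {
  [ -z "$(non_read_only_permissions "$1")" ]
}

# Constructed sample: the permission list from the project-resource-manager example,
# checked as if it had been proposed for a viewer role.
SAMPLE="storageAdmin:compute:instances.get,storageAdmin:compute:disks.create"
if ! is_read_only_role "$SAMPLE"; then
  echo "Not read-only, review before creating the role:"
  non_read_only_permissions "$SAMPLE"
fi
```

Run the same check against the permission list of an existing role after every `update`, since the role's title and description do not change when its permissions do.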
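GDCLOUD WIDE FLAGS
These flags are available to all commands: --help.
For more information, see the gdcloud CLI reference overview page (/distributed-cloud/hosted/docs/latest/gdch/resources/gdcloud-reference/gdcloud).
COMMANDS
COMMAND is one of the following:
create
Create a custom role.
delete
Delete a custom role.
describe
Describe a role (custom or predefined).
list
List roles (custom, predefined, or all).
update
Update a custom role.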
Last updated 2025-08-25 UTC.