gdcloud iam roles create

gdcloud iam roles create ROLE_NAME
    { --file=ROLE_FILE |
    --description=DESCRIPTION
    --title=TITLE
    [--scope=[PROJECT | ORGANIZATION]]
    [--permissions=[permissions1,...]]
    [--stage=[ALPHA | BETA | GA | DISABLED]]
    [--projects=[project1,...]]
    [--namespace=NAMESPACE]
    } [flags]

To create an organization-level custom role with specific permissions, run:

    gdcloud iam roles create org-viewer --scope=organization --title="Organization Viewer" --description="Grants read-only access to storage buckets and compute instances at the organization level" --permissions=storageAdmin:compute:instances.get,storageAdmin:storage:buckets.list --stage=<BETA|GA|ALPHA>

To create a project-level custom role for deploying resources in specific project namespaces, run:

    gdcloud iam roles create project-resource-manager --scope=project --title="Project Resource Manager" --description="Allows managing compute instances and disks within specific projects" --permissions=storageAdmin:compute:instances.get,storageAdmin:compute:disks.create --stage=<BETA|GA|ALPHA> --projects=project-id-1,project-id-2...

To create a project-level custom role applicable to all projects, run:

    gdcloud iam roles create project-instance-operator --scope=project --title="Project Instance Operator" --description=""Grants permissions to start and stop compute instances across all projects" --permissions=admin:compute:instances.start,admin:compute:instances.stop --stage=<BETA|GA|ALPHA>

To create a custom role in a specific system namespace, run:

    gdcloud iam roles create iam-role-manager --scope=organization --title="IAM Role Manager" --description="Allows creating and updating IAM roles" --permissions=iamAdmin:iam:roles:create,iamAdmin:iam:roles:update --stage=<BETA|GA|ALPHA> --namespace=<namespace-name>

To create a custom role from a YAML configuration file, run:

    gdcloud iam roles create my_role --file=ROLE_FILE

      --description string                               Description of the CustomRole custom resource.
      --permissions iamRoleName:apiGroup:resource:verb   A list of permissions granted to this CustomRole. Each permission must be specified in one of the following formats: iamRoleName:apiGroup:resource:verb (for resource that don't have individual name) or `iamRoleName:apiGroup:resource:resourceName:verb` (for resource with specific name). Wildcards (`*`) are explicitly prohibited in any part of the permission string (apiGroup, resource, verb, or resourceName) to enforce the principle of least privilege.
      --title string                                     Title of the CustomRole custom resource.

      --file string        Path to a file containing YAML configuration for a CustomRole custom resource. If set, the gdcloud CLI creates the CustomRole from the YAML configuration and ignores the other flags. The YAML must include 'title', 'description', and 'permissions' (formatted as 'iamRoleName:apiGroup:resource:verb' or 'iamRoleName:apiGroup:resource:resourceName:verb', no wildcards). Optional fields: 'stage', 'scope', 'projects', 'namespace' (if applicable). These fields, if present, must follow the same format as their corresponding command-line flags.
      --namespace string   Namespace of the CustomRole custom resource, required only when defining permissions in organization scope.
      --projects strings   Comma-separated list of project IDs where the CustomRole will be applied. Required when the scope is 'project'; not applicable for 'organization' scope. Example: --projects=project-id-1,project-id-2,project-id-3
      --scope string       Scope of the CustomRole (organization or project). Use 'organization' for system-level permissions and 'project' for project-specific permissions. (default "organization")
      --stage string       Release stage of the CustomRole (ALPHA, BETA, or GA). (default "ALPHA")