Creating IAM custom roles

A role is a group of permissions that can be assigned to a user, a group, or a service account. In GCP, permissions on resources cannot be attached directly to users; instead, the permissions are granted to a role and the role is bound to the user. There are three broad classifications of roles: primitive roles, predefined roles, and custom roles.

Primitive roles are the viewer, editor, and owner roles; they are broad and are assigned at the project level. Predefined roles come into play when we need more fine-grained permissions: a user can be made an editor of a service, a viewer of a service, a viewer plus editor of only one action, and so on, and multiple predefined roles can be assigned to one user. When the existing primitive roles do not satisfy an organization's business needs, GCP lets us create custom roles. With custom roles, we reach the highest level of granularity IAM provides: we pick and choose the list of permissions and create a role from them.

In this recipe, we'll create a custom role for a storage reviewer: someone who reviews the work of the storage admin and provides feedback. Because the reviewer is external, we will not grant any editor access to the storage resources.
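The following script is an added example (not part of the original recipe) of how such a read-only storage reviewer role can be defined and created with `gcloud`. The project id and role id are placeholders; the permission names are real Cloud Storage IAM permissions. The `check_permissions` guard enforces the recipe's constraint that the reviewer gets no editor access by refusing any permission whose verb is not a read verb, so a later edit that slips `storage.objects.delete` into the list fails before the role is created. The `gcloud` calls only run when `RUN_GCLOUD=1` is set, so the checks can be exercised without a GCP project.

```shell
#!/usr/bin/env bash
# Added example: least-privilege custom role for a "storage reviewer".
# PROJECT_ID and ROLE_ID are placeholders (assumptions), override via env.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project-placeholder}"
ROLE_ID="${ROLE_ID:-storageReviewer}"

# Read-only Cloud Storage permissions a reviewer needs (space separated).
REVIEWER_PERMISSIONS="storage.buckets.get storage.buckets.list storage.buckets.getIamPolicy storage.objects.get storage.objects.list"

# A permission is accepted only if its verb is a read verb.
is_read_only_permission() {
  case "$1" in
    *.get|*.list|*.getIamPolicy) return 0 ;;
    *) return 1 ;;
  esac
}

# Reject the whole list if any entry would grant write or admin access.
check_permissions() {
  for p in $1; do
    if ! is_read_only_permission "$p"; then
      echo "refusing to add non-read permission to reviewer role: $p" >&2
      return 1
    fi
  done
  return 0
}

# --permissions expects a comma-separated list.
permissions_csv() {
  echo "$1" | tr ' ' ','
}

create_role() {
  check_permissions "$REVIEWER_PERMISSIONS"
  gcloud iam roles create "$ROLE_ID" \
    --project="$PROJECT_ID" \
    --title="Storage Reviewer" \
    --description="Read-only review of Cloud Storage buckets and objects" \
    --permissions="$(permissions_csv "$REVIEWER_PERMISSIONS")" \
    --stage=GA
  # Confirm what was actually created before binding it to the reviewer.
  gcloud iam roles describe "$ROLE_ID" --project="$PROJECT_ID"
}

# Only talk to GCP when explicitly asked; the guard functions run offline.
if [ "${RUN_GCLOUD:-0}" = "1" ]; then
  create_role
fi
```

Run with `RUN_GCLOUD=1 PROJECT_ID=<your project> ./storage-reviewer-role.sh` once authenticated; bind the result to the reviewer with `gcloud projects add-iam-policy-binding` using `--role=projects/<your project>/roles/storageReviewer`. Keeping the permission list in one variable and validating it in `check_permissions` means the role's read-only property is checked every time the role is (re)created, not just when it was first designed.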
