Creating a Custom Role for GCP Standalone Application

    A custom role needs to be created for Britive to perform operations within GCP. The custom role can be created at one of the following locations: 

    • Organization level: The custom role is created at the organization level and granted to the service account on the folders or projects that need to be managed in Britive.
    • Project level: If creating the role at the organization level is not possible, a custom role needs to be created in every project that needs to be managed within Britive, and all the roles have to be assigned to the service account.

    Follow these steps to create a custom role:

    1. Log in to the GCP Console using administrative privileges.
    2. Select either the organization or a project from the project selector drop-down at the top. If a project is selected, the following steps need to be repeated for all the projects managed within Britive.
    3. Select IAM & Admin -> Roles from the navigation menu.
    4. Click + CREATE ROLE.
    5. Enter the following values on the Create Role page.
      1. Enter the Title as Britive Integration Role.
      2. Enter the ID as BritiveIntegrationRole.
      3. Click ADD PERMISSIONS to add the following permissions:
        • iam.roles.get 
        • iam.roles.list 
        • iam.serviceAccountKeys.create 
        • iam.serviceAccountKeys.delete 
        • iam.serviceAccountKeys.get 
        • iam.serviceAccountKeys.list 
        • iam.serviceAccounts.create 
        • iam.serviceAccounts.delete 
        • iam.serviceAccounts.disable
        • iam.serviceAccounts.enable 
        • iam.serviceAccounts.get 
        • iam.serviceAccounts.getIamPolicy 
        • iam.serviceAccounts.list 
        • iam.serviceAccounts.setIamPolicy 
        • iam.serviceAccounts.undelete 
        • iam.serviceAccounts.update 
        • resourcemanager.projects.get 
        • resourcemanager.projects.getIamPolicy 
        • resourcemanager.projects.list (This permission is not required if the role is created at project level.) 
        • resourcemanager.projects.setIamPolicy
      4. The following permissions are required if Britive is managing a set of folders. If there are no folders these permissions can be ignored.
        • resourcemanager.folders.get
        • resourcemanager.folders.getIamPolicy
        • resourcemanager.folders.list
        • resourcemanager.folders.setIamPolicy
      5. The following permissions are required to support BigQuery constraint management. These permissions can be ignored if you are not using this feature.
        • bigquery.datasets.get
        • bigquery.datasets.update
        • bigquery.tables.get
        • bigquery.tables.getIamPolicy
        • bigquery.tables.setIamPolicy
      6. The following permissions are required to support Apigee environment constraint management. These permissions can be ignored if you are not using this feature.
        • apigee.environments.get
        • apigee.environments.getIamPolicy
        • apigee.environments.setIamPolicy
      7. Click ADD.
    6. Click CREATE.

    For more information about custom roles in GCP, see Creating and managing custom roles.

