Fix GCP IAM Role Basic Errors
When working with GCP IAM, you may encounter a configuration error that prevents your deployment from working. This guide explains the most common mistake with basic roles and shows the exact fix.
A Common Mistake
Granting a basic role (Owner) to a service account is far too permissive. Basic roles grant unfettered access to every resource in the project, which violates least privilege and opens you to security risks if the account is compromised.
The incorrect command:
gcloud projects add-iam-policy-binding my-project --member=serviceAccount:sa@my-project.iam.gserviceaccount.com --role=roles/owner
Error output:
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Basic roles (roles/owner, roles/editor, roles/viewer) should be avoided. Use roles/storage.admin instead.
- '@type': type.googleapis.com/google.cloud.iam.v1.BindingDelta
  role: roles/owner
  member: serviceAccount:sa@my-project.iam.gserviceaccount.com
The policy analyzer flagged this as a security risk. Basic roles allow access to ALL services including billing and IAM management, which is far beyond what a service account needs.
The Correct Approach
The right way to configure the role in GCP IAM is to grant a scoped predefined role instead of a basic one:
gcloud projects add-iam-policy-binding my-project --member=serviceAccount:sa@my-project.iam.gserviceaccount.com --role=roles/storage.objectViewer
Successful result:
Updated IAM policy for project [my-project].
bindings:
- members:
  - serviceAccount:sa@my-project.iam.gserviceaccount.com
  role: roles/storage.objectViewer
The service account now has read-only access to Cloud Storage objects following least privilege.
How to Prevent This
Audit existing IAM bindings with gcloud projects get-iam-policy my-project --format=json | jq '.bindings[] | {role, members}'. Replace any basic roles with scoped predefined roles. Use gcloud iam roles list --project=my-project to view available role options.
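The audit above can be scripted against the JSON that gcloud projects get-iam-policy emits, so that every basic-role binding is surfaced rather than eyeballed. The following Python is an added example, not code from the original guide: it parses a constructed sample policy (the project name, member addresses and etag are made up), flags each binding of roles/owner, roles/editor or roles/viewer, marks which members are service accounts, and builds the gcloud projects remove-iam-policy-binding command for each finding. The replacement predefined role is left to the reviewer, since the right scope depends on the workload.

```python
import json

# Basic (primitive) roles that grant project-wide access; these are what the audit flags.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample shaped like `gcloud projects get-iam-policy my-project --format=json`.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "serviceAccount:sa@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:build@my-project.iam.gserviceaccount.com"],
         "condition": {"title": "expires-2025",
                       "expression": "request.time < timestamp('2025-12-31T00:00:00Z')"}},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:sa@my-project.iam.gserviceaccount.com"]},
    ],
    "etag": "BwConstructedEtag",
    "version": 1,
})


def find_basic_role_bindings(policy_json, project):
    """Return one finding per (member, basic role) pair found in the policy.

    Each finding carries the gcloud command that removes that single binding.
    Which scoped predefined role replaces it is a per-workload decision, so it
    is deliberately not guessed here.
    """
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in BASIC_ROLES:
            continue
        # A conditional binding is still a basic role; keep the condition title so
        # it is not mistaken for a scoped grant during review.
        condition = binding.get("condition", {}).get("title")
        for member in binding.get("members", []):
            findings.append({
                "member": member,
                "role": role,
                "is_service_account": member.startswith("serviceAccount:"),
                "condition": condition,
                "remove_cmd": (
                    f"gcloud projects remove-iam-policy-binding {project} "
                    f"--member={member} --role={role}"
                ),
            })
    return findings


def service_account_findings(findings):
    """Service accounts are the highest-priority subset: non-interactive, often key-based."""
    return [f for f in findings if f["is_service_account"]]


if __name__ == "__main__":
    results = find_basic_role_bindings(SAMPLE_POLICY, "my-project")
    for f in results:
        kind = "SERVICE ACCOUNT" if f["is_service_account"] else "principal"
        cond = f" (conditional: {f['condition']})" if f["condition"] else ""
        print(f"[{kind}] {f['member']} has {f['role']}{cond}")
        print(f"    remove: {f['remove_cmd']}")
        print("    then grant a scoped predefined role, e.g. roles/storage.objectViewer")
```

To run it against a real project, save the output of gcloud projects get-iam-policy my-project --format=json to a file and pass its contents to find_basic_role_bindings together with the project ID; review the service-account findings first, because those identities cannot be protected by interactive login controls.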
Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro. Secure your cloud with DodaTech.