Google Cloud IAM Roles: Basic, Predefined, and Custom for the ACE Exam

Ben Makansi
February 25, 2026

Cloud IAM controls who can do what on which GCP resources. The "what" part is defined by roles, which are collections of permissions bundled together. Every role assignment in GCP uses one of three role types: basic, predefined, or custom. The Associate Cloud Engineer exam tests all three, and it tests your judgment about which type is appropriate for a given scenario. Getting this right means understanding not just what each role type is, but why you would choose one over another.

Basic Roles

Basic roles are the broadest and oldest role type in GCP (older documentation and some exam material still call them primitive roles). There are three of them: Owner, Editor, and Viewer. They are most often granted at the project level, although they can also be granted on folders and organizations, where they apply to everything underneath.

Owner grants everything Editor does plus the ability to manage IAM roles and permissions and to set up billing for the project. Editor grants read and write access to most resources (create, modify, delete) but cannot change the IAM policy or billing. Viewer grants read-only access to all resources in the project. Editor deserves particular caution: it includes iam.serviceAccounts.actAs, so an Editor can deploy code that runs as any service account in the project and inherit whatever those service accounts have been granted.

Basic roles are useful for getting started quickly and for small projects where granular access control is not a priority. However, Google explicitly discourages using them in production environments. The reason is scope: Owner and Editor grant permissions across every service in the project. A developer with Editor access can accidentally modify production databases, storage buckets, or network configurations that they have no business touching.

The exam often presents basic roles in the context of what not to use. A question describes a contractor who needs to view logs but nothing else, and one of the wrong answers is to grant them Viewer on the project. That would work, but it gives read access to every resource in the project, not just the logs. The correct answer is typically a predefined role scoped to the specific service, in this case Logs Viewer (roles/logging.viewer).

Predefined Roles

Predefined roles are curated by Google for specific services and use cases. Each one contains the permissions needed for a particular job function on a particular GCP service. BigQuery Data Viewer lets someone read BigQuery datasets and tables but not modify them. Cloud Run Developer lets someone deploy and update Cloud Run services without the broader control that Cloud Run Admin carries. Storage Object Creator lets someone upload new objects to buckets but not list, read, or delete existing ones; it cannot overwrite either, because replacing an object requires storage.objects.delete.

Predefined roles are the recommended choice for most situations. They give you specific, auditable access without requiring you to manage which individual permissions are included. Google maintains them as the services evolve, adding permissions to predefined roles when new service features are released.

The naming convention is fairly consistent: roles that end in Admin grant full control over the service, roles ending in Developer or Editor grant read-write access without administrative control, and roles ending in Viewer grant read-only access. This pattern holds across most GCP services, but the exact line between Admin and Developer varies from service to service, so check the permission list rather than trusting the name when the difference matters.

For the exam, the most important predefined roles to recognize by name are the ones for the core services: BigQuery Admin, BigQuery Data Editor, BigQuery Data Viewer, BigQuery Job User, Storage Admin, Storage Object Admin, Storage Object Viewer, Compute Admin, Compute Instance Admin, Logging Admin, Monitoring Admin, and the service account roles: Service Account User (roles/iam.serviceAccountUser), Service Account Token Creator, and Service Account Admin. You do not need to memorize every permission in each role, but you need to know what each role enables at a high level.

Custom Roles

Custom roles are defined and managed by you. You select the exact set of individual permissions to include, give the role an ID and a title, and then grant it like any other role. Custom roles exist because sometimes no predefined role matches your requirement precisely: you may need only a subset of what a predefined role grants, or a combination of permissions from different services with nothing extra. You might need a role that grants exactly the read permissions of BigQuery Data Viewer plus the ability to create Dataflow jobs, but not the rest of what Dataflow Developer allows. No predefined role bundles those specific permissions together, and granting two predefined roles would bring along permissions you did not ask for.

The trade-off with custom roles is maintenance overhead. When GCP adds new permissions to a service, predefined roles are updated automatically. Custom roles are not. If a new BigQuery feature adds a permission that your users need, you have to manually add it to your custom role. For organizations that are already managing dozens of custom roles, this adds operational burden. Custom roles also have a scope: one created at the organization level can be granted on any resource in that organization, while one created at the project level can only be granted within that project. Each custom role carries a launch stage (ALPHA, BETA, GA, or DISABLED); the stage is informational except for DISABLED, which stops the role from granting anything.

Custom roles are also restricted in what permissions they can include. Some permissions are not available in custom roles, particularly permissions that carry elevated risk, and Google marks these as not supported in custom roles in the IAM documentation. You can check this from the command line: gcloud iam list-testable-permissions, given the full resource name of a project or organization, lists the permissions usable on that resource along with their custom-role support level (SUPPORTED, TESTING, or NOT_SUPPORTED).
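The check described above, as an added example that is not part of the original post: a shell script that validates a custom role definition file against the support levels reported by gcloud iam list-testable-permissions before you run gcloud iam roles create. The role file, the support-level listing, and the permission name example.service.restricted are constructed for offline use and are not real GCP data; in practice the listing comes from the gcloud command shown in the comment.

```shell
# Added example, not from the original post. Validates a custom role definition
# before `gcloud iam roles create` by checking each permission's
# customRolesSupportLevel as reported by `gcloud iam list-testable-permissions`.
# The role file, the support-level listing and the permission name
# example.service.restricted are constructed stand-ins for offline use.
set -eu

# Custom role definition in the --file format gcloud accepts. The intent is
# "the reads that BigQuery Data Viewer grants, plus creating Dataflow jobs".
ROLE_FILE=$(mktemp)
cat > "$ROLE_FILE" <<'EOF'
title: "BigQuery Reader and Dataflow Job Creator"
description: "Read BigQuery tables and launch Dataflow jobs; no write access to data"
stage: "GA"
includedPermissions:
- bigquery.datasets.get
- bigquery.tables.get
- bigquery.tables.getData
- bigquery.tables.list
- dataflow.jobs.create
- example.service.restricted
EOF

# Constructed stand-in for the output of
#   gcloud iam list-testable-permissions //cloudresourcemanager.googleapis.com/projects/PROJECT_ID \
#     --format='value(name,customRolesSupportLevel)'
# One "<permission><TAB><level>" line per permission. Levels are SUPPORTED, TESTING
# and NOT_SUPPORTED; the field may be empty when the default (SUPPORTED) is omitted.
SUPPORT_FILE=$(mktemp)
printf '%s\t%s\n' \
  bigquery.datasets.get SUPPORTED \
  bigquery.tables.get '' \
  bigquery.tables.getData SUPPORTED \
  bigquery.tables.list '' \
  dataflow.jobs.create SUPPORTED \
  example.service.restricted NOT_SUPPORTED \
  > "$SUPPORT_FILE"

# Print the permissions listed in a role definition file, one per line.
role_file_permissions() {
  sed -n 's/^- //p' "$1"
}

# support_level PERMISSION SUPPORT_FILE -> SUPPORTED, TESTING, NOT_SUPPORTED,
# or UNKNOWN when the permission is not testable on the resource at all.
support_level() {
  awk -F '\t' -v p="$1" '
    $1 == p { print ($2 == "" ? "SUPPORTED" : $2); found = 1; exit }
    END { if (!found) print "UNKNOWN" }
  ' "$2"
}

# unsupported_permissions ROLE_FILE SUPPORT_FILE -> prints "<permission> <level>"
# for every permission that is not SUPPORTED; exit 0 only when the file is clean.
unsupported_permissions() {
  bad=0
  for perm in $(role_file_permissions "$1"); do
    level=$(support_level "$perm" "$2")
    [ "$level" = SUPPORTED ] || { echo "$perm $level"; bad=1; }
  done
  return $bad
}

# Worked run: the constructed role fails because of the NOT_SUPPORTED permission.
if unsupported_permissions "$ROLE_FILE" "$SUPPORT_FILE"; then
  echo "definition is clean; create it with:"
  echo "  gcloud iam roles create bqReaderDataflowRunner --project=PROJECT_ID --file=$ROLE_FILE"
else
  echo "remove or replace the permissions above before running gcloud iam roles create"
fi
```

Treating TESTING the same as NOT_SUPPORTED is deliberate: a permission in testing can be used in a custom role, but Google may still change it, so a role that depends on one is worth a second look before it goes into production.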

Choosing Between Role Types

The decision framework for the exam is straightforward. If a scenario describes a small team or a non-production environment where convenience matters more than security precision, basic roles might be acceptable. If a scenario describes a specific job function that maps to a GCP service, use the matching predefined role; if it needs several job functions, granting several predefined roles is still simpler than a custom role. Use a custom role when no predefined role, and no combination of them, gives the required permissions without granting extras, or when the scenario explicitly demands the minimum necessary permissions and every predefined candidate is broader than that.

The principle of least privilege, which the Associate Cloud Engineer exam emphasizes throughout the IAM section, pushes toward predefined and custom roles and away from basic roles in any environment where data security matters.

Inspecting Role Permissions

When you need to understand exactly what permissions a predefined role contains, you can view them in the Cloud Console under IAM and Admin, then Roles. Select any role to see its full permission list. The gcloud CLI provides the same information:

gcloud iam roles describe roles/bigquery.dataViewer

This outputs the role's metadata and the full list of permissions under includedPermissions; add --format='value(includedPermissions)' if you want only the permission list. Running this command for predefined roles before granting them helps you confirm the role is appropriate for the use case. For custom roles, pass the role ID together with the parent it was created in, --project=PROJECT_ID or --organization=ORGANIZATION_ID, because a custom role ID is only unique within its parent. Understanding how to inspect role contents is a useful skill for the exam because scenario questions sometimes test whether a particular predefined role includes a specific permission, and knowing where to look is part of the answer.
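The two questions this section raises, whether a role includes a specific permission and how much more one role grants than another, as an added example that is not part of the original post. The helpers parse the YAML that gcloud iam roles describe prints; in real use you would pipe that output in (for example gcloud iam roles describe roles/bigquery.dataViewer | role_permissions). The two YAML documents embedded here are constructed, trimmed stand-ins so the script runs offline; they are not the real permission lists of any GCP role, and roles/example.dataViewer and roles/example.dataEditor are not real roles.

```shell
# Added example, not from the original post. Answers "does this role include
# permission X?" and "what does role A grant that role B does not?" from the
# YAML that `gcloud iam roles describe` prints. The two YAML documents below are
# constructed stand-ins for offline use, not real GCP role definitions.
set -eu

# Print the includedPermissions entries from describe-style YAML on stdin,
# one per line, sorted. gcloud prints list items as "- item" at column 0 and
# the list ends at the next top-level key.
role_permissions() {
  awk '
    /^includedPermissions:/ { in_list = 1; next }
    in_list && /^- /        { sub(/^- /, ""); print; next }
    in_list && /^[^ ]/      { in_list = 0 }
  ' | sort -u
}

# role_has_permission PERMISSION FILE -> exit status 0 if the role grants it.
role_has_permission() {
  role_permissions < "$2" | grep -qxF -- "$1"
}

# permissions_only_in FILE_A FILE_B -> permissions that role A has and role B lacks.
permissions_only_in() {
  only_a=$(mktemp); only_b=$(mktemp)
  role_permissions < "$1" > "$only_a"
  role_permissions < "$2" > "$only_b"
  comm -23 "$only_a" "$only_b"
  rm -f "$only_a" "$only_b"
}

# Constructed sample: a service-scoped read-only role.
VIEWER_YAML=$(mktemp)
cat > "$VIEWER_YAML" <<'EOF'
description: Constructed sample, not a real role definition
includedPermissions:
- bigquery.datasets.get
- bigquery.tables.get
- bigquery.tables.getData
- bigquery.tables.list
name: roles/example.dataViewer
stage: GA
title: Example Data Viewer
EOF

# Constructed sample: a broader read-write role on the same service.
EDITOR_YAML=$(mktemp)
cat > "$EDITOR_YAML" <<'EOF'
description: Constructed sample, not a real role definition
includedPermissions:
- bigquery.datasets.create
- bigquery.datasets.get
- bigquery.datasets.update
- bigquery.tables.create
- bigquery.tables.delete
- bigquery.tables.get
- bigquery.tables.getData
- bigquery.tables.list
- bigquery.tables.updateData
name: roles/example.dataEditor
stage: GA
title: Example Data Editor
EOF

# Worked check: is the viewer role enough for a job that must write table data?
if role_has_permission bigquery.tables.updateData "$VIEWER_YAML"; then
  echo "viewer role can write table data"
else
  echo "viewer role cannot write table data; it needs a broader role"
fi

# Worked check: what does the editor role add on top of the viewer role?
echo "permissions in the editor role that the viewer role lacks:"
permissions_only_in "$EDITOR_YAML" "$VIEWER_YAML"
```

The same comparison is a quick way to see how much a basic role over-grants: describe roles/editor and the predefined role you are considering into two files and run permissions_only_in on them.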

My Associate Cloud Engineer course walks through the full set of IAM role scenarios from the exam, including the specific predefined roles most likely to appear and the judgment calls around when custom roles are worth the maintenance cost.
