Scoped least-privilege roles — Azure · AWS · GCP
Custom roles define exactly which permissions a principal gets, avoiding overly broad predefined roles (Editor/Contributor = 3,000+ permissions).
az role definition create --role-definition '{"Name":"StorageReader","Actions":["Microsoft.Storage/storageAccounts/read","Microsoft.Storage/storageAccounts/blobServices/containers/read"],"AssignableScopes":["/subscriptions/SUB_ID"]}'aws iam create-policy --policy-name StorageReader --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:GetObject","s3:ListBucket"],"Resource":["arn:aws:s3:::prod-bucket/*"]}]}'gcloud iam roles create custom_storage_reader --organization=ORG_ID --stage=GA --title="Custom Storage Reader" --permissions="storage.objects.get,storage.objects.list,storage.buckets.get"
| Stage | Azure | AWS | GCP |
|---|---|---|---|
| Alpha | N/A | N/A | Disabled — not usable |
| Testing/Beta | N/A | N/A | Testing only — warnings |
| GA | Available | Available | Production-ready |
| Deprecated | Stays usable | Can be detached | DEPRECATED with replacement |
| Deleted | Removed | Policy detached | 30-day undelete window |