Custom IAM Roles

Scoped least-privilege roles — Azure · AWS · GCP

Concept

Custom roles define exactly which permissions a principal gets, avoiding overly broad predefined roles (Editor/Contributor = 3,000+ permissions).

Definition Format
JSON (Actions/NotActions)
JSON (Allow/Deny statements)
YAML or CLI permission list
Scope
Management Group / Subscription
Account (managed policy)
Organization / Project
Limit
5,000 roles per Entra tenant
1,500 managed policies / account
300 per org + 300 per project
Max Permissions
~2,000 per role (perf)
Policy doc max 6,144 chars
3,000 per custom role

Create a Custom Role

○ Azure — JSON Definition

az role definition create --role-definition '{"Name":"StorageReader","Actions":["Microsoft.Storage/storageAccounts/read","Microsoft.Storage/storageAccounts/blobServices/containers/read"],"AssignableScopes":["/subscriptions/SUB_ID"]}'

○ AWS — IAM Policy JSON

aws iam create-policy --policy-name StorageReader --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:GetObject","s3:ListBucket"],"Resource":["arn:aws:s3:::prod-bucket/*"]}]}'

○ GCP — gcloud CLI

gcloud iam roles create custom_storage_reader --organization=ORG_ID --stage=GA --title="Custom Storage Reader" --permissions="storage.objects.get,storage.objects.list,storage.buckets.get"

Lifecycle Stages

StageAzureAWSGCP
AlphaN/AN/ADisabled — not usable
Testing/BetaN/AN/ATesting only — warnings
GAAvailableAvailableProduction-ready
DeprecatedStays usableCan be detachedDEPRECATED with replacement
DeletedRemovedPolicy detached30-day undelete window