Problem you have encountered:

Currently, roles/viewer triggers the Convenience Values for Cloud Storage, BQ, and many other GCP services. This is not acceptable from a Security and Compliance perspective since the Convenience Values grant access to data.

We really need a general purpose viewer role that we can grant to SREs, Security, and other team members that regularly need to jump into projects all across our organization and be able to see and help debug the contents of the project, which can be using all kinds of different GCP services, without being able to see the data itself. Right now, the only options are:

1. roles/viewer which has ~4,400 permissions and the problems I mentioned above that make this unviable.
2. roles/iam.securityReviewer which has ~2,000 permissions and is missing many permissions that we regularly need and use.
3. Adding 50+ separate roles of the viewer equivalent role for each service to every single IAM principal we need to grant this access to.
4. A combination of roles/iam.securityReviewer and service specific viewer roles or a custom role to fill in the gaps.

These are all substantially worse user experience and much more painful than simply adding a single role that meets this extremely common use case.

Failed Workarounds:

Custom Role

Creating a custom role that has the same permissions as roles/viewer but would not trigger the Convenience Values. Besides this creating a huge maintenance burden as GCP adds new services and updates roles/viewer over time, this encountered multiple technical roadblocks:

1. Some permissions in roles/viewer cannot be included in a custom role so we had to trim those permissions.
2. The 3,000 permissions per role limit is less than the ~4,400 permissions that roles/viewer has so we had to trim a bunch of additional permissions for GCP services we do not currently use.
3. Once we got under the 3,000 permission limit, it was still over 150kb, which greatly exceeds the 64kb limit.

At this point we had to give up on this path and are following the request to raise that 64kb limit, which we have been told is unlikely to occur anytime in the reasonable future.

Disabling Convenience Values.

Unfortunately, there is no way in Terraform or otherwise to disable Convenience Values, either on the organization, folder, project, or resource level. It is possible to disable Convenience Values on a Storage Bucket once it exists, but that is not possible via Terraform or during the creation of the bucket itself and would require substantial custom tooling. There is not for example an Organization Policy that we could set to disable it in a scalable manner and we have also been informed that that separate feature request is unlikely to happen in the next year.

IAM Deny

We also cannot do an IAM Deny since those are absolute and would override any other roles/permissions that the IAM Principal has that explicitly grant access to the data.

The request:

Add a new role (I don't care what it is called but some suggestions might be roles/viewerV2 or roles/reader) that contains the same permissions that roles/viewer currently has (since we are totally fine with all of the permissions listed on roles/viewer itself), but does not trigger Convenience Values. While I understand that GCP does not want to add new "basic" roles, our conversations through our TAM with Google SMEs indicate that this is the only option that is technically feasible in less than a year. This solution would resolve this very serious security issue with an option that would take Google less than a month to implement.

We are happy to jump on a call and discuss this further.