ba...@google.com <ba...@google.com>
ma...@google.com <ma...@google.com> #2
Hello,
Thank you for reaching out. I'm going to create an internal feature request. Please keep in mind that this feature request has to be analyzed and considered by the product team and I can't provide you an ETA for it to be delivered. However, you can keep track of the status by following this thread.
Description
We would like to have real read-only predefined roles for each GCP service. Currently, there is no way to assign a set of roles to a service account or a user to enable this service account to run an operation that requires read-only access on all resources within a project. In other words, we should be able to grant a role that gives read-only permissions on all resources for a given service.
How this might work:
For example, roles/pubsub.viewer doesn't include pubsub.subscriptions.getIamPolicy or projects.snapshots.getIamPolicy permissions and roles/spanner.viewer doesn't include spanner.databases.get permission. In order to get those permissions, we may need to create custom roles or assign other roles.
So, we expect roles/pubsub.viewer, roles/spanner.viewer and other relevant viewer roles to include all the necessary read-only permissions so that the viewer roles become more comprehensive.
If applicable, reasons why alternative solutions are not sufficient:
We can create custom roles with the necessary permissions as an alternative and then assign them to the users/service accounts. However, having predefined roles with read-only permissions is more helpful.
Other information (workarounds you have tried, documentation consulted, etc): n/a
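The custom-role workaround described in the report, as an added example (not code from the reporter or from Google): it takes the JSON that `gcloud iam roles describe ROLE --format=json` prints (a constructed, abbreviated sample is embedded here), computes which required read-only permissions the predefined viewer role lacks, and renders a custom-role file that can be loaded with `gcloud iam roles create`. The required permission list and the role ID are assumptions chosen for the example.

```python
"""Find the read-only permissions a predefined GCP role lacks and emit
a custom-role definition that fills the gap (bound alongside the
predefined role, so only the missing permissions are listed)."""
import json

# Constructed sample of `gcloud iam roles describe roles/pubsub.viewer
# --format=json`; the real role grants more permissions than this.
PUBSUB_VIEWER_JSON = json.dumps({
    "name": "roles/pubsub.viewer",
    "title": "Pub/Sub Viewer",
    "stage": "GA",
    "includedPermissions": [
        "pubsub.subscriptions.get",
        "pubsub.subscriptions.list",
        "pubsub.topics.get",
        "pubsub.topics.getIamPolicy",
        "pubsub.topics.list",
    ],
})

# Assumed read-only set a comprehensive viewer should have; the
# subscriptions getIamPolicy entry is one the report says is missing.
REQUIRED_READ_ONLY = [
    "pubsub.subscriptions.get",
    "pubsub.subscriptions.getIamPolicy",
    "pubsub.topics.get",
    "pubsub.topics.getIamPolicy",
]


def missing_permissions(role_json, required):
    """Return the required permissions the role does not grant, sorted."""
    granted = set(json.loads(role_json).get("includedPermissions", []))
    return sorted(set(required) - granted)


def custom_role_yaml(role_id, base_role_json, required):
    """Render a role file for `gcloud iam roles create ROLE_ID
    --project=PROJECT --file=FILE` containing only the gap."""
    gap = missing_permissions(base_role_json, required)
    lines = [f"title: {role_id}",
             "description: read-only permissions missing from the viewer role",
             "stage: GA",
             "includedPermissions:"]
    lines += [f"- {perm}" for perm in gap]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(custom_role_yaml("pubsub_readonly_gap", PUBSUB_VIEWER_JSON,
                           REQUIRED_READ_ONLY))
```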