Configuring IAM Permissions

Last Updated Oct 9, 2023


  1. Required IAM permissions
  2. Assign permissions using gcloud cli
  3. Assign permissions using Terraform
  4. Assign permissions using the GCP console

Before we can scan your infrastructure, our service account needs access to read limited metadata from your Google Cloud environment. You must grant us permissions via IAM and retain full control over what we can access and when.

The list of required permissions are:

  1. compute.images.list
    For reading metadata about your custom VM images.
  2. compute.disks.list
    Reading disk metadata helps us determine which images are in active use. We never have the ability to access disk or image contents.
  3. compute.images.delete
    Allows us to clean up unused images according to your rules.

Add permissions via gloud CLI

$ export PROJECT_ID="<your-project-id>"
$ export PRINCIPAL="serviceAccount:<unique email generated for you by DeclutterGCP>"

$ export ROLE_NAME="DeclutterGCP_Images"
$ export PERMISSIONS="compute.images.list,compute.disks.list,compute.images.delete"
// create a role containing the permissions we need
$ gcloud iam roles create "$ROLE_NAME" --project=$PROJECT_ID --title="$ROLE_NAME" \
  --permissions="$PERMISSIONS" --description="Used to analyse and recover custom VM image costs"
// grant the role to the DeclutterGCP service account
$ gcloud projects add-iam-policy-binding "$PROJECT_ID" \
  --member="$PRINCIPAL" --role="projects/$PROJECT_ID/roles/$ROLE_NAME"

Adding permissions via Terraform

locals {
  project          = "<replace-with-project-id>"
  declutter_member = "serviceAccount:<replace-with-email-supplied-by-us>"

resource "google_project_iam_custom_role" "decluttergcp_image_cleanup" {
  role_id     = "declutter.cleanup.images"
  permissions = [

  title       = "DeclutterGCP Custom Role"
  description = "These permissions are required to scan & delete custom VM images from Compute Engine"

resource "google_project_iam_member" "assign_decluttergcp_role" {
  role    = "projects/${local.project}/roles/${google_project_iam_custom_role.decluttergcp_image_cleanup.role_id}"
  member  = local.declutter_member
  project = local.project

Adding permissions via GCP console

Add a custom role

  1. Open up the Google Cloud console and navigate to the IAM & Admin > Roles section. We're going to add a custom role containing only the few permissions we need.Screenshot of the Google Cloud Console showing Roles subsection of the IAM & Admin section.
  2. Hit the create role button and fill in the title and description with something memorable and obvious - like DeclutterGCP.Screenshot showing the create role form of the Google Cloud Console.
  3. Assign the relevant permissions. These are:
    • compute.images.list
    • compute.disks.list
    • compute.images.delete
    Screenshot showing the three permissions being added to the new role from the previous steps.
  4. Hit 'Create' to save the role.Screenshot showing the create role form of the Google Cloud Console, this time with all required information entered.

Assign the role to our service account

Now we should have a role with permissions limited to the ones we need and nothing more. Let's assign the role to the relevant service account.
  1. Navigate to the IAM & Admin > IAM section of your Google Cloud project and press the 'Grant Access' button.Screenshot showing the IAM permissions view of the Google Cloud Console.
  2. Paste the email address of the appropriate service account. Each account is specific to a user-account - yours will be revealed during the scan setup process.Screenshot showing the 'Add Principals' form of the Google Cloud Console.
  3. Select the custom role we just created as part of the previous step and hit save.Screenshot showing the 'Add Principals' form of the Google Cloud Console with the appropriate sefvice account and role selected.
  4. Once your policy updates we should have the permissions we need and you can now begin your scan.Screenshot showing that the policy we've just configured has been added successfully.
Sign in
Terms of Service
© 2024 DeclutterGCP
All rights reserved