How-To: Adding a Viewer Role in GCP
Last updated: June 3, 2026
Introduction
To grant a user a Viewer role in Google Cloud Platform (GCP), you can use either the Google Cloud Console or the gcloud command-line tool. This role allows the specified user to view resources within your project without making any modifications.
Prerequisites
Project Selection: Ensure you have the correct project selected in your GCP console.
Required IAM Permission: You must have the Project IAM Admin role (roles/resourcemanager.projectIamAdmin) on the project to grant roles to other users.
Astra Security Lead: For Pentest or manual cloud review cases, you must grant access to Astra's security team lead. This step is not required if you are only using automated cloud scan plans.
Instructions
Access the Console: Log in to the Google Cloud Console.
Select Your Project: Choose the specific project you wish to work with from the project dropdown menu located in the top navigation bar.
Navigate to IAM: Open the IAM & Admin page by selecting IAM from the left-hand navigation sidebar.
Initiate Access Grant: Click the GRANT ACCESS button located at the top of the IAM page.
Identify the Principal: In the New principals field, enter the email address of the user you want to grant the role to. This can be a Google Account, a Google Group, a Service Account, or a G Suite domain.
For Pentest or manual cloud review: Enter Astra's security team lead email: jinson.varghese@getastra.com. Jinson Varghese is Astra's designated security lead who conducts the hands-on review of your cloud environment. Granting him Viewer access ensures the review can be completed without requiring any elevated or write permissions on your project. This step is not required for automated cloud scan plans.
Assign the Role: Click on the Select a role dropdown menu. You can scroll through the list or type Viewer to quickly find and select the Viewer role (roles/viewer).
Finalize: Click Save to apply the changes.
Expected Outcome
Once you click Save, the user will be added to your project's IAM list with the Viewer role assigned, providing them with the necessary read-only permissions across your GCP project resources.
Related Tasks
Create a Service Account: If you need to grant programmatic access to Astra for automated scanning, you may also need to create a service account in GCP and generate a JSON key.
Google API Reference
For programmatic access or automation, Google's IAM REST API can be used to grant roles without the console. The relevant method is projects.setIamPolicy, documented in the Google Cloud IAM API reference. Access in GCP is managed through allow policies attached to resources, where role bindings associate principals such as users or service accounts with an IAM role. You can manage this via the Google Cloud Console, the gcloud CLI, the REST API, or the Resource Manager client libraries.
Cloud Target Setup: After granting access, you can proceed to the Astra dashboard to finish your Cloud Target Setup by providing your project's credentials.
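Because projects.setIamPolicy replaces the project's entire allow policy, a programmatic grant is a read-modify-write: fetch the current policy, add the member to the roles/viewer binding, and send the result back with its etag unchanged. The sketch below is an added example, not Astra's or Google's code; it works on the policy JSON only, so it runs offline. The function names, sample policy and principal are constructed for illustration.

```python
import copy

VIEWER = "roles/viewer"


def add_viewer(policy, member):
    """Return a copy of `policy` with `member` in the unconditional Viewer binding.

    Every existing binding and the etag are carried over untouched: the etag
    lets the API reject the write if someone else changed the policy meanwhile.
    """
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        # Reuse an existing Viewer binding, but never a conditional one.
        if binding.get("role") == VIEWER and "condition" not in binding:
            if member not in binding.setdefault("members", []):
                binding["members"].append(member)
            return updated
    bindings.append({"role": VIEWER, "members": [member]})
    return updated


def roles_of(policy, member):
    """Roles bound directly to `member` (group membership is not expanded)."""
    return sorted({b["role"] for b in policy.get("bindings", [])
                   if member in b.get("members", [])})


def excess_roles(policy, member):
    """Roles beyond Viewer held by `member`; an empty list means read-only."""
    return [role for role in roles_of(policy, member) if role != VIEWER]


# Constructed sample in the shape projects.getIamPolicy returns.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXconstructed=",
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    ],
}
REVIEWER = "user:reviewer@example.com"  # constructed principal

if __name__ == "__main__":
    new_policy = add_viewer(SAMPLE_POLICY, REVIEWER)
    print(roles_of(new_policy, REVIEWER), excess_roles(new_policy, REVIEWER))
```

Running excess_roles against the policy you read back after the grant confirms the reviewer holds Viewer and nothing more.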