In this demo, we'll create custom roles in the GCP console. First, let's open the Roles page. We can get to the Roles page by going to IAM admin and clicking Roles. Select the checkbox for resources admin role to view all the permissions that you can apply to that resource. For example, when you select the compute instance admin role, this displays all the permissions on the right side panel that you can apply on a compute engine instance. In this case, let's first search for compute admin, Compute Instance Admin. There's two beta and v one. Let's go to beta. In clicking the checkbox, we see all the assigned permissions that come with that role. Before you create a custom role, you might want to get the metadata for both predefined in custom roles. Role metadata includes the role ID and permissions contained in the role. You can view the metadata using the Google Cloud platform console, or the IAM API. So in this case, we can add multiple roles to view the role permissions, the icons beside the role indicate if it's a custom role, you'll have a factory icon or a predefined role, a hexagon icon. To create a custom role, a color must possess. IAM dot roles dot create permission. By default, the owner of a project or an organization has this permission and can create and manage custom roles. Users who are not owners, including organization admins must be assigned either the organization role administrator role, or the IAM role administrator role. To create an overall from scratch, you go to the roles page, which you are currently on, we'll click Create Role. Then, enter a name, a title and the description for the role. In this case ,we'll stick with the test the default custom role, created on the state and then the ID. Double-click Add Permissions. Select the permissions you want to include in the role and click Add Permissions. Use all services and all types drop downs to filter and select permissions based on services and types. In this case, we'll go to compute. And click several roles to add. Then we'll click this check box and click Add. Lastly, we'll scroll to the bottom and press the Create button. Lastly, we'll create a custom role based on an existing created role. On the role page, go ahead and select the role, in this case, we go to Compute Instance Admin Data. Click the select, the check box and click Create Role From Selection. In this case, you'll see the new title, Custom Compute Instance Admin, the new description and the new ID. Uncheck the permissions that you want to exclude from this role. And click Add Permissions to include any more permissions. Lastly, scroll to the bottom and click the Create button to create this new custom role, which is based on the existing created role.