diff --git a/.gitignore b/.gitignore new file mode 100644 index 00000000..7a6353d6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.envrc diff --git a/README.md b/README.md index db37f014..f9cc694d 100644 --- a/README.md +++ b/README.md @@ -4,9 +4,21 @@ This repository fetches the ~1,170 primitive and predefined IAM Roles in JSON format to the `roles` directory. A GitHub Action is configured to refresh them daily. This allows for automatic tracking of changes as they are made by GCP. +## Scripts + A couple of helper scripts are provided to aid in searching/listing of the output: +### Roles + +* `list-{alpha,beta,ga}-roles.sh` lists the roles labeled by GCP as alpha, beta, or GA (generally available) +* `list-roles-with-permission.sh ` lists the roles that contain a specific permission passed by the first argument + * e.g.: `./list-roles-with-permission.sh container.clusters.get` + +### Permissions + +* `diff-role-permissions.sh ` shows the permission differences between 2 roles + * this script uses the built-in `diff` by default, but you can customize this by setting the `DIFF` environment variable + * ex. `export DIFF='git diff --no-index'` + * improve this even further by installing [direnv](https://direnv.net/) and throwing the export in an `.envrc` file * `list-all-permissions.sh` grabs the unique list of all permissions contained in all roles fetched -* `list-alpha/beta/ga-roles.sh` lists the roles labeled by GCP as alpha, beta, or GA (generally available) -* `list-roles-with-permission.sh ` lists the roles that contain a specific permission passed by the first argument. e.g.: `./list-roles-with-permission.sh container.clusters.get` * `list-permissions-of-role.sh ` lists the permissions contained by the role named ``. e.g. `./list-roles-with-permission.sh container.admin` (no need to prepend the `roles/`) diff --git a/diff-role-permissions.sh b/diff-role-permissions.sh new file mode 100755 index 00000000..4c3c1a37 --- /dev/null +++ b/diff-role-permissions.sh 
@@ -0,0 +1,22 @@ +#!/usr/bin/env bash + +if [ "$#" -ne 2 ] +then + cat << EOF +Error: Must specify the 2 roles to diff + +e.g: $0 artifactregistry.writer artifactregistry.repoAdmin +EOF + exit 1 +fi + +source ./lib/helper.sh + +FROM=$(mktemp) +TO=$(mktemp) + +./list-permissions-of-role.sh "$1" | sort -u > "$FROM" +./list-permissions-of-role.sh "$2" | sort -u > "$TO" + +# allow customized output styling. see README +${DIFF:-diff} "$FROM" "$TO"
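Review bot: ignoring `.envrc` in the new `.gitignore` hunk is consistent with the README change that suggests putting `export DIFF='git diff --no-index'` into a direnv file, since `.envrc` is per-developer and may carry local paths or credentials that must not be committed; a short note in the README that `.envrc` is untracked (so each contributor creates their own) would make that intent explicit.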
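Review bot: the `list-permissions-of-role.sh` bullet kept as trailing context in the README hunk still uses `./list-roles-with-permission.sh container.admin` as its example, which invokes the wrong script for that bullet; since this hunk already reorganizes the list, change the example to `./list-permissions-of-role.sh container.admin`. As rendered, the new `list-roles-with-permission.sh ` and `diff-role-permissions.sh ` bullets end right after the script name with no argument placeholder, so spell out what the arguments are (a permission for the first, two role names for the second), and because `diff-role-permissions.sh` takes two roles it reads more naturally under `### Roles` than under `### Permissions`, where only `list-all-permissions.sh` and `list-permissions-of-role.sh` produce permission lists.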
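Review bot: the two `mktemp` files in `diff-role-permissions.sh` are never removed, so each run leaves `$FROM` and `$TO` behind in the temp directory; add `trap 'rm -f "$FROM" "$TO"' EXIT` immediately after they are created. The script also sets no `set -euo pipefail`, so if `./list-permissions-of-role.sh "$1"` fails (for example on a misspelled role name) the trailing `sort -u` still exits 0, the temp file is empty, and the diff silently reports every permission of the other role as added or removed; enable `set -o pipefail` or check that both files are non-empty before diffing. `${DIFF:-diff}` is deliberately left unquoted so that `DIFF='git diff --no-index'` word-splits into a command plus arguments, which is correct here, but the comment above it should say so to stop a later reader from "fixing" it with quotes. Finally, `source ./lib/helper.sh` and the `./list-permissions-of-role.sh` calls all assume the working directory is the repository root, and nothing visible in the script uses anything from `lib/helper.sh`; either drop the `source` or add `cd "$(dirname "$0")"` near the top so the script works when invoked from elsewhere.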