Several missing permissions on GCP Console after account signup - google-cloud-platform

Yesterday, I signed up for a Google Cloud Account. Since I want to link the user access with our own identity platform, I followed the instructions from this article:
https://cloud.google.com/blog/products/identity-security/using-your-existing-identity-management-system-with-google-cloud-platform
I got as far as the account being created, but in the GCP Console, on several screens, I get errors about missing permissions to view things, let alone change things. Here is an example:
I was the one who created the account, and in IAM I am listed as the Organization Administrator. How come I am missing so many permissions? Who within Google Cloud Support is listening/reading this and is able to help me?

This is not a bug that needs to be fixed. As the Owner, you can add any roles that you need to your account. Neither the Owner nor the Organization Administrator has all roles assigned. You can, however, add desired roles to grant your identity more permissions. Consult the documentation for the permissions assigned to each role. Then add the required roles to your identity (email address).
However, I recommend that you do not use an account with Owner or Organization Admin roles. Lock that identity in your safe after creating several new identities that use the principles of least privilege and have MFA enabled.

Related

Unable to view organizational policies of GCP organization I own

Within an organization of which I am the sole admin, I am unable to enumerate and therefore manage the organizational policies from within the GCP console. Does anyone know why this might be and/or how I'd go about fixing it? Any guidance as to documentation that was perhaps missed during setup, etc. would be appreciated.
Organization Administrator includes the missing permissions resourcemanager.organizations.get along with orgpolicy.constraints.list and orgpolicy.policies.list.
Do note that this role is not automatically granted for being the sole user on the account; it has to be assigned via the IAM menu.
The Owner role does not have these permissions as the Owner is only limited on a Project level.

Google Cloud: Why am I not an organization administrator?

I am attempting to expand my usage of Google Cloud and running into issues. When I go to IAM & Admin -> IAM and select my organization, I get an error: "You do not have sufficient permissions to view this page". A bit lower: "You are missing the following required permissions: resourcemanager.organizations.getIamPolicy".
I'm confused by this because if I select a project IN the organization I see I have the "Organization Administrator" role which has that exact permission assigned. I also have "Owner" role.
I also cannot upgrade from Basic support to any paid support due to this issue, so I literally cannot get any help from anyone at Google.
I created this org! Do I need to delete everything and start over? (ugh)
Based on what #JohnHanley shared in the comments:
Organization Admin must be applied (bound) at the organization level. If you created the organization, then you have a Workspace or Identity account. Use that account to log in. The problem should be easy to solve once you are using the correct account to authenticate.
In addition to that:
To administer a particular project or product on GCP, you must ask your organization or the team managing your Google Workspace admin account to raise your role and authorization to a higher level in the hierarchy.
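The two answers above make the same point from different angles: the Organization Administrator role only works when the binding sits on the organization, and Owner is a project-level role that carries no organization permissions. The following added example (my code, not the page's or Google's) resolves a member's effective roles through a constructed two-level hierarchy and reports the "missing required permissions" the console would show. The policies are constructed in the JSON shape the Resource Manager API returns, the ids and principal are placeholders, and ROLE_PERMISSIONS is an assumed partial table built only from the permissions named in the threads.

```python
"""Resolve a member's effective permissions through the GCP resource hierarchy.

Added example, not code from the page or from Google. Policies are constructed
in the Resource Manager JSON shape; resource ids are placeholders; the role
table is a deliberately partial subset of the real role definitions.
"""

# Assumption: only the permissions the threads mention. Real roles carry far more.
ROLE_PERMISSIONS = {
    "roles/resourcemanager.organizationAdmin": {
        "resourcemanager.organizations.get",
        "resourcemanager.organizations.getIamPolicy",
        "orgpolicy.constraints.list",
        "orgpolicy.policies.list",
    },
    # Owner is a project-level basic role; it grants no organization permissions.
    "roles/owner": {
        "resourcemanager.projects.get",
        "resourcemanager.projects.getIamPolicy",
    },
}

ORG = "organizations/123456789012"   # constructed id
PROJECT = "projects/demo-project"    # constructed id
ME = "user:alice@example.com"        # constructed principal

# Child -> parent links; bindings on a parent are inherited by its descendants.
HIERARCHY = {PROJECT: ORG, ORG: None}

# What the asker has: Owner and "Organization Administrator" both bound on the
# project. The console lists the org-admin role under the project, yet the
# organization page still reports missing permissions.
POLICIES_MISCONFIGURED = {
    ORG: {"bindings": []},
    PROJECT: {"bindings": [
        {"role": "roles/owner", "members": [ME]},
        {"role": "roles/resourcemanager.organizationAdmin", "members": [ME]},
    ]},
}

# Same roles, but the org-admin binding placed where it belongs: on the organization.
POLICIES_CORRECTED = {
    ORG: {"bindings": [
        {"role": "roles/resourcemanager.organizationAdmin", "members": [ME]},
    ]},
    PROJECT: {"bindings": [{"role": "roles/owner", "members": [ME]}]},
}


def roles_at(policies, resource, member):
    """Roles bound to `member` directly on `resource` (no inheritance)."""
    bindings = policies.get(resource, {}).get("bindings", [])
    return {b["role"] for b in bindings if member in b.get("members", [])}


def effective_roles(policies, hierarchy, resource, member):
    """Roles on `resource` plus those on every ancestor (policies inherit downward)."""
    roles, node = set(), resource
    while node is not None:
        roles |= roles_at(policies, node, member)
        node = hierarchy.get(node)
    return roles


def missing_permissions(policies, hierarchy, resource, member, required):
    """The subset of `required` that no effective role on `resource` grants.
    Mirrors the console's "You are missing the following required permissions"."""
    granted = set()
    for role in effective_roles(policies, hierarchy, resource, member):
        granted |= ROLE_PERMISSIONS.get(role, set())
    return sorted(set(required) - granted)


if __name__ == "__main__":
    need = ["resourcemanager.organizations.getIamPolicy", "orgpolicy.policies.list"]
    print("org page, role bound on project:", missing_permissions(POLICIES_MISCONFIGURED, HIERARCHY, ORG, ME, need))
    print("org page, role bound on org:    ", missing_permissions(POLICIES_CORRECTED, HIERARCHY, ORG, ME, need))
    # Inheritance only flows downward: the org binding also covers the project,
    # but a project binding never reaches up to the organization.
    print("project sees inherited org role:", effective_roles(POLICIES_CORRECTED, HIERARCHY, PROJECT, ME))
```

Running the script shows both organization permissions missing in the misconfigured case and none missing once the binding is on the organization; the project then also inherits the organization-level role, which is why a single org-level binding is the correct fix rather than repeating it per project.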

How can you create a new user with GCP full admin and not billing access?

It seems reasonable to want to grant an administrator access to create any and all resources without being able to pull / change / delete billing info.
I seem to recall there was a role something like "project owner" that had full admin but couldn't control billing (and maybe couldn't create new projects).
Does anyone know of a role like that? It has been a while since I set up a new GCP account. I've searched around a bit and can't immediately lay hands on the information.
The documentation is not super helpful.
In Google Cloud, there is no single role that grants permissions to everything. Some roles do have enough power to support granting themselves more roles.
There are multiple admin-level roles and this evolves as Google creates and modifies services. You will need to review the services that you are using and then grant roles to that identity.
The Organization Administrator has the power to grant itself and any other identity any role. However, this role itself has few permissions.
The Owner account has the power to grant itself and any other identity in the same project any role. The Owner role has a vast number of permissions but does not have all of them. The Owner must grant itself permissions for some resource types.
Note: Only a billing account admin can grant permissions to the billing account. That privilege is separate from Google Cloud permissions. Billing accounts are not part of Google Cloud and have their own management structure.

Should a small organization have more than one Owner role in GCP?

Is it recommended for a small organization to have more than one Owner role in GCP? My Google results seem to be too broad. Please could anyone advise me on that?
The owner role is a legacy role and has too wide a range of permissions. It's not recommended to use it, but it's the default role when you create a project.
In your question you talk about an Organization. I don't know what it is, but there are 2 cases:
You are talking about a Google Cloud Organization. If so, you have a Google Workspace account with an admin. You have at least one free identity that allows you to log into Google Cloud. In that case, I don't recommend having several users with the owner role: the Google Workspace admin is also the Google Cloud Organization admin and is able to recover the project if the owner loses their credentials.
You are a small company and you don't have a Google Cloud Organization, only independent projects. That's not good practice, and having a Google Cloud Organization is better, but in that case I recommend having at least one additional user with the IAM Security Admin role. That role allows the user to grant anyone the owner role or any other role in the project.
In both situations, the principle is not to lose control of the GCP project in case of owner credential loss. For that reason, I recommend always having a backup, but not necessarily another OWNER user.
The Owner role is one of the Basic Roles existing in GCP. As you can see in the following official GCP documentation for IAM and Roles, it is not recommended by Google to give the Owner role to more than one user unless it really needs to be done. And, I quote:
“Caution: Basic roles include thousands of permissions across all Google Cloud services. In production environments, do not grant basic roles unless there is no alternative. Instead, grant the most limited predefined roles or custom roles that meet your needs.”
Plus, I recommend you use this official GCP documentation for more reference and a better understanding of GCP's IAM and roles.
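Both answers land on the same recommendation: one Owner, a non-Owner backup that can re-grant roles, and no basic roles where a predefined role will do. The added example below (my code, not the page's or Google's) audits a project IAM policy for exactly those three points. The two policies are constructed in the Resource Manager JSON shape with placeholder principals; the choice of roles/iam.securityAdmin as the recovery role follows the first answer above.

```python
"""Audit a project IAM policy: Owner count, basic-role use, and recovery principals.

Added example, not code from the page or from Google. The policies below are
constructed with placeholder principals.
"""

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Roles that can re-grant project roles without being Owner (the first answer
# above names IAM Security Admin for this purpose).
RECOVERY_ROLES = {"roles/iam.securityAdmin"}

# Constructed: two human Owners and a CI service account holding Editor.
TWO_OWNERS = {"bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com", "user:bob@example.com"]},
    {"role": "roles/editor", "members": ["serviceAccount:ci@demo-project.iam.gserviceaccount.com"]},
]}

# Constructed: one Owner, a backup holding Security Admin, least privilege elsewhere.
ONE_OWNER_PLUS_BACKUP = {"bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/iam.securityAdmin", "members": ["user:bob@example.com"]},
    {"role": "roles/storage.objectAdmin", "members": ["serviceAccount:ci@demo-project.iam.gserviceaccount.com"]},
]}


def members_with_role(policy, role):
    """All principals bound to `role` anywhere in the policy."""
    return {m for b in policy["bindings"] if b["role"] == role for m in b.get("members", [])}


def audit_owners(policy):
    """Return owners, non-Owner recovery principals, and human-readable findings."""
    owners = members_with_role(policy, "roles/owner")
    recovery = set()
    for role in RECOVERY_ROLES:
        recovery |= members_with_role(policy, role)
    # A backup that is also Owner is lost together with the Owner credentials.
    recovery -= owners
    findings = []
    if not owners:
        findings.append("no Owner bound; recovery depends entirely on an organization admin")
    elif len(owners) > 1:
        findings.append(f"{len(owners)} Owners bound; prefer one Owner plus a least-privilege backup")
    if not recovery:
        findings.append("no non-Owner principal holds a recovery role such as roles/iam.securityAdmin")
    for b in policy["bindings"]:
        if b["role"] in BASIC_ROLES:
            for m in b.get("members", []):
                if m.startswith("serviceAccount:"):
                    findings.append(f"{m} holds basic role {b['role']}; replace with a predefined role")
    return {"owners": sorted(owners), "recovery": sorted(recovery), "findings": findings}


if __name__ == "__main__":
    for name, policy in (("two owners", TWO_OWNERS), ("one owner + backup", ONE_OWNER_PLUS_BACKUP)):
        result = audit_owners(policy)
        print(f"{name}: owners={result['owners']} recovery={result['recovery']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The audit flags three things on the first policy (two Owners, no recovery principal, a service account on a basic role) and nothing on the second; the same function can be run over the output of a policy export to check every project in an account.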

How can you give someone access to set permissions without making them a project owner on Google Cloud Platform?

We're trying to give a Google Cloud Platform user account permission to change its own permissions and the permissions/roles of service accounts that it creates. Currently, the user account only has the default Editor permission for the project it exists on. Essentially, we want to give it every permission that the Owner account has except for viewing or modifying billing information. Is this possible?
We have looked at this video, but a role selection dropdown no longer exists on service accounts. When trying to edit the service account permissions to try and give it the roles/storage.admin permission, I get this notification:
The project owner has also tried to add the storage admin role to the service account, but roles don't show as they do in the video. All that is shown on his screen are these options:
I have two questions:
How can we give my Google account permission to mess around with my own roles and permissions as well as the roles for the service accounts?
What is the current process for adding roles to a service account? Neither the docs nor the video from Google seem to be up to date.
Your second screenshot shows you attempting to grant roles on the service account (as a resource, i.e. who can access the service account). You're trying to give the service account the storage admin role on the project. To do that, go to the IAM page, click "add" then provide the service account's email address as the member and select the storage admin role.
I'm not certain if this completely answers #1, but Custom Roles (currently in alpha) will give you the ability to create roles with custom sets of permissions. This will allow you to copy the Owner role and remove the billing permissions.
As for #2 - The screenshot shows the policy for the service account, not the project policy. The policy for the service account determines who has permissions to use that service account, not what permissions the service account has. You can find the project policy on the 'IAM & Admin > IAM' tab (instead of the 'IAM & Admin > Service accounts' tab).
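The distinction both answers draw is between two separate policies: the project's policy, which says what the service account may do, and the service account's own policy, which says who may use it. The added example below (my code, not the page's or Google's) models both as constructed JSON policies and performs the grant from the first answer as an idempotent read-modify-write guarded by the policy etag, so a stale write is refused instead of silently overwriting a concurrent change. Principals and etags are placeholders; the role names are real GCP roles.

```python
"""Grant a service account a project role, and show that a binding on the
service account's own policy does not do that.

Added example, not code from the page or from Google. Policies are constructed
in the IAM JSON shape; principals and etag values are placeholders.
"""
import copy

SA = "serviceAccount:uploader@demo-project.iam.gserviceaccount.com"  # constructed
USER = "user:dev@example.com"                                        # constructed

# Project policy: "what may this principal do in the project" lives here.
PROJECT_POLICY = {"bindings": [{"role": "roles/editor", "members": [USER]}], "etag": "BwXproj="}
# Service-account policy: "who may act as this service account" lives here.
SA_POLICY = {"bindings": [], "etag": "BwXsa="}


def add_binding(policy, role, member, expected_etag):
    """Read-modify-write step: refuse to write if the policy changed since it
    was read, add `member` to the `role` binding idempotently, return a new policy."""
    if policy.get("etag") != expected_etag:
        raise ValueError("policy etag changed; re-read the policy before writing")
    new = copy.deepcopy(policy)
    for b in new["bindings"]:
        if b["role"] == role:
            if member not in b["members"]:
                b["members"].append(member)
            break
    else:
        new["bindings"].append({"role": role, "members": [member]})
    return new


def roles_of(policy, member):
    """Roles bound to `member` directly in this policy."""
    return sorted(b["role"] for b in policy["bindings"] if member in b.get("members", []))


def grant_sa_project_role(project_policy, sa_member, role):
    """The grant from the first answer: the service account is the *member*, the
    binding goes on the *project* policy, never on the service account's policy."""
    if not sa_member.startswith("serviceAccount:"):
        raise ValueError("member must use the serviceAccount: prefix")
    return add_binding(project_policy, role, sa_member, project_policy["etag"])


def grant_user_access_to_sa(sa_policy, user_member):
    """Let a user act as the service account: this one belongs on the SA policy."""
    return add_binding(sa_policy, "roles/iam.serviceAccountUser", user_member, sa_policy["etag"])


if __name__ == "__main__":
    project = grant_sa_project_role(PROJECT_POLICY, SA, "roles/storage.admin")
    print("service account's project roles:", roles_of(project, SA))
    sa_policy = grant_user_access_to_sa(SA_POLICY, USER)
    print("user's roles on the service account:", roles_of(sa_policy, USER))
    # The SA policy says nothing about what the SA itself may do in the project.
    print("service account's roles in its own policy:", roles_of(sa_policy, SA))
```

Granting twice is a no-op, and a write with a stale etag raises rather than clobbering whatever another administrator changed in between, which is the same protection the real setIamPolicy call gives when you pass back the etag you read.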