1
votes

I am working on Google Cloud Platform and I have faced the issue below. (I would also like input from the AWS and Azure platforms as well.)

  • Created a new user in the G Suite admin console with no roles assigned in G Suite admin.
  • Added that user in the GCP IAM console and gave two roles: Compute Security Admin and Compute Network Admin at the organization level, meaning these permissions are inherited from the organization level.

Should my user be able to create projects having only the Compute Security Admin and Compute Network Admin roles?

1
This article describes the permissions required to create a project: cloud.google.com/resource-manager/docs/… (Kolban)
This depends on the IAM roles assigned to the IAM member domain: example.com (replace with your G Suite domain). All G Suite members inherit those roles. (John Hanley)

1 Answer

0
votes

No. With only those two roles assigned, your user would not be able to create Projects in GCP. You would need to assign a role with the resourcemanager.projects.create Permission. The correct role to assign according to the Principle of Least Privilege would be roles/resourcemanager.projectCreator, also known as the "Project Creator" role.

> meaning these permissions are inherited from organization level.

That's not quite what this means. In GCP, resources that are below the Organization (e.g. Folders, Projects) will inherit Permissions defined at the Org level, and lower-level resources cannot further restrict permissions already granted at higher levels.

See also:
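As an added illustration (not part of the answer above), the following Python models the inheritance rule the answer describes: bindings at the organization flow down to folders and projects, and a permission is held only if some effective role carries it. The role-to-permission map, the resource hierarchy, the member `user:alice@example.com` and the policy documents are all constructed for the example; real predefined roles contain far more permissions than listed here.

```python
import copy

# Constructed, abbreviated role -> permission map. Real predefined roles carry
# far more permissions; only those relevant to the question are listed.
ROLE_PERMISSIONS = {
    "roles/compute.securityAdmin": {"compute.firewalls.create", "compute.sslCertificates.create"},
    "roles/compute.networkAdmin": {"compute.networks.create", "compute.subnetworks.create"},
    "roles/resourcemanager.projectCreator": {"resourcemanager.projects.create",
                                             "resourcemanager.organizations.get"},
}

# Constructed hierarchy: resource -> parent (None for the organization).
PARENTS = {"organizations/123456789": None,
           "folders/111": "organizations/123456789",
           "projects/example-proj": "folders/111"}

# Constructed policies, shaped like `gcloud ... get-iam-policy --format=json`.
POLICIES = {
    "organizations/123456789": {"bindings": [
        {"role": "roles/compute.securityAdmin", "members": ["user:alice@example.com"]},
        {"role": "roles/compute.networkAdmin", "members": ["user:alice@example.com"]},
    ]},
    "folders/111": {"bindings": []},
    "projects/example-proj": {"bindings": []},
}

def ancestors(resource):
    """Yield the resource itself, then each parent up to the organization."""
    while resource is not None:
        yield resource
        resource = PARENTS[resource]

def effective_roles(member, resource, policies=POLICIES):
    """Roles `member` holds on `resource`. Policies are additive down the tree:
    every binding on an ancestor also applies here and cannot be revoked below."""
    return {b["role"] for res in ancestors(resource)
            for b in policies.get(res, {}).get("bindings", [])
            if member in b["members"]}

def has_permission(member, resource, permission, policies=POLICIES):
    """True if any effective role on `resource` carries `permission`."""
    return any(permission in ROLE_PERMISSIONS.get(r, set())
               for r in effective_roles(member, resource, policies))

def with_binding(policies, resource, role, member):
    """Copy of `policies` with one more binding, as add-iam-policy-binding would do."""
    new = copy.deepcopy(policies)
    new[resource]["bindings"].append({"role": role, "members": [member]})
    return new
```

On a real organization the same check is `gcloud iam roles describe roles/compute.securityAdmin --format='value(includedPermissions)'`, whose output contains no `resourcemanager.projects.create`.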