4
votes

I am trying to give the Project Creator role to a service account from IAM, but I do not see a role named Project Creator as explained here: https://cloud.google.com/iam/docs/understanding-roles#resource-manager-roles

I am not getting Project Creator as a role in Service Account Role.

4
You cannot assign Project Creator at the project level. In the Google Cloud Console, select your organization while in the Resource Manager page. Then you can assign this permission. The permission must be assigned at the level which will be the parent of any new projects. – John Hanley

Hey John, thanks for the answer. I was actually looking into getting organization-level role exposure, and just then, after reading your comment and digging into more docs, I found that I need to associate my Cloud Identity account to see organization-level roles. I am in that process now. I am just getting started with GCP IAM. – Ashish Raj Srivastava

If you have a Pluralsight subscription, watch this course: app.pluralsight.com/library/courses/… – John Hanley

For YouTube, watch this session: youtu.be/tNG4RUpBUso – John Hanley

To add to my comment: "The permission must be assigned or inherited at the level which will be the parent of any new projects." – John Hanley

4 Answers

4
votes

It's roles/resourcemanager.projectCreator, and the lowest level of the resource hierarchy where it can be given is Folder. So if you have a Folder, then create an IAM role at Folder level (you need to have permissions at Folder level); otherwise create it at Org level (again, you need to have org-level perms).

Ref: https://cloud.google.com/iam/docs/understanding-roles#resource-manager-roles

```
Role:            roles/resourcemanager.projectCreator
Title:           Project Creator
Description:     Provides access to create new projects. Once a user creates a project,
                 they're automatically granted the owner role for that project.
Permissions:     resourcemanager.organizations.get
                 resourcemanager.projects.create
Lowest resource: Folder
```


Hope this helps.
2
votes

Rather than think of giving a user/service account permissions "globally", think about giving those permissions contextually. Imagine a user with the identity of [email protected]. You want that user to be able to create projects ... but it isn't as simple as that. Within GCP, you have the concept of folders, which can contain projects. If I have two folders, folder1 and folder2, and I want the user to be able to create projects in folder1 but not folder2, we seem to have a problem. If I said that the user could just create projects, that would be too broad.

The better way to think about it is that there is a hierarchy of resources ... these start at the root (the organization) and then we have folders beneath that (optionally) and we end up with projects. Now we have enough to complete the story.

What GCP allows us to do is state:

At this level (organization or folder) I wish to give this user this permission. This then propagates downwards from that tree level but does not propagate horizontally.

And thus we get to the root of your question. When you go to IAM, you are trying to associate roles to a user "globally" as opposed to "contextually". There is no concept of giving a user project create globally ... instead you give it contextually, either at an organization or folder level. Note that if you assign a permission at the organization level, that is effectively global, as everything nests down from the organization.
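The two answers above make the same two points: the lowest resource at which roles/resourcemanager.projectCreator can be bound is a folder, and a binding propagates down the hierarchy from where it is set but never sideways into sibling folders. The following is an added example (not Google's code and not from either answer) that models exactly that with a toy resource tree: a grant on folder1 authorises project creation under folder1 but not under folder2 or directly under the organization, a grant attempted on a project is rejected, and the real gcloud command for a folder- or organization-level binding is emitted. All resource ids, the organization number and the service account email are constructed placeholders.

```python
"""Toy model of GCP IAM role inheritance for roles/resourcemanager.projectCreator.

Added example, not Google's code or the answerers' code. The resource hierarchy,
resource ids and member email below are constructed. It models two points made
in the answers: the role's lowest grantable resource is Folder, so a binding on a
project is rejected, and a binding is inherited by every descendant of the node
it is set on but never by sibling subtrees.
"""
from dataclasses import dataclass, field
from typing import Iterator, Optional

PROJECT_CREATOR = "roles/resourcemanager.projectCreator"

# Lowest resource type at which each role may be bound (only the role this thread
# is about is modelled; value taken from the IAM roles reference quoted above).
LOWEST_RESOURCE = {PROJECT_CREATOR: "folder"}
LEVEL = {"organization": 0, "folder": 1, "project": 2}


@dataclass
class Node:
    name: str                                   # e.g. "folders/1111" (constructed id)
    kind: str                                   # "organization" | "folder" | "project"
    parent: Optional["Node"] = None
    bindings: dict = field(default_factory=dict)  # role -> set of members

    def grant(self, role: str, member: str) -> None:
        """Bind member to role on this node; refuse nodes below the role's lowest level."""
        lowest = LOWEST_RESOURCE.get(role)
        if lowest is not None and LEVEL[self.kind] > LEVEL[lowest]:
            raise ValueError(f"{role} cannot be bound on a {self.kind}; lowest level is {lowest}")
        self.bindings.setdefault(role, set()).add(member)

    def ancestry(self) -> Iterator["Node"]:
        """This node, then its parent, and so on up to the organization."""
        node: Optional[Node] = self
        while node is not None:
            yield node
            node = node.parent


def has_role(node: Node, role: str, member: str) -> bool:
    """Effective check: a binding anywhere on the path up to the org applies here.

    Walking upward is what makes inheritance downward-only: a binding on a sibling
    folder is never on this path, and a binding below this node is never seen.
    """
    return any(member in n.bindings.get(role, set()) for n in node.ancestry())


def can_create_project_under(parent: Node, member: str) -> bool:
    """Project creation is authorised on the *parent* (folder or org) of the new project."""
    return parent.kind != "project" and has_role(parent, PROJECT_CREATOR, member)


def gcloud_binding_command(node: Node, role: str, member: str) -> str:
    """Real gcloud commands for a folder- or org-level binding (ids here are constructed)."""
    resource_id = node.name.split("/", 1)[1]
    if node.kind == "organization":
        return (f"gcloud organizations add-iam-policy-binding {resource_id} "
                f"--member={member} --role={role}")
    if node.kind == "folder":
        return (f"gcloud resource-manager folders add-iam-policy-binding {resource_id} "
                f"--member={member} --role={role}")
    raise ValueError(f"{role} is never bound on a project")


def build_demo() -> dict:
    """Org -> folder1, folder2; grant Project Creator to a service account on folder1 only."""
    org = Node("organizations/123456789012", "organization")        # constructed
    folder1 = Node("folders/1111", "folder", org)                    # constructed
    folder2 = Node("folders/2222", "folder", org)                    # constructed
    sa = "serviceAccount:builder@demo-proj.iam.gserviceaccount.com"  # constructed
    folder1.grant(PROJECT_CREATOR, sa)
    return {"org": org, "folder1": folder1, "folder2": folder2, "sa": sa}


def project_level_grant_is_rejected() -> bool:
    """Mirrors the asker's experience: the role is not available on a project."""
    d = build_demo()
    project = Node("projects/app-a", "project", d["folder1"])        # constructed
    try:
        project.grant(PROJECT_CREATOR, d["sa"])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    d = build_demo()
    for name in ("org", "folder1", "folder2"):
        print(f"{name:8} can create projects: {can_create_project_under(d[name], d['sa'])}")
    print("project-level grant rejected:", project_level_grant_is_rejected())
    print(gcloud_binding_command(d["folder1"], PROJECT_CREATOR, d["sa"]))
```

Running it shows folder1 as the only place the service account may create projects; the organization itself reports False because the binding sits one level below it, which is the "does not propagate horizontally (or upward)" behaviour the second answer describes. Binding at the organization instead would make all three True.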

1
votes

If you do not see the project creator role in IAM, you will have to contact the Organization admin who should have the ability to add that particular role.

1
votes

As John Hanley mentioned before, it should be done at the organization level. I have attached a photo.

Resource manager > Project creator