0
votes

Per the title, what is the smallest set of IAM roles in GCP, set at the top-level org node, that grants all permissions over an entire organization hierarchy?

For example, a set containing resourcemanager.folderCreator and resourcemanager.folderAdmin would not be a smallest set, because the permissions comprising resourcemanager.folderCreator are contained in resourcemanager.folderAdmin.

For another example, the set [resourcemanager.organizationAdmin, owner] would not be a smallest set, because it does not grant all permissions (e.g. it is missing orgpolicy.*, among others).

What is it?

1
What is ALL? Org and billing permissions included? Or only project permissions? - guillaume blaquiere
Every permission there is. Including billing, and so much more. - Thomas Ruble
The org admin role should be the highest. But it's against the least privilege principle. Use with caution. - guillaume blaquiere

1 Answer

0
votes

As I understand from the title of your question, there isn't a role that grants all permissions.

You could consider using the organization admin role, because it is the highest privilege for self-assigning permissions; it is the only one that could grant you all the permissions.
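
The two tests the question uses to define a "smallest set" (no role contained in another, no permission left uncovered) can be checked mechanically when reviewing org-level bindings. This is an added example, not code from the question or the answer; the role-to-permission map is constructed and abbreviated rather than the real role definitions, and the function names are hypothetical.

```python
from itertools import combinations, permutations

# Constructed, abbreviated map for illustration only; NOT the real role contents.
# In practice, fill each set from the includedPermissions field of
# `gcloud iam roles describe ROLE --format=json`.
ROLES = {
    "roles/resourcemanager.folderCreator": {
        "resourcemanager.folders.create", "resourcemanager.folders.get"},
    "roles/resourcemanager.folderAdmin": {
        "resourcemanager.folders.create", "resourcemanager.folders.get",
        "resourcemanager.folders.delete", "resourcemanager.folders.setIamPolicy"},
    "roles/resourcemanager.organizationAdmin": {
        "resourcemanager.organizations.get",
        "resourcemanager.organizations.setIamPolicy",
        "resourcemanager.folders.get"},
    "roles/owner": {"resourcemanager.projects.delete",
                    "resourcemanager.folders.get"},
    "roles/orgpolicy.policyAdmin": {"orgpolicy.policy.set"},
}
ALL_PERMISSIONS = set().union(*ROLES.values())


def redundant_roles(roles):
    """Map each role to another role in the set that already contains it."""
    found = {}
    for a, b in permutations(roles, 2):
        # Strict subset, or identical sets with a name tie-break so that
        # only one of two equal roles is reported.
        if ROLES[a] <= ROLES[b] and (ROLES[a] < ROLES[b] or a > b):
            found[a] = b
    return found


def missing_permissions(roles, target):
    """Permissions in target that no role in the set grants."""
    return target - set().union(*(ROLES[r] for r in roles))


def smallest_cover(candidates, target):
    """Exact search by increasing size; set cover is NP-hard, so this only
    suits a short candidate list. Returns None if no subset covers target."""
    for size in range(1, len(candidates) + 1):
        for combo in combinations(sorted(candidates), size):
            if not missing_permissions(combo, target):
                return set(combo)
    return None
```
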