I am trying to give Project Creator role to a service account from IAM in GCP

Asked 20/11, 2019 at 15:30 Answered 5/7, 2022 at 18:5

I am trying to give Project Creator role to a service account from IAM, I do not see a role named Project Creator as explained here https://cloud.google.com/iam/docs/understanding-roles#resource-manager-roles

I am not getting Project creator as a role in Service Account Role

Anetteaneurin answered 20/11, 2019 at 15:30 Comment(8)

You cannot assign Project Creator at the project level. In the Google Cloud Console, select your organization while in the Resource Manager page. Then you can assign this permission. The permission must be assigned at the level which will be the parent of any new projects. – Nnw 20/11, 2019 at 15:40

Hey John, thanks for the answer. I was actually looking in to get organization level role exposure and just then after reading your comment and digging more docs i found that i need to associate my cloud identity account to see organization level roles. I am in to that process now. I am just getting started with gcp iam. – Anetteaneurin 20/11, 2019 at 17:32

If you have a Pluralsight subscription, watch this course: app.pluralsight.com/library/courses/… – Nnw 20/11, 2019 at 17:36

For YouTube, watch this session: youtu.be/tNG4RUpBUso – Nnw 20/11, 2019 at 17:37

To add to my comment "The permission must be assigned or inherited at the level which will be the parent of any new projects" – Nnw 20/11, 2019 at 18:2

What i am still missing is ability to add Service account and Project Creator Role on Org/Folder level, I am able to give Project Creator role to Individual User Account on Org or Folder level but Service account is grey out (What i am getting it is Project level resoruce), so i am still not able to add a service account with Project Creator role. Is it even possible to have a SA on org/folder level ? In the mean while I am going through pluralsight course as well, thanks for the link and all the suggestions. – Anetteaneurin 21/11, 2019 at 11:11

Have you seen any evidence anywhere that a service account CAN have permissions to create projects? It may simply be that a project can ONLY be associated with a real user account. – Synchrocyclotron 21/11, 2019 at 15:12

That's what I see in gcp, but let's relate with some infrastructure architecture perspective of another cloud, project in gcp is pretty what we call resource group in azure. You can have a service principal (service account in gcp) to create resource group and use IAM to define a user boundary to deploy resources in that resource group. Now from a practical example in gcp, I have seen qwiklabs create projects on demand, does it create using a user context? Or how it does because that is what I want to achieve in self service model – Anetteaneurin 21/11, 2019 at 16:5

Its roles/resourcemanager.projectCreator and lowest resource hierarchy where it can be given is Folder. So if you have a Folder then create an IAM role at Folder level(you need to have permissions at Folder level) or else create at Org level(again, you need to have org level perms).

Ref: https://cloud.google.com/iam/docs/understanding-roles#resource-manager-roles

roles/
resourcemanager.projectCreator  Project Creator     Provides access to create new projects. Once a user creates a project, they're automatically granted the owner role for that project.   resourcemanager.organizations.get
resourcemanager.projects.create
    Folder ```


Hope this helps

Paries answered 20/11, 2019 at 15:37 Comment(0)

If you do not see the project creator role in IAM, you will have to contact the Organization admin who should have the ability to add that particular role.

Glide answered 20/11, 2019 at 15:48 Comment(0)

Rather than think of giving a user/service account permissions "globally", think about giving those permissions contextually. Imagine a user with the identity of [email protected]. You want that user to be able to create projects ... but it isn't as simple as that. Within GCP, you have the concept of folders which can contain projects. If I have two folders folder1 and folder2, and I want to the user to be able to create projects in folder1 but not folder2, we seem to have a problem. If I said that the user could just create projects, that would be too broad.

The better way to think about it is that there is a hierarchy of resources ... these start at the root (the organization) and then we have folders beneath that (optionally) and we end up with projects. Now we have enough to complete the story.

What GCP allows us to do is state:

At this level (organization or folder) I wish to give this user this permission. This then propagates downwards from that tree level but does not propagate horizontally.

And thus we get to the root of your question. When you go to IAM, you are trying to associate roles to a user "globally" as opposed to "contextually". There is no concept of giving a user project create globally ... instead you give it contextually either at an organization or folder level. Note that if you assign a permission at the organization level, that is effectively global as everything nests down from the organization.

Synchrocyclotron answered 20/11, 2019 at 15:56 Comment(1)

Right, i also dont want any user account to give this role but rather give it to a service account and use it to automate project creation project. The problem here i see is the role is available above project level in hierarchy but SA seems not to be available above project level to assign this role. – Anetteaneurin 21/11, 2019 at 13:55

As John Hanley mentioned before it should be done under organization level. I have attache a photo.

Resource manager > Project creator

Caveman answered 20/11, 2019 at 16:38 Comment(5)

Yes i am getting this now on org/folder level for user accounts but i do not see a way for doing this for a Service Account on org/folder level. – Anetteaneurin 21/11, 2019 at 11:14

First search for your service account then at organization level assign "Resource manager > Project creator" role to it. – Caveman 22/11, 2019 at 13:2

Thank you so much @Caveman !! initially it was giving some error while i was adding SA from IAM but now i am able to add and deploy resources using the key for SA. – Anetteaneurin 26/11, 2019 at 10:15

How did you get this to work? I can't seem to find a way to give that permission to a service account – Pensionary 19/3, 2021 at 7:50

That role is not available for in the GUI for me :thinking-face: (project deleter and mover is there, but not creator) – Deirdre 26/9, 2022 at 11:28

Create your Service Account at Project Level;
Copy the email of your Service Account;
Go to your Organization and Add a new principal to it with the role Project Creator and use the copied email taken in step 2.

Plat answered 5/7, 2022 at 18:5 Comment(0)

You can create org/folder with Project Creator role, and then grant this role to a Service Account in a project under this org/folder. To do it using the console:

Create a Service Account in a project that is under the org/folder
Go to the "Manage resources" page and select the org/folder
On the Info panel on the right under Permissions, enter the Service Account email address
In the select role drop down, select Resource Manager > Project Creator

Pickard answered 24/3, 2022 at 5:31 Comment(0)

Recommended topics

Hot tags