
create service account and assign permissions/roles at the organization level in GCP

I need to fetch all the projects and associated resource details underneath an org in GCP. What is the best way to do this? Can I create a service account bound to an organization, and what type of roles need to be assigned to the service account to control all types of resources under an organization?

  1. Can I create a service account bound to an organization?

    Yes, you can bind a service account to an organization.

  2. What type of roles need to be assigned to the service account to control all types of resources under an organization?

    If you need to control resources under your organization only, the "owner" role is enough. But if you need to control folders and the organization itself too, "owner" + "organization administrator" roles are necessary.

The service account can be granted IAM roles that let it access resources. The service account is used as the identity of the application, and the service account's roles control which resources the application can access.

You can grant users permissions using custom roles. These roles operate on the principle of least privilege, and generally provide only the minimum necessary permissions required to do a particular task. Because of their restricted permissions, however, custom roles may cause many resources in your hierarchy to be omitted when executing a list operation. When performing searches as a user that has been granted a custom role, it can be difficult to tell why certain resources are not appearing.

To get the permissions that you need to create and manage custom roles, ask your administrator to grant you the following IAM roles:

  • To manage roles for a project: Role Administrator (roles/iam.roleAdmin) on the project that you want to manage roles for
  • To manage roles for an organization: Organization Role Administrator (roles/iam.organizationRoleAdmin) on the organization that you want to manage roles for.

As mentioned, there is no single role that can be given to a service account to control all types of resources. If a user needs access to a specific Google Cloud resource, you can grant the user a role for that resource. Some examples of resources are projects, Compute Engine instances, and Cloud Storage buckets.

Some services support granting IAM permissions at a granularity finer than the project level. For example, you can grant the Storage Admin role (roles/storage.admin) to a user for a particular Cloud Storage bucket, or you can grant the Compute Instance Admin role (roles/compute.instanceAdmin) to a user for a specific Compute Engine instance.

To list all the resources in the resource hierarchy, grant a service account the list and get permissions for Organizations, Folders, and Projects on the Organization resource.
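The procedure both answers describe (create a service account, bind read roles on the organization node, then enumerate organization, folders and projects), as an added example that is not part of either answer. It assumes `gcloud` is installed and authenticated and that the caller supplies `ORG_ID`, `PROJECT_ID` and `SA_NAME`; the role choice (`roles/browser` for the hierarchy, `roles/viewer` for resources inside projects) is one least-privilege reading of the answer above, not something the answer states. `DRY_RUN=1` (the default) prints the commands instead of executing them so the plan can be reviewed before any IAM policy is changed.

```shell
#!/bin/sh
# Added example (not from the original answers): plan/apply helper that creates
# a service account, grants it org-level read roles, and walks the
# organization -> folder -> project hierarchy with gcloud.
# Assumptions: gcloud installed and authenticated; ORG_ID, PROJECT_ID and
# SA_NAME set by the caller. DRY_RUN=1 (default) only prints the commands.

: "${DRY_RUN:=1}"

# run: print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# sa_email: the e-mail gcloud assigns to a service account in a host project.
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"
}

# create_sa: create the service account inside the host project.
create_sa() {
  run gcloud iam service-accounts create "$1" \
    --project="$2" --display-name="Org inventory reader"
}

# grant_org_roles: bind read-only roles on the organization node.
# roles/browser covers get/list on organizations, folders and projects
# (the hierarchy); roles/viewer adds read access inside every project.
grant_org_roles() {
  org=$1; member="serviceAccount:$2"
  for role in roles/browser roles/viewer; do
    run gcloud organizations add-iam-policy-binding "$org" \
      --member="$member" --role="$role"
  done
}

# list_folders: direct child folders of an organization or of a folder.
list_folders() {
  case $1 in
    organization) run gcloud resource-manager folders list \
                    --organization="$2" --format="value(name)" ;;
    folder)       run gcloud resource-manager folders list \
                    --folder="$2" --format="value(name)" ;;
  esac
}

# list_projects: direct child projects of an organization or of a folder.
list_projects() {
  run gcloud projects list \
    --filter="parent.type=$1 AND parent.id=$2" --format="value(projectId)"
}

# walk: depth-first traversal of the hierarchy. In dry-run mode only the
# top-level commands are emitted, since there is no real output to recurse into.
walk() {
  list_projects "$1" "$2"
  if [ "$DRY_RUN" = "1" ]; then
    list_folders "$1" "$2"
    return
  fi
  for f in $(list_folders "$1" "$2"); do
    walk folder "${f#folders/}"
  done
}

main() {
  email=$(sa_email "$SA_NAME" "$PROJECT_ID")
  create_sa "$SA_NAME" "$PROJECT_ID"
  grant_org_roles "$ORG_ID" "$email"
  walk organization "$ORG_ID"
}

# Run only when the caller has supplied an organization, e.g.
#   ORG_ID=123456789 PROJECT_ID=my-host-proj SA_NAME=inventory sh walk_org.sh
if [ -n "${ORG_ID:-}" ]; then
  main
fi
```

Review the printed plan first, then rerun with `DRY_RUN=0` to apply it. If the service account still misses resources while listing, the answer's caveat about restrictive roles applies: check which node in the hierarchy lacks the get/list binding rather than widening to Owner.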
