GCP Owner and Administrator roles for organization
I am assigned the "Owner" role on the whole GCP organization, yet I cannot access organization IAM or billing accounts. I've tried running a query on the principal, and I can see my account as a member of the "roles/owner" role, but still nothing. Is it a bug, or is it really intended to be so that the owner role has fewer permissions than resourcemanager.organizationAdministrator? Thanks!
The basic difference between the owner role and the admin role is that:
An owner of an Organization is the member that has purchased the subscription. An owner has all privileges which include buying, upgrading, downgrading and cancelling subscriptions, modifying product access privileges, inviting and removing members from an Organization, and changing member roles. Each Organization can only have one owner.
Whereas, an admin of an Organization is a member that has privileges which include modifying product access privileges for other members, inviting and removing members from an Organization and changing member roles. An Organization can have more than one admin.
To confirm which role you have, you can run the below command:
gcloud iam roles describe ROLE_ID [--organization=ORGANIZATION | --project=PROJECT_ID] [GCLOUD_WIDE_FLAG …]
You can refer to [1] for any clarification on the above parameters or if you find any error.
To check which exact role you want for your billing account, you can refer to the link below: https://cloud.google.com/iam/docs/understanding-roles#billing-roles
By default, the resource manager admin has project-only authority; refer to the link below: https://cloud.google.com/iam/docs/understanding-roles#resource-manager-roles
I went through this troubleshooting and was finally able to add the standard support offerings by giving myself all of these permissions.
- cloud support admin permission
gcloud organizations add-iam-policy-binding organizational_id --member='user:[email protected]' --role=roles/cloudsupport.admin
- organization admin permission
gcloud organizations add-iam-policy-binding organizational_id --member='user:[email protected]' --role=roles/resourcemanager.organizationAdmin
- Billing admin
gcloud organizations add-iam-policy-binding organizational_id --member='user:[email protected]' --role=roles/billing.admin
- Tech support editor needed to create/view support cases
gcloud organizations add-iam-policy-binding organizational_id --member='user:[email protected]' --role=roles/cloudsupport.techSupportEditor
In addition to that, you may need the super admin permission.
Note: roles/owner is just the owner of the organization with access to all resources; this role does not give access to add standard support or to view all IAM policies/roles.
To find the organization ID:
gcloud organizations list
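Both answers come down to the same check: look at which roles are actually bound to your principal on the organization, then compare them against the roles the second answer had to add. The script below is an added example, not code from either answer or from Google; it reads the JSON that `gcloud organizations get-iam-policy ORG_ID --format=json` prints (bindings with a role, a members list and an optional condition), lists what the member holds directly, and renders the `gcloud organizations add-iam-policy-binding` commands from the second answer for whatever is missing. The sample policy, the member names and the etag are constructed for the example; the required-role list is taken from the second answer.

```python
import json
import sys

# Roles the second answer bound at the organization before standard support
# could be added; roles/owner on the organization alone was not enough.
REQUIRED_ROLES = (
    "roles/resourcemanager.organizationAdmin",
    "roles/billing.admin",
    "roles/cloudsupport.admin",
    "roles/cloudsupport.techSupportEditor",
)

# Constructed sample in the shape that
# `gcloud organizations get-iam-policy ORG_ID --format=json` prints.
# The members, group and etag are invented for this example; alice is the
# situation in the question: roles/owner on the organization and nothing else.
SAMPLE_POLICY_JSON = r"""
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com", "group:org-admins@example.com"]},
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["group:org-admins@example.com"]},
    {"role": "roles/billing.admin",
     "members": ["user:bob@example.com"],
     "condition": {"title": "expires-2030",
                   "expression": "request.time < timestamp(\"2030-01-01T00:00:00Z\")"}}
  ],
  "etag": "BwXexampleEtag=",
  "version": 3
}
"""


def load_policy(policy_text):
    """Parse the JSON text of an IAM policy into a dict."""
    return json.loads(policy_text)


def roles_for_member(policy, member):
    """Map each role bound directly to `member` to its condition title (None if unconditional).

    Only direct bindings are visible here: a role inherited through a group
    (like org-admins above) or from a parent resource does not appear, so an
    absent role means "not granted directly in this policy", not proof that
    the principal lacks it.
    """
    roles = {}
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            condition = binding.get("condition")
            roles[binding["role"]] = condition.get("title") if condition else None
    return roles


def missing_roles(policy, member, required=REQUIRED_ROLES):
    """Return the required roles `member` does not hold directly, in the answer's order."""
    held = roles_for_member(policy, member)
    return [role for role in required if role not in held]


def grant_commands(org_id, member, roles):
    """Render the add-iam-policy-binding commands from the second answer for `roles`."""
    return [
        f"gcloud organizations add-iam-policy-binding {org_id} "
        f"--member='{member}' --role={role}"
        for role in roles
    ]


def report(policy_text, member, org_id="ORGANIZATION_ID"):
    """Summarise what `member` holds and which checklist roles are still missing."""
    policy = load_policy(policy_text)
    missing = missing_roles(policy, member)
    return {
        "held": roles_for_member(policy, member),
        "missing": missing,
        "commands": grant_commands(org_id, member, missing),
    }


if __name__ == "__main__":
    # Usage: gcloud organizations get-iam-policy ORG_ID --format=json \
    #          | python3 check_org_roles.py user:you@example.com ORG_ID
    # With nothing on stdin, the constructed sample policy above is used.
    member = sys.argv[1] if len(sys.argv) > 1 else "user:alice@example.com"
    org_id = sys.argv[2] if len(sys.argv) > 2 else "ORGANIZATION_ID"
    policy_text = "" if sys.stdin.isatty() else sys.stdin.read()
    if not policy_text.strip():
        policy_text = SAMPLE_POLICY_JSON
    result = report(policy_text, member, org_id)
    for role, condition in sorted(result["held"].items()):
        print(f"held    {role}" + (f"  (conditional: {condition})" if condition else ""))
    for role in result["missing"]:
        print(f"missing {role}")
    for cmd in result["commands"]:
        print(cmd)
```

The `held` map keeps the condition title for conditional bindings (bob's billing role above), because an expired or unmet condition grants nothing even though the binding is present; and because group membership is not resolved here, a principal that appears to be missing a role may still hold it through a group such as `org-admins`, which is why the `describe` command from the first answer and the console's policy view are still worth checking before adding more bindings.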