GCP Owner and Administrator roles for organization

google-cloud-platform google-iam

I am assigned "Owner" role on the whole GCP organization, yet I cannot access organization IAM or billing accounts. I've tried running a query on principal, I can see my account as a member of "roles/owner" role, but still nothing. Is it a bug or is it really intended do be so that owner role has less permissions than resourcemanager.organizationAdministrator? Thanks!


The basic difference between owner role and admin role is that:

An owner of an Organization is the member that has purchased the subscription. An owner has all privileges which include buying, upgrading, downgrading and cancelling subscriptions, modifying product access privileges, inviting and removing members from an Organization, and changing member roles. Each Organization can only have one owner.

Whereas, an admin of an Organization is a member that has privileges which include modifying product access privileges for other members, inviting and removing members from an Organization and changing member roles. An Organization can have more than one admin.

To confirm which role you have, you can run the below command:
gcloud iam roles describe ROLE_ID [--organization=ORGANIZATION | --project=PROJECT_ID] [GCLOUD_WIDE_FLAG …]

You can refer 1 for any clarification on the above parameters or if you find any error.

To check what exact role you want for your billing account, you can refer the below link. https://cloud.google.com/iam/docs/understanding-roles#billing-roles

By default, the resource manager admin have project only authority, refer the below link. https://cloud.google.com/iam/docs/understanding-roles#resource-manager-roles


I gone through this troubleshooting and finally able to add the standard support offerings by giving myself all these permissions.

  1. cloud support admin permission

gcloud organizations add-iam-policy-binding organizational_id --member='user:[email protected]' --role=roles/cloudsupport.admin

  1. organization admin permission

gcloud organizations add-iam-policy-binding organizational_id --member='user:[email protected]' --role=roles/resourcemanager.organizationAdmin

  1. Billing admin

gcloud organizations add-iam-policy-binding organizational_id --member='user:[email protected]' --role=roles/billing.admin

  1. Tech support editor needed to create/view support cases

gcloud organizations add-iam-policy-binding organizational_id --member='user:[email protected]' --role=roles/cloudsupport.techSupportEditor

In addition to that you may need super admin permission.

Note: roles/owner is just the owner of the organization with access to all resources, this role does not give access to add standard support or view all IAM policies/roles

To find the organization ID

gcloud organizations list

Related

What is Ad Hoc Query?
What does "The code generator has deoptimised the styling of [some file] as it exceeds the max of "100KB"" mean?
Do I need a content-type header for HTTP GET requests?
How can I pass artifacts to another stage?
Step-by-step debugging with IPython
Cannot use ref or out parameter in lambda expressions
Gradle: Could not determine java version from '11.0.2'
How to version control a record in a database [closed]
nil detection in Go
It is more efficient to use if-return-return or if-else-return?
Git: Pull from other remote
matplotlib does not show my drawings although I call pyplot.show()