How to prevent a user from creating a GCP project
Permissions are inherited from the top, in this case from the organization:
> By default, when the organization is created your entire domain is granted Project Creator and Billing Account Creator IAM roles at the organization level. This ensures that users in your domain will be able to continue creating projects as they did before and no disruption occurs.
> The Organization Administrator will decide when they want to start actively using the organization. They can then change the default permissions and enforce more restrictive policies as needed.
In Using Resource Hierarchy for Access Control there's a gem at the very bottom:
> If you want to limit project creation in your Organization, change the Organization access policy to grant the Project Creator role to a group that you manage.
Specifically, the role you want to disinherit is roles/resourcemanager.projectCreator:
> Provides access to create new projects. Once a user creates a project, they're automatically granted the owner role for that project.
I know this post is pretty old already, but the issue is still a valid one. To fix this in your GCP Org:
- Select the Org in the console
- Go to IAM & Admin > Manage Resources
- Select the Org
- Under Permissions, type "creator" to filter all other roles. You'll be left with "Billing account creator" and "Project Creator"
- For both of these, make sure you have and are signed in as a principal that has these roles (in my example I have groups for "gcp-billing-admins@..." and "gcp-organization-admins@...")
- You may see the Org icon and org name under each of these roles. Delete the org from each
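An added example, not part of either answer above: a Python audit of an organization IAM policy export that lists creator-role grants held outside the managed groups and builds the matching `gcloud organizations` commands, with grants placed before removals. The org ID, the `example.com` domain, the group addresses and the `plan` helper are constructed for illustration, and conditional bindings are not handled.

```python
import json

# Roles named in the answers above; roles/billing.creator is Billing Account Creator.
CREATOR_ROLES = ("roles/resourcemanager.projectCreator", "roles/billing.creator")

# Constructed sample, shaped like `gcloud organizations get-iam-policy ORG_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/resourcemanager.projectCreator",
   "members": ["domain:example.com", "group:gcp-organization-admins@example.com"]},
  {"role": "roles/billing.creator", "members": ["domain:example.com"]},
  {"role": "roles/resourcemanager.organizationAdmin",
   "members": ["group:gcp-organization-admins@example.com"]}
]}
""")

# Assumed mapping: the managed group that should hold each creator role.
MANAGED = {
    "roles/resourcemanager.projectCreator": "group:gcp-organization-admins@example.com",
    "roles/billing.creator": "group:gcp-billing-admins@example.com",
}


def plan(org_id, policy, managed):
    """Return (findings, commands) for creator roles held outside the managed groups."""
    current = {}
    for binding in policy.get("bindings", []):
        # A role can appear in more than one binding, so merge the member sets.
        current.setdefault(binding["role"], set()).update(binding.get("members", []))
    findings, grants, removals = [], [], []
    for role in CREATOR_ROLES:
        members = current.get(role, set())
        group = managed[role]
        if group not in members:
            grants.append(f"gcloud organizations add-iam-policy-binding {org_id} "
                          f"--member={group} --role={role}")
        for member in sorted(members - {group}):
            findings.append((role, member))
            removals.append(f"gcloud organizations remove-iam-policy-binding {org_id} "
                            f"--member={member} --role={role}")
    # Grants come first so the managed groups hold the roles before broad grants go.
    return findings, grants + removals


if __name__ == "__main__":
    findings, commands = plan("123456789012", SAMPLE_POLICY, MANAGED)  # constructed org ID
    for role, member in findings:
        print(f"broad grant: {member} has {role}")
    print("\n".join(commands))
```

Review the generated commands before running them, and confirm the account you are signed in with is a member of the managed groups.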