I have created a GCP service account with org viewer permissions (I assume therefore having read rights in all projects)
▶ gcloud organizations get-iam-policy 83838383838383 --flatten="bindings[].members" --format='table(bindings.role)' --filter="bindings.members:my-sa@my-project-id.iam.gserviceaccount.com"
ROLE
roles/resourcemanager.organizationViewer
I then activate this locally
▶ gcloud auth activate-service-account my-sa@my-project-id.iam.gserviceaccount.com --key-file=keyfile.json
Activated service account credentials for: [my-sa@my-project-id.iam.gserviceaccount.com]
and then try to perform a compute disk list (on the same project the SA was created)
▶ gcloud compute disks list
ERROR: (gcloud.compute.disks.list) Some requests did not succeed:
- Required 'compute.disks.list' permission for 'projects/my-project-id'
Why is that?
The error messages states that the service account does not have the permission compute.disks.list.
What permissions does the role roles/resourcemanager.organizationViewer have?
gcloud iam roles describe roles/resourcemanager.organizationViewer --format=json
Notice that the role only has one permission resourcemanager.organizations.get
{
"description": "Access only to view an Organization.",
"etag": "AA==",
"includedPermissions": [
"resourcemanager.organizations.get"
],
"name": "roles/resourcemanager.organizationViewer",
"stage": "GA",
"title": "Organization Viewer"
}
That permssions allows viewing the organization details, but not the resources of the organization.