Tags: google-cloud-platform, terraform, terraform-provider-gcp, google-iam, google-cloud-iam

How to inherit access to see all projects belonging to a GCP organization?


I'm currently listed as an admin on the Google Workspace, but for some reason, there still seem to be certain operations that I can't do, like create a folder to organize projects. We're using terraform to generate some projects, and the generated projects only give access to those directly specified in the permissions.

I see inherited permissions / access referenced on the website. How would we set it up so that I, and a few other people always inherit access to see every project that's created for the organization?


Solution

  • I see inherited permissions / access referenced on the website. How would we set it up so that I, and a few other people always inherit access to see every project that's created for the organization?

    Permissions are inherited. If you want access to all projects in an organization including future projects, grant the identities roles at the organization level.

    For example, to grant the ability to view all folders and projects in an organization, the appropriate role is roles/resourcemanager.organizationViewer. The next level up, which allows the identity to browse the folders, projects and IAM policies, is roles/browser.

    To grant a role to an identity:

    gcloud RESOURCE_TYPE add-iam-policy-binding RESOURCE_ID \
      --member=PRINCIPAL_TYPE:ID \
      --role=ROLE_ID
    
    • RESOURCE_TYPE: projects, folders or organizations
    • RESOURCE_ID: PROJECT_ID, FOLDER_ID, or ORGANIZATION_ID, matching the RESOURCE_TYPE
    • PRINCIPAL_TYPE: common values are serviceAccount, group or user
    • ID: email address of the identity. Example [email protected]
    • ROLE_ID: role to grant. Example roles/resourcemanager.organizationViewer

    Example command: (replace $ORG_ID with the Organization ID)

    gcloud organizations add-iam-policy-binding $ORG_ID \
      --member=user:[email protected] \
      --role=roles/resourcemanager.organizationViewer
    

    Access control for organizations using IAM

    You can accomplish the above using the Google Cloud Console GUI and via SDKs and APIs.
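Since the question mentions generating projects with Terraform, here is the same organization-level grant expressed as Terraform resources. This is an added example, not code from the answer above or from the Google provider docs; the organization ID and the group address are placeholders, and the provider block is assumed to be configured elsewhere.

```hcl
# Added example (not from the original answer). Placeholders: var.org_id and
# the group address must be replaced with real values.
variable "org_id" {
  description = "Numeric organization ID (placeholder, e.g. from `gcloud organizations list`)"
  type        = string
}

# Grant to a group rather than to individual users: who gets visibility is then
# managed by group membership in Workspace / Cloud Identity, not by editing
# Terraform every time someone joins or leaves.
locals {
  org_viewers = "group:cloud-viewers@example.com" # placeholder group
}

# Because IAM is inherited, a binding on the organization applies to every
# existing folder and project under it, and to every project Terraform creates
# later, with no per-project binding required.
#
# google_organization_iam_member is non-authoritative: it adds exactly one
# member to one role and leaves every other binding on the organization alone.
# google_organization_iam_binding and google_organization_iam_policy are
# authoritative and will remove members (or whole roles) that are not declared
# in Terraform, so prefer the _member form for an additive grant like this one.
resource "google_organization_iam_member" "org_viewers_organization_viewer" {
  org_id = var.org_id
  role   = "roles/resourcemanager.organizationViewer"
  member = local.org_viewers
}

# roles/browser additionally lets the group browse the folder/project hierarchy
# and read IAM policies (read-only; it grants no access to project resources).
resource "google_organization_iam_member" "org_viewers_browser" {
  org_id = var.org_id
  role   = "roles/browser"
  member = local.org_viewers
}
```

After `terraform apply`, the resulting bindings can be checked with `gcloud organizations get-iam-policy $ORG_ID`, which lists every role binding on the organization.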