
I am assigned the "Owner" role on the whole GCP organization, yet I cannot access organization IAM or billing accounts. I've tried running a query on the principal, and I can see my account as a member of the "roles/owner" role, but still nothing. Is it a bug, or is it really intended to be so that the owner role has fewer permissions than resourcemanager.organizationAdministrator? Thanks!

  • The IAM role Owner is a legacy role. This role does not have all roles/permissions. You can, however, add additional roles to your identity. May 24, 2021 at 16:52
  • The problem is, I can't even read organization IAM permissions with my current role bindings, so it would have to be someone with superadmin or org admin roles to add those roles to my account... A bit strange
    – Victor
    May 25, 2021 at 11:53
  • Since you mention billing accounts, I can assume that you are not the actual account owner, and you just have the owner role attached to a project, granted by someone else? Edit your question with more details. May 25, 2021 at 16:28

2 Answers


The basic difference between the owner role and the admin role is this:

An owner of an Organization is the member that has purchased the subscription. An owner has all privileges which include buying, upgrading, downgrading and cancelling subscriptions, modifying product access privileges, inviting and removing members from an Organization, and changing member roles. Each Organization can only have one owner.

An admin of an Organization, by contrast, is a member that has privileges which include modifying product access privileges for other members, inviting and removing members from an Organization, and changing member roles. An Organization can have more than one admin.

To confirm which role you have, you can run the below command:
gcloud iam roles describe ROLE_ID [--organization=ORGANIZATION | --project=PROJECT_ID] [GCLOUD_WIDE_FLAG …]

You can refer to 1 for any clarification on the above parameters or if you find any error.

To check which exact role you want for your billing account, refer to the link below: https://cloud.google.com/iam/docs/understanding-roles#billing-roles

By default, the resource manager admin has project-only authority; refer to the link below: https://cloud.google.com/iam/docs/understanding-roles#resource-manager-roles


I went through this troubleshooting and was finally able to add the standard support offerings by giving myself all these permissions.

  1. Cloud support admin permission

gcloud organizations add-iam-policy-binding organizational_id --member='user:[email protected]' --role=roles/cloudsupport.admin

  2. Organization admin permission

gcloud organizations add-iam-policy-binding organizational_id --member='user:[email protected]' --role=roles/resourcemanager.organizationAdmin

  3. Billing admin

gcloud organizations add-iam-policy-binding organizational_id --member='user:[email protected]' --role=roles/billing.admin

  4. Tech support editor, needed to create/view support cases

gcloud organizations add-iam-policy-binding organizational_id --member='user:[email protected]' --role=roles/cloudsupport.techSupportEditor

In addition to that, you may need super admin permission.

Note: roles/owner is just the owner of the organization with access to all resources; this role does not give access to add standard support or view all IAM policies/roles.

To find the organization ID:

gcloud organizations list
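The answer above grants four organization-level roles one binding at a time. Before running those `gcloud organizations add-iam-policy-binding` commands it is worth checking which of them a principal already holds, and who holds the legacy basic roles (owner/editor/viewer) at the organization level, since those are the bindings an auditor will ask about. The following is an added example, not code from the question or either answer: it parses a policy document in the JSON shape that `gcloud organizations get-iam-policy ORG_ID --format=json` returns, reports the required roles a member is missing, lists basic-role holders, and prints the exact binding commands from the answer for the missing roles. The sample policy, the member `user:alice@example.com`, and the organization id `ORG_ID` are constructed placeholders, not values from the page.

```python
import json
import sys

# Constructed sample policy in the shape returned by
#   gcloud organizations get-iam-policy ORG_ID --format=json
# Members and etag are made up for this example.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com"]},
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["user:alice@example.com", "group:org-admins@example.com"]},
        {"role": "roles/billing.admin",
         "members": ["group:finance@example.com"]},
    ],
    "etag": "BwConstructedEtag",
    "version": 1,
})

# The four organization-level roles the answer ended up binding.
REQUIRED_ROLES = (
    "roles/cloudsupport.admin",
    "roles/resourcemanager.organizationAdmin",
    "roles/billing.admin",
    "roles/cloudsupport.techSupportEditor",
)

# Legacy basic roles; the answer notes roles/owner does not cover org IAM.
BASIC_ROLES = ("roles/owner", "roles/editor", "roles/viewer")


def roles_for_member(policy_json, member):
    """Roles directly bound to `member` in the org policy.

    Direct bindings only: group membership is not expanded and
    conditional bindings are counted as held. Policies inherited
    from folders/projects are not visible at this level anyway.
    """
    policy = json.loads(policy_json)
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def missing_roles(policy_json, member, required=REQUIRED_ROLES):
    """Required roles the member does not hold, in the answer's order."""
    held = roles_for_member(policy_json, member)
    return [r for r in required if r not in held]


def basic_role_members(policy_json):
    """Map each basic role present in the policy to its sorted members."""
    policy = json.loads(policy_json)
    return {b["role"]: sorted(b.get("members", []))
            for b in policy.get("bindings", []) if b["role"] in BASIC_ROLES}


def binding_commands(org_id, member, roles):
    """The add-iam-policy-binding commands from the answer, one per role."""
    return [f"gcloud organizations add-iam-policy-binding {org_id} "
            f"--member='{member}' --role={role}" for role in roles]


def main():
    # Usage: pipe a real policy in, or run with no stdin to use the sample.
    #   gcloud organizations get-iam-policy ORG_ID --format=json | python3 audit.py
    policy_json = SAMPLE_POLICY if sys.stdin.isatty() else sys.stdin.read()
    member = "user:alice@example.com"  # constructed placeholder
    for role, members in basic_role_members(policy_json).items():
        print(f"basic role {role} bound to: {', '.join(members)}")
    gaps = missing_roles(policy_json, member)
    print(f"{member} is missing: {gaps}")
    for cmd in binding_commands("ORG_ID", member, gaps):
        print(cmd)


if __name__ == "__main__":
    main()
```

With the sample policy the member holds `roles/owner` and the organization admin role, so the report shows the support admin, billing admin and tech support editor roles as missing and prints three binding commands; `roles/billing.admin` is bound to a group here, which this direct-binding check deliberately does not expand.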
