jmzhang18

Reputation: 141

Google Cloud IAM User doesn't Inherit Role from Organization

There is User A under the organization with role

There is project A under the organization.

However, User A does not appear under the IAM of project A; when I try gcloud projects get-iam-policy projectA --filter bindings.members:[User A Email], it returns 0 matches, because there is NO User A email in the IAM of project A.

Isn't User A automatically inherited from the organization, with the corresponding roles on any projects under it?

Upvotes: 1

Views: 1677

Answers (2)

Circy

Reputation: 1194

Yes, any roles you assign to a user at the org level will be inherited by all the folders and projects within the org. So user A does have all the roles you listed on all the projects.

However,

gcloud projects get-iam-policy projectA

(corresponds to projects.getIamPolicy) only returns the policies you set on projectA directly through

gcloud projects set-iam-policy projectA

(corresponds to projects.setIamPolicy).

It won't return the inherited policies from the org.

You should be able to find userA in the org IAM policy through

gcloud organizations get-iam-policy 123

(assuming your org id is 123).

Upvotes: 0
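The distinction in this answer (a project's own policy shows only direct bindings, while the member's effective roles are the union of bindings down the hierarchy) is easy to demonstrate offline. The following Python script is an added example and not code from the question, the answers, or Google; it parses IAM policy documents in the JSON shape that gcloud prints with --format=json and merges them from the organization down to the project. The policy contents, the member user:usera@example.com, and the level names are constructed for this example.

```python
"""Compute the roles a member effectively holds on a project by merging the
IAM policies of the organization, folders, and project.

The sample policies below are constructed; in practice each one would be the
output of the matching gcloud command, e.g.
  gcloud organizations get-iam-policy ORG_ID --format=json
  gcloud projects get-iam-policy PROJECT_ID --format=json
"""
from __future__ import annotations

import json
from collections import defaultdict

MEMBER = "user:usera@example.com"  # constructed member for the example

# Constructed sample: the organization policy grants usera two roles, one of
# them only under an IAM condition (conditions must not be read as an
# unconditional grant when reviewing effective access).
ORG_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/viewer", "members": [MEMBER]},
        {
            "role": "roles/iam.securityReviewer",
            "members": [MEMBER],
            "condition": {
                "title": "business-hours-only",
                "expression": "request.time.getHours('UTC') >= 8",
            },
        },
    ],
    "etag": "BwXconstructed=",
    "version": 3,
})

# Constructed sample: project A's own policy has no binding for usera at all,
# which is exactly why a filtered `gcloud projects get-iam-policy` on the
# project returns 0 matches even though the inherited roles still apply.
PROJECT_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
    ],
    "etag": "BwYconstructed=",
    "version": 3,
})


def direct_bindings(policy_json: str, member: str) -> list[tuple[str, str | None]]:
    """Return (role, condition_title) for every binding naming `member` in one
    policy document; condition_title is None for unconditional bindings."""
    policy = json.loads(policy_json)
    found = []
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            condition = binding.get("condition")
            found.append((binding["role"], condition["title"] if condition else None))
    return found


def effective_roles(member: str, hierarchy: list[tuple[str, str]]) -> dict[str, set[str]]:
    """Merge direct bindings down an ordered hierarchy (org, folders..., project).

    Returns {role: {where it was granted}}. IAM is additive, so a role granted
    at any ancestor applies to every descendant; the union is the effective set.
    Conditional grants are labelled so they are not mistaken for plain ones.
    """
    granted: dict[str, set[str]] = defaultdict(set)
    for level, policy_json in hierarchy:
        for role, condition_title in direct_bindings(policy_json, member):
            label = level if condition_title is None else f"{level} (conditional: {condition_title})"
            granted[role].add(label)
    return dict(granted)


def report(member: str, hierarchy: list[tuple[str, str]]) -> str:
    """Human-readable summary, one line per effective role."""
    lines = [f"Effective roles for {member}:"]
    for role, sources in sorted(effective_roles(member, hierarchy).items()):
        lines.append(f"  {role}  <- granted at: {', '.join(sorted(sources))}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Order matters only for readability; the union is the same either way.
    print(report(MEMBER, [("organization", ORG_POLICY), ("project", PROJECT_POLICY)]))
```

Run it and the project-level lookup for usera is empty while the report still lists both organization-granted roles. The same script works for a folder in between the organization and the project by adding a ("folder", FOLDER_POLICY) entry to the hierarchy list.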

Afelaia Timur

Reputation: 59

The role granted at the Organization level will be inherited by the Folder and Project levels. You should add the user to a Project though, and that will solve it.

If you want to find out more about IAM policies, refer to Using resource hierarchy for access control.

Upvotes: 2
