
Reputation: 475

Organization Admin somehow doesn't have access to create a folder in GCP?

I'm pretty sure this is an actual bug with GCP at the moment. I'm the Organization Admin for the GCP organization (I've quadruple checked this, and that I'm signed in with the correct account).

But when I go to Manage Resources and try to create a new folder, it doesn't let me select the organization as the location, because I "don't have the required resourcemanager.folders.create permission". If I try to create the folder in a project that's in the organization, I get "Unknown error".

I'm the user who created the organization and all projects in the first place, and the only G-Suite user that even exists on this domain.

Upvotes: 9

Views: 6216

Answers (3)

mimir

Reputation: 1

To create a subfolder directly under the organization, you need to add the Organization Administrator role to your user account. Follow the same steps as before:

  1. Go to Cloud Console IAM Admin (this should take you to your org settings: https://console.cloud.google.com/iam-admin/settings?organizationId=<your org Id>)
  2. On the left bar, open IAM, either select grant access (if your user is not there) or edit principal (beside your user), and add the Organization Administrator role

Upvotes: 0

Marcin Stepien

Reputation: 131

A quick fix for “You do not have the required "resourcemanager.folders.create" permission to create folders in this location.” at GCP resource manager. With Google Cloud console:

  1. Go to Cloud Resource Manager
  2. Select settings on your organization row, that will land you onto https://console.cloud.google.com/iam-admin/settings?organizationId=<your org Id>
  3. Open IAM, add Folder Admin role to your user account

More at Creating and managing Folders

Upvotes: 2

John Hanley

Reputation: 81444

If you review the permissions that Organization Administrator has, resourcemanager.folders.create is not one of them.

IAM Roles

Org Admin by itself has almost infinite power because it can set IAM policies. This means the Org Admin can grant any IAM permission to any identity.

Grant yourself the required role such as roles/resourcemanager.folderAdmin.

Note: I recommend keeping the Org Admin as a separate identity that you lock away and only use to manage the organization. Create separate identities for day-to-day operations, development, and deployment.

Upvotes: 10
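The distinction drawn in the answer above (a role that lacks a permission but can edit the IAM policy) can be checked offline against an exported policy. This is an added example, not code from any of the answers; the role permission lists are abbreviated, the policy and e-mail addresses are constructed, and it assumes direct user bindings only (no groups, no IAM conditions).

```python
import json

# Abbreviated permission lists, constructed for this example. Get the real
# ones with: gcloud iam roles describe <role>
ROLE_PERMISSIONS = {
    "roles/resourcemanager.organizationAdmin": {
        "resourcemanager.organizations.get",
        "resourcemanager.organizations.getIamPolicy",
        "resourcemanager.organizations.setIamPolicy",
        "resourcemanager.folders.get",
        "resourcemanager.folders.list",
    },
    "roles/resourcemanager.folderAdmin": {
        "resourcemanager.folders.create",
        "resourcemanager.folders.get",
        "resourcemanager.folders.list",
        "resourcemanager.folders.setIamPolicy",
    },
}

# Constructed sample in the shape of
# `gcloud organizations get-iam-policy ORG_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/resourcemanager.organizationAdmin",
   "members": ["user:admin@example.com"]},
  {"role": "roles/resourcemanager.folderAdmin",
   "members": ["user:ops@example.com"]}
]}
""")

SET_POLICY = "resourcemanager.organizations.setIamPolicy"

def check_access(policy, member, permission):
    """Classify member's access to permission on the organization node.

    Returns 'granted', 'can-self-grant' (missing, but the member can edit
    the org IAM policy), or 'denied'.
    """
    held = set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            # Unknown (e.g. custom) roles contribute nothing here.
            held |= ROLE_PERMISSIONS.get(binding["role"], set())
    if permission in held:
        return "granted"
    return "can-self-grant" if SET_POLICY in held else "denied"

if __name__ == "__main__":
    for m in ("user:admin@example.com", "user:ops@example.com"):
        print(m, check_access(SAMPLE_POLICY, m, "resourcemanager.folders.create"))
```

A `can-self-grant` result is the situation in the question: the console refuses the folder creation, yet the identity can still add `roles/resourcemanager.folderAdmin` to itself, so it should be reviewed as if it already held the permission.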
