joar

Reputation: 493

How can you create a new user with GCP full admin and not billing access?

It seems reasonable to want to grant an administrator access to create any and all resources without being able to pull / change / delete billing info.

I seem to recall there was a role something like "project owner" that had full admin but couldn't control billing (and maybe couldn't create new projects). Does anyone know of a role like that? It has been a while since I set up a new GCP account. I've searched around a bit and can't immediately lay hands on the information.

The documentation is not super helpful.

Upvotes: 1

Views: 2059

Answers (1)

John Hanley

Reputation: 81434

In Google Cloud, there is no single role that grants permissions to everything. Some roles do have enough power to support granting themselves more roles.

There are multiple admin-level roles and this evolves as Google creates and modifies services. You will need to review the services that you are using and then grant roles to that identity.

The Organization Administrator has the power to grant itself and any other identity any role. However, this role itself has few permissions.

The Owner account has the power to grant itself and any other identity in the same project any role. The Owner role has a vast number of permissions but does not have all of them. The Owner must grant itself permissions for some resource types.

Note: Only a billing account admin can grant permissions to the billing account. That privilege is separate from Google Cloud permissions. Billing accounts are not part of Google Cloud and have their own management structure.

Upvotes: 3
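One way to check the separation the answer describes, as an added example that is not part of the original answer: it reads a project IAM policy and a billing account IAM policy (the JSON that `gcloud projects get-iam-policy` and `gcloud billing accounts get-iam-policy` print with `--format=json`) and reports whether a principal is a project Owner with no billing role. The policies, e-mail addresses and function names are constructed for illustration, and only direct bindings are inspected.

```python
import json

# Constructed sample policies in the JSON shape printed by
# `gcloud projects get-iam-policy PROJECT_ID --format=json` and
# `gcloud billing accounts get-iam-policy ACCOUNT_ID --format=json`.
PROJECT_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/owner", "members": ["user:admin@example.com"]},
  {"role": "roles/billing.projectManager", "members": ["user:ops@example.com"]},
  {"role": "roles/viewer", "members": ["user:ops@example.com"]}
]}
""")
BILLING_ACCOUNT_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/billing.admin", "members": ["user:finance@example.com"]},
  {"role": "roles/billing.user", "members": ["user:ops@example.com"]}
]}
""")


def roles_for(policy, member):
    """Return the set of roles bound directly to `member` in one policy."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit(member, project_policy, billing_policy):
    """Summarise project-level admin rights and any billing exposure.

    Assumption: only direct bindings are inspected; group membership,
    inherited folder/organization bindings and custom roles are not resolved.
    """
    project_roles = roles_for(project_policy, member)
    billing_roles = roles_for(billing_policy, member)
    # Predefined billing roles share the roles/billing. prefix, and some of
    # them can be bound on a project as well as on the billing account.
    billing_on_project = {r for r in project_roles if r.startswith("roles/billing.")}
    return {
        "is_project_owner": "roles/owner" in project_roles,
        "billing_account_roles": sorted(billing_roles),
        "billing_roles_on_project": sorted(billing_on_project),
        "billing_separated": not billing_roles and not billing_on_project,
    }


if __name__ == "__main__":
    for who in ("user:admin@example.com", "user:ops@example.com"):
        print(who, audit(who, PROJECT_POLICY, BILLING_ACCOUNT_POLICY))
```
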
