Google Cloud Platform service account not getting permissions from organisation custom role

Question

I have the following service account

my-sa@my-project.iam.gserviceaccount.com

Which seems to have the following custom role

▶ gcloud projects get-iam-policy my-project  \
--flatten="bindings[].members" \
--format='table(bindings.role)' \
--filter="bindings.members:my-sa@my-project.iam.gserviceaccount.com.iam.gserviceaccount.com"
ROLE
organizations/123456789/roles/my_custom_role

This custom role has the following permissions

▶ gcloud iam roles describe my_custom_role --organization 123456789
description: My custom role
etag: kdkdkdkd=
includedPermissions:
- container.clusters.get
- container.clusters.list
- container.clusters.update
- container.nodes.delete
- container.nodes.list
- container.operations.get
- resourcemanager.projects.get
- resourcemanager.projects.list
name: organizations/123456789/roles/my_custom_role
stage: GA
title: my_custom_role-

However, when assuming this role (I create, download and login using a json private key)

and listing projects, I cannot see all the organisation's projects but rather only the project the SA belongs to, although I should, given that

the SA has an org level role
it has the resourcemanager.projects.get and resourcemanager.projects.list permissions

Why is that?

Joseph Lust · Accepted Answer

To see other projects, you need a higher level permission on your org.

and listing projects, I cannot see all the organisation's projects but rather only the project the SA belongs to, although I should, given that

This is expected, because the project can only control who sees this project.

Google Cloud Platform service account not getting permissions from organisation custom role

Answers (2)

Related Questions