Three useful Admin roles in GCP IAM
Due to the hierarchical nature of resources in GCP (projects are at the lowest level: they are always LEAVES, never branches), there are many types of IAM admins that come into play. Also read: Org level admin policies in GCP.
What about a PROJECT level IAM admin?
There is a specific role, Project IAM Admin (resourcemanager.projectIamAdmin), that maps to this. Whether you use this role or the primitive Project OWNER role depends upon your exact needs.
What is an Org Admin?
- Organization Admins have the resourcemanager.organizationAdmin role for the top-level organization.
- They are the only ones allowed to nominate Shared VPC Admins (see below) by granting them appropriate project creation and deletion roles, and the Shared VPC Admin role for the organization.
- These admins can define organization-level policies, but specific folder and project actions require additional folder and project roles.
Is an Org Admin different from an Org IAM Admin?
- No. There is only a single role for the Org Admin, and it allows both IAM and resource-level administration.
Can an Org Admin create projects?
No. The Org Admin role by itself lacks the Project Creator permission. The same holds for Folder Admins: the folder admin is not granted Project Creator by default.
Solution: if you would like to create projects anywhere under the Org, you need to grant yourself the Project Creator role AT THE ORG LEVEL. The same applies to Folder Admins that need to create projects under their specific folder (to create projects in ANY folder, you would need to grant the role at the Org level).
Shared VPC Admin
This is probably the admin role that you will work with more often than the others.
- The Shared VPC Admin role includes the Compute Shared VPC Admin (compute.xpnAdmin) and the Project IAM Admin (resourcemanager.projectIamAdmin) roles, granted at a higher level, i.e. at the organization level or a folder level.
- A Shared VPC Admin can set up a Shared VPC, which includes enabling host projects, attaching service projects to host projects, and delegating access to some or all of the subnets in Shared VPC networks to Service Project Admins.
- A Shared VPC Admin for a given host project is typically its project owner as well.
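To make the inheritance rules behind the last two sections concrete (an Org Admin or Folder Admin lacking Project Creator unless it is granted at the org level, and the Shared VPC Admin pair of roles granted at the org or folder level), here is an added example that is not from the original post: a small Python resolver that walks a constructed org/folder/project hierarchy with constructed member and role bindings. It generalizes to any depth of folders rather than the single level discussed above; every ID and member below is a constructed sample value.

```python
# Added example (not from the original post): resolve which roles a principal
# effectively holds on a resource by walking the GCP hierarchy upward, because
# IAM policies are inherited organization -> folder -> project.
# All resource IDs, members and bindings below are constructed sample values.

# Constructed hierarchy: each resource names its parent (None = the organization).
PARENTS = {
    "organizations/123456789": None,
    "folders/111": "organizations/123456789",
    "folders/222": "organizations/123456789",
    "projects/payments-prod": "folders/111",
    "projects/analytics-dev": "folders/222",
}

# Constructed IAM policies: resource -> role -> set of members.
POLICIES = {
    "organizations/123456789": {
        "roles/resourcemanager.organizationAdmin": {"user:alice@example.com"},
        "roles/resourcemanager.projectCreator": {"user:bob@example.com"},
        "roles/compute.xpnAdmin": {"user:carol@example.com"},
        "roles/resourcemanager.projectIamAdmin": {"user:carol@example.com"},
    },
    "folders/111": {
        "roles/resourcemanager.folderAdmin": {"user:dave@example.com"},
    },
}

def ancestors(resource):
    """Yield the resource itself, then each parent up to the organization."""
    while resource is not None:
        yield resource
        resource = PARENTS[resource]

def effective_roles(member, resource):
    """Union of roles granted to member on resource or on any ancestor."""
    roles = set()
    for node in ancestors(resource):
        for role, members in POLICIES.get(node, {}).items():
            if member in members:
                roles.add(role)
    return roles

def can_create_project(member, parent):
    """Creating a project needs projectCreator on the parent or an ancestor;
    organizationAdmin and folderAdmin by themselves do not include it."""
    return "roles/resourcemanager.projectCreator" in effective_roles(member, parent)

def is_shared_vpc_admin(member, resource):
    """Shared VPC Admin = compute.xpnAdmin plus projectIamAdmin, inherited from org or folder."""
    needed = {"roles/compute.xpnAdmin", "roles/resourcemanager.projectIamAdmin"}
    return needed <= effective_roles(member, resource)
```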
Service Project (not VPC) admin
Why is it a service PROJECT admin and not a VPC admin? For starters, Service Projects are not even required to have a VPC. That's right - you can have resources (VMs) inside a Service Project that do not belong to a VPC.
Summary
The different levels in a GCP resource hierarchy can call for different levels of Admin roles. This post tries to distinguish between when to use which role.
Need an experienced Cloud Networking or a Cloud Data Protection Expert? Anuj has successfully delivered over a dozen deployments on each of the public clouds (AWS/GCP/Azure) including several DevSecOps engagements. Set up a time with Anuj Varma.