Due to the hierarchical nature of resources in GCP (the organization is the root, folders are the branches, and projects sit at the lowest level - they are always LEAVES, never branches), several distinct kinds of IAM admin come into play. Also read - Org level admin policies in GCP

What about a PROJECT level IAM admin?

There is a specific role for this - Project IAM Admin (roles/resourcemanager.projectIamAdmin). Whether you use this role or the basic (formerly "primitive") Project OWNER role depends upon your exact needs: Project IAM Admin only lets the principal read and set the project's IAM policy, without the broad data-plane access that Owner carries. Keep in mind that setIamPolicy on a project is itself a path to Owner, since whoever holds it can grant any project-level role, including to themselves.

What is an Org Admin?

  • Organization Admins have the resourcemanager.organizationAdmin role for the top level organization.
  • They are the only ones allowed to nominate Shared VPC Admins (see below) by granting them appropriate project creation and deletion roles, and the Shared VPC Admin role for the organization.
  • These admins can define organization-level policies, but specific folder and project actions require additional folder and project roles.

Is an Org Admin different from an Org IAM Admin?

  • No - there is only a single role for the Org Admin, and it covers both organization-level IAM (it includes resourcemanager.organizations.setIamPolicy) and resource-level administration.

Can an Org Admin create projects?

No. The Org Admin role by itself lacks the resourcemanager.projects.create permission that the Project Creator role carries. The same goes for Folder Admins - the Folder Admin role is not granted Project Creator by default.

Solution: if you would like to create projects anywhere under the Org, grant yourself the Project Creator role (roles/resourcemanager.projectCreator) AT THE ORG LEVEL; like any IAM binding, it is inherited by every folder and project beneath it. A Folder Admin who only needs to create projects under their specific folder can be granted Project Creator on that folder (for ANY folder, the grant has to be at the Org level).
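To make the inheritance rules above concrete, here is an added example (not code from the original post) that models an org -> folder -> project tree with IAM bindings and answers "can this member create projects under this node?". It assumes a constructed, simplified subset of the predefined roles' permissions (the ROLE_PERMISSIONS table) rather than the full role definitions, and the member names, org ID and folder IDs are made up for the demo. The real permission lists can be confirmed with `gcloud iam roles describe roles/resourcemanager.folderAdmin` and friends.

```python
"""Effective-permission check over a GCP-style resource hierarchy.

Added example, not from the original post.  Models the organization ->
folder -> project tree and IAM inheritance: a binding on an ancestor applies
to every descendant.  ROLE_PERMISSIONS is a constructed subset of the
predefined roles, holding only the permissions that matter for the question
"can this member create projects here?".  It is illustrative, not the real
role definitions; check those with `gcloud iam roles describe ROLE`.
"""
from __future__ import annotations

from dataclasses import dataclass, field

PROJECT_CREATE = "resourcemanager.projects.create"

# Constructed subset of the predefined roles' permissions (illustrative only).
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "roles/resourcemanager.organizationAdmin": {
        "resourcemanager.organizations.get",
        "resourcemanager.organizations.getIamPolicy",
        "resourcemanager.organizations.setIamPolicy",
        "resourcemanager.folders.get",
        "resourcemanager.folders.setIamPolicy",
        "resourcemanager.projects.get",
        "resourcemanager.projects.setIamPolicy",
    },
    "roles/resourcemanager.folderAdmin": {
        "resourcemanager.folders.get",
        "resourcemanager.folders.create",
        "resourcemanager.folders.setIamPolicy",
        "resourcemanager.projects.get",
        "resourcemanager.projects.move",
    },
    "roles/resourcemanager.projectCreator": {
        "resourcemanager.organizations.get",
        PROJECT_CREATE,
    },
    "roles/resourcemanager.projectIamAdmin": {
        "resourcemanager.projects.get",
        "resourcemanager.projects.getIamPolicy",
        "resourcemanager.projects.setIamPolicy",
    },
}


@dataclass
class Node:
    """One resource in the hierarchy with its own IAM bindings (role -> members)."""
    name: str                       # e.g. "organizations/123", "folders/45"
    parent: Node | None = None
    bindings: dict[str, set[str]] = field(default_factory=dict)

    def grant(self, role: str, member: str) -> None:
        self.bindings.setdefault(role, set()).add(member)

    def ancestry(self):
        """Yield this node, then each ancestor up to the organization."""
        node: Node | None = self
        while node is not None:
            yield node
            node = node.parent


def effective_roles(node: Node, member: str) -> set[str]:
    """Roles the member holds on node directly or via any ancestor."""
    roles: set[str] = set()
    for ancestor in node.ancestry():
        for role, members in ancestor.bindings.items():
            if member in members:
                roles.add(role)
    return roles


def has_permission(node: Node, member: str, permission: str) -> bool:
    return any(permission in ROLE_PERMISSIONS.get(r, set())
               for r in effective_roles(node, member))


def can_create_project_under(node: Node, member: str) -> bool:
    """projects.create is evaluated on the parent (org or folder), never on a project."""
    return has_permission(node, member, PROJECT_CREATE)


def build_demo() -> tuple[Node, Node, Node]:
    """Constructed demo tree: one org, two folders, three principals (made-up names)."""
    org = Node("organizations/123456789012")
    prod = Node("folders/100", org)
    dev = Node("folders/200", org)
    # Org Admin only: no projects.create anywhere, as the post notes.
    org.grant("roles/resourcemanager.organizationAdmin", "user:orgadmin@example.com")
    # Folder Admin + Project Creator on the dev folder only.
    dev.grant("roles/resourcemanager.folderAdmin", "user:devadmin@example.com")
    dev.grant("roles/resourcemanager.projectCreator", "user:devadmin@example.com")
    # Project Creator at the ORG level: inherited by every folder.
    org.grant("roles/resourcemanager.projectCreator", "user:platform@example.com")
    return org, prod, dev


if __name__ == "__main__":
    org, prod, dev = build_demo()
    for member in ("user:orgadmin@example.com", "user:devadmin@example.com",
                   "user:platform@example.com"):
        for node in (org, prod, dev):
            print(f"{member:30} create project under {node.name:26}: "
                  f"{can_create_project_under(node, member)}")
```

The output shows the three cases the post describes: the Org Admin cannot create a project anywhere, the Folder Admin with Project Creator on folders/200 can create only there, and the org-level Project Creator can create under every folder. The same resolver can be pointed at a real policy by loading `gcloud organizations get-iam-policy ORG_ID --format=json` into the bindings.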

Shared VPC Admin

This is probably the admin role (roles/compute.xpnAdmin) that you will work with more often than the others: it is the one that enables a host project, attaches service projects to it, and delegates some or all of the host project's subnets to Service Project Admins.

Service Project (not VPC) admin

Why is it a Service PROJECT Admin and not a VPC admin? For starters, a service project is not even required to have a VPC of its own. That's right - the VMs in a service project can sit entirely in subnets of the host project's Shared VPC network, so the service project itself need not contain any VPC at all.

Summary

The different levels in a GCP resource hierarchy can call for different levels of Admin roles. This post tries to distinguish between when to use which role.

Need an experienced Cloud Networking or a Cloud Data Protection Expert?  Anuj has successfully delivered over a dozen deployments on each of the public clouds (AWS/GCP/Azure) including several DevSecOps engagements. Set up a time with Anuj Varma.