Google Cloud Platform service account not getting permissions from organisation custom role

I have the following service account

my-sa@my-project.iam.gserviceaccount.com

Which seems to have the following custom role

▶ gcloud projects get-iam-policy my-project \
--flatten="bindings[].members" \
--format='table(bindings.role)' \
--filter="bindings.members:my-sa@my-project.iam.gserviceaccount.com"
ROLE
organizations/123456789/roles/my_custom_role

This custom role has the following permissions


▶ gcloud iam roles describe my_custom_role --organization 123456789
description: My custom role
etag: kdkdkdkd=
includedPermissions:
- container.clusters.get
- container.clusters.list
- container.clusters.update
- container.nodes.delete
- container.nodes.list
- container.operations.get
- resourcemanager.projects.get
- resourcemanager.projects.list
name: organizations/123456789/roles/my_custom_role
stage: GA
title: my_custom_role-

However, when assuming this role (I create, download and log in using a JSON private key) and listing projects, I cannot see all the organisation's projects but rather only the project the SA belongs to, although I should, given that

  • the SA has an org level role
  • it has the resourcemanager.projects.get and resourcemanager.projects.list permissions

Why is that?

>Solution :

To see other projects, you need a higher-level permission on your org.

> and listing projects, I cannot see all the organisation's projects but rather only the project the SA belongs to, although I should, given that

This is expected, because the project can only control who sees this project.
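The distinction the answer relies on (a custom role is *defined* at the organisation, but was only *bound* on the project, so its permissions are effective only there) can be checked from the IAM policies of each resource. The following is an added example, not code from the question or answer; the policy and role documents are constructed to mirror the post, in the JSON shape `gcloud ... get-iam-policy --format=json` and `gcloud iam roles describe --format=json` emit, and folder inheritance is deliberately ignored.

```python
"""Where is a principal bound, and at which scope is a permission effective?"""
import json

# Constructed stand-ins for `gcloud organizations get-iam-policy 123456789`
# and `gcloud projects get-iam-policy my-project` (JSON form). Note that
# members carry a type prefix such as "serviceAccount:" in the real output.
POLICIES = {
    "organizations/123456789": json.loads("""{"bindings": [
        {"role": "roles/browser", "members": ["user:admin@example.com"]}]}"""),
    "projects/my-project": json.loads("""{"bindings": [
        {"role": "organizations/123456789/roles/my_custom_role",
         "members": ["serviceAccount:my-sa@my-project.iam.gserviceaccount.com"]}]}"""),
}

# Constructed stand-in for `gcloud iam roles describe`; roles/browser is a
# subset of the real predefined role, listed here for the example only.
ROLE_PERMISSIONS = {
    "organizations/123456789/roles/my_custom_role": {
        "container.clusters.get", "container.clusters.list",
        "resourcemanager.projects.get", "resourcemanager.projects.list",
    },
    "roles/browser": {"resourcemanager.projects.get", "resourcemanager.projects.list"},
}

def bindings_for(member, policies=POLICIES):
    """Return {resource: [roles]} for every resource whose policy binds `member`."""
    found = {}
    for resource, policy in policies.items():
        roles = [b["role"] for b in policy.get("bindings", [])
                 if member in b.get("members", [])]
        if roles:
            found[resource] = roles
    return found

def permission_scopes(member, permission, policies=POLICIES, role_perms=ROLE_PERMISSIONS):
    """Resources on which `member` actually holds `permission`.

    A role grants its permissions where it is *bound*, not where it is *defined*:
    the org-prefixed role name below still yields only a project-scoped grant."""
    return sorted(res for res, roles in bindings_for(member, policies).items()
                  if any(permission in role_perms.get(r, set()) for r in roles))

def can_list_org_projects(member, org, **kw):
    """True only if resourcemanager.projects.list is bound on the organisation itself."""
    return org in permission_scopes(member, "resourcemanager.projects.list", **kw)
```

Run against the constructed policies, the service account's only binding is on `projects/my-project`, so `can_list_org_projects` is False for it while the org-bound user passes.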
