
Document and add to bootstrap.sh 6 super admin required roles required to prepare for terraform service account permissions #42

Open
fmichaelobrien opened this issue Jul 22, 2022 · 10 comments

Comments

@fmichaelobrien
Contributor

The following roles will be added to the readme and set automatically in bootstrap.sh to avoid a possible terraform permissions failure if the 6 are not set during the bootstrap.sh check:

(iam.serviceAccountTokenCreator roles/resourcemanager.folderAdmin roles/resourcemanager.organizationAdmin orgpolicy.policyAdmin resourcemanager.projectCreator billing.projectManager )

see
https://github.com/canada-ca/accelerators_accelerateurs-gcp/blob/main/deployment-templates/Terraform/guardrails/0-bootstrap/bootstrap.sh#L38

The script currently exits until all roles are set. It should not be the responsibility of the client to add these, as the client may progress to terraform init without the changes.

getrole()
{
    array=( iam.serviceAccountTokenCreator roles/resourcemanager.folderAdmin roles/resourcemanager.organizationAdmin orgpolicy.policyAdmin resourcemanager.projectCreator billing.projectManager )
    for i in "${array[@]}"
    do
	    echo "$i"
        ROLE=`gcloud organizations get-iam-policy $1 --filter="bindings.members:$2" --flatten="bindings[].members" --format="table(bindings.role)" | grep $i`
        if [ -z "$ROLE" ]
        then
            echo "roles/$i role missing"
            exit 1
        else
            echo "${ROLE} role set OK on super admin account"
        fi  
done
}
@obriensystems
Contributor

P1 assigned to fmichaelobrien

@fmichaelobrien
Contributor Author

I'll upload repro, docs and PR shortly
TL;DR: the script exits by design when no super admin SATC role is found, so that TF does not fail later, but I did not make it clear to the user or in the last PR test in June (#24 (comment)). I will add this to the role automation; I hesitated to modify permissions automatically for the super admin like we do for the TF SA. Ideally the roles on the super admin are at the org level. The other issues around reentrant bootstrap and undo capabilities are in the issue queue on the repo under #38 (the dual billing/IAM billing admin Claudia mentioned, specific to cloud brokerage accounts only) and #25.

@obriensystems
Contributor

procedure to document and code into bootstrap.sh with "apply roles to user account at org level y/n" dialog

admin_root@cloudshell:~ (biometric-ncorg)$ SUPER_ADMIN_EMAIL=admin-root@nuag...g
admin_root@cloudshell:~ (biometric-ncorg)$ gcloud organizations add-iam-policy-binding $ORG_ID --member=user:$SUPER_ADMIN_EMAIL --role=roles/iam.serviceAccountTokenCreator
Updated IAM policy for organization [47...].
bindings:
- members:
  - user:admin-root@nuage-cloud.org
  role: roles/iam.serviceAccountTokenCreator

before
[screenshot: Screen Shot 2022-07-31 at 5 12 23 PM]

after
[screenshot: Screen Shot 2022-07-31 at 5 12 43 PM]

@fmichaelobrien
Contributor Author

also verify the validation
canada-ca/cloud-guardrails-gcp#9 (review)

@fmichaelobrien
Contributor Author

port PBMM TF already has apply_roles in

https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/environments/bootstrap/bootstrap.sh#L90
around

# excerpt around line 90 of the PBMM bootstrap.sh; the function header is not in
# the quoted lines and is reconstructed from the apply_roles name mentioned above
apply_roles()
{
ORGID=$(gcloud organizations list --format="get(name)" --filter=displayName=$DOMAIN)
ROLES=("roles/billing.projectManager" "roles/orgpolicy.policyAdmin" "roles/resourcemanager.folderCreator" "roles/resourcemanager.organizationViewer" "roles/resourcemanager.projectCreator" "roles/billing.projectManager" "roles/billing.viewer")

# Loop through each Role in Roles and apply to Organization node.
# USER is assumed to hold the account e-mail, not the Cloud Shell login name.
echo "INFO - Applying roles to Organization Node"
for i in "${ROLES[@]}" ; do
  # stdout (the full policy dump) is discarded; stderr stays visible so a failed
  # grant is not silently lost (the excerpt's trailing 1>&1 was a no-op)
  gcloud organizations add-iam-policy-binding $ORGID  --member=user:$USER --role=$i --quiet > /dev/null
done
}

in our case

apply_roles()
{
ORGID=$(gcloud organizations list --format="get(name)" --filter=displayName=$DOMAIN)
ROLES=("iam.serviceAccountTokenCreator" "roles/resourcemanager.folderAdmin" "roles/resourcemanager.organizationAdmin" "orgpolicy.policyAdmin" "resourcemanager.projectCreator" "billing.projectManager" )
#ROLES=("roles/billing.projectManager" "roles/orgpolicy.policyAdmin" "roles/resourcemanager.folderCreator" "roles/resourcemanager.organizationViewer" "roles/resourcemanager.projectCreator" "roles/billing.projectManager" "roles/billing.viewer")

# Loop through each Role in Roles and apply to Organization node.
# USER is assumed to hold the account e-mail, not the Cloud Shell login name.
echo "INFO - Applying roles to Organization Node"
for i in "${ROLES[@]}" ; do
  # stdout (the full policy dump) is discarded; stderr stays visible so a failed
  # grant is not silently lost (the PBMM excerpt's trailing 1>&1 was a no-op)
  gcloud organizations add-iam-policy-binding $ORGID  --member=user:$USER --role=$i --quiet > /dev/null
done
}

@fmichaelobrien
Contributor Author

BUG: Noticed that the role list has 4 missing roles/ prefixes. The account under test would need to already have 3 of these roles set, which it would (org admin, project creator, billing admin), but service account token creator would miss a check.

I will put a PR in

59856bf#diff-87abc6dccd3053818bc94f025af8394366a2a0eca101a0de3133f67256664543R34

adjust for

#ROLES=("iam.serviceAccountTokenCreator" "roles/resourcemanager.folderAdmin" "roles/resourcemanager.organizationAdmin" "orgpolicy.policyAdmin" "resourcemanager.projectCreator" "billing.projectManager" )
ROLES=("roles/iam.serviceAccountTokenCreator" "roles/resourcemanager.folderAdmin" "roles/resourcemanager.organizationAdmin" "roles/orgpolicy.policyAdmin" "roles/resourcemanager.projectCreator" "roles/billing.projectManager" )

@obriensystems
Contributor

obriensystems commented Sep 15, 2022

Verified not a bug for read - but would be for write
for example I deleted org policy admin - we catch it
But I will adjust the array for role writing
[screenshot: Screen Shot 2022-09-15 at 12 34 10]

with 1 missing role = ok

    array=( roles/iam.serviceAccountTokenCreator roles/resourcemanager.folderAdmin roles/resourcemanager.organizationAdmin roles/orgpolicy.policyAdmin roles/resourcemanager.projectCreator roles/billing.projectManager )



admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-nc-info)$ ./bootstrap.sh -d sscncinfo -p accelerator-nc-info
seed project id: sscncinfo-seed-project
boostrap project id: accelerator-nc-info
org id: 93413315325
billing id: 01522C-BEE0DC-529989
Updated property [core/project].
checking roles of current account: admin-root@nuage-cloud.info
roles/iam.serviceAccountTokenCreator
ROLE: roles/iam.serviceAccountTokenCreator role set OK on super admin account
roles/resourcemanager.folderAdmin
ROLE: roles/resourcemanager.folderAdmin role set OK on super admin account
roles/resourcemanager.organizationAdmin
ROLE: roles/resourcemanager.organizationAdmin role set OK on super admin account
roles/orgpolicy.policyAdmin
roles/roles/orgpolicy.policyAdmin role missing

testing write

admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-nc-info)$ export REGION=northamerica-northeast1
export PROJECT_ID=$(gcloud config list --format 'value(core.project)')
export ORG_ID=$(gcloud projects get-ancestors $PROJECT_ID --format='get(id)' | tail -1)
export EMAIL=$(gcloud config list --format json|jq .core.account | sed 's/"//g')
export BILLING_ID=$(gcloud alpha billing projects describe $PROJECT_ID '--format=value(billingAccountName)' | sed 's/.*\///')
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-nc-info)$ echo $EMAIL
admin-root@nuage-cloud.info
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-nc-info)$ echo $BILLING_ID
01522C-BEE0DC-529989


admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-nc-info)$ gcloud organizations add-iam-policy-binding $ORG_ID  --member=user:$EMAIL --role=roles/orgpolicy.policyAdmin
Updated IAM policy for organization [93413315325].
auditConfigs:
- auditLogConfigs:
  - logType: DATA_WRITE
  - logType: DATA_READ
  - logType: ADMIN_READ
  service: allServices
bindings:
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/accesscontextmanager.policyAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/bigquery.dataEditor
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  - user:admin-root@nuage-cloud.info
  role: roles/billing.admin
- members:
  - domain:nuage-cloud.info
  - user:admin-root@nuage-cloud.info
  role: roles/billing.creator
- members:
  - user:admin-root@nuage-cloud.info
  role: roles/billing.projectManager
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/billing.user
- members:
  - group:billing_data_users@nuage-cloud.info
  - group:ssc_broker_users@nuage-cloud.info
  role: roles/billing.viewer
- members:
  - group:ssc_broker_users@nuage-cloud.info
  role: roles/cloudasset.viewer
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/compute.networkAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/compute.xpnAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/iam.organizationRoleAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/iam.serviceAccountAdmin
- members:
  - user:admin-root@nuage-cloud.info
  role: roles/iam.serviceAccountTokenCreator
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/logging.configWriter
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  - user:admin-root@nuage-cloud.info
  role: roles/orgpolicy.policyAdmin
- members:
  - user:admin-root@nuage-cloud.info
  role: roles/owner
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/pubsub.admin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  - user:admin-root@nuage-cloud.info
  role: roles/resourcemanager.folderAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  - user:admin-root@nuage-cloud.info
  role: roles/resourcemanager.organizationAdmin
- members:
  - domain:nuage-cloud.info
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  - user:admin-root@nuage-cloud.info
  role: roles/resourcemanager.projectCreator
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/resourcemanager.projectDeleter
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/resourcemanager.projectIamAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/resourcemanager.projectMover
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/serviceusage.serviceUsageAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/storage.admin
etag: BwXoueNl62g=
version: 1



verify
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-nc-info)$ ./bootstrap.sh -d sscncinfo -p accelerator-nc-info
seed project id: sscncinfo-seed-project
boostrap project id: accelerator-nc-info
org id: 93413315325
billing id: 01522C-BEE0DC-529989
Updated property [core/project].
checking roles of current account: admin-root@nuage-cloud.info
roles/iam.serviceAccountTokenCreator
ROLE: roles/iam.serviceAccountTokenCreator role set OK on super admin account
roles/resourcemanager.folderAdmin
ROLE: roles/resourcemanager.folderAdmin role set OK on super admin account
roles/resourcemanager.organizationAdmin
ROLE: roles/resourcemanager.organizationAdmin role set OK on super admin account
roles/orgpolicy.policyAdmin
ROLE: roles/orgpolicy.policyAdmin role set OK on super admin account
roles/resourcemanager.projectCreator
ROLE: roles/resourcemanager.projectCreator role set OK on super admin account
roles/billing.projectManager
ROLE: roles/billing.projectManager role set OK on super admin account
all roles set OK on super admin account:  admin-root@nuage-cloud.info - proceeding


-- a/deployment-templates/Terraform/guardrails/0-bootstrap/bootstrap.sh
+++ b/deployment-templates/Terraform/guardrails/0-bootstrap/bootstrap.sh
@@ -31,7 +31,7 @@ usage()

 getrole()
 {
-    array=( iam.serviceAccountTokenCreator roles/resourcemanager.folderAdmin roles/resourcemanager.organizationAdmin orgpolicy.policyAdmin resourcemanager.projectCreator billing.projectManager )
+    array=( roles/iam.serviceAccountTokenCreator roles/resourcemanager.folderAdmin roles/resourcemanager.organizationAdmin roles/orgpolicy.policyAdmin roles/resourcemanager.projectCreator roles/billing.projectManager )
     for i in "${array[@]}"
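Review bot: the array now carries the `roles/` prefix on every entry, but the missing-role message a few lines below the hunk, `echo "roles/$i role missing"`, still prepends `roles/`, which is why the run above prints `roles/roles/orgpolicy.policyAdmin role missing`; change it to `echo "$i role missing"`. While here, `grep $i` is an unanchored regex match on the table output, so the dots in the role name act as wildcards; `grep -F -- "$i"` makes it a literal match.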

use for now


export PROJECT_ID=$(gcloud config list --format 'value(core.project)')
export ORG_ID=$(gcloud projects get-ancestors $PROJECT_ID --format='get(id)' | tail -1)
export EMAIL=$(gcloud config list --format json|jq .core.account | sed 's/"//g')
gcloud organizations add-iam-policy-binding $ORG_ID  --member=user:$EMAIL --role=roles/iam.serviceAccountTokenCreator
gcloud organizations add-iam-policy-binding $ORG_ID  --member=user:$EMAIL --role=roles/orgpolicy.policyAdmin
gcloud organizations add-iam-policy-binding $ORG_ID  --member=user:$EMAIL --role=roles/resourcemanager.folderAdmin
gcloud organizations add-iam-policy-binding $ORG_ID  --member=user:$EMAIL --role=roles/resourcemanager.organizationAdmin
gcloud organizations add-iam-policy-binding $ORG_ID  --member=user:$EMAIL --role=roles/resourcemanager.projectCreator
gcloud organizations add-iam-policy-binding $ORG_ID  --member=user:$EMAIL --role=roles/billing.projectManager

@obriensystems
Contributor

testing

getrole()
{
    array=( roles/iam.serviceAccountTokenCreator roles/resourcemanager.folderAdmin roles/resourcemanager.organizationAdmin roles/orgpolicy.policyAdmin roles/resourcemanager.projectCreator roles/billing.projectManager )
    # $1 = org id, $2 = super admin e-mail: for each required role, look for an
    # org-level binding on that member and add the binding when it is missing
    for i in "${array[@]}"
    do
        echo "$i"
        ROLE=$(gcloud organizations get-iam-policy "$1" --filter="bindings.members:$2" --flatten="bindings[].members" --format="table(bindings.role)" | grep -F -- "$i")
        if [ -z "$ROLE" ]
        then
            # $i already carries the roles/ prefix, so it is not prepended again
            echo "$i role missing - setting"
            gcloud organizations add-iam-policy-binding "$1" --member="user:$2" --role="$i"
        else
            echo "${ROLE} role set OK on super admin account"
        fi
    done
}

result

admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-nc-info)$ ./bootstrap.sh -d sscncinfo -p accelerator-nc-info
seed project id: sscncinfo-seed-project
boostrap project id: accelerator-nc-info
org id: 93413315325
billing id: 01522C-BEE0DC-529989
Updated property [core/project].
checking roles of current account: admin-root@nuage-cloud.info
roles/iam.serviceAccountTokenCreator
ROLE: roles/iam.serviceAccountTokenCreator role set OK on super admin account
roles/resourcemanager.folderAdmin
ROLE: roles/resourcemanager.folderAdmin role set OK on super admin account
roles/resourcemanager.organizationAdmin
ROLE: roles/resourcemanager.organizationAdmin role set OK on super admin account
roles/orgpolicy.policyAdmin
roles/roles/orgpolicy.policyAdmin role missing - setting
Updated IAM policy for organization [93413315325].
auditConfigs:
- auditLogConfigs:
  - logType: DATA_WRITE
  - logType: DATA_READ
  - logType: ADMIN_READ
  service: allServices
bindings:
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/accesscontextmanager.policyAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/bigquery.dataEditor
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  - user:admin-root@nuage-cloud.info
  role: roles/billing.admin
- members:
  - domain:nuage-cloud.info
  - user:admin-root@nuage-cloud.info
  role: roles/billing.creator
- members:
  - user:admin-root@nuage-cloud.info
  role: roles/billing.projectManager
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/billing.user
- members:
  - group:billing_data_users@nuage-cloud.info
  - group:ssc_broker_users@nuage-cloud.info
  role: roles/billing.viewer
- members:
  - group:ssc_broker_users@nuage-cloud.info
  role: roles/cloudasset.viewer
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/compute.networkAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/compute.xpnAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/iam.organizationRoleAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/iam.serviceAccountAdmin
- members:
  - user:admin-root@nuage-cloud.info
  role: roles/iam.serviceAccountTokenCreator
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/logging.configWriter
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  - user:admin-root@nuage-cloud.info
  role: roles/orgpolicy.policyAdmin
- members:
  - user:admin-root@nuage-cloud.info
  role: roles/owner
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/pubsub.admin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  - user:admin-root@nuage-cloud.info
  role: roles/resourcemanager.folderAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  - user:admin-root@nuage-cloud.info
  role: roles/resourcemanager.organizationAdmin
- members:
  - domain:nuage-cloud.info
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  - user:admin-root@nuage-cloud.info
  role: roles/resourcemanager.projectCreator
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/resourcemanager.projectDeleter
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/resourcemanager.projectIamAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/resourcemanager.projectMover
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/serviceusage.serviceUsageAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/storage.admin
etag: BwXouf6_BgU=
version: 1
roles/resourcemanager.projectCreator
ROLE: roles/resourcemanager.projectCreator role set OK on super admin account
roles/billing.projectManager
ROLE: roles/billing.projectManager role set OK on super admin account
all roles set OK on super admin account:  admin-root@nuage-cloud.info - proceeding
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-nc-info)$ ./bootstrap.sh -d sscncinfo -p accelerator-nc-info
seed project id: sscncinfo-seed-project
boostrap project id: accelerator-nc-info
org id: 93413315325
billing id: 01522C-BEE0DC-529989
Updated property [core/project].
checking roles of current account: admin-root@nuage-cloud.info
roles/iam.serviceAccountTokenCreator
ROLE: roles/iam.serviceAccountTokenCreator role set OK on super admin account
roles/resourcemanager.folderAdmin
ROLE: roles/resourcemanager.folderAdmin role set OK on super admin account
roles/resourcemanager.organizationAdmin
ROLE: roles/resourcemanager.organizationAdmin role set OK on super admin account
roles/orgpolicy.policyAdmin
ROLE: roles/orgpolicy.policyAdmin role set OK on super admin account
roles/resourcemanager.projectCreator
ROLE: roles/resourcemanager.projectCreator role set OK on super admin account
roles/billing.projectManager
ROLE: roles/billing.projectManager role set OK on super admin account
all roles set OK on super admin account:  admin-root@nuage-cloud.info - proceeding
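The check-then-grant loop above, the "apply roles at org level y/n" procedure earlier in the thread and the missing `roles/` prefix bug all come down to the same thing: decide, per required role, whether the super admin already has a direct org-level binding, and produce the grant only for the ones that are absent. The script in this issue does that with a substring `grep` over a `table(...)` dump and a prefix that is easy to double up. The following is an added example, not the accelerator's bootstrap.sh and not code from either commenter. It matches the role name and the principal exactly, keeps the grants as printed commands until APPLY=1 is set (the y/n step), and runs offline against a constructed policy. The `user:admin-root@example.com` principal, the `tfadmin@seed...` service account, the org id `123456789012`, and the `fetch_policy` output shape (one `<role> <member>` line per flattened binding, which is what `--format="value(bindings.role,bindings.members)"` is assumed to yield) are all assumptions for the example.

```shell
#!/bin/sh
# Added example (not the accelerator's bootstrap.sh): exact-match check of the
# six org-level roles the bootstrap expects on the super admin, with the grant
# commands produced in dry-run form.

REQUIRED_ROLES='roles/iam.serviceAccountTokenCreator
roles/resourcemanager.folderAdmin
roles/resourcemanager.organizationAdmin
roles/orgpolicy.policyAdmin
roles/resourcemanager.projectCreator
roles/billing.projectManager'

# Constructed sample policy (all identifiers made up), in the shape assumed for
# fetch_policy below: "<role> <member>", one line per flattened binding member.
# policyAdmin is bound only to the Terraform SA and projectCreator only through
# a domain: grant, so neither is a direct binding on the super admin.
SAMPLE_POLICY=$(printf '%s\t%s\n' \
  roles/iam.serviceAccountTokenCreator    user:admin-root@example.com \
  roles/resourcemanager.folderAdmin       user:admin-root@example.com \
  roles/resourcemanager.organizationAdmin user:admin-root@example.com \
  roles/orgpolicy.policyAdmin             serviceAccount:tfadmin@seed.iam.gserviceaccount.com \
  roles/resourcemanager.projectCreator    domain:example.com \
  roles/billing.projectManager            user:admin-root@example.com)

# Live fetch (not run in this example); assumed to emit the same shape.
fetch_policy() {
  gcloud organizations get-iam-policy "$1" --flatten="bindings[].members" \
    --format="value(bindings.role,bindings.members)"
}

# roles_for_member POLICY MEMBER: roles bound directly to MEMBER. The comparison
# is on the whole principal string, so user:x@example.com does not match
# user:x@example.com.evil the way a "bindings.members:x@example.com" filter would.
roles_for_member() {
  printf '%s\n' "$1" | awk -v m="$2" '$2 == m { print $1 }'
}

# missing_roles POLICY MEMBER: print required roles that have no direct binding;
# exit 1 if any are missing, 0 if the member is fully provisioned.
missing_roles() {
  have=$(roles_for_member "$1" "$2")
  rc=0
  for r in $REQUIRED_ROLES; do
    # -F -x: literal, whole-line match, so no regex dots and no roles/roles/ drift
    if ! printf '%s\n' "$have" | grep -Fxq -- "$r"; then
      echo "$r"
      rc=1
    fi
  done
  return $rc
}

# grant_commands ORG_ID MEMBER POLICY: one add-iam-policy-binding per missing
# role. --condition=None keeps gcloud from prompting when the org policy already
# holds conditional bindings. Printed only, unless APPLY=1 (the y/n answer).
grant_commands() {
  for r in $(missing_roles "$3" "$2"); do
    cmd="gcloud organizations add-iam-policy-binding $1 --member=$2 --role=$r --condition=None"
    if [ "${APPLY:-0}" = 1 ]; then $cmd; else echo "$cmd"; fi
  done
}

# Demo against the constructed sample. For a live org, replace SAMPLE_POLICY
# with "$(fetch_policy "$ORG_ID")" and set APPLY=1 after confirming the list.
MEMBER=user:admin-root@example.com
if missing=$(missing_roles "$SAMPLE_POLICY" "$MEMBER"); then
  echo "all required roles bound directly to $MEMBER"
else
  echo "missing on $MEMBER:"
  echo "$missing"
  echo "would run:"
  grant_commands 123456789012 "$MEMBER" "$SAMPLE_POLICY"
fi
```

Only direct `user:` bindings count, which is what the bootstrap wants to guarantee: the `domain:` grant of projectCreator in the policy dumps above would not satisfy the check, and neither would a group membership. Running it twice is safe, since the second pass finds nothing missing and prints no grant.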

@obriensystems
Contributor

obriensystems commented Sep 18, 2022

TL;DR: Shared billing accounts do not get shared IAM roles; they need to be set separately.

code change in https://github.com/canada-ca/accelerators_accelerateurs-gcp/blob/main/deployment-templates/Terraform/guardrails/0-bootstrap/bootstrap.sh#L127

see (needs update for shared billing)
https://cloud.google.com/billing/docs/how-to/billing-access

Keep in mind that we need a workaround (see #47) for the fact that if the billing account is of type "shared", where it comes in under "No Organization, ID=0", then any service account created will not get inherited links from IAM set in Billing; roles like Billing Account User need to be set manually.

Example

michael@cloudshell:~$ gcloud config set project gcp-zone-landing-stg
Updated property [core/project].
michael@cloudshell:~ (gcp-zone-landing-stg)$ export PROJECT_ID=$(gcloud config list --format 'value(core.project)')
michael@cloudshell:~ (gcp-zone-landing-stg)$ export ORG_ID=$(gcloud projects get-ancestors $PROJECT_ID --format='get(id)' | tail -1)
michael@cloudshell:~ (gcp-zone-landing-stg)$ export SA_PREFIX=tfsa-example
michael@cloudshell:~ (gcp-zone-landing-stg)$ gcloud iam service-accounts create "${SA_PREFIX}" --display-name "Terraform example service account" --project=${PROJECT_ID}
Created service account [tfsa-example].
michael@cloudshell:~ (gcp-zone-landing-stg)$ export SA_EMAIL=`gcloud iam service-accounts list --project="${PROJECT_ID}" --filter=tfsa --format="value(email)"`
michael@cloudshell:~ (gcp-zone-landing-stg)$ echo $SA_EMAIL
tfsa-example@gcp-zone-landing-stg.iam.gserviceaccount.com

check existing roles
michael@cloudshell:~ (gcp-zone-landing-stg)$ gcloud organizations get-iam-policy $ORG_ID --filter="bindings.members:$SA_EMAIL" --flatten="bindings[].members" --format="table(bindings.role)"

Set the billing role
gcloud organizations add-iam-policy-binding ${ORG_ID}  --member=serviceAccount:${SA_EMAIL} --role=roles/billing.user

check again

michael@cloudshell:~ (gcp-zone-landing-stg)$ gcloud organizations add-iam-policy-binding ${ORG_ID}  --member=serviceAccount:${SA_EMAIL} --role=roles/billing.user
Updated IAM policy for organization [925207728429].
...
michael@cloudshell:~ (gcp-zone-landing-stg)$ gcloud organizations get-iam-policy $ORG_ID --filter="bindings.members:$SA_EMAIL" --flatten="bindings[].members" --format="table(bindings.role)"

ROLE: roles/billing.user

It may take a couple of minutes to show in IAM.

[screenshot: Screen Shot 2022-09-18 at 19 01 36]

Checking billing on the shared account

expected on billing accounts belonging to this org - via IAM inheritance in billing
[screenshot: Screen Shot 2022-09-18 at 19 04 02]

not expected on billing accounts shared from other orgs
[screenshot: Screen Shot 2022-09-18 at 19 04 49]

ref GoogleCloudPlatform/pbmm-on-gcp-onboarding#177

fmichaelobrien added a commit to fmichaelobrien/accelerators_accelerateurs-gcp that referenced this issue Oct 3, 2022
@fmichaelobrien
Contributor Author

before bootstrap.sh - pending PR to add it

export PROJECT_ID=$(gcloud config list --format 'value(core.project)')
export ORG_ID=$(gcloud projects get-ancestors $PROJECT_ID --format='get(id)' | tail -1)
export EMAIL=$(gcloud config list --format json|jq .core.account | sed 's/"//g')
gcloud organizations add-iam-policy-binding $ORG_ID  --member=user:$EMAIL --role=roles/iam.serviceAccountTokenCreator
gcloud organizations add-iam-policy-binding $ORG_ID  --member=user:$EMAIL --role=roles/orgpolicy.policyAdmin
gcloud organizations add-iam-policy-binding $ORG_ID  --member=user:$EMAIL --role=roles/resourcemanager.folderAdmin
gcloud organizations add-iam-policy-binding $ORG_ID  --member=user:$EMAIL --role=roles/resourcemanager.organizationAdmin
gcloud organizations add-iam-policy-binding $ORG_ID  --member=user:$EMAIL --role=roles/resourcemanager.projectCreator
gcloud organizations add-iam-policy-binding $ORG_ID  --member=user:$EMAIL --role=roles/billing.projectManager
