GCP Owner and Administrator roles for organization

Tags: google-cloud-platform, google-iam

I am assigned the "Owner" role on the whole GCP organization, yet I cannot access organization IAM or billing accounts.
I've tried running a query on the principal, and I can see my account as a member of the "roles/owner" role, but still nothing. Is it a bug, or is it really intended to be so that the owner role has fewer permissions than resourcemanager.organizationAdministrator? Thanks!

Best Answer

The basic difference between the owner role and the admin role is this:

An owner of an Organization is the member that has purchased the subscription. An owner has all privileges which include buying, upgrading, downgrading and cancelling subscriptions, modifying product access privileges, inviting and removing members from an Organization, and changing member roles. Each Organization can only have one owner.

Whereas an admin of an Organization is a member that has privileges which include modifying product access privileges for other members, inviting and removing members from an Organization, and changing member roles. An Organization can have more than one admin.

To confirm which role you have, you can run the command below:

    gcloud iam roles describe ROLE_ID [--organization=ORGANIZATION | --project=PROJECT_ID] [GCLOUD_WIDE_FLAG …]

You can refer to 1 for clarification on the above parameters or if you find any error.

To check which exact role you need for your billing account, refer to the link below: https://cloud.google.com/iam/docs/understanding-roles#billing-roles

By default, the resource manager admin has project-only authority; refer to the link below: https://cloud.google.com/iam/docs/understanding-roles#resource-manager-roles
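To turn the `gcloud iam roles describe` check above into a direct comparison of what one role grants that another lacks, here is an added example (not part of the answer above): it parses the `--format=json` output of two `describe` calls and groups the permissions missing from the first role by service prefix. The embedded role documents are constructed sample data, not the real definitions of `roles/owner` or `roles/resourcemanager.organizationAdmin`; replace them with real output to get a true comparison.

```python
import json
from collections import defaultdict

# Constructed sample of `gcloud iam roles describe ROLE --format=json` output.
# The permission lists are illustrative, NOT the real contents of these roles.
# Real data:  gcloud iam roles describe roles/owner --format=json > owner.json
OWNER_JSON = json.dumps({
    "name": "roles/owner",
    "title": "Owner",
    "includedPermissions": [
        "resourcemanager.projects.get",
        "resourcemanager.projects.setIamPolicy",
        "resourcemanager.organizations.get",
        "compute.instances.list",
    ],
})
ORG_ADMIN_JSON = json.dumps({
    "name": "roles/resourcemanager.organizationAdmin",
    "title": "Organization Administrator",
    "includedPermissions": [
        "resourcemanager.organizations.get",
        "resourcemanager.organizations.getIamPolicy",
        "resourcemanager.organizations.setIamPolicy",
        "resourcemanager.projects.get",
    ],
})


def permissions(role_json: str) -> set:
    """Return the includedPermissions of one `roles describe` JSON document."""
    role = json.loads(role_json)
    return set(role.get("includedPermissions", []))


def missing_by_service(have_json: str, want_json: str) -> dict:
    """Permissions granted by `want` but not by `have`, grouped by the service
    prefix (the part before the first dot, e.g. 'resourcemanager', 'billing').
    An empty dict means `have` is a superset of `want`."""
    gap = permissions(want_json) - permissions(have_json)
    grouped = defaultdict(list)
    for perm in sorted(gap):
        grouped[perm.split(".", 1)[0]].append(perm)
    return dict(grouped)


if __name__ == "__main__":
    # Which org-level permissions does the sample "owner" role lack?
    for service, perms in missing_by_service(OWNER_JSON, ORG_ADMIN_JSON).items():
        print(f"{service}:")
        for perm in perms:
            print(f"  {perm}")
```

Run the same comparison against a billing role's JSON to see which `billing.*` permissions the owner grant does not carry at the organization level.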
