How to prevent a user from creating GCP project

google-cloud-platform

In GCP, any user is able to create a project. An organisation may end up having a lot of projects in its hierarchy.

How do we disable all the users from being able to create projects, and only allow a few authorized to do so?

Best Answer

Permissions are inherited from the top, in this case from the organization:

By default, when the organization is created your entire domain is granted Project Creator and Billing Account Creator IAM roles at the organization level. This ensures that users in your domain will be able to continue creating projects as they did before and no disruption occurs.

The Organization Administrator will decide when they want to start actively using the organization. They can then change the default permissions and enforce more restrictive policies as needed.

In Using Resource Hierarchy for Access Control there's a gem at the very bottom:

If you want to limit project creation in your Organization, change the Organization access policy to grant the Project Creator role to a group that you manage.

Specifically, the role you want to disinherit is roles/resourcemanager.projectCreator:

Provides access to create new projects. Once a user creates a project, they're automatically granted the owner role for that project.
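One way to make that change safely, as an added example that is not part of the answer: take the JSON that `gcloud organizations get-iam-policy ORG_ID --format=json` returns (a constructed sample is embedded below), flag any domain-wide or all-users Project Creator grant, and rewrite the binding so only a group you manage holds the role. The organization ID, domain and group name are placeholders.

```python
import copy
import json

PROJECT_CREATOR = "roles/resourcemanager.projectCreator"
# Member forms that hand out a role far more widely than a managed group.
BROAD_PREFIXES = ("domain:", "allUsers", "allAuthenticatedUsers")

# Constructed sample of what `gcloud organizations get-iam-policy ORG_ID --format=json`
# returns for a fresh organization: the entire domain holds Project Creator.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["user:admin@example.com"]},
    {"role": "roles/resourcemanager.projectCreator",
     "members": ["domain:example.com", "user:platform-lead@example.com"]}
  ],
  "etag": "BwXyConstructedEtag="
}""")

def broad_project_creators(policy):
    """List projectCreator members granted via a domain or all-users form."""
    found = []
    for binding in policy.get("bindings", []):
        if binding["role"] == PROJECT_CREATOR:
            found += [m for m in binding["members"] if m.startswith(BROAD_PREFIXES)]
    return found

def restrict_project_creation(policy, group):
    """Return a copy of the org policy where projectCreator goes to `group`.

    Broad members are removed; explicit user:/serviceAccount: members are kept
    so no narrow grant is silently lost. The etag is preserved so that
    `gcloud organizations set-iam-policy` rejects a write against a stale copy.
    """
    new_policy = copy.deepcopy(policy)
    binding = next((b for b in new_policy["bindings"] if b["role"] == PROJECT_CREATOR), None)
    if binding is None:
        binding = {"role": PROJECT_CREATOR, "members": []}
        new_policy["bindings"].append(binding)
    binding["members"] = [m for m in binding["members"] if not m.startswith(BROAD_PREFIXES)]
    if "group:" + group not in binding["members"]:
        binding["members"].append("group:" + group)
    return new_policy

if __name__ == "__main__":
    fixed = restrict_project_creation(SAMPLE_POLICY, "project-creators@example.com")
    # Save this JSON and apply it with: gcloud organizations set-iam-policy ORG_ID policy.json
    print(json.dumps(fixed, indent=2))
```

Run `broad_project_creators` again on the policy you read back after applying it, and on each folder if Project Creator has been granted lower in the hierarchy, since a folder-level domain grant reopens the same gap.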
