Unable to access organisations’s IAM and audit logs pages in Google Cloud

google-cloud-platformpermissions

I have been granted the "Security reviewer" role for my organization on Google Cloud Platform. Accorind to this page (https://cloud.google.com/iam/docs/understanding-roles#iam-roles) security reviewer has resourcemanager.organizations.getIamPolicy permission. However, when I visit the IAM or audit logs pages, I receive the error "You do not have sufficient permissions to view this page". On the bottom of the error page, it states that

"Minimum permissions required for this page:

resourcemanager.organizations.getIamPolicy

All permissions checked for the current organization:

resourcemanager.organizations.getIamPolicy
resourcemanager.organizations.setIamPolicy"

I should have fulfilled the Minimum permissions required.

Does it mean I also resourcemanager.organizations.setIamPolicy in order to view these pages?

Thank you.

Best Answer

Since those roles are granted at Organization Level, I would suggest to add the Organization Viewer role to your user and thus he can view all project's IAM menu in the Cloud Console.

The Organization Viewer role is part of the Resource Manager Roles and it provides access to view an organization and you should be able to explore the IAM in each project that is under your organization.

Related Solutions

Google Cloud – Unable to Access Organization’s IAM Settings

It looks like you may have removed the resourcemanager.organizationAdmin role from your super admin account. You can try these steps to set it back:

Navigate to https://console.cloud.google.com and ensure your are logged in with the same account that is your GSuite super admin account.
Launch the Cloud Shell by clicking on the '>_' icon next to the project name on the top right (it does not matter which project is selected).

Run the following command in the Cloud Shell, substituting your organization ID and super admin account email:

$ gcloud organizations add-iam-policy-binding <ORGANIZATION_ID_HERE> --member="user:<SUPER_ADMIN_EMAIL_HERE>" --role="roles/resourcemanager.organizationAdmin"

Refresh or sign in and out of the Cloud Console, and the organization dropdown should re-appear.

Permissions for creating OAuth credentials in Google Cloud

So I believe I've come across the solution. After failing to find a predefined role or any answers online, I started to delve into creating custom roles. If anyone has issues with this in the future, here is what I have done.

I went to Project Settings > Roles > Create Role. I then created 2 custom Roles, here are all the permissions I assigned to them:

"Custom API"

container.apiServices.create
container.apiServices.delete
container.apiServices.get
container.apiServices.list
container.apiServices.update
container.apiServices.updateStatus
serviceusage.apiKeys.create
serviceusage.apiKeys.delete
serviceusage.apiKeys.get
serviceusage.apiKeys.getProjectForKey
serviceusage.apiKeys.list
serviceusage.apiKeys.regenerate
serviceusage.apiKeys.revert
serviceusage.apiKeys.update

"Custom Client Auth"

clientauthconfig.brands.create
clientauthconfig.brands.delete
clientauthconfig.brands.get
clientauthconfig.brands.list
clientauthconfig.brands.update
clientauthconfig.clients.create
clientauthconfig.clients.createSecret
clientauthconfig.clients.delete
clientauthconfig.clients.get
clientauthconfig.clients.getWithSecret
clientauthconfig.clients.list
clientauthconfig.clients.listWithSecrets
clientauthconfig.clients.undelete
clientauthconfig.clients.update

*Note that at the time of writing, these individual permissions are in a "testing" state, and may not work as intended.

Best Answer

Related Solutions

Google Cloud – Unable to Access Organization’s IAM Settings

Permissions for creating OAuth credentials in Google Cloud

Related Topic