GoogleCloudPlatform / pubsec-declarative-toolkit

The GCP PubSec Declarative Toolkit is a collection of declarative solutions to help you on your Journey to Google Cloud. Solutions are designed using Config Connector and deployed using Config Controller.
Apache License 2.0

IAM role overlay (EOR/AND/OR) for dual landing zone (KCC + TF) single organization configs - super admin and TF/K8S service accounts #531

Open obriensystems opened 11 months ago

obriensystems commented 11 months ago

shadow: https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/issues/321

Use Case

Requirements

fmichaelobrien commented 11 months ago

see #534

KCC organization Admin

```shell
root_@cloudshell:~ (kcc-kls)$ gcloud organizations get-iam-policy $ORG_ID --filter="bindings.members:ro...ems" --flatten="bindings[].members" --format="table(bindings.role)"
ROLE: roles/accesscontextmanager.policyAdmin
ROLE: roles/billing.admin
ROLE: roles/billing.projectManager
ROLE: roles/iam.securityAdmin
ROLE: roles/iam.serviceAccountTokenCreator
ROLE: roles/logging.admin
ROLE: roles/resourcemanager.folderAdmin
ROLE: roles/resourcemanager.organizationAdmin
ROLE: roles/resourcemanager.tagAdmin
ROLE: roles/securitycenter.admin
ROLE: roles/storage.admin
```

```shell
gcloud organizations add-iam-policy-binding $ORG_ID --member=user:$EMAIL --role=roles/iam.serviceAccountTokenCreator
gcloud organizations add-iam-policy-binding $ORG_ID --member=user:$EMAIL --role=roles/resourcemanager.folderAdmin
gcloud organizations add-iam-policy-binding $ORG_ID --member=user:$EMAIL --role=roles/orgpolicy.policyAdmin
gcloud organizations add-iam-policy-binding $ORG_ID --member=user:$EMAIL --role=roles/resourcemanager.projectCreator
gcloud organizations add-iam-policy-binding $ORG_ID --member=user:$EMAIL --role=roles/billing.projectManager
gcloud organizations add-iam-policy-binding $ORG_ID --member=user:$EMAIL --role=roles/accesscontextmanager.policyAdmin
gcloud organizations add-iam-policy-binding $ORG_ID --member=user:$EMAIL --role=roles/billing.admin
gcloud organizations add-iam-policy-binding $ORG_ID --member=user:$EMAIL --role=roles/logging.admin
gcloud organizations add-iam-policy-binding $ORG_ID --member=user:$EMAIL --role=roles/resourcemanager.tagAdmin
gcloud organizations add-iam-policy-binding $ORG_ID --member=user:$EMAIL --role=roles/securitycenter.admin
gcloud organizations add-iam-policy-binding $ORG_ID --member=user:$EMAIL --role=roles/storage.admin
```

KCC Service Account
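The comment above lists the roles a `get-iam-policy` call actually returned for the organization admin and, separately, the `add-iam-policy-binding` commands that define the intended role set; the two lists differ. The script below is an added example, not code from the pubsec-declarative-toolkit repository or from the issue authors. It parses the JSON form of `gcloud organizations get-iam-policy ORG_ID --format=json`, collects the roles bound to one member, and reports which required roles are missing and which bound roles are outside the required set, then emits only the add-binding commands that close the gap. The organization id, member and policy document are constructed sample data; the required set is taken to be the add-binding list from the comment, so the listing's `roles/iam.securityAdmin` and `roles/resourcemanager.organizationAdmin` surface as extra, which is exactly the discrepancy such a check is meant to flag for review. The same parser applies to the service-account member, with its own required set.

```python
"""Reconcile one member's organization-level IAM roles against a required set.

Added example, not the toolkit's code. Reads getIamPolicy JSON (the output of
`gcloud organizations get-iam-policy ORG_ID --format=json`) and reports the
ok / missing / extra roles for one member. All identifiers are constructed.
"""

import json

# Constructed placeholders (not values from the issue).
SAMPLE_ORG_ID = "123456789012"
SAMPLE_MEMBER = "user:org-admin@example.com"

# The roles the issue's add-iam-policy-binding commands grant the org admin.
REQUIRED_ORG_ADMIN_ROLES = frozenset({
    "roles/accesscontextmanager.policyAdmin",
    "roles/billing.admin",
    "roles/billing.projectManager",
    "roles/iam.serviceAccountTokenCreator",
    "roles/logging.admin",
    "roles/orgpolicy.policyAdmin",
    "roles/resourcemanager.folderAdmin",
    "roles/resourcemanager.projectCreator",
    "roles/resourcemanager.tagAdmin",
    "roles/securitycenter.admin",
    "roles/storage.admin",
})

# Constructed policy document mirroring the get-iam-policy listing in the
# issue for the admin member, plus a binding for another member and a
# conditional binding, so the filtering logic has something to exclude.
SAMPLE_POLICY_JSON = """
{
  "version": 3,
  "bindings": [
    {"role": "roles/accesscontextmanager.policyAdmin", "members": ["user:org-admin@example.com"]},
    {"role": "roles/billing.admin", "members": ["user:org-admin@example.com"]},
    {"role": "roles/billing.projectManager", "members": ["user:org-admin@example.com"]},
    {"role": "roles/iam.securityAdmin", "members": ["user:org-admin@example.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator", "members": ["user:org-admin@example.com"]},
    {"role": "roles/logging.admin", "members": ["user:org-admin@example.com"]},
    {"role": "roles/resourcemanager.folderAdmin", "members": ["user:org-admin@example.com"]},
    {"role": "roles/resourcemanager.organizationAdmin", "members": ["user:org-admin@example.com"]},
    {"role": "roles/resourcemanager.tagAdmin", "members": ["user:org-admin@example.com"]},
    {"role": "roles/securitycenter.admin", "members": ["user:org-admin@example.com"]},
    {"role": "roles/storage.admin", "members": ["user:org-admin@example.com", "user:other@example.com"]},
    {"role": "roles/owner", "members": ["user:other@example.com"]},
    {"role": "roles/viewer", "members": ["user:org-admin@example.com"],
     "condition": {"title": "expires", "expression": "request.time < timestamp('2024-01-01T00:00:00Z')"}}
  ]
}
"""

def load_policy(text: str) -> dict:
    """Parse a getIamPolicy JSON document (what --format=json prints)."""
    return json.loads(text)

def roles_for_member(policy: dict, member: str) -> set:
    """Roles bound unconditionally to `member` at this resource.

    Conditional bindings are skipped: a grant that only holds while a CEL
    condition is true is not an unconditional grant, and counting it would
    misreport the member as compliant or over-privileged."""
    roles = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue
        if member in binding.get("members", []):
            roles.add(binding["role"])
    return roles

def reconcile(policy: dict, member: str, required) -> dict:
    """Split the member's bound roles into ok / missing / extra vs `required`."""
    have = roles_for_member(policy, member)
    required = set(required)
    return {
        "ok": sorted(have & required),
        "missing": sorted(required - have),
        "extra": sorted(have - required),
    }

def binding_commands(org_id: str, member: str, roles) -> list:
    """Build add-iam-policy-binding commands for the missing roles only.

    Extra roles are reported, not removed: a role such as organizationAdmin
    may be held on purpose, and dropping it from the only admin could lock
    the organization, so that decision belongs to a human reviewer."""
    return [
        f"gcloud organizations add-iam-policy-binding {org_id} "
        f"--member={member} --role={role}"
        for role in sorted(roles)
    ]

if __name__ == "__main__":
    report = reconcile(load_policy(SAMPLE_POLICY_JSON), SAMPLE_MEMBER, REQUIRED_ORG_ADMIN_ROLES)
    for key in ("ok", "missing", "extra"):
        print(f"{key}: {', '.join(report[key]) or '-'}")
    for cmd in binding_commands(SAMPLE_ORG_ID, SAMPLE_MEMBER, report["missing"]):
        print(cmd)
```

On the sample data the report shows nine roles in common, `roles/orgpolicy.policyAdmin` and `roles/resourcemanager.projectCreator` missing, and `roles/iam.securityAdmin` plus `roles/resourcemanager.organizationAdmin` as extra; the conditional `roles/viewer` binding is ignored. The script only reads a saved policy document, so it can run in CI against `gcloud ... --format=json > policy.json` output without any permission beyond `getIamPolicy`.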