canada-ca / accelerators_accelerateurs-gcp

[GCP] Tools and templates to accelerate GC service delivery. Outils et modèles pour accélérer la prestation de services du GC.
MIT License

Document and add to bootstrap.sh 6 super admin required roles required to prepare for terraform service account permissions #42

Open fmichaelobrien opened 2 years ago

fmichaelobrien commented 2 years ago

The following roles will be added to the readme and set automatically in bootstrap.sh to avoid a possible terraform permissions failure if the 6 are not set during bootstrap.sh checking

(iam.serviceAccountTokenCreator roles/resourcemanager.folderAdmin roles/resourcemanager.organizationAdmin orgpolicy.policyAdmin resourcemanager.projectCreator billing.projectManager )

see https://github.com/canada-ca/accelerators_accelerateurs-gcp/blob/main/deployment-templates/Terraform/guardrails/0-bootstrap/bootstrap.sh#L38

Script currently exits until all roles are set. It should not be the responsibility of the client to add these, as the client may progress to terraform init without the changes.

getrole()
{
    array=( iam.serviceAccountTokenCreator roles/resourcemanager.folderAdmin roles/resourcemanager.organizationAdmin orgpolicy.policyAdmin resourcemanager.projectCreator billing.projectManager )
    for i in "${array[@]}"
    do
        echo "$i"
        ROLE=`gcloud organizations get-iam-policy $1 --filter="bindings.members:$2" --flatten="bindings[].members" --format="table(bindings.role)" | grep $i`
        if [ -z "$ROLE" ]
        then
            echo "roles/$i role missing"
            exit 1
        else
            echo "${ROLE} role set OK on super admin account"
        fi
    done
}

obriensystems commented 2 years ago

P1 assigned to fmichaelobrien

fmichaelobrien commented 2 years ago

I'll upload repro, docs and PR shortly. TL;DR: the script exits by design on no super admin SATC role found, so that TF does not fail later, but I did not make it clear to the user or in the last PR test in June (https://github.com/canada-ca/accelerators_accelerateurs-gcp/issues/24#issuecomment-1148142629). Will add this to role automation; hesitated modifying permissions automatically for the SA like we do for the TF SA. Ideally the roles on the super admin are at the org level. The other issues around reentrant bootstrap and undo capabilities are in the issue queue on the repo under 38 (dual billing/IAM billing admin Claudia mentioned, specific to cloud brokerage accounts only) and 25.

obriensystems commented 2 years ago

procedure to document and code into bootstrap.sh with "apply roles to user account at org level y/n" dialog

admin_root@cloudshell:~ (biometric-ncorg)$ SUPER_ADMIN_EMAIL=admin-root@nuag...g
admin_root@cloudshell:~ (biometric-ncorg)$ gcloud organizations add-iam-policy-binding $ORG_ID --member=user:$SUPER_ADMIN_EMAIL --role=roles/iam.serviceAccountTokenCreator
Updated IAM policy for organization [47...].
bindings:
- members:
  - user:admin-root@nuage-cloud.org
  role: roles/iam.serviceAccountTokenCreator

before

Screen Shot 2022-07-31 at 5 12 23 PM

after

Screen Shot 2022-07-31 at 5 12 43 PM

fmichaelobrien commented 2 years ago

also verify the validation https://github.com/canada-ca/cloud-guardrails-gcp/pull/9#pullrequestreview-1027886748

fmichaelobrien commented 1 year ago

The PBMM TF port already has apply_roles in

https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/environments/bootstrap/bootstrap.sh#L90 and around:

# apply_roles() header added here so the fragment is complete; the quoted snippet starts mid-function.
apply_roles()
{
ORGID=$(gcloud organizations list --format="get(name)" --filter=displayName=$DOMAIN)
ROLES=("roles/billing.projectManager" "roles/orgpolicy.policyAdmin" "roles/resourcemanager.folderCreator" "roles/resourcemanager.organizationViewer" "roles/resourcemanager.projectCreator" "roles/billing.projectManager" "roles/billing.viewer")

# Loop through each Role in Roles and apply to Organization node.
echo "INFO - Applying roles to Organization Node"
for i in "${ROLES[@]}" ; do
  # 2>&1 (the original 1>&1 redirected nothing) silences gcloud's stderr along with stdout
  gcloud organizations add-iam-policy-binding $ORGID  --member=user:$USER --role=$i --quiet > /dev/null 2>&1
done
}

in our case

# apply_roles() header added here so the fragment is complete; the snippet above starts mid-function.
apply_roles()
{
ORGID=$(gcloud organizations list --format="get(name)" --filter=displayName=$DOMAIN)
ROLES=("iam.serviceAccountTokenCreator" "roles/resourcemanager.folderAdmin" "roles/resourcemanager.organizationAdmin" "orgpolicy.policyAdmin" "resourcemanager.projectCreator" "billing.projectManager" )
#ROLES=("roles/billing.projectManager" "roles/orgpolicy.policyAdmin" "roles/resourcemanager.folderCreator" "roles/resourcemanager.organizationViewer" "roles/resourcemanager.projectCreator" "roles/billing.projectManager" "roles/billing.viewer")

# Loop through each Role in Roles and apply to Organization node.
echo "INFO - Applying roles to Organization Node"
for i in "${ROLES[@]}" ; do
  # 2>&1 (the original 1>&1 redirected nothing) silences gcloud's stderr along with stdout
  gcloud organizations add-iam-policy-binding $ORGID  --member=user:$USER --role=$i --quiet > /dev/null 2>&1
done
}

fmichaelobrien commented 1 year ago

BUG: Noticed that the role list has 4 missing roles/ prefixes. The account under test would need to already have 3 of these roles set, which they would (org admin, project creator, billing admin), but service token creator would miss a check.

I will put a PR in

https://github.com/canada-ca/accelerators_accelerateurs-gcp/commit/59856bf43ea91bb9e06d4e5472389a3ad4180f36#diff-87abc6dccd3053818bc94f025af8394366a2a0eca101a0de3133f67256664543R34

adjust for

#ROLES=("iam.serviceAccountTokenCreator" "roles/resourcemanager.folderAdmin" "roles/resourcemanager.organizationAdmin" "orgpolicy.policyAdmin" "resourcemanager.projectCreator" "billing.projectManager" )
ROLES=("roles/iam.serviceAccountTokenCreator" "roles/resourcemanager.folderAdmin" "roles/resourcemanager.organizationAdmin" "roles/orgpolicy.policyAdmin" "roles/resourcemanager.projectCreator" "roles/billing.projectManager" )

obriensystems commented 1 year ago

Verified: not a bug for read, but it would be for write. For example, I deleted org policy admin and we catch it. But I will adjust the array for role writing.

Screen Shot 2022-09-15 at 12 34 10

with 1 missing role = ok

    array=( roles/iam.serviceAccountTokenCreator roles/resourcemanager.folderAdmin roles/resourcemanager.organizationAdmin roles/orgpolicy.policyAdmin roles/resourcemanager.projectCreator roles/billing.projectManager )

admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-nc-info)$ ./bootstrap.sh -d sscncinfo -p accelerator-nc-info
seed project id: sscncinfo-seed-project
boostrap project id: accelerator-nc-info
org id: 93413315325
billing id: 01522C-BEE0DC-529989
Updated property [core/project].
checking roles of current account: admin-root@nuage-cloud.info
roles/iam.serviceAccountTokenCreator
ROLE: roles/iam.serviceAccountTokenCreator role set OK on super admin account
roles/resourcemanager.folderAdmin
ROLE: roles/resourcemanager.folderAdmin role set OK on super admin account
roles/resourcemanager.organizationAdmin
ROLE: roles/resourcemanager.organizationAdmin role set OK on super admin account
roles/orgpolicy.policyAdmin
roles/roles/orgpolicy.policyAdmin role missing

testing write

admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-nc-info)$ export PROJECT_ID=$(gcloud config list --format 'value(core.project)')
export REGION=northamerica-northeast1
export PROJECT_ID=$(gcloud config list --format 'value(core.project)')
export ORG_ID=$(gcloud projects get-ancestors $PROJECT_ID --format='get(id)' | tail -1)
export EMAIL=$(gcloud config list --format json|jq .core.account | sed 's/"//g')
export BILLING_ID=$(gcloud alpha billing projects describe $PROJECT_ID '--format=value(billingAccountName)' | sed 's/.*\///')
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-nc-info)$ echo $EMAIL
admin-root@nuage-cloud.info
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-nc-info)$ echo $BILLING_ID
01522C-BEE0DC-529989

admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-nc-info)$ gcloud organizations add-iam-policy-binding $ORG_ID  --member=user:$EMAIL --role=roles/orgpolicy.policyAdmin
Updated IAM policy for organization [93413315325].
auditConfigs:
- auditLogConfigs:
  - logType: DATA_WRITE
  - logType: DATA_READ
  - logType: ADMIN_READ
  service: allServices
bindings:
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/accesscontextmanager.policyAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/bigquery.dataEditor
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  - user:admin-root@nuage-cloud.info
  role: roles/billing.admin
- members:
  - domain:nuage-cloud.info
  - user:admin-root@nuage-cloud.info
  role: roles/billing.creator
- members:
  - user:admin-root@nuage-cloud.info
  role: roles/billing.projectManager
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/billing.user
- members:
  - group:billing_data_users@nuage-cloud.info
  - group:ssc_broker_users@nuage-cloud.info
  role: roles/billing.viewer
- members:
  - group:ssc_broker_users@nuage-cloud.info
  role: roles/cloudasset.viewer
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/compute.networkAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/compute.xpnAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/iam.organizationRoleAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/iam.serviceAccountAdmin
- members:
  - user:admin-root@nuage-cloud.info
  role: roles/iam.serviceAccountTokenCreator
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/logging.configWriter
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  - user:admin-root@nuage-cloud.info
  role: roles/orgpolicy.policyAdmin
- members:
  - user:admin-root@nuage-cloud.info
  role: roles/owner
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/pubsub.admin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  - user:admin-root@nuage-cloud.info
  role: roles/resourcemanager.folderAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  - user:admin-root@nuage-cloud.info
  role: roles/resourcemanager.organizationAdmin
- members:
  - domain:nuage-cloud.info
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  - user:admin-root@nuage-cloud.info
  role: roles/resourcemanager.projectCreator
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/resourcemanager.projectDeleter
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/resourcemanager.projectIamAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/resourcemanager.projectMover
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/serviceusage.serviceUsageAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/storage.admin
etag: BwXoueNl62g=
version: 1

verify
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-nc-info)$ ./bootstrap.sh -d sscncinfo -p accelerator-nc-info
seed project id: sscncinfo-seed-project
boostrap project id: accelerator-nc-info
org id: 93413315325
billing id: 01522C-BEE0DC-529989
Updated property [core/project].
checking roles of current account: admin-root@nuage-cloud.info
roles/iam.serviceAccountTokenCreator
ROLE: roles/iam.serviceAccountTokenCreator role set OK on super admin account
roles/resourcemanager.folderAdmin
ROLE: roles/resourcemanager.folderAdmin role set OK on super admin account
roles/resourcemanager.organizationAdmin
ROLE: roles/resourcemanager.organizationAdmin role set OK on super admin account
roles/orgpolicy.policyAdmin
ROLE: roles/orgpolicy.policyAdmin role set OK on super admin account
roles/resourcemanager.projectCreator
ROLE: roles/resourcemanager.projectCreator role set OK on super admin account
roles/billing.projectManager
ROLE: roles/billing.projectManager role set OK on super admin account
all roles set OK on super admin account:  admin-root@nuage-cloud.info - proceeding

-- a/deployment-templates/Terraform/guardrails/0-bootstrap/bootstrap.sh
+++ b/deployment-templates/Terraform/guardrails/0-bootstrap/bootstrap.sh
@@ -31,7 +31,7 @@ usage()

 getrole()
 {
-    array=( iam.serviceAccountTokenCreator roles/resourcemanager.folderAdmin roles/resourcemanager.organizationAdmin orgpolicy.policyAdmin resourcemanager.projectCreator billing.projectManager )
+    array=( roles/iam.serviceAccountTokenCreator roles/resourcemanager.folderAdmin roles/resourcemanager.organizationAdmin roles/orgpolicy.policyAdmin roles/resourcemanager.projectCreator roles/billing.projectManager )
     for i in "${array[@]}"
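
Review bot: the array now carries the `roles/` prefix, but the loop body just below this hunk still prints `echo "roles/$i role missing"`, which is why the run earlier in this thread reports `roles/roles/orgpolicy.policyAdmin role missing`; change it to `echo "$i role missing"`. On the unchanged `ROLE=` line, `grep $i` is an unquoted substring match in which `.` is a regex wildcard, so `grep -qxF -- "$i"` (whole line, fixed string) would make the check exact rather than accidental.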

use for now


export PROJECT_ID=$(gcloud config list --format 'value(core.project)')
export ORG_ID=$(gcloud projects get-ancestors $PROJECT_ID --format='get(id)' | tail -1)
export EMAIL=$(gcloud config list --format json|jq .core.account | sed 's/"//g')
gcloud organizations add-iam-policy-binding $ORG_ID  --member=user:$EMAIL --role=roles/iam.serviceAccountTokenCreator
gcloud organizations add-iam-policy-binding $ORG_ID  --member=user:$EMAIL --role=roles/orgpolicy.policyAdmin
gcloud organizations add-iam-policy-binding $ORG_ID  --member=user:$EMAIL --role=roles/resourcemanager.folderAdmin
gcloud organizations add-iam-policy-binding $ORG_ID  --member=user:$EMAIL --role=roles/resourcemanager.organizationAdmin
gcloud organizations add-iam-policy-binding $ORG_ID  --member=user:$EMAIL --role=roles/resourcemanager.projectCreator
gcloud organizations add-iam-policy-binding $ORG_ID  --member=user:$EMAIL --role=roles/billing.projectManager

obriensystems commented 1 year ago

testing

getrole()
{
    array=( roles/iam.serviceAccountTokenCreator roles/resourcemanager.folderAdmin roles/resourcemanager.organizationAdmin roles/orgpolicy.policyAdmin roles/resourcemanager.projectCreator roles/billing.projectManager )
    for i in "${array[@]}"
    do
        echo "$i"
        ROLE=`gcloud organizations get-iam-policy $1 --filter="bindings.members:$2" --flatten="bindings[].members" --format="table(bindings.role)" | grep $i`
        if [ -z "$ROLE" ]
        then
            echo "roles/$i role missing - setting"
            gcloud organizations add-iam-policy-binding $1  --member=user:$2 --role=$i
        else
            echo "${ROLE} role set OK on super admin account"
        fi
    done
}

result

admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-nc-info)$ ./bootstrap.sh -d sscncinfo -p accelerator-nc-info
seed project id: sscncinfo-seed-project
boostrap project id: accelerator-nc-info
org id: 93413315325
billing id: 01522C-BEE0DC-529989
Updated property [core/project].
checking roles of current account: admin-root@nuage-cloud.info
roles/iam.serviceAccountTokenCreator
ROLE: roles/iam.serviceAccountTokenCreator role set OK on super admin account
roles/resourcemanager.folderAdmin
ROLE: roles/resourcemanager.folderAdmin role set OK on super admin account
roles/resourcemanager.organizationAdmin
ROLE: roles/resourcemanager.organizationAdmin role set OK on super admin account
roles/orgpolicy.policyAdmin
roles/roles/orgpolicy.policyAdmin role missing - setting
Updated IAM policy for organization [93413315325].
auditConfigs:
- auditLogConfigs:
  - logType: DATA_WRITE
  - logType: DATA_READ
  - logType: ADMIN_READ
  service: allServices
bindings:
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/accesscontextmanager.policyAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/bigquery.dataEditor
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  - user:admin-root@nuage-cloud.info
  role: roles/billing.admin
- members:
  - domain:nuage-cloud.info
  - user:admin-root@nuage-cloud.info
  role: roles/billing.creator
- members:
  - user:admin-root@nuage-cloud.info
  role: roles/billing.projectManager
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/billing.user
- members:
  - group:billing_data_users@nuage-cloud.info
  - group:ssc_broker_users@nuage-cloud.info
  role: roles/billing.viewer
- members:
  - group:ssc_broker_users@nuage-cloud.info
  role: roles/cloudasset.viewer
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/compute.networkAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/compute.xpnAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/iam.organizationRoleAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/iam.serviceAccountAdmin
- members:
  - user:admin-root@nuage-cloud.info
  role: roles/iam.serviceAccountTokenCreator
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/logging.configWriter
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  - user:admin-root@nuage-cloud.info
  role: roles/orgpolicy.policyAdmin
- members:
  - user:admin-root@nuage-cloud.info
  role: roles/owner
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/pubsub.admin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  - user:admin-root@nuage-cloud.info
  role: roles/resourcemanager.folderAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  - user:admin-root@nuage-cloud.info
  role: roles/resourcemanager.organizationAdmin
- members:
  - domain:nuage-cloud.info
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  - user:admin-root@nuage-cloud.info
  role: roles/resourcemanager.projectCreator
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/resourcemanager.projectDeleter
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/resourcemanager.projectIamAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/resourcemanager.projectMover
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/serviceusage.serviceUsageAdmin
- members:
  - serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
  role: roles/storage.admin
etag: BwXouf6_BgU=
version: 1
roles/resourcemanager.projectCreator
ROLE: roles/resourcemanager.projectCreator role set OK on super admin account
roles/billing.projectManager
ROLE: roles/billing.projectManager role set OK on super admin account
all roles set OK on super admin account:  admin-root@nuage-cloud.info - proceeding
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-nc-info)$ ./bootstrap.sh -d sscncinfo -p accelerator-nc-info
seed project id: sscncinfo-seed-project
boostrap project id: accelerator-nc-info
org id: 93413315325
billing id: 01522C-BEE0DC-529989
Updated property [core/project].
checking roles of current account: admin-root@nuage-cloud.info
roles/iam.serviceAccountTokenCreator
ROLE: roles/iam.serviceAccountTokenCreator role set OK on super admin account
roles/resourcemanager.folderAdmin
ROLE: roles/resourcemanager.folderAdmin role set OK on super admin account
roles/resourcemanager.organizationAdmin
ROLE: roles/resourcemanager.organizationAdmin role set OK on super admin account
roles/orgpolicy.policyAdmin
ROLE: roles/orgpolicy.policyAdmin role set OK on super admin account
roles/resourcemanager.projectCreator
ROLE: roles/resourcemanager.projectCreator role set OK on super admin account
roles/billing.projectManager
ROLE: roles/billing.projectManager role set OK on super admin account
all roles set OK on super admin account:  admin-root@nuage-cloud.info - proceeding
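
An added example (not code from the repo's bootstrap.sh or from any commenter) that puts the getrole() check above into an offline, testable form. It parses a constructed sample of the policy YAML that `gcloud organizations get-iam-policy` prints, normalises role names to the `roles/` prefix that the BUG comment above found missing, matches whole role names per member instead of grepping a substring across every binding, and prints the `add-iam-policy-binding` commands for the missing roles as a dry run rather than executing them. The org id, member addresses, etag and policy contents are all made up for the example; to use it for real, replace the `SAMPLE_POLICY` literal with live `gcloud organizations get-iam-policy "$ORG_ID"` output.

```shell
#!/bin/sh
# Added example (not the repo's bootstrap.sh): an offline, exact-match version of the
# getrole() check from this thread. It reads a captured org IAM policy (constructed
# sample below, in the YAML shape that `gcloud organizations get-iam-policy` prints)
# instead of calling gcloud, normalises role names to the roles/ prefix, and prints
# the add-iam-policy-binding commands for whatever is missing as a dry run.

# Same six roles as the issue, deliberately in the mixed prefix form of the
# original array so normalize_role has something to fix.
REQUIRED_ROLES="iam.serviceAccountTokenCreator roles/resourcemanager.folderAdmin roles/resourcemanager.organizationAdmin orgpolicy.policyAdmin resourcemanager.projectCreator billing.projectManager"

# Constructed sample policy (member names, domain and etag are made up). The user
# holds five of the six roles; roles/orgpolicy.policyAdmin is bound only to the
# Terraform service account, so a member-blind grep would wrongly report it present.
SAMPLE_POLICY='auditConfigs:
- auditLogConfigs:
  - logType: DATA_WRITE
  - logType: ADMIN_READ
  service: allServices
bindings:
- members:
  - user:admin@example.test
  role: roles/iam.serviceAccountTokenCreator
- members:
  - serviceAccount:tfadmin@seed-project.iam.gserviceaccount.com
  - user:admin@example.test
  role: roles/resourcemanager.folderAdmin
- members:
  - user:admin@example.test
  role: roles/resourcemanager.organizationAdmin
- members:
  - serviceAccount:tfadmin@seed-project.iam.gserviceaccount.com
  role: roles/orgpolicy.policyAdmin
- members:
  - domain:example.test
  - user:admin@example.test
  role: roles/resourcemanager.projectCreator
- members:
  - user:admin@example.test
  role: roles/billing.projectManager
etag: BwExample=
version: 1'

# Ensure a role name carries the roles/ prefix (the missing-prefix bug from the thread).
normalize_role() {
  case "$1" in
    roles/*) printf '%s\n' "$1" ;;
    *)       printf 'roles/%s\n' "$1" ;;
  esac
}

# Print every role bound to member $2 in policy $1, one per line.
# Each binding lists its members before its role, so remember whether the wanted
# member appeared in the current block and emit the role when it did.
roles_for_member() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /^- members:/ { hit = 0; next }
    /^  - /       { if ($2 == want) hit = 1; next }
    /^  role: /   { if (hit) print $2; hit = 0 }
  '
}

# Exit 0 if member $2 holds exactly role $3 in policy $1 (whole-line, fixed-string match).
has_role() {
  roles_for_member "$1" "$2" | grep -qxF -- "$(normalize_role "$3")"
}

# Print the required roles that member $2 does not hold in policy $1.
missing_roles() {
  for r in $REQUIRED_ROLES; do
    has_role "$1" "$2" "$r" || normalize_role "$r"
  done
}

# Dry run: print the gcloud commands that would grant the missing roles to member $2
# on organization $1, judged against policy $3. Nothing is executed.
binding_commands() {
  missing_roles "$3" "$2" | while IFS= read -r r; do
    printf 'gcloud organizations add-iam-policy-binding %s --member=%s --role=%s\n' "$1" "$2" "$r"
  done
}

# Demo run against the constructed sample (org id is made up).
binding_commands 123456789012 user:admin@example.test "$SAMPLE_POLICY"
```

Keeping the check read-only and emitting the grant commands as text separates "what is missing" from "change the org policy", so the "apply roles at org level y/n" prompt discussed above can sit between the two steps and the operator can review exactly which bindings a bootstrap run is about to add.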
obriensystems commented 1 year ago

TL;DR: Shared billing accounts do not get shared IAM roles; they need to be set separately.

code change in https://github.com/canada-ca/accelerators_accelerateurs-gcp/blob/main/deployment-templates/Terraform/guardrails/0-bootstrap/bootstrap.sh#L127

see (needs update for shared billing) https://cloud.google.com/billing/docs/how-to/billing-access

Keep in mind that we need a workaround (see #47) for the fact that if the billing account is of type "shared", where it comes in under "No Organization, ID=0", then any service account created will not get inherited links from IAM set in Billing; these, like Billing Account User, need to be set manually.

Example

michael@cloudshell:~$ gcloud config set project gcp-zone-landing-stg
Updated property [core/project].
michael@cloudshell:~ (gcp-zone-landing-stg)$ export PROJECT_ID=$(gcloud config list --format 'value(core.project)')
michael@cloudshell:~ (gcp-zone-landing-stg)$ export ORG_ID=$(gcloud projects get-ancestors $PROJECT_ID --format='get(id)' | tail -1)
michael@cloudshell:~ (gcp-zone-landing-stg)$ export SA_PREFIX=tfsa-example
michael@cloudshell:~ (gcp-zone-landing-stg)$ gcloud iam service-accounts create "${SA_PREFIX}" --display-name "Terraform example service account" --project=${PROJECT_ID}
Created service account [tfsa-example].
michael@cloudshell:~ (gcp-zone-landing-stg)$ export SA_EMAIL=`gcloud iam service-accounts list --project="${PROJECT_ID}" --filter=tfsa --format="value(email)"`
michael@cloudshell:~ (gcp-zone-landing-stg)$ echo $SA_EMAIL
tfsa-example@gcp-zone-landing-stg.iam.gserviceaccount.com

check existing roles
michael@cloudshell:~ (gcp-zone-landing-stg)$ gcloud organizations get-iam-policy $ORG_ID --filter="bindings.members:$SA_EMAIL" --flatten="bindings[].members" --format="table(bindings.role)"

Set the billing role
gcloud organizations add-iam-policy-binding ${ORG_ID}  --member=serviceAccount:${SA_EMAIL} --role=roles/billing.user

check again

michael@cloudshell:~ (gcp-zone-landing-stg)$ gcloud organizations add-iam-policy-binding ${ORG_ID}  --member=serviceAccount:${SA_EMAIL} --role=roles/billing.user
Updated IAM policy for organization [925207728429].
...
michael@cloudshell:~ (gcp-zone-landing-stg)$ gcloud organizations get-iam-policy $ORG_ID --filter="bindings.members:$SA_EMAIL" --flatten="bindings[].members" --format="table(bindings.role)"

ROLE: roles/billing.user

It may take a couple of minutes to show in IAM.

Screen Shot 2022-09-18 at 19 01 36

Checking billing on the shared account

expected on billing accounts belonging to this org - via IAM inheritance in billing

Screen Shot 2022-09-18 at 19 04 02

not expected on billing accounts shared from other orgs

Screen Shot 2022-09-18 at 19 04 49

ref https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/issues/177

fmichaelobrien commented 1 year ago

before bootstrap.sh - pending PR to add it

export PROJECT_ID=$(gcloud config list --format 'value(core.project)')
export ORG_ID=$(gcloud projects get-ancestors $PROJECT_ID --format='get(id)' | tail -1)
export EMAIL=$(gcloud config list --format json|jq .core.account | sed 's/"//g')
gcloud organizations add-iam-policy-binding $ORG_ID  --member=user:$EMAIL --role=roles/iam.serviceAccountTokenCreator
gcloud organizations add-iam-policy-binding $ORG_ID  --member=user:$EMAIL --role=roles/orgpolicy.policyAdmin
gcloud organizations add-iam-policy-binding $ORG_ID  --member=user:$EMAIL --role=roles/resourcemanager.folderAdmin
gcloud organizations add-iam-policy-binding $ORG_ID  --member=user:$EMAIL --role=roles/resourcemanager.organizationAdmin
gcloud organizations add-iam-policy-binding $ORG_ID  --member=user:$EMAIL --role=roles/resourcemanager.projectCreator
gcloud organizations add-iam-policy-binding $ORG_ID  --member=user:$EMAIL --role=roles/billing.projectManager