Open fmichaelobrien opened 2 years ago
P1 assigned to fmichaelobrien
I'll upload repro, docs and PR shortly. TL;DR is: the script exits by design when no super admin SATC role is found, so that TF does not fail later, but I did not make it clear to the user or in the last PR test in June https://github.com/canada-ca/accelerators_accelerateurs-gcp/issues/24#issuecomment-1148142629. Will add this to role automation; I hesitated to modify permissions automatically for the SA like we do for the TF SA. Ideally the roles on the super admin are at the org level. The other issues around reentrant bootstrap and undo capabilities are in the issue queue on the repo under 38 (dual billing / IAM billing admin that Claudia mentioned, specific to cloud brokerage accounts only) and 25.
Procedure to document and code into bootstrap.sh, with an "apply roles to user account at org level y/n" dialog:
admin_root@cloudshell:~ (biometric-ncorg)$ SUPER_ADMIN_EMAIL=admin-root@nuag...g
admin_root@cloudshell:~ (biometric-ncorg)$ gcloud organizations add-iam-policy-binding $ORG_ID --member=user:$SUPER_ADMIN_EMAIL --role=roles/iam.serviceAccountTokenCreator
Updated IAM policy for organization [47...].
bindings:
- members:
- user:admin-root@nuage-cloud.org
role: roles/iam.serviceAccountTokenCreator
before
after
also verify the validation https://github.com/canada-ca/cloud-guardrails-gcp/pull/9#pullrequestreview-1027886748
The PBMM TF port already has apply_roles in:
apply_roles()
{
ORGID=$(gcloud organizations list --format="get(name)" --filter=displayName=$DOMAIN)
ROLES=("roles/billing.projectManager" "roles/orgpolicy.policyAdmin" "roles/resourcemanager.folderCreator" "roles/resourcemanager.organizationViewer" "roles/resourcemanager.projectCreator" "roles/billing.projectManager" "roles/billing.viewer")
# Loop through each Role in Roles and apply to Organization node.
# $USER must hold the account email (user:<email>), not the shell login name.
echo "INFO - Applying roles to Organization Node"
for i in "${ROLES[@]}" ; do
# 2>&1 (the original 1>&1 was a no-op); note this also hides permission errors from the caller.
gcloud organizations add-iam-policy-binding $ORGID --member=user:$USER --role=$i --quiet > /dev/null 2>&1
done
}
In our case:
apply_roles()
{
ORGID=$(gcloud organizations list --format="get(name)" --filter=displayName=$DOMAIN)
# Role list as it stood at this point (four entries lack the roles/ prefix; see the bug note below)
ROLES=("iam.serviceAccountTokenCreator" "roles/resourcemanager.folderAdmin" "roles/resourcemanager.organizationAdmin" "orgpolicy.policyAdmin" "resourcemanager.projectCreator" "billing.projectManager" )
#ROLES=("roles/billing.projectManager" "roles/orgpolicy.policyAdmin" "roles/resourcemanager.folderCreator" "roles/resourcemanager.organizationViewer" "roles/resourcemanager.projectCreator" "roles/billing.projectManager" "roles/billing.viewer")
# Loop through each Role in Roles and apply to Organization node.
# $USER must hold the account email (user:<email>), not the shell login name.
echo "INFO - Applying roles to Organization Node"
for i in "${ROLES[@]}" ; do
# 2>&1 (the original 1>&1 was a no-op); note this also hides permission errors from the caller.
gcloud organizations add-iam-policy-binding $ORGID --member=user:$USER --role=$i --quiet > /dev/null 2>&1
done
}
BUG: Noticed that the role list has 4 missing roles/ prefixes. The account under test would need to already have 3 of these roles set, which it would (org admin, project creator, billing admin), but service account token creator would miss a check.
I will put a PR in
Adjust for:
#ROLES=("iam.serviceAccountTokenCreator" "roles/resourcemanager.folderAdmin" "roles/resourcemanager.organizationAdmin" "orgpolicy.policyAdmin" "resourcemanager.projectCreator" "billing.projectManager" )
ROLES=("roles/iam.serviceAccountTokenCreator" "roles/resourcemanager.folderAdmin" "roles/resourcemanager.organizationAdmin" "roles/orgpolicy.policyAdmin" "roles/resourcemanager.projectCreator" "roles/billing.projectManager" )
Verified not a bug for read, but it would be for write. For example, I deleted org policy admin and we catch it. But I will adjust the array for role writing.
With 1 missing role = OK:
array=( roles/iam.serviceAccountTokenCreator roles/resourcemanager.folderAdmin roles/resourcemanager.organizationAdmin roles/orgpolicy.policyAdmin roles/resourcemanager.projectCreator roles/billing.projectManager )
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-nc-info)$ ./bootstrap.sh -d sscncinfo -p accelerator-nc-info
seed project id: sscncinfo-seed-project
boostrap project id: accelerator-nc-info
org id: 93413315325
billing id: 01522C-BEE0DC-529989
Updated property [core/project].
checking roles of current account: admin-root@nuage-cloud.info
roles/iam.serviceAccountTokenCreator
ROLE: roles/iam.serviceAccountTokenCreator role set OK on super admin account
roles/resourcemanager.folderAdmin
ROLE: roles/resourcemanager.folderAdmin role set OK on super admin account
roles/resourcemanager.organizationAdmin
ROLE: roles/resourcemanager.organizationAdmin role set OK on super admin account
roles/orgpolicy.policyAdmin
roles/roles/orgpolicy.policyAdmin role missing
Testing write:
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-nc-info)$ export PROJECT_ID=$(gcloud config list --format 'value(core.project)')
export REGION=northamerica-northeast1
export PROJECT_ID=$(gcloud config list --format 'value(core.project)')
export ORG_ID=$(gcloud projects get-ancestors $PROJECT_ID --format='get(id)' | tail -1)
export EMAIL=$(gcloud config list --format json|jq .core.account | sed 's/"//g')
export BILLING_ID=$(gcloud alpha billing projects describe $PROJECT_ID '--format=value(billingAccountName)' | sed 's/.*\///')
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-nc-info)$ echo $EMAIL
admin-root@nuage-cloud.info
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-nc-info)$ echo $BILLING_ID
01522C-BEE0DC-529989
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-nc-info)$ gcloud organizations add-iam-policy-binding $ORG_ID --member=user:$EMAIL --role=roles/orgpolicy.policyAdmin
Updated IAM policy for organization [93413315325].
auditConfigs:
- auditLogConfigs:
- logType: DATA_WRITE
- logType: DATA_READ
- logType: ADMIN_READ
service: allServices
bindings:
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/accesscontextmanager.policyAdmin
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/bigquery.dataEditor
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
- user:admin-root@nuage-cloud.info
role: roles/billing.admin
- members:
- domain:nuage-cloud.info
- user:admin-root@nuage-cloud.info
role: roles/billing.creator
- members:
- user:admin-root@nuage-cloud.info
role: roles/billing.projectManager
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/billing.user
- members:
- group:billing_data_users@nuage-cloud.info
- group:ssc_broker_users@nuage-cloud.info
role: roles/billing.viewer
- members:
- group:ssc_broker_users@nuage-cloud.info
role: roles/cloudasset.viewer
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/compute.networkAdmin
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/compute.xpnAdmin
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/iam.organizationRoleAdmin
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/iam.serviceAccountAdmin
- members:
- user:admin-root@nuage-cloud.info
role: roles/iam.serviceAccountTokenCreator
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/logging.configWriter
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
- user:admin-root@nuage-cloud.info
role: roles/orgpolicy.policyAdmin
- members:
- user:admin-root@nuage-cloud.info
role: roles/owner
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/pubsub.admin
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
- user:admin-root@nuage-cloud.info
role: roles/resourcemanager.folderAdmin
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
- user:admin-root@nuage-cloud.info
role: roles/resourcemanager.organizationAdmin
- members:
- domain:nuage-cloud.info
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
- user:admin-root@nuage-cloud.info
role: roles/resourcemanager.projectCreator
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/resourcemanager.projectDeleter
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/resourcemanager.projectIamAdmin
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/resourcemanager.projectMover
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/serviceusage.serviceUsageAdmin
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/storage.admin
etag: BwXoueNl62g=
version: 1
Verify:
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-nc-info)$ ./bootstrap.sh -d sscncinfo -p accelerator-nc-info
seed project id: sscncinfo-seed-project
boostrap project id: accelerator-nc-info
org id: 93413315325
billing id: 01522C-BEE0DC-529989
Updated property [core/project].
checking roles of current account: admin-root@nuage-cloud.info
roles/iam.serviceAccountTokenCreator
ROLE: roles/iam.serviceAccountTokenCreator role set OK on super admin account
roles/resourcemanager.folderAdmin
ROLE: roles/resourcemanager.folderAdmin role set OK on super admin account
roles/resourcemanager.organizationAdmin
ROLE: roles/resourcemanager.organizationAdmin role set OK on super admin account
roles/orgpolicy.policyAdmin
ROLE: roles/orgpolicy.policyAdmin role set OK on super admin account
roles/resourcemanager.projectCreator
ROLE: roles/resourcemanager.projectCreator role set OK on super admin account
roles/billing.projectManager
ROLE: roles/billing.projectManager role set OK on super admin account
all roles set OK on super admin account: admin-root@nuage-cloud.info - proceeding
-- a/deployment-templates/Terraform/guardrails/0-bootstrap/bootstrap.sh
+++ b/deployment-templates/Terraform/guardrails/0-bootstrap/bootstrap.sh
@@ -31,7 +31,7 @@ usage()
getrole()
{
- array=( iam.serviceAccountTokenCreator roles/resourcemanager.folderAdmin roles/resourcemanager.organizationAdmin orgpolicy.policyAdmin resourcemanager.projectCreator billing.projectManager )
+ array=( roles/iam.serviceAccountTokenCreator roles/resourcemanager.folderAdmin roles/resourcemanager.organizationAdmin roles/orgpolicy.policyAdmin roles/resourcemanager.projectCreator roles/billing.projectManager )
for i in "${array[@]}"
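Review bot: the array now carries the `roles/` prefix on every entry, which is what `--role=` and the `grep $i` in getrole match against, but the missing-role message in the same function still prepends `roles/` to `$i`, so after this change it prints a doubled `roles/roles/orgpolicy.policyAdmin` (visible in the run output on this page); change that echo to `echo "$i role missing"` in the same PR. Also consider `grep -Fx` (or `--format=value(bindings.role)` plus an exact string comparison) so a required role cannot be satisfied by a longer role name that merely contains it as a substring.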
Use for now:
export PROJECT_ID=$(gcloud config list --format 'value(core.project)')
export ORG_ID=$(gcloud projects get-ancestors $PROJECT_ID --format='get(id)' | tail -1)
export EMAIL=$(gcloud config list --format json|jq .core.account | sed 's/"//g')
gcloud organizations add-iam-policy-binding $ORG_ID --member=user:$EMAIL --role=roles/iam.serviceAccountTokenCreator
gcloud organizations add-iam-policy-binding $ORG_ID --member=user:$EMAIL --role=roles/orgpolicy.policyAdmin
gcloud organizations add-iam-policy-binding $ORG_ID --member=user:$EMAIL --role=roles/resourcemanager.folderAdmin
gcloud organizations add-iam-policy-binding $ORG_ID --member=user:$EMAIL --role=roles/resourcemanager.organizationAdmin
gcloud organizations add-iam-policy-binding $ORG_ID --member=user:$EMAIL --role=roles/resourcemanager.projectCreator
gcloud organizations add-iam-policy-binding $ORG_ID --member=user:$EMAIL --role=roles/billing.projectManager
Testing:
getrole()
{
# Roles the super admin must hold at the org node, every entry fully qualified with roles/
array=( roles/iam.serviceAccountTokenCreator roles/resourcemanager.folderAdmin roles/resourcemanager.organizationAdmin roles/orgpolicy.policyAdmin roles/resourcemanager.projectCreator roles/billing.projectManager )
for i in "${array[@]}"
do
echo "$i"
# $1 = org id, $2 = account email: list the roles bound to the account on the org and look for this one
ROLE=$(gcloud organizations get-iam-policy "$1" --filter="bindings.members:$2" --flatten="bindings[].members" --format="table(bindings.role)" | grep "$i")
if [ -z "$ROLE" ]
then
# $i already carries the roles/ prefix, so it is not prepended again here
echo "$i role missing - setting"
gcloud organizations add-iam-policy-binding "$1" --member=user:"$2" --role="$i"
else
echo "${ROLE} role set OK on super admin account"
fi
done
}
Result:
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-nc-info)$ ./bootstrap.sh -d sscncinfo -p accelerator-nc-info
seed project id: sscncinfo-seed-project
boostrap project id: accelerator-nc-info
org id: 93413315325
billing id: 01522C-BEE0DC-529989
Updated property [core/project].
checking roles of current account: admin-root@nuage-cloud.info
roles/iam.serviceAccountTokenCreator
ROLE: roles/iam.serviceAccountTokenCreator role set OK on super admin account
roles/resourcemanager.folderAdmin
ROLE: roles/resourcemanager.folderAdmin role set OK on super admin account
roles/resourcemanager.organizationAdmin
ROLE: roles/resourcemanager.organizationAdmin role set OK on super admin account
roles/orgpolicy.policyAdmin
roles/roles/orgpolicy.policyAdmin role missing - setting
Updated IAM policy for organization [93413315325].
auditConfigs:
- auditLogConfigs:
- logType: DATA_WRITE
- logType: DATA_READ
- logType: ADMIN_READ
service: allServices
bindings:
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/accesscontextmanager.policyAdmin
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/bigquery.dataEditor
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
- user:admin-root@nuage-cloud.info
role: roles/billing.admin
- members:
- domain:nuage-cloud.info
- user:admin-root@nuage-cloud.info
role: roles/billing.creator
- members:
- user:admin-root@nuage-cloud.info
role: roles/billing.projectManager
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/billing.user
- members:
- group:billing_data_users@nuage-cloud.info
- group:ssc_broker_users@nuage-cloud.info
role: roles/billing.viewer
- members:
- group:ssc_broker_users@nuage-cloud.info
role: roles/cloudasset.viewer
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/compute.networkAdmin
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/compute.xpnAdmin
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/iam.organizationRoleAdmin
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/iam.serviceAccountAdmin
- members:
- user:admin-root@nuage-cloud.info
role: roles/iam.serviceAccountTokenCreator
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/logging.configWriter
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
- user:admin-root@nuage-cloud.info
role: roles/orgpolicy.policyAdmin
- members:
- user:admin-root@nuage-cloud.info
role: roles/owner
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/pubsub.admin
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
- user:admin-root@nuage-cloud.info
role: roles/resourcemanager.folderAdmin
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
- user:admin-root@nuage-cloud.info
role: roles/resourcemanager.organizationAdmin
- members:
- domain:nuage-cloud.info
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
- user:admin-root@nuage-cloud.info
role: roles/resourcemanager.projectCreator
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/resourcemanager.projectDeleter
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/resourcemanager.projectIamAdmin
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/resourcemanager.projectMover
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/serviceusage.serviceUsageAdmin
- members:
- serviceAccount:tfadmin-sscncinfo@sscncinfo-seed-project.iam.gserviceaccount.com
role: roles/storage.admin
etag: BwXouf6_BgU=
version: 1
roles/resourcemanager.projectCreator
ROLE: roles/resourcemanager.projectCreator role set OK on super admin account
roles/billing.projectManager
ROLE: roles/billing.projectManager role set OK on super admin account
all roles set OK on super admin account: admin-root@nuage-cloud.info - proceeding
admin_root@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/0-bootstrap (accelerator-nc-info)$ ./bootstrap.sh -d sscncinfo -p accelerator-nc-info
seed project id: sscncinfo-seed-project
boostrap project id: accelerator-nc-info
org id: 93413315325
billing id: 01522C-BEE0DC-529989
Updated property [core/project].
checking roles of current account: admin-root@nuage-cloud.info
roles/iam.serviceAccountTokenCreator
ROLE: roles/iam.serviceAccountTokenCreator role set OK on super admin account
roles/resourcemanager.folderAdmin
ROLE: roles/resourcemanager.folderAdmin role set OK on super admin account
roles/resourcemanager.organizationAdmin
ROLE: roles/resourcemanager.organizationAdmin role set OK on super admin account
roles/orgpolicy.policyAdmin
ROLE: roles/orgpolicy.policyAdmin role set OK on super admin account
roles/resourcemanager.projectCreator
ROLE: roles/resourcemanager.projectCreator role set OK on super admin account
roles/billing.projectManager
ROLE: roles/billing.projectManager role set OK on super admin account
all roles set OK on super admin account: admin-root@nuage-cloud.info - proceeding
TL;DR: Shared billing accounts do not get shared IAM roles; they need to be set separately.
See (needs update for shared billing) https://cloud.google.com/billing/docs/how-to/billing-access
Keep in mind that we need a workaround (see #47) for the fact that if the billing account is of type "shared", where it comes in under "No Organization, ID=0", then any service account created will not get inherited links from IAM set in Billing; these, like Billing Account User, need to be set manually.
Example
michael@cloudshell:~$ gcloud config set project gcp-zone-landing-stg
Updated property [core/project].
michael@cloudshell:~ (gcp-zone-landing-stg)$ export PROJECT_ID=$(gcloud config list --format 'value(core.project)')
michael@cloudshell:~ (gcp-zone-landing-stg)$ export ORG_ID=$(gcloud projects get-ancestors $PROJECT_ID --format='get(id)' | tail -1)
michael@cloudshell:~ (gcp-zone-landing-stg)$ export SA_PREFIX=tfsa-example
michael@cloudshell:~ (gcp-zone-landing-stg)$ gcloud iam service-accounts create "${SA_PREFIX}" --display-name "Terraform example service account" --project=${PROJECT_ID}
Created service account [tfsa-example].
michael@cloudshell:~ (gcp-zone-landing-stg)$ export SA_EMAIL=`gcloud iam service-accounts list --project="${PROJECT_ID}" --filter=tfsa --format="value(email)"`
michael@cloudshell:~ (gcp-zone-landing-stg)$ echo $SA_EMAIL
tfsa-example@gcp-zone-landing-stg.iam.gserviceaccount.com
Check existing roles:
michael@cloudshell:~ (gcp-zone-landing-stg)$ gcloud organizations get-iam-policy $ORG_ID --filter="bindings.members:$SA_EMAIL" --flatten="bindings[].members" --format="table(bindings.role)"
Set the billing role:
gcloud organizations add-iam-policy-binding ${ORG_ID} --member=serviceAccount:${SA_EMAIL} --role=roles/billing.user
Check again:
michael@cloudshell:~ (gcp-zone-landing-stg)$ gcloud organizations add-iam-policy-binding ${ORG_ID} --member=serviceAccount:${SA_EMAIL} --role=roles/billing.user
Updated IAM policy for organization [925207728429].
...
michael@cloudshell:~ (gcp-zone-landing-stg)$ gcloud organizations get-iam-policy $ORG_ID --filter="bindings.members:$SA_EMAIL" --flatten="bindings[].members" --format="table(bindings.role)"
ROLE: roles/billing.user
It may take a couple of minutes to show in IAM.
Checking billing on the shared account:
expected on billing accounts belonging to this org (via IAM inheritance in billing)
not expected on billing accounts shared from other orgs
ref https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/issues/177
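The manual step the comment above describes (binding Billing Account User directly on a shared billing account, because an org-level binding is not inherited there) as an added example. This is not the project's own bootstrap code. It assumes `gcloud beta billing accounts describe` reports a `parent` of `organizations/<ORG_ID>` for a billing account owned by this org and something else (or nothing) for a shared one; the `GCLOUD` override and the billing account and service account names in the usage line are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not the project's code: bind the Terraform SA directly on a billing
# account when that account is not under this org (a shared account surfaces under
# "No organization", so org-level IAM such as roles/billing.user is not inherited).
set -eu

# Overridable so the logic can be exercised with a stub instead of a real project (assumption).
GCLOUD="${GCLOUD:-gcloud}"

# Role the thread gives the TF service account on billing: Billing Account User.
BILLING_ROLE="roles/billing.user"

# Roles bound to MEMBER directly on BILLING_ID (not via the org), one per line.
billing_roles_for_member() {
  local billing_id="$1" member="$2"
  "$GCLOUD" beta billing accounts get-iam-policy "$billing_id" \
    --flatten="bindings[].members" --filter="bindings.members:$member" \
    --format="value(bindings.role)"
}

# Pure check: does the newline-separated role list in $1 contain role $2 exactly?
has_role() { printf '%s\n' "$1" | grep -Fxq -- "$2"; }

# Pure check: is the billing account parented by this org? Assumption: describe reports
# parent=organizations/<ORG_ID> for an owned account; a shared/legacy account does not.
billing_account_owned_by_org() {
  local parent="$1" org_id="$2"
  [ "$parent" = "organizations/$org_id" ]
}

# Usage: ensure_billing_user BILLING_ID SA_EMAIL ORG_ID
ensure_billing_user() {
  local billing_id="$1" sa_email="$2" org_id="$3"
  local parent bound
  parent="$("$GCLOUD" beta billing accounts describe "$billing_id" --format='value(parent)')"
  if billing_account_owned_by_org "$parent" "$org_id"; then
    echo "billing account $billing_id is under organizations/$org_id - org-level $BILLING_ROLE is inherited"
    return 0
  fi
  bound="$(billing_roles_for_member "$billing_id" "serviceAccount:$sa_email")"
  if has_role "$bound" "$BILLING_ROLE"; then
    echo "$BILLING_ROLE already bound to $sa_email directly on $billing_id"
    return 0
  fi
  echo "shared billing account: binding $BILLING_ROLE to $sa_email directly on $billing_id"
  "$GCLOUD" beta billing accounts add-iam-policy-binding "$billing_id" \
    --member="serviceAccount:$sa_email" --role="$BILLING_ROLE" >/dev/null
}

# Stand-alone use (constructed names): ./ensure_billing_user.sh --apply 000000-AAAAAA-000000 tfsa-example@example-project.iam.gserviceaccount.com 111111111111
if [ "${1:-}" = "--apply" ]; then
  ensure_billing_user "${2:?billing id}" "${3:?service account email}" "${4:?org id}"
fi
```

The caller needs `billing.accounts.getIamPolicy` and `setIamPolicy` on the billing account itself (Billing Account Administrator), which for a shared account is granted in the owning org's console, not in this org's IAM.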
Before bootstrap.sh (pending PR to add it):
export PROJECT_ID=$(gcloud config list --format 'value(core.project)')
export ORG_ID=$(gcloud projects get-ancestors $PROJECT_ID --format='get(id)' | tail -1)
export EMAIL=$(gcloud config list --format json|jq .core.account | sed 's/"//g')
gcloud organizations add-iam-policy-binding $ORG_ID --member=user:$EMAIL --role=roles/iam.serviceAccountTokenCreator
gcloud organizations add-iam-policy-binding $ORG_ID --member=user:$EMAIL --role=roles/orgpolicy.policyAdmin
gcloud organizations add-iam-policy-binding $ORG_ID --member=user:$EMAIL --role=roles/resourcemanager.folderAdmin
gcloud organizations add-iam-policy-binding $ORG_ID --member=user:$EMAIL --role=roles/resourcemanager.organizationAdmin
gcloud organizations add-iam-policy-binding $ORG_ID --member=user:$EMAIL --role=roles/resourcemanager.projectCreator
gcloud organizations add-iam-policy-binding $ORG_ID --member=user:$EMAIL --role=roles/billing.projectManager
The following roles will be added to the readme and set automatically in bootstrap.sh, to avoid a possible terraform permissions failure if the 6 are not set during bootstrap.sh checking:
(iam.serviceAccountTokenCreator roles/resourcemanager.folderAdmin roles/resourcemanager.organizationAdmin orgpolicy.policyAdmin resourcemanager.projectCreator billing.projectManager )
see https://github.com/canada-ca/accelerators_accelerateurs-gcp/blob/main/deployment-templates/Terraform/guardrails/0-bootstrap/bootstrap.sh#L38
The script currently exits until all roles are set. It should not be the responsibility of the client to add these, as the client may progress to terraform init without the changes.