Permissions required by setup-sa.sh not documented #192

Closed
chrislovecnm opened this issue May 3, 2019 · 5 comments
Labels
bug Something isn't working good first issue Good for newcomers

Comments


chrislovecnm commented May 3, 2019

I have a user that does not have the correct permissions to run the setup-sa.sh script. The documentation does not tell me what permissions I need in order to run this script. Here is my error:

 $ ./helpers/setup-sa.sh my-org my-project
Verifying organization...
Verifying project...
Skipping billing account verification... (parameter not passed)
Creating Seed Service Account...
Created service account [project-factory-6999].
Downloading key to credentials.json...
Applying permissions for org org-number and project chlove-baseproject...
ERROR: (gcloud.organizations.add-iam-policy-binding) User [[email protected]] does not have permission to access organization [org-number:getIamPolicy] (or it may not exist): The caller does not have permission

I removed org number and project id for security's sake.

What permissions does the user need to run the setup-sa.sh script?

@aaron-lane aaron-lane added the bug Something isn't working label May 3, 2019
@morgante
Contributor

morgante commented May 3, 2019

I believe Organization Admin should be sufficient; we should add this under the script helper documentation.

@aaron-lane aaron-lane changed the title Unable to run setup-sa.sh script Permissions required by setup-sa.sh not documented May 3, 2019
@aaron-lane aaron-lane added the good first issue Good for newcomers label May 3, 2019
@chrislovecnm
Author

Many ops people will not have .org admin. Do we know the perms?

@morgante
Contributor

morgante commented May 3, 2019

I believe the org permissions required are:

  • resourcemanager.organizations.get
  • resourcemanager.organizations.getIamPolicy
  • resourcemanager.organizations.setIamPolicy

Additional perms are required on the seed project.
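
A preflight check for the three organization-level permissions listed in the comment above, added here as an example; it is not part of the thread or of the project's scripts. It assumes gcloud and curl are installed, that the first argument is the numeric organization ID, and the function names are illustrative; the seed-project permissions are not covered.

```shell
#!/bin/sh
# Added example, not from the project: preflight check for the org-level
# permissions listed in this thread. Assumes gcloud and curl are installed
# and the caller is already authenticated with gcloud.

REQUIRED_ORG_PERMS="resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.organizations.setIamPolicy"

# Build the JSON body for the organizations.testIamPermissions API call.
build_request() {
  sep=''
  printf '{"permissions":['
  for p in $REQUIRED_ORG_PERMS; do
    printf '%s"%s"' "$sep" "$p"
    sep=','
  done
  printf ']}'
}

# Print every required permission that the API response ($1) does not grant.
# The surrounding quotes keep ".get" from matching ".getIamPolicy". An error
# body grants nothing, so all three are reported (the check fails closed).
missing_perms() {
  for p in $REQUIRED_ORG_PERMS; do
    printf '%s' "$1" | grep -qF "\"$p\"" || printf '%s\n' "$p"
  done
}

# Ask Resource Manager which permissions the caller holds on organization $1.
check_org() {
  token="$(gcloud auth print-access-token)" || return 2
  response="$(curl -sS -X POST \
    -H "Authorization: Bearer ${token}" \
    -H "Content-Type: application/json" \
    -d "$(build_request)" \
    "https://cloudresourcemanager.googleapis.com/v1/organizations/${1}:testIamPermissions")" || return 2
  missing="$(missing_perms "$response")"
  if [ -n "$missing" ]; then
    printf 'Missing on organization %s:\n%s\n' "$1" "$missing" >&2
    return 1
  fi
  echo "Caller holds all three org-level permissions."
}

# Run the live check only when an organization ID is given as an argument.
if [ -n "${1:-}" ]; then check_org "$1"; fi
```

Running it before setup-sa.sh reports which of the three permissions the current gcloud identity lacks, without changing any IAM policy.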

@aaron-lane
Contributor

@chrislovecnm can you please confirm if these permissions were sufficient to unblock your user?

@chrislovecnm
Author

Have not had a chance to validate

aaron-lane added a commit that referenced this issue Jul 8, 2019
Fixes #192 Permissions required by setup-sa.sh not documented