GCP : Custom role based on project Editor not working


mldmld1968

Sep 18, 2018, 1:27:15 PM
to gce-discussion
Hi,

As tags manage which FW rules are applied, I would like to restrict their usage by providing a custom role.

So I would like to create a custom Project Editor role without the right to manage tags.

First I tried to create a custom role at the Renault org level by copying the Editor role without touching the checkboxes of the allowed rights.

Then I applied the custom role to my personal Gmail account to see the effect of the rights. I do that because my professional user is org admin and project owner at the renault.com org level on a project.

With this custom role and my personal account, I can't create a new GCE. I get an error:

com...@developer.gserviceaccount.com'. User: 'xxx...@gmail.com'. Ask a project owner to grant you the iam.serviceAccountUser role on the service account

I don't understand why, as this is a copy of the Editor role. I think Editor and a copy of Editor should give exactly the same rights.

Besides, iam.serviceAccountUser is not listed in the Editor role.

I can create a GCE with my personal account only if I add the Service Account User right on the project to my personal user.

BTW, could you tell me why some roles are checked but not recommended for production use? Others cannot be selected either.
Does it mean these roles are normally included in the Editor role, but not recommended or usable in a custom role?

Thank you


Fady (Google Cloud Platform)

Sep 19, 2018, 7:51:08 PM
to gce-discussion

As you mentioned, when creating a custom role from an existing role, some permissions cannot be replicated. The reasons, as indicated on the page, are:


Not supported in custom roles (supported only in predefined roles)

These permissions cannot be added to custom roles. Instead, you can grant predefined roles that contain the permissions you need. For a list of predefined roles, see the documentation.


Not applicable for project-level custom roles

These permissions can only be added to custom roles at the organization level; they have no effect at the project level or below.


Not recommended for production use

These permissions might be changed in backward-incompatible ways and are not recommended for production use. They are not subject to any SLA or deprecation policy.


The latter simply means that the permissions may change or stop working at any time, and theoretically, if they are part of your custom role and get deprecated, your users may have issues accessing the resource needed at the time without you being alerted. Furthermore, after the sudden issue, you may have trouble pinpointing the permission causing it. Thus, “not recommended for production use” and only for testing. On the other hand, predefined roles get automatically updated, so if a permission gets deprecated, the necessary alternative for accessing the same resource is added.


As for the issue you are encountering, checking the iam.serviceAccountUser role permissions below, the first permission "iam.serviceAccounts.actAs" is not supported in a custom role. Hence, you need to grant the predefined role to your Gmail account.


iam.serviceAccounts.actAs: Not supported
iam.serviceAccounts.get: Testing
iam.serviceAccounts.list: Testing
resourcemanager.projects.get: Supported
resourcemanager.projects.list: Non-applicable


I hope this helps.
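The answer above amounts to a two-step procedure: trim the copied Editor role so it no longer manages tags, then grant the predefined iam.serviceAccountUser role on the service account instead of trying to copy iam.serviceAccounts.actAs into the custom role. The gcloud script below is an added example, not code from the thread or from Google; ORG_ID, PROJECT_ID, SA_EMAIL, USER_EMAIL and the role id editorNoTags are placeholders, and compute.instances.setTags is assumed to be the permission behind the "manage tags" checkbox.

```shell
#!/bin/sh
# Added example (not from the thread): copy roles/editor without the network
# tag permission (tags select which firewall rules apply to an instance), then
# grant the predefined roles/iam.serviceAccountUser on the VM's service account,
# since the answer says iam.serviceAccounts.actAs cannot live in a custom role.
# ORG_ID, PROJECT_ID, SA_EMAIL, USER_EMAIL and editorNoTags are placeholders.
set -e

# Permission that lets a principal change network tags on an existing instance.
TAG_PERMS='compute.instances.setTags'
# Permission the answer lists as "Not supported" in custom roles.
UNSUPPORTED_PERMS='iam.serviceAccounts.actAs'

# Reads one permission per line on stdin and drops the tag-related and the
# unsupported ones. Exact, fixed-string line matches only.
filter_editor_permissions() {
  grep -v -x -F -e "$TAG_PERMS" -e "$UNSUPPORTED_PERMS"
}

# Writes the role definition file consumed by "gcloud iam roles create --file".
# $1 = output path; permissions arrive one per line on stdin.
write_role_file() {
  {
    printf 'title: "Project Editor without tags"\n'
    printf 'description: "roles/editor minus network tag management"\n'
    printf 'stage: "GA"\n'
    printf 'includedPermissions:\n'
    sed 's/^/- /'
  } > "$1"
}

# Only talk to GCP when explicitly asked; the functions above are pure shell.
if [ "${1:-}" = "--apply" ]; then
  # value() joins list fields with ';', so split them into one permission per line.
  gcloud iam roles describe roles/editor --format='value(includedPermissions)' \
    | tr ';' '\n' | filter_editor_permissions | write_role_file editor_no_tags.yaml
  gcloud iam roles create editorNoTags --organization="$ORG_ID" --file=editor_no_tags.yaml
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="user:$USER_EMAIL" --role="organizations/$ORG_ID/roles/editorNoTags"
  # The part a custom role cannot provide: actAs on the service account the VM runs as.
  gcloud iam service-accounts add-iam-policy-binding "$SA_EMAIL" \
    --member="user:$USER_EMAIL" --role=roles/iam.serviceAccountUser
fi
```

Tags can also be supplied in the instance create request, so test with the restricted user whether compute.instances.create alone still lets them set tags on a new VM.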

