Granting project creator permission to an SA when there is no organisation

Rik Howard

Jun 2, 2020, 10:41:05 PM
to google-cicp-discussion
Hi

Is it possible to do the above? I'm working through https://cloud.google.com/community/tutorials/managing-gcp-projects-with-terraform. The bit that's tripping me up is the Add organization/folder-level permissions section, where gcloud organizations is used to bind a service account to the resource manager project creator and billing user roles. Thing is, I have no organisation. A work-around for the latter is to use gcloud beta billing accounts set-iam-policy; I haven't found a work-around for the former. Is there a way to introduce this binding without having an organisation?

Best
Rik

P.S. I have checked several pages and tried various things to no avail. Happy to list pages and elaborate on trials, if useful.

Nicholas Elkaim

Jun 4, 2020, 9:05:59 AM
to google-cicp-discussion
Interesting question.

As long as a service account can be granted the project creator role, in theory, it should be able to create projects. However, I found this doc that specifies that "Service accounts are not allowed to create projects outside of an organization", meaning that they must be within an org in order to systematically create projects, as they would need to specify the org.

Full text:
You can use a service account to automate project creation. Like user accounts, service accounts can be granted permission to create projects within an organization. Service accounts are not allowed to create projects outside of an organization and must specify the parent resource when creating a project. Service accounts can create a new project using the gcloud tool or the projects.create() method.

So it looks like even if you could assign the SA the role (perhaps on the billing account) you wouldn't be able to make projects with it.
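The two mechanics discussed in this thread, as an added example that is not code from either poster or from Google: merging a `roles/billing.user` binding into a billing-account IAM policy before handing it to `gcloud beta billing accounts set-iam-policy` (which replaces the whole policy, so existing bindings and the etag must be carried over), and building a `projects.create()` request body that refuses to proceed when a service account caller names no organization or folder parent. The policy document, etag, service-account e-mail and project ids below are constructed samples; the request body follows the Resource Manager v1 shape (`parent: {type, id}`) and no API call is made.

```python
"""Added example (not from the thread): offline helpers for the two steps
the thread discusses.

1. add_binding: merge a member into a role on an IAM policy document,
   preserving other bindings and the etag, so the result is safe to pass to
   `gcloud beta billing accounts set-iam-policy ACCOUNT policy.json`.
2. project_create_body: build a Resource Manager v1 projects.create() body,
   enforcing the documented rule that a service account must specify an
   organization or folder parent.
"""
import copy
import json
from typing import Optional

BILLING_USER_ROLE = "roles/billing.user"

# Constructed sample of what get-iam-policy on a billing account might return.
# The etag is made up; a real one comes from the get call and must be sent back.
SAMPLE_POLICY = {
    "etag": "BwXconstructedEtag=",
    "bindings": [
        {"role": "roles/billing.admin", "members": ["user:owner@example.com"]},
    ],
}
# Constructed service-account member string (hypothetical project id).
SA_MEMBER = "serviceAccount:terraform@example-project.iam.gserviceaccount.com"


def add_binding(policy: dict, role: str, member: str) -> dict:
    """Return a copy of `policy` with `member` granted `role`.

    set-iam-policy overwrites the whole policy, so every existing binding and
    the etag are kept. Re-adding a present member is a no-op (idempotent).
    """
    new_policy = copy.deepcopy(policy)
    bindings = new_policy.setdefault("bindings", [])
    for binding in bindings:
        if binding.get("role") == role:
            members = binding.setdefault("members", [])
            if member not in members:
                members.append(member)
            return new_policy
    bindings.append({"role": role, "members": [member]})
    return new_policy


def project_create_body(project_id: str, display_name: str,
                        parent_type: Optional[str], parent_id: Optional[str],
                        caller_is_service_account: bool) -> dict:
    """Build the JSON body for projects.create() (v1 shape).

    A user may create an org-less project, so the parent is optional for
    them; a service account must name an organization or folder parent.
    """
    body = {"projectId": project_id, "name": display_name}
    if parent_type is None:
        if caller_is_service_account:
            raise ValueError("service accounts cannot create projects outside "
                             "an organization; give an organization or folder parent")
        return body
    if parent_type not in ("organization", "folder") or not parent_id:
        raise ValueError(f"unsupported or incomplete parent: {parent_type!r}")
    body["parent"] = {"type": parent_type, "id": parent_id}
    return body


if __name__ == "__main__":
    # Policy file content you would write out for set-iam-policy.
    print(json.dumps(add_binding(SAMPLE_POLICY, BILLING_USER_ROLE, SA_MEMBER), indent=2))
    # A service account with no parent is refused, matching the quoted doc.
    try:
        project_create_body("demo-123", "Demo", None, None, True)
    except ValueError as err:
        print("refused:", err)
    # With a folder parent (constructed id) the body is built normally.
    print(project_create_body("demo-123", "Demo", "folder", "123456789", True))
```

The merge-then-set pattern matters because `set-iam-policy` is a full replacement: writing a file containing only the new binding would silently strip the existing billing admin. The etag carried in the policy also makes the set call fail if someone changed the policy between your get and set.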