需要编辑文件夹上的组织策略需要哪些权限?

huangapple go评论54阅读模式
英文:

Which permissions are required to edit Organization policies on folder

问题

我正在尝试使用Terraform资源 google_folder_organization_policy,但我只遇到了这个错误:
Error: googleapi: Error 403: 调用者没有权限,被禁止

所以我不确定我缺少哪些权限。

SA的文件夹级别权限包括:
Project IAM Admin, Organisation Administrator, Folder Admin,以及其他与此不太相关的权限。

示例代码:

resource "google_folder_organization_policy" "disable_service_account_creation" {
  folder     = "1234567890"
  constraint = "iam.disableServiceAccountCreation"

  restore_policy {
    default = true
  }
}
英文:

I'm trying to use terraform resource google_folder_organization_policy and I only have this error:
Error: googleapi: Error 403: The caller does not have permission, forbidden

So I'm not sure which permissions I'm missing.

Folder level permissions of SA's are:
Project IAM Admin, Organisation Administrator, Folder Admin, and others but rather not related.

example code:

resource "google_folder_organization_policy" "disable_service_account_creation" {
  folder = "1234567890"
  constraint = "iam.disableServiceAccountCreation"

  restore_policy {
    default = true
  }
}

答案1

得分: 2

服务帐户必须是“组织策略管理员”。

但要注意这个技巧:您必须在组织级别授予“组织策略管理员”角色。当然,不要在组织本身上授予任何其他权限。然后将文件夹管理员角色授予SA,以允许访问层次结构中的该文件夹级别。

工程团队正在开发一个名为“权限委派”的功能,以避免在顶层授予权限,仅在文件夹/项目级别授予权限。目前没有估计时间,不要指望年底前完成。

英文:

The service account must be "Organization Policy Administrator".

But, take care of this trick: You have to grant the "Organization Policy Administrator" role at the organisation level. Of course, without any other permissions on the organization itself. And then grant the folder admin role to the SA to allow access to that folder level in the hierarchy

The engineering team is working on a feature named Authority Delegation, to avoid the grant at the top level, and only at the folder/project level. No ETA for now, don't expect it by the end of the year.

huangapple
  • 本文由 发表于 2023年7月12日 20:39:50
  • 转载请务必保留本文链接:https://go.coder-hub.com/76670648.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定