英文:
Which permissions are required to edit Organization policies on folder
问题
我正在尝试使用Terraform资源 google_folder_organization_policy,但我只遇到了这个错误:
Error: googleapi: Error 403: 调用者没有权限,被禁止
所以我不确定我缺少哪些权限。
SA的文件夹级别权限包括:
Project IAM Admin, Organisation Administrator, Folder Admin,以及其他与此不太相关的权限。
示例代码:
resource "google_folder_organization_policy" "disable_service_account_creation" {
folder = "1234567890"
constraint = "iam.disableServiceAccountCreation"
restore_policy {
default = true
}
}
英文:
I'm trying to use terraform resource google_folder_organization_policy and I only have this error:
Error: googleapi: Error 403: The caller does not have permission, forbidden
So I'm not sure which permissions I'm missing.
Folder level permissions of SA's are:
Project IAM Admin, Organisation Administrator, Folder Admin, and others but rather not related.
example code:
resource "google_folder_organization_policy" "disable_service_account_creation" {
folder = "1234567890"
constraint = "iam.disableServiceAccountCreation"
restore_policy {
default = true
}
}
答案1
得分: 2
服务帐户必须是“组织策略管理员”。
但要注意这个技巧:您必须在组织级别授予“组织策略管理员”角色。当然,不要在组织本身上授予任何其他权限。然后将文件夹管理员角色授予SA,以允许访问层次结构中的该文件夹级别。
工程团队正在开发一个名为“权限委派”的功能,以避免在顶层授予权限,仅在文件夹/项目级别授予权限。目前没有估计时间,不要指望年底前完成。
英文:
The service account must be "Organization Policy Administrator".
But, take care of this trick: You have to grant the "Organization Policy Administrator" role at the organisation level. Of course, without any other permissions on the organization itself. And then grant the folder admin role to the SA to allow access to that folder level in the hierarchy
The engineering team is working on a feature named Authority Delegation, to avoid the grant at the top level, and only at the folder/project level. No ETA for now, don't expect it by the end of the year.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论