Organization Admin somehow doesn't have access to create a folder in GCP?


I'm pretty sure this is an actual bug with GCP at the moment. I'm the Organization Admin for the GCP organization (I've quadruple checked this, and that I'm signed in with the correct account).

But when I go to Manage Resources and try to create a new folder, it doesn't let me select the organization as the location, because I "don't have the required resourcemanager.folders.create permission". If I try to create the folder in a project that's in the organization, I get "Unknown error".

I'm the user who created the organization and all projects in the first place, and the only G-Suite user that even exists on this domain.

2

There are 2 answers

0
John Hanley (BEST ANSWER)

If you review the permissions that Organization Administrator has, resourcemanager.folders.create is not one of them.

IAM Roles

Org Admin by itself has almost infinite power because it can set IAM policies. This means the Org Admin can grant any IAM permission to any identity.

Grant yourself the required role such as roles/resourcemanager.folderAdmin.

Note: I recommend keeping the Org Admin as a separate identity that you lock away and only use to manage the organization. Create separate identities for day-to-day operations, development, and deployment.

1
Marcin Stepien

A quick fix for “You do not have the required "resourcemanager.folders.create" permission to create folders in this location.” at GCP resource manager. With Google Cloud console:

  1. Go to Cloud Resource Manager
  2. Select settings on your organization row, which will land you on https://console.cloud.google.com/iam-admin/settings?organizationId=<your org ID>
  3. Open IAM, add the Folder Admin role to your user account

More at Creating and managing Folders
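The same grant from the command line, as an added example that is not part of either answer: it checks whether an identity already holds `roles/resourcemanager.folderAdmin` on the organization and adds the binding only if it is missing. The function names are hypothetical, and the organization ID and member are placeholders supplied by the caller; the `gcloud organizations` subcommands are the real CLI.

```shell
#!/bin/sh
# Added example: idempotently grant Folder Admin at the organization level.
# Usage: sh grant-folder-admin.sh <ORG_ID> <MEMBER>
#   e.g. sh grant-folder-admin.sh <your org ID> user:ops@example.com  (placeholder values)

ROLE="roles/resourcemanager.folderAdmin"

# Print the roles bound to a member in the organization's IAM policy, one per line.
# The --filter is a pattern match on the member string, so the exact comparison
# is done on the role name in has_org_role below.
org_roles_for_member() {
  gcloud organizations get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.members:$2" \
    --format="value(bindings.role)"
}

# Return 0 if the member holds the role directly on the organization.
# Organization Admin alone does not satisfy this: it can set IAM policy,
# but it does not itself carry resourcemanager.folders.create.
has_org_role() {
  org_roles_for_member "$1" "$2" | grep -Fxq "$3"
}

# Add the Folder Admin binding only when it is missing, so repeated runs
# leave the policy unchanged. Prints "granted" or "unchanged".
ensure_folder_admin() {
  if has_org_role "$1" "$2" "$ROLE"; then
    echo "unchanged"
    return 0
  fi
  gcloud organizations add-iam-policy-binding "$1" \
    --member="$2" --role="$ROLE" --quiet >/dev/null || return 1
  echo "granted"
}

# Run only when both arguments are given, so the file can also be sourced.
if [ "$#" -eq 2 ]; then
  ensure_folder_admin "$1" "$2"
fi
```

Following the note in the first answer, the member passed here can be a separate day-to-day identity rather than the Organization Admin account itself.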