Project IAM Admin in GCP can change or remove owner?

Viewed 311 times
7 replies
3

I hired someone to temporarily work in my project hosted in GCP (Google Cloud Platform), he requested to have the Project IAM Admin role.

I want him to be able to create, delete, and edit new users, but not change the existing users. Is that possible? Will this person be able to create/remove/edit owner roles with the Project IAM Admin? I would like to know what is the best approach regarding the security/permissions in this case.


79027879
0

I mean, given how important account ownership is wouldn't it be better to ask a google employee who specializes in this than randoms on the internet?

79034789
2

Yes, in Google Cloud Platform (GCP), a Project IAM Admin has the ability to change or remove the owner of a project. The Project IAM Admin role (roles/resourcemanager.projectIamAdmin) grants full control over Identity and Access Management (IAM) policies for a project, including the ability to:

  1. Assign and remove roles, including the Owner role (roles/owner).

  2. Modify IAM policies, meaning they can add or revoke permissions for any user, including owners.

  3. View and manage all roles and permissions for the project.

Thus, a Project IAM Admin can either:

  • Add a new owner by assigning the Owner role to another user.

  • Remove an existing owner by revoking the Owner role from the current user(s).

However, a Project IAM Admin cannot delete the last remaining owner, as GCP requires at least one owner per project to maintain project management access.

Caution

It’s important to ensure that the removal of an owner does not lock out essential users from critical project management capabilities, as the Owner role also grants permissions to manage billing and set IAM policies.
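The answer above turns on one fact: any principal holding Owner or Project IAM Admin can rewrite the project policy, Owner bindings included. The script below is an added example, not code from the thread or from Google; it reads a policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns (the policy embedded here is constructed, the e-mail addresses are placeholders) and reports who owns the project, who can change the owners, and whether only a single owner is left.

```python
"""Audit a GCP project IAM policy for principals who can change ownership.

Added example, not from the original thread. Input is the JSON that
`gcloud projects get-iam-policy PROJECT --format=json` prints; the policy
below is constructed for illustration and names no real project.
"""
import json
from collections import defaultdict

# Roles whose holders can add or remove roles/owner bindings: Owner itself,
# and Project IAM Admin as explained in the answer above. Both carry
# resourcemanager.projects.setIamPolicy.
POLICY_EDITING_ROLES = {
    "roles/owner",
    "roles/resourcemanager.projectIamAdmin",
}

# Constructed sample policy (placeholder principals, not a real project).
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/resourcemanager.projectIamAdmin",
     "members": ["user:contractor@example.com"]},
    {"role": "roles/viewer",
     "members": ["user:bob@example.com", "group:readers@example.com"]},
    {"role": "roles/iam.roleAdmin", "members": ["user:contractor@example.com"]}
  ],
  "etag": "BwXyZ=",
  "version": 1
}
"""


def roles_by_member(policy: dict) -> dict:
    """Invert the bindings list into member -> set of roles."""
    out = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out[member].add(binding["role"])
    return dict(out)


def owners(policy: dict) -> set:
    """Members holding roles/owner."""
    return {m for m, r in roles_by_member(policy).items() if "roles/owner" in r}


def can_change_owners(policy: dict) -> set:
    """Members holding any role that lets them rewrite the project policy."""
    return {m for m, r in roles_by_member(policy).items()
            if r & POLICY_EDITING_ROLES}


def audit(policy: dict) -> dict:
    """Summarise: owners, everyone who can edit ownership, the non-owners
    among them, and whether the project is down to its last owner."""
    own = owners(policy)
    editors = can_change_owners(policy)
    return {
        "owners": sorted(own),
        "can_change_owners": sorted(editors),
        "non_owner_policy_editors": sorted(editors - own),
        "single_owner": len(own) == 1,
    }


def audit_json(policy_text: str) -> dict:
    """Convenience wrapper for the raw gcloud JSON output."""
    return audit(json.loads(policy_text))


if __name__ == "__main__":
    print(json.dumps(audit_json(SAMPLE_POLICY_JSON), indent=2))
```

Run it against `gcloud projects get-iam-policy PROJECT --format=json > policy.json` output by passing the file contents to `audit_json`; the `non_owner_policy_editors` list is the set of people who, like the contractor in the question, can add or remove owners without being one, and `single_owner` flags the situation where the "last remaining owner" guard is the only thing standing between the project and a lock-out.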

79126024
0

You probably did hire the person to carry out a task on contract, which means they would work on the project for a while. Following the principle of least privilege, you should only grant the user the necessary permissions they need to carry out their task & nothing more. You should create a group for this, and assign the user to that group.


79246371
1

Yes, they'll be able to create, delete, edit new users as well as change existing users.

Two things that you can do here are,

  1. Instead of granting the Project IAM Admin role, create a custom role with specific permissions that align with the tasks the person needs to perform.

  2. Grant this permission - roles/resourcemanager.projectIamAdmin, this will allow users to add new roles.

  3. Exclude permissions such as resourcemanager.projects.setIamPolicy to prevent editing existing roles/policies.

All the best!

79287666
1

Hello @Tito

If you want your new coworker to only create and delete IAM roles, you can basically create a new custom role with the necessary permissions, say:

go to IAM -> Roles -> create role

  • iam.roles.create

  • iam.roles.delete

and assign the custom role to the co-worker.

    e.g. of available roles:

    • iam.roles.create

    • iam.roles.delete

    • iam.roles.get

    • iam.roles.list

    • iam.roles.undelete

    • iam.roles.update

    • resourcemanager.projects.get

    • resourcemanager.projects.getIamPolicy
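The two answers above (create a custom role, and keep resourcemanager.projects.setIamPolicy out of it) can be turned into a repeatable step. The following script is an added example, not from the thread or from Google: it assembles a role definition in the file format that `gcloud iam roles create ROLE_ID --project PROJECT --file role.yaml` accepts (title, description, stage, includedPermissions), seeded with the permission list from the answer above, and refuses to emit a role that carries the policy-writing permission. The role title and description are made up for the example.

```python
"""Build a constrained custom-role definition for `gcloud iam roles create`.

Added example, not from the thread. Output is the YAML file format that
`gcloud iam roles create ROLE_ID --project PROJECT --file role.yaml` reads.
"""
import json
from typing import Iterable, List

# Permissions that let the holder rewrite the project IAM policy (and so
# add or remove Owner bindings). setIamPolicy is the one named in the thread.
POLICY_WRITE_PERMISSIONS = {
    "resourcemanager.projects.setIamPolicy",
}

# The permission list given in the answer above for a role that only
# manages custom roles.
ROLE_MANAGEMENT_PERMISSIONS = [
    "iam.roles.create", "iam.roles.delete", "iam.roles.get", "iam.roles.list",
    "iam.roles.undelete", "iam.roles.update",
    "resourcemanager.projects.get", "resourcemanager.projects.getIamPolicy",
]


class UnsafePermission(ValueError):
    """Raised when a requested permission would allow policy rewrites."""


def blocked_permissions(permissions: Iterable[str]) -> List[str]:
    """Return the subset of `permissions` that must never go into the role."""
    return sorted(p for p in set(permissions) if p in POLICY_WRITE_PERMISSIONS)


def build_custom_role(title: str, description: str,
                      permissions: Iterable[str], stage: str = "GA") -> dict:
    """Return the role body, de-duplicated and sorted, or raise if it would
    include a permission that lets the holder edit the project IAM policy."""
    blocked = blocked_permissions(permissions)
    if blocked:
        raise UnsafePermission(f"refusing policy-writing permissions: {blocked}")
    return {
        "title": title,
        "description": description,
        "stage": stage,
        "includedPermissions": sorted(set(permissions)),
    }


def to_yaml(role: dict) -> str:
    """Serialise without PyYAML. JSON string literals are valid YAML scalars,
    so json.dumps handles quoting of the free-text fields."""
    lines = [
        f"title: {json.dumps(role['title'])}",
        f"description: {json.dumps(role['description'])}",
        f"stage: {role['stage']}",
        "includedPermissions:",
    ]
    lines += [f"- {p}" for p in role["includedPermissions"]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Hypothetical title/description; write the result to role.yaml and pass
    # it to `gcloud iam roles create` for the project in question.
    role = build_custom_role("Custom role manager",
                             "Create, update and delete custom roles only",
                             ROLE_MANAGEMENT_PERMISSIONS)
    print(to_yaml(role), end="")
```

Because `build_custom_role` raises rather than silently dropping the offending permission, a reviewer who later adds `resourcemanager.projects.setIamPolicy` to the list gets an error at build time instead of a role that quietly grants the same reach as Project IAM Admin.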

79443069
0

Hi, granting Project IAM Admin to an account gives it full control over IAM in your project. You can create a custom role with specific permissions, but there's no setting to differentiate actions on new vs. existing accounts.

A possible workaround is to create a separate GCP project (free of charge) and assign IAM Admin there. However, depending on the service, permissions for accessing resources in your main project may behave differently.

79447847
0

I'm not sure however a collaborative admin would be handy... throw it out to GCP they probably know your pain