
How to Update Permissions for an Existing Manually Connected GCP Account

Updated this week

This guide explains how to update access permissions (Read or Write) for a GCP account connected using the Manual connection method.

To apply the latest configuration, you need to update the existing custom IAM role used for the integration and then refresh the connection in the platform.

Before You Start

You will need:

  • Access to Google Cloud Console

  • Permission to manage IAM custom roles

  • Your Project ID or Organization ID

  • The custom role created during the initial setup of the integration

Step-by-Step Guide

1. Open Google Cloud Console

  • Sign in to Google Cloud Console

  • Select the project used for the connection

2. Open Cloud Shell

Click Activate Cloud Shell

3. Download role templates

Each command below downloads the named role template file from the provided URL and saves it in your current directory. It requests a specific version of the file and will overwrite any existing local file with the same name.

It does not make any changes in your account and does not create resources or modify roles.

Run the following commands:

curl -o full-role-template.yaml \
"https://uniskai-eu-templates.s3.eu-central-1.amazonaws.com/gcp/full-role-template.yaml?versionId=kxI6vglugnYawMdfMjMCBotEhXKUe6Mn"

curl -o role-template.yaml \
"https://uniskai-eu-templates.s3.eu-central-1.amazonaws.com/gcp/role-template.yaml?versionId=du7HFyHAUefOCCV2WMtz_U5rHlvrOCV8"

You only need to download the template that matches the access level you want to apply (Read-only or Read/Write). Downloading both files is optional.

4. Update the existing role

Use the custom role that was created during the initial setup.

The role name may vary depending on your setup.

This step updates the existing custom role you specify by changing its permissions to match the selected access level. It does not create a new role and does not affect any other roles in your environment.

Project level

Change from Read/Write → Read-only

gcloud iam roles update "YOUR_ROLE_ID" \
--project="YOUR_PROJECT_ID" \
--file=role-template.yaml

Change from Read-only → Read/Write

gcloud iam roles update "YOUR_ROLE_ID" \
--project="YOUR_PROJECT_ID" \
--file=full-role-template.yaml

Organization level

Change from Read/Write → Read-only

gcloud iam roles update "YOUR_ROLE_ID" \
--organization="YOUR_ORGANIZATION_ID" \
--file=role-template.yaml

Change from Read-only → Read/Write

gcloud iam roles update "YOUR_ROLE_ID" \
--organization="YOUR_ORGANIZATION_ID" \
--file=full-role-template.yaml

Confirm changes in Cloud Shell

After running the command, you will be prompted to confirm the changes in Cloud Shell.

  • Type Y and press Enter to proceed

  • Confirm again if prompted

Replace:

  • YOUR_ROLE_ID with your custom role name

  • YOUR_PROJECT_ID with your project ID

  • YOUR_ORGANIZATION_ID with your organization ID
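Before confirming the update in step 4, it helps to see exactly which permissions the template would grant or revoke on the existing role. The following is an added example, not part of the original guide or the vendor's tooling: the helper names role_perms and perm_diff, the file name current-role.yaml and the sample permissions are assumptions, and it assumes the templates use the standard role YAML layout with an includedPermissions list that gcloud iam roles update --file expects.

```bash
# Added example (not vendor code): preview what a role template would change.
# role_perms and perm_diff are hypothetical helper names.

# Print the sorted permissions listed under includedPermissions in a role YAML.
role_perms() {
  awk '
    /^includedPermissions:/ { in_list = 1; next }
    in_list && /^[ \t]*-/ {
      sub(/^[ \t]*-[ \t]*/, ""); gsub(/[" \t\r]/, ""); print; next
    }
    in_list && /^[^ \t#]/ { in_list = 0 }
  ' "$1" | LC_ALL=C sort -u
}

# perm_diff CURRENT.yaml TEMPLATE.yaml
# "+" lines would be granted by the update, "-" lines would be revoked.
perm_diff() (
  cur=$(mktemp); new=$(mktemp)
  role_perms "$1" > "$cur"; role_perms "$2" > "$new"
  LC_ALL=C comm -13 "$cur" "$new" | sed 's/^/+ /'
  LC_ALL=C comm -23 "$cur" "$new" | sed 's/^/- /'
  rm -f "$cur" "$new"
)

# In Cloud Shell, export the live role first, for example:
#   gcloud iam roles describe "YOUR_ROLE_ID" --project="YOUR_PROJECT_ID" \
#     --format=yaml > current-role.yaml
#   perm_diff current-role.yaml role-template.yaml

# Constructed sample data so the example runs offline (not the real templates).
demo_dir=$(mktemp -d)
cat > "$demo_dir/current-role.yaml" <<'EOF'
title: Integration Role
stage: GA
includedPermissions:
- compute.instances.list
- compute.instances.start
- compute.instances.stop
- storage.buckets.list
EOF
cat > "$demo_dir/role-template.yaml" <<'EOF'
includedPermissions:
  - compute.instances.list
  - compute.disks.list
  - storage.buckets.list
stage: GA
EOF
perm_diff "$demo_dir/current-role.yaml" "$demo_dir/role-template.yaml"
```

Review any "+" line before typing Y, since it is a permission the integration did not hold before the update.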

5. Refresh the connection in the platform

  • Return to the platform

  • Open your connected GCP account

  • Click Refresh now

6. Verify updated access

  • Navigate to CloudSitter

  • Confirm that:

    • Resources are visible (Read access)

    • Actions are available (Write access)

Expected Result

  • The existing custom role is updated with the required permissions

  • The platform reflects the updated access level after refresh

Notes

  • Always update the existing role; do not create a new one

  • Make sure you are using the correct Project ID or Organization ID

  • Changes will not appear in the platform until you click Refresh now
