
Adding a whole GCP organization with read/write access

Learn how to use the multi-account feature to connect an entire GCP organization to Uniskai with read/write access.


Start Adding Your GCP Organization Account

To add a GCP organization you need permission to create custom roles at the organization level (for example, the Organization Role Administrator role) and to grant IAM roles on the organization.

Step 1

Skip to Step 6 if you came to this guide from the Connect Your GCP Project page.

Navigate to the ‘Account Manager’ tab and click the ‘Add new account’ button. If you already have multiple accounts, your Account Manager menu will appear as shown in the image below.

Step 2

Click on the ‘Google Cloud Platform’ button.

Step 3

You will be directed to the ‘Connect your GCP project’ page.

Enter a specific account name in the ‘Account Name’ field, or it will default to ‘GCP.’ The name should not exceed 32 characters.

Step 4

Click on the ‘Organization’ button.

Step 5

Choose the Access type (The selected type will be marked with a white dot on a blue background):

  • Read/Write: Enables all functions such as converting to spot, scheduling resources, removing unused resources, and rightsizing your resources.

  • Read-Only: Allows you to view resources and possible actions but restricts the main functionality.

In this manual, we will proceed with the Read-write access type!

With Read/Write selected, the custom role that the setup script creates in your organization looks like this (the YAML format accepted by gcloud iam roles create --file). Besides get and list permissions it contains write permissions, including iam.serviceAccounts.actAs, compute.instances.setServiceAccount, compute.instances.create and compute.instances.setMetadata; granted at organization level, these let the Uniskai principal start instances under any service account in any project, so review the list with your security team before you proceed:

title: Uniskai Service Role
stage: "GA"
includedPermissions:
- appengine.applications.get
- appengine.instances.get
- appengine.instances.list
- appengine.services.get
- appengine.services.list
- appengine.versions.get
- appengine.versions.list
- bigquery.datasets.get
- bigquery.tables.get
- bigquery.tables.list
- bigquery.readsessions.create
- bigquery.readsessions.getData
- bigquery.tables.getData
- bigquery.jobs.create
- bigtable.backups.get
- bigtable.backups.list
- bigtable.clusters.get
- bigtable.clusters.list
- bigtable.instances.get
- bigtable.instances.list
- cloudfunctions.functions.get
- cloudfunctions.functions.list
- cloudfunctions.locations.get
- cloudfunctions.locations.list
- cloudsql.backupRuns.list
- cloudsql.instances.list
- compute.autoscalers.list
- compute.diskTypes.get
- compute.disks.get
- compute.disks.list
- compute.externalVpnGateways.get
- compute.externalVpnGateways.list
- compute.firewalls.get
- compute.firewalls.list
- compute.images.get
- compute.images.list
- compute.instanceGroupManagers.get
- compute.instanceGroupManagers.list
- compute.instanceGroups.get
- compute.instanceGroups.list
- compute.instanceTemplates.get
- compute.instanceTemplates.list
- compute.instances.get
- compute.instances.list
- compute.machineImages.get
- compute.machineImages.list
- compute.machineTypes.get
- compute.networks.get
- compute.networks.list
- compute.regions.list
- compute.routers.get
- compute.routers.list
- compute.routes.get
- compute.routes.list
- compute.snapshots.get
- compute.snapshots.list
- compute.subnetworks.get
- compute.subnetworks.list
- compute.vpnGateways.list
- compute.vpnTunnels.list
- compute.zones.list
- compute.targetVpnGateways.get
- compute.targetVpnGateways.list
- compute.healthChecks.get
- compute.healthChecks.list
- compute.addresses.get
- compute.addresses.list
- compute.globalAddresses.get
- compute.globalAddresses.list
- compute.interconnects.get
- compute.interconnects.list
- compute.interconnectAttachments.get
- compute.interconnectAttachments.list
- compute.forwardingRules.get
- compute.forwardingRules.list
- container.clusters.get
- container.clusters.list
- dns.managedZones.list
- file.backups.list
- file.instances.list
- file.locations.get
- file.locations.list
- memcache.instances.get
- memcache.instances.list
- recommender.locations.get
- recommender.locations.list
- redis.instances.get
- redis.instances.list
- spanner.backups.get
- spanner.backups.list
- spanner.instanceConfigs.get
- spanner.instanceConfigs.list
- spanner.instances.get
- spanner.instances.list
- storage.buckets.get
- storage.buckets.list
- serviceusage.services.list
- resourcemanager.projects.getIamPolicy
- iam.roles.list
- iam.serviceAccounts.list
- iam.serviceAccountKeys.list
- cloudasset.assets.searchAllResources
- compute.instances.listReferrers
- compute.instances.start
- compute.instances.stop
- compute.regions.get
- logging.logEntries.list
- compute.machineImages.create
- compute.machineImages.delete
- compute.instances.setDiskAutoDelete
- compute.instances.delete
- compute.instances.create
- compute.instances.setScheduling
- compute.globalOperations.get
- compute.zoneOperations.get
- compute.disks.createSnapshot
- compute.instances.useReadOnly
- compute.disks.update
- compute.machineImages.useReadOnly
- compute.disks.create
- compute.subnetworks.use
- compute.subnetworks.useExternalIp
- compute.instances.setMetadata
- compute.networks.use
- compute.instances.setLabels
- compute.disks.setLabels
- compute.snapshots.setLabels
- compute.images.setLabels
- compute.forwardingRules.setLabels
- compute.addresses.delete
- compute.disks.delete
- compute.images.delete
- compute.globalAddresses.delete
- compute.instances.setServiceAccount
- iam.serviceAccounts.actAs
- container.operations.get
- container.clusters.update
- storage.buckets.update
- cloudfunctions.functions.update
- compute.addresses.setLabels
- compute.globalAddresses.setLabels
- compute.backendServices.list
- compute.targetPools.list
- eventarc.locations.list
- eventarc.providers.list
- eventarc.triggers.list
- eventarc.triggers.get
- eventarc.triggers.update
- eventarc.channels.list
- cloudkms.locations.list
- cloudkms.keyRings.list
- cloudkms.cryptoKeys.get
- cloudkms.cryptoKeys.list
- cloudkms.cryptoKeys.update
- cloudkms.cryptoKeyVersions.list
- cloudkms.importJobs.list
- monitoring.groups.get
- monitoring.groups.list
- monitoring.alertPolicies.get
- monitoring.alertPolicies.list
- monitoring.alertPolicies.update
- monitoring.notificationChannels.get
- monitoring.notificationChannels.list
- monitoring.notificationChannels.update
- monitoring.notificationChannelDescriptors.list
- monitoring.uptimeCheckConfigs.get
- monitoring.uptimeCheckConfigs.list
- monitoring.uptimeCheckConfigs.update
- monitoring.monitoredResourceDescriptors.list
- monitoring.timeSeries.list
- pubsub.topics.get
- pubsub.topics.list
- pubsub.topics.update
- pubsub.subscriptions.list
- pubsub.subscriptions.get
- pubsub.subscriptions.update
- pubsublite.topics.list
- pubsublite.reservations.list
- pubsublite.subscriptions.get
- pubsublite.subscriptions.list

Step 6

Log in to the Google Cloud console and open Cloud Shell.

Step 7

Select your organization and copy the ID.

Step 8

Copy the command below and replace ORGANIZATION_ID with the organization ID you copied in Step 7. The command downloads Uniskai's create_organization_role.sh and runs it immediately; if your policy does not allow executing a script straight from the network, download it first with curl -o, review it, and then run it with the same organization ID argument.

sh <(curl -s https://uniskai-eu-templates.s3.eu-central-1.amazonaws.com/gcp/create_organization_role.sh?versionId=ZFHODlkrCSRsNgtZkcSYFK0u6aes8u5A) ORGANIZATION_ID

Step 9

Click Authorize to authorize Cloud Shell

Step 10

The script takes a few minutes to complete. You do not need to wait for it: continue with the next steps while it runs.

Step 11

In the side menu or the search field, open the IAM page. Make sure the organization, not an individual project, is selected in the resource picker, then click Grant access.

Step 12

Go back to Uniskai. Click Generate Email and copy it.

Step 13

Return to Google Cloud and paste the generated email into New principals. Assign two roles: Uniskai Service Role (the custom role the script from Step 8 created) and Browser. Then click Save.

in about 15 minutes after you add access to the generated email.
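The following script is an added example written for this guide; it is not Uniskai's create_organization_role.sh and it never contacts GCP. It does two things a practitioner would want before completing Steps 8 to 13: it audits a custom-role YAML like the one above for repeated entries and for permissions worth a second look, and it prints the gcloud commands that reproduce the console steps (create the role in the organization, then bind it and roles/browser to the Uniskai principal). The shortened role YAML is constructed for the example; the review list, the role ID UniskaiServiceRole, the serviceAccount member type and the placeholder principal are the editor's assumptions, not details from the page.

```shell
#!/bin/sh
# Added example for this guide (not Uniskai's create_organization_role.sh):
# review a custom-role YAML before creating it at organization level, then
# print the gcloud equivalents of Steps 8 and 11-13. Nothing here talks to GCP.
set -eu

# Constructed sample: a shortened copy of the read-write role above, including
# the two entries that the full listing repeats.
ROLE_YAML='title: Uniskai Service Role
stage: "GA"
includedPermissions:
- compute.instances.list
- compute.instances.start
- compute.externalVpnGateways.list
- compute.externalVpnGateways.list
- iam.serviceAccounts.actAs
- compute.instances.setServiceAccount
- pubsub.subscriptions.list
- pubsub.subscriptions.list
'

# Editor's review list (an assumption, not from the page): permissions that let
# the holder act as another identity or change existing resources.
SENSITIVE_PERMISSIONS="iam.serviceAccounts.actAs compute.instances.setServiceAccount compute.instances.setMetadata compute.instances.create cloudkms.cryptoKeys.update storage.buckets.update container.clusters.update cloudfunctions.functions.update"

# Print the includedPermissions entries of a role YAML, one per line.
list_permissions() {
  printf '%s\n' "$1" | sed -n 's/^- *//p'
}

# Print entries that occur more than once (each printed once).
find_duplicates() {
  list_permissions "$1" | sort | uniq -d
}

# Print the role's permissions that are on the review list, sorted.
find_sensitive() {
  list_permissions "$1" | sort -u | while read -r perm; do
    case " $SENSITIVE_PERMISSIONS " in
      *" $perm "*) printf '%s\n' "$perm" ;;
    esac
  done
}

# Print (do not run) the gcloud commands that create the role and grant it plus
# roles/browser to the Uniskai principal at organization level. The role ID
# UniskaiServiceRole and the serviceAccount member type are assumptions.
gcloud_commands() {
  org_id="$1"; principal="$2"; role_file="$3"
  printf 'gcloud iam roles create UniskaiServiceRole --organization=%s --file=%s\n' \
    "$org_id" "$role_file"
  printf 'gcloud organizations add-iam-policy-binding %s --member=serviceAccount:%s --role=organizations/%s/roles/UniskaiServiceRole\n' \
    "$org_id" "$principal" "$org_id"
  printf 'gcloud organizations add-iam-policy-binding %s --member=serviceAccount:%s --role=roles/browser\n' \
    "$org_id" "$principal"
}

echo "Duplicate permissions:"
find_duplicates "$ROLE_YAML"
echo "Permissions to review before granting organization-wide:"
find_sensitive "$ROLE_YAML"
echo "Commands (placeholders, not executed):"
gcloud_commands ORGANIZATION_ID uniskai@example.iam.gserviceaccount.com role.yaml
```

To audit the real role, save the full YAML above to a file and pass its contents to find_duplicates and find_sensitive; the printed gcloud commands need the organization ID from Step 7, the email generated in Step 12 and the path to that file.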

How to add billing permissions?

Please refer to this manual.
