Skip to main content
All CollectionsAdding an account to Uniskai
Adding whole organization of GCP account with read/write access
Adding whole organization of GCP account with read/write access

Learn how to leverage the multi-account feature for GCP read-write

Updated yesterday

You need permission to create roles to add a GCP project!

Step 1

Skip to Step 6 if you came to this guide from the Connect Your GCP Project page.

Navigate to the ‘Account Manager’ tab and click the ‘Add new account’ button. If you already have multiple accounts, your Account Manager menu will appear as shown in the image below.

Step 2

Click on the ‘Google Cloud Platform’ button.

Step 3

You will be directed to the ‘Connect your GCP project’ page.

Enter a specific account name in the ‘Account Name’ field, or it will default to ‘GCP.’ The name should not exceed 32 characters.

Step 4

Click on the ‘Service Project’ button.

Step 5

Choose the Access type (The selected type will be marked with a white dot on a blue background):

  • Read/Write: Enables all functions such as converting to spot, scheduling resources, removing unused resources, and rightsizing your resources.

  • Read-Only: Allows you to view resources and possible actions but restricts the main functionality.

In this manual, we will proceed with the Read-write access type!

This is how the read-write policy appear:

Read-write policy looks like this:

title: Uniskai Service Role

stage: "GA"

includedPermissions:

- appengine.applications.get

- appengine.instances.get

- appengine.instances.list

- appengine.services.get

- appengine.services.list

- appengine.versions.get

- appengine.versions.list

- bigquery.datasets.get

- bigquery.tables.get

- bigquery.tables.list

- bigquery.tables.getData

- bigquery.jobs.create

- bigtable.backups.get

- bigtable.backups.list

- bigtable.clusters.get

- bigtable.clusters.list

- bigtable.instances.get

- bigtable.instances.list

- cloudfunctions.functions.get

- cloudfunctions.functions.list

- cloudfunctions.locations.get

- cloudfunctions.locations.list

- cloudsql.backupRuns.list

- cloudsql.instances.list

- compute.autoscalers.list

- compute.diskTypes.get

- compute.disks.get

- compute.disks.list

- compute.externalVpnGateways.get

- compute.externalVpnGateways.list

- compute.externalVpnGateways.list

- compute.firewalls.get

- compute.firewalls.list

- compute.images.get

- compute.images.list

- compute.instanceGroupManagers.get

- compute.instanceGroupManagers.list

- compute.instanceGroups.get

- compute.instanceGroups.list

- compute.instanceTemplates.get

- compute.instanceTemplates.list

- compute.instances.get

- compute.instances.list

- compute.machineImages.get

- compute.machineImages.list

- compute.machineTypes.get

- compute.networks.get

- compute.networks.list

- compute.regions.list

- compute.routers.get

- compute.routers.list

- compute.routes.get

- compute.routes.list

- compute.snapshots.get

- compute.snapshots.list

- compute.subnetworks.get

- compute.subnetworks.list

- compute.vpnGateways.list

- compute.vpnTunnels.list

- compute.zones.list

- compute.targetVpnGateways.get

- compute.targetVpnGateways.list

- compute.healthChecks.get

- compute.healthChecks.list

- compute.addresses.get

- compute.addresses.list

- compute.globalAddresses.get

- compute.globalAddresses.list

- compute.interconnects.get

- compute.interconnects.list

- compute.interconnectAttachments.get

- compute.interconnectAttachments.list

- compute.forwardingRules.get

- compute.forwardingRules.list

- container.clusters.get

- container.clusters.list

- dns.managedZones.list

- file.backups.list

- file.instances.list

- file.locations.get

- file.locations.list

- memcache.instances.get

- memcache.instances.list

- recommender.locations.get

- recommender.locations.list

- redis.instances.get

- redis.instances.list

- spanner.backups.get

- spanner.backups.list

- spanner.instanceConfigs.get

- spanner.instanceConfigs.list

- spanner.instances.get

- spanner.instances.list

- storage.buckets.get

- storage.buckets.list

- serviceusage.services.list

- resourcemanager.projects.getIamPolicy

- iam.roles.list

- iam.serviceAccounts.list

- iam.serviceAccountKeys.list

- cloudasset.assets.searchAllResources

- compute.instances.listReferrers

- compute.instances.start

- compute.instances.stop

- compute.regions.get

- logging.logEntries.list

- compute.machineImages.create

- compute.machineImages.delete

- compute.instances.setDiskAutoDelete

- compute.instances.delete

- compute.instances.create

- compute.instances.setScheduling

- compute.globalOperations.get

- compute.zoneOperations.get

- compute.disks.createSnapshot

- compute.instances.useReadOnly

- compute.disks.update

- compute.machineImages.useReadOnly

- compute.disks.create

- compute.subnetworks.use

- compute.subnetworks.useExternalIp

- compute.instances.setMetadata

- compute.networks.use

- compute.instances.setLabels

- compute.disks.setLabels

- compute.snapshots.setLabels

- compute.images.setLabels

- compute.forwardingRules.setLabels

- compute.addresses.delete

- compute.disks.delete

- compute.images.delete

- compute.globalAddresses.delete

- compute.instances.setServiceAccount

- iam.serviceAccounts.actAs

- container.operations.get

- container.clusters.update

- storage.buckets.update

- cloudfunctions.functions.update

- compute.addresses.setLabels

- compute.globalAddresses.setLabels

- compute.backendServices.list

- compute.targetPools.list

- eventarc.locations.list

- eventarc.providers.list

- eventarc.triggers.list

- eventarc.triggers.get

- eventarc.triggers.update

- eventarc.channels.list

- cloudkms.locations.list

- cloudkms.keyRings.list

- cloudkms.cryptoKeys.get

- cloudkms.cryptoKeys.list

- cloudkms.cryptoKeys.update

- cloudkms.cryptoKeyVersions.list

- cloudkms.importJobs.list

- monitoring.groups.get

- monitoring.groups.list

- monitoring.alertPolicies.get

- monitoring.alertPolicies.list

- monitoring.alertPolicies.update

- monitoring.notificationChannels.get

- monitoring.notificationChannels.list

- monitoring.notificationChannels.update

- monitoring.notificationChannelDescriptors.list

- monitoring.uptimeCheckConfigs.get

- monitoring.uptimeCheckConfigs.list

- monitoring.uptimeCheckConfigs.update

- monitoring.monitoredResourceDescriptors.list

- monitoring.timeSeries.list

- pubsub.topics.get

- pubsub.topics.list

- pubsub.topics.update

- pubsub.subscriptions.list

- pubsub.subscriptions.get

- pubsub.subscriptions.list

- pubsub.subscriptions.update

- pubsublite.topics.list

- pubsublite.reservations.list

- pubsublite.subscriptions.get

- pubsublite.subscriptions.list

Step 6

Login to GCP and open the Shell console.

Step 7

Select your organization and copy the ID.

Step 8

Copy Run.sh script below. Insert your GCP organization ID instead of “ORGANIZATION_ID”

sh <(curl -s https://gcp-uniskai-eu-templates.s3.eu-central-1.amazonaws.com/create_organization_role.sh) ORGANIZATION_ID

Step 9

Click Authorize to authorize Cloud Shell

Step 10

It takes some time for the script to complete. So, as soon as the script is running, you can continue with the next steps

Step 11

In the side menu or the search field, navigate to the IAM page. Then click Grant access

Step 12

Go back to Uniskai. Click Generate Email and copy it.

Step 13

Return to Google Cloud and paste the generated email into New Principals. Add Uniskai Service Role and Browser Role. Then click Save.

How to add billing permissions?

You need to add billing to each of your billing accounts. For each account, follow the appropriate method for adding billing, which is presented below. Repeat the process for each individual billing account.

Navigate to Billing accounts and click My Projects. Here you see mapping from the project to its billing account.

How to add billing permissions for the project?

You can add billing permissions only if you have access to the GCP root account.

Press on Billing account, then click Billing export

Way 1. Detailed usage cost is enabled on the project of your organization.

If the detailed usage cost is Enabled and your project from your organization – setup is done

Way 2. Detailed usage cost is disabled.

Step 1

If the detailed usage cost is Disabled, click on the Edit settings

Step 2

Select the project in your organization to which the billing will be exported. Then click Create new-dataset.

Step 3

Name the dataset ID and click Create Dataset

Step 4

Click Save. At this stage, the setup is done.

Way 3. Detailed usage cost is enabled, but the project is not from your organization.

Step 1

If the detailed usage cost is Enabled on the different project, click Billing in the Dataset name

Step 2

You will be redirected to the project where the billing export is configured.

Step 3

Open the menu and navigate to IAM

Step 4

Click on Grant access

Step 5

Paste the generated email from Step 12 into New Principals. Add Cloud Asset Viewer
and BigQuery Data Viewer roles. Then Click Save. Setup is done

Let's get back to Uniskai. The accounts will not appear immediately, they will appear in about 15 minutes after you add access to the generated email.

Related Articles
Adding a GCP Account with read-only access
Updating Your GCP Account
Adding whole organization of GCP account with read-only access
Google Cloud Platform. How to configure Cost Exports?
Adding a GCP Account with read/write access
Did this answer your question?