Adding a whole GCP organization with read-only access

Learn how to use the multi-account feature to connect an entire GCP organization with read-only access.

Updated over 3 months ago

To add a GCP project, you need permission to create roles!

Step 1

If you came to this guide from the Connect Your GCP Project page, you can skip straight to Step 7.

Navigate to the ‘Account Manager’ tab and click the ‘Add new account’ button. If you already have multiple accounts, your Account Manager menu will appear as shown in the image below.

Step 2

Click on the ‘Google Cloud Platform’ button.

Step 3

You will be directed to the ‘Connect your GCP project’ page.

Step 4

Enter a specific account name in the ‘Account Name’ field, or it will default to ‘GCP.’ The name should not exceed 32 characters.

Step 5

Click on the ‘Service Project’ button.

Step 6

Choose the access type (the selected type is marked with a white dot on a blue background):

  • Read/Write: Enables all functions such as converting to spot, scheduling resources, removing unused resources, and rightsizing your resources.

  • Read-Only: Allows you to view resources and possible actions but restricts the main functionality.

In this manual, we will proceed with the Read-only access type!

This is how the read-only policy appears:

Read-only policy

title: Uniskai Service Role
stage: "GA"
includedPermissions:
- appengine.applications.get
- appengine.instances.get
- appengine.instances.list
- appengine.services.get
- appengine.services.list
- appengine.versions.get
- appengine.versions.list
- bigquery.datasets.get
- bigquery.tables.get
- bigquery.tables.list
- bigquery.tables.getData
- bigquery.jobs.create
- bigtable.backups.get
- bigtable.backups.list
- bigtable.clusters.get
- bigtable.clusters.list
- bigtable.instances.get
- bigtable.instances.list
- cloudfunctions.functions.get
- cloudfunctions.functions.list
- cloudfunctions.locations.get
- cloudfunctions.locations.list
- cloudsql.backupRuns.list
- cloudsql.instances.list
- compute.autoscalers.list
- compute.diskTypes.get
- compute.disks.get
- compute.disks.list
- compute.externalVpnGateways.get
- compute.externalVpnGateways.list
- compute.firewalls.get
- compute.firewalls.list
- compute.images.get
- compute.images.list
- compute.instanceGroupManagers.get
- compute.instanceGroupManagers.list
- compute.instanceGroups.get
- compute.instanceGroups.list
- compute.instanceTemplates.get
- compute.instanceTemplates.list
- compute.instances.get
- compute.instances.list
- compute.machineImages.get
- compute.machineImages.list
- compute.machineTypes.get
- compute.networks.get
- compute.networks.list
- compute.regions.list
- compute.routers.get
- compute.routers.list
- compute.routes.get
- compute.routes.list
- compute.snapshots.get
- compute.snapshots.list
- compute.subnetworks.get
- compute.subnetworks.list
- compute.vpnGateways.list
- compute.vpnTunnels.list
- compute.zones.list
- compute.targetVpnGateways.get
- compute.targetVpnGateways.list
- compute.healthChecks.get
- compute.healthChecks.list
- compute.addresses.get
- compute.addresses.list
- compute.globalAddresses.get
- compute.globalAddresses.list
- compute.interconnects.get
- compute.interconnects.list
- compute.interconnectAttachments.get
- compute.interconnectAttachments.list
- compute.forwardingRules.get
- compute.forwardingRules.list
- container.clusters.get
- container.clusters.list
- dns.managedZones.list
- file.backups.list
- file.instances.list
- file.locations.get
- file.locations.list
- memcache.instances.get
- memcache.instances.list
- recommender.locations.get
- recommender.locations.list
- redis.instances.get
- redis.instances.list
- spanner.backups.get
- spanner.backups.list
- spanner.instanceConfigs.get
- spanner.instanceConfigs.list
- spanner.instances.get
- spanner.instances.list
- storage.buckets.get
- storage.buckets.list
- serviceusage.services.list
- resourcemanager.projects.getIamPolicy
- iam.roles.list
- iam.serviceAccounts.list
- iam.serviceAccountKeys.list
- cloudasset.assets.searchAllResources
- compute.instances.listReferrers
- compute.instances.setServiceAccount
- iam.serviceAccounts.actAs
- compute.backendServices.list
- compute.targetPools.list
- eventarc.locations.list
- eventarc.providers.list
- eventarc.triggers.list
- eventarc.triggers.get
- eventarc.channels.list
- cloudkms.locations.list
- cloudkms.keyRings.list
- cloudkms.cryptoKeys.get
- cloudkms.cryptoKeys.list
- cloudkms.cryptoKeyVersions.list
- cloudkms.importJobs.list
- monitoring.groups.get
- monitoring.groups.list
- monitoring.alertPolicies.get
- monitoring.alertPolicies.list
- monitoring.notificationChannels.get
- monitoring.notificationChannels.list
- monitoring.notificationChannelDescriptors.list
- monitoring.uptimeCheckConfigs.get
- monitoring.uptimeCheckConfigs.list
- monitoring.monitoredResourceDescriptors.list
- monitoring.timeSeries.list
- pubsub.topics.get
- pubsub.topics.list
- pubsub.subscriptions.list
- pubsub.subscriptions.get
- pubsublite.topics.list
- pubsublite.reservations.list
- pubsublite.subscriptions.get
- pubsublite.subscriptions.list
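The list above is labelled read-only, but in GCP a permission's last segment (its verb) is what decides whether it can change anything. The following Python script is an added example, not part of the Uniskai guide or of the script the guide runs: it parses a role definition in the shape shown above, reports duplicate entries, and separates metadata reads from data reads and from permissions whose verb is not a read verb. The embedded role text is a constructed excerpt of the list above, not the full role; run the script against the full definition before creating the role to see exactly what the principal will be able to do.

```python
"""Audit a GCP custom-role definition for permissions that are not read-only.

Added example, not part of the Uniskai guide. It parses the
`includedPermissions` list of a role YAML without external libraries,
reports duplicate entries and flags every permission whose verb is not
a read verb.
"""
from collections import Counter

# Constructed excerpt of the guide's role definition (the real list is longer).
ROLE_YAML = """\
title: Uniskai Service Role
stage: "GA"
includedPermissions:
- appengine.applications.get
- bigquery.tables.getData
- bigquery.jobs.create
- compute.externalVpnGateways.list
- compute.externalVpnGateways.list
- compute.instances.list
- compute.instances.listReferrers
- compute.instances.setServiceAccount
- iam.serviceAccounts.actAs
- resourcemanager.projects.getIamPolicy
- cloudasset.assets.searchAllResources
"""

# Verbs that only read configuration or metadata. `getData` is a read too,
# but it returns stored data rather than metadata, so it is reported separately.
READ_VERBS = {"get", "list", "getIamPolicy", "listReferrers", "searchAllResources"}
DATA_READ_VERBS = {"getData"}


def parse_role(text):
    """Return (title, permissions) from a minimal role YAML.

    Only flat `key: value` lines and the `- item` list under
    `includedPermissions` are understood, which is all this role uses.
    """
    title = None
    perms = []
    in_list = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("- ") and in_list:
            perms.append(line[2:].strip())
        elif line.startswith("includedPermissions:"):
            in_list = True
        else:
            in_list = False
            key, _, value = line.partition(":")
            if key.strip() == "title":
                title = value.strip()
    return title, perms


def find_duplicates(perms):
    """Permissions that appear more than once in the list."""
    return sorted(p for p, n in Counter(perms).items() if n > 1)


def classify(perms):
    """Split permissions into metadata reads, data reads and everything else.

    A GCP permission is `service.resource.verb`; the verb decides what it allows.
    """
    reads, data_reads, others = [], [], []
    for p in dict.fromkeys(perms):  # dedupe while keeping order
        verb = p.rsplit(".", 1)[-1]
        if verb in READ_VERBS:
            reads.append(p)
        elif verb in DATA_READ_VERBS:
            data_reads.append(p)
        else:
            others.append(p)
    return reads, data_reads, others


def audit(text):
    """Summarise a role definition as a dict a reviewer can act on."""
    title, perms = parse_role(text)
    reads, data_reads, others = classify(perms)
    return {
        "title": title,
        "total": len(perms),
        "metadata_reads": len(reads),
        "duplicates": find_duplicates(perms),
        "data_reads": data_reads,
        "not_read_only": others,
    }


if __name__ == "__main__":
    report = audit(ROLE_YAML)
    print(f"{report['title']}: {report['total']} permissions, "
          f"{report['metadata_reads']} metadata reads")
    for key in ("duplicates", "data_reads", "not_read_only"):
        for p in report[key]:
            print(f"  {key}: {p}")
```

On the excerpt the script reports one duplicate (compute.externalVpnGateways.list), one data read (bigquery.tables.getData) and three permissions whose verb is not a read verb (bigquery.jobs.create, compute.instances.setServiceAccount, iam.serviceAccounts.actAs), all of which appear in the list above. Whether those belong in a role you treat as read-only is a decision for the account owner; the script only makes the question visible before the role is created.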

Step 7

Login to GCP and open the Shell console.

Step 8

Select your organization and copy the ID.

Step 9

Copy the command below and run it in Cloud Shell, replacing “ORGANIZATION_ID” with your GCP organization ID. The command pipes a remotely hosted script straight into sh; if your policy requires reviewing scripts before execution, download it first, read it, and then run the local copy with the same arguments.

sh <(curl -s https://gcp-uniskai-eu-templates.s3.eu-central-1.amazonaws.com/create_organization_role.sh) ORGANIZATION_ID read

Step 10

Click Authorize to authorize Cloud Shell.

Step 11

The script takes some time to complete. You do not need to wait for it: as soon as it is running, you can continue with the next steps.

Step 12

In the side menu or the search field, navigate to the IAM page. Then click Grant access.

Step 13

Go back to Uniskai. Click Generate Email and copy it.

Step 14

Return to Google Cloud and paste the generated email into New principals. Add the Uniskai Service Role and the Browser role, then click Save.
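After saving, it is worth confirming that the generated principal holds exactly the two roles from this step and nothing else. The Python below is an added example, not part of the Uniskai guide: it reads an IAM policy in the JSON form that `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json` (or the `gcloud projects` equivalent) prints and reports roles that are missing or surplus for the principal. The sample policy is constructed, the e-mail is a placeholder, and the custom role id (UNISKAI_ROLE_ID) is a placeholder for whatever id the guide's script created; the principal is assumed to be a service account, so its member string uses the `serviceAccount:` prefix.

```python
"""Check which roles a principal holds in a GCP IAM policy.

Added example, not from the Uniskai guide. The policy shape matches
`gcloud organizations get-iam-policy ORG_ID --format=json`.
"""
import json

# Placeholders: substitute the e-mail generated in Step 13 and the
# custom role id the guide's script created in your organization.
PRINCIPAL = "serviceAccount:uniskai-PLACEHOLDER@example.iam.gserviceaccount.com"
EXPECTED_ROLES = {
    "roles/browser",
    "organizations/ORGANIZATION_ID/roles/UNISKAI_ROLE_ID",
}

# Constructed sample policy: the principal holds both expected roles,
# plus an Editor binding that should not be there.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/browser",
         "members": [PRINCIPAL, "user:admin@example.com"]},
        {"role": "organizations/ORGANIZATION_ID/roles/UNISKAI_ROLE_ID",
         "members": [PRINCIPAL]},
        {"role": "roles/editor",
         "members": [PRINCIPAL]},
        {"role": "roles/owner",
         "members": ["user:admin@example.com"]},
    ],
    "etag": "BwX-constructed",
    "version": 1,
})


def roles_for_member(policy_json, member):
    """Return the set of roles bound to `member` in the policy.

    Conditional bindings are included; the condition title is appended so a
    reviewer can see that the grant is not unconditional.
    """
    policy = json.loads(policy_json)
    roles = set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        role = binding["role"]
        condition = binding.get("condition")
        if condition:
            role = f"{role} (condition: {condition.get('title', 'untitled')})"
        roles.add(role)
    return roles


def check_bindings(policy_json, member, expected):
    """Return (missing, extra): expected roles the member lacks, and
    roles the member holds beyond the expected set."""
    held = roles_for_member(policy_json, member)
    return sorted(expected - held), sorted(held - expected)


if __name__ == "__main__":
    missing, extra = check_bindings(SAMPLE_POLICY, PRINCIPAL, EXPECTED_ROLES)
    print("missing:", missing or "none")
    print("extra:  ", extra or "none")
```

To check a real organization, replace SAMPLE_POLICY with the output of the gcloud command above (for example by reading it from a file) and set PRINCIPAL and EXPECTED_ROLES to your values; an empty `extra` list confirms the principal has only what this step grants.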

How to add billing permissions?

Billing permissions must be granted for each of your billing accounts. For each account, follow whichever of the methods below applies, and repeat the process for every billing account.

Navigate to Billing accounts and click My Projects. Here you see the mapping from each project to its billing account.

How to add billing permissions for the project?

You can add billing permissions only if you have access to the GCP root account.

Click the billing account, then click Billing export.

Way 1. Detailed usage cost is enabled on a project in your organization

If detailed usage cost is Enabled and the export project belongs to your organization, the setup is done.

Way 2. Detailed usage cost is disabled.

Step 1

If detailed usage cost is Disabled, click Edit settings.

Step 2

Select the project in your organization to which the billing data will be exported, then click Create new dataset.

Step 3

Enter a dataset ID and click Create Dataset.

Step 4

Click Save. At this stage, the setup is done.

Way 3. Detailed usage cost is enabled, but the project is not in your organization

Step 1

If detailed usage cost is Enabled on a project outside your organization, click the Billing link in the Dataset name field.

Step 2

You will be redirected to the project where the billing export is configured.

Step 3

Open the menu and navigate to IAM.

Step 4

Click Grant access.

Step 5

Paste the email generated in Step 13 into New principals. Add the Cloud Asset Viewer and BigQuery Data Viewer roles, then click Save. The setup is done.

Now return to Uniskai. The accounts will not appear immediately; they appear about 15 minutes after you grant access to the generated email.
