cloud-foundation-fabric/fast/stages/0-bootstrap/IAM.md

# IAM bindings reference

Legend: `+` additive, `•` conditional.

## Organization [org_id #0]

| members | roles |
|---|---|
| **GCP organization domain**<br><small><i>domain</i></small> | roles/browser |
| **gcp-billing-admins**<br><small><i>group</i></small> | roles/billing.admin `+`<br>roles/billing.costsManager `+` |
| **gcp-devops**<br><small><i>group</i></small> | roles/cloudsupport.techSupportEditor<br>roles/logging.viewer<br>roles/monitoring.viewer |
| **gcp-network-admins**<br><small><i>group</i></small> | roles/cloudasset.owner<br>roles/cloudsupport.techSupportEditor<br>roles/compute.orgFirewallPolicyAdmin `+`<br>roles/compute.xpnAdmin `+` |
| **gcp-organization-admins**<br><small><i>group</i></small> | roles/cloudasset.owner<br>roles/cloudsupport.admin<br>roles/compute.osAdminLogin<br>roles/compute.osLoginExternalUser<br>roles/owner<br>roles/resourcemanager.folderAdmin<br>roles/resourcemanager.organizationAdmin<br>roles/resourcemanager.projectCreator<br>roles/billing.admin `+`<br>roles/billing.costsManager `+`<br>roles/orgpolicy.policyAdmin `+` |
| **gcp-security-admins**<br><small><i>group</i></small> | roles/cloudasset.owner<br>roles/cloudsupport.techSupportEditor<br>roles/iam.securityReviewer<br>roles/logging.admin<br>roles/securitycenter.admin<br>roles/accesscontextmanager.policyAdmin `+`<br>roles/iam.organizationRoleAdmin `+`<br>roles/orgpolicy.policyAdmin `+` |
| **prod-bootstrap-0**<br><small><i>serviceAccount</i></small> | roles/logging.admin<br>roles/resourcemanager.organizationAdmin<br>roles/resourcemanager.projectCreator<br>roles/resourcemanager.projectMover<br>roles/billing.admin `+`<br>roles/billing.costsManager `+`<br>roles/iam.organizationRoleAdmin `+` |
| **prod-resman-0**<br><small><i>serviceAccount</i></small> | organizations/[org_id #0]/roles/organizationIamAdmin<br>roles/resourcemanager.folderAdmin<br>roles/resourcemanager.tagAdmin<br>roles/resourcemanager.tagUser<br>roles/billing.admin `+`<br>roles/billing.costsManager `+`<br>roles/orgpolicy.policyAdmin `+` |

## Project prod-audit-logs-0

| members | roles |
|---|---|
| **prod-bootstrap-0**<br><small><i>serviceAccount</i></small> | roles/owner |

## Project prod-billing-exp-0

| members | roles |
|---|---|
| **prod-bootstrap-0**<br><small><i>serviceAccount</i></small> | roles/owner |

## Project prod-iac-core-0

| members | roles |
|---|---|
| **gcp-devops**<br><small><i>group</i></small> | roles/iam.serviceAccountAdmin<br>roles/iam.serviceAccountTokenCreator |
| **gcp-organization-admins**<br><small><i>group</i></small> | roles/iam.serviceAccountTokenCreator<br>roles/iam.workloadIdentityPoolAdmin |
| **SERVICE_IDENTITY_service-networking**<br><small><i>serviceAccount</i></small> | roles/servicenetworking.serviceAgent `+` |
| **prod-bootstrap-0**<br><small><i>serviceAccount</i></small> | roles/owner |
| **prod-bootstrap-1**<br><small><i>serviceAccount</i></small> | roles/logging.logWriter `+` |
| **prod-resman-0**<br><small><i>serviceAccount</i></small> | roles/cloudbuild.builds.editor<br>roles/iam.serviceAccountAdmin<br>roles/iam.workloadIdentityPoolAdmin<br>roles/source.admin<br>roles/storage.admin |
| **prod-resman-1**<br><small><i>serviceAccount</i></small> | roles/logging.logWriter `+` |