I have recently been reviewing our roles and IAM on our very small (but set up a long time ago) organization on GCP and realized that we don't have any Essential Contacts defined (https://console.cloud.google.com/iam-admin/essential-contacts). I didn't have access to view this.

I went back and completed the foundational setup (https://console.cloud.google.com/cloud-setup - I don't think this existed when I originally signed up) to make sure I had the right groups set up with the right roles/permissions (and that I was a member of them).

But when I go to Essential Contacts and try to click "add Contact", I get a message that I don't have the permissions required.

[Screenshot: Essential Contacts "add contact" button]

So I can go and add this permission to myself individually or some group (that's not my question).

My question is:

  1. Have I actually set up the fundamental groups correctly? (if not, how)
  2. (Assuming I have set them up correctly) why is this permission left out of the roles assigned to the organization admins group ("gcp-organization-admins@DOMAIN"), given that "Organisation administrators have access to administer all resources belonging to the organisation"? In other words, shouldn't an organizational admin already have this permission?

PS I am the owner of this (small) GCP organization.

Tim Diggins

1 Answer

It seems you're using the default role with your created project; it's not recommended to use it. Even if you're the owner of the project and you're unable to create Essential Contacts, it means you are not setting up the fundamental groups correctly.

If you're unable to create Essential Contacts, that means you require the Essential Contacts Admin role. It is recommended that you have at least one additional user with the Security Admin role, with permissions to get and set any IAM policy. This role helps the user to grant anyone the owner role or any other role in the project. The owner role is a legacy role and has a wide range of permissions.

Please refer to the official GCP doc for more information.

Edit:

  1. First, please check whether you are using the correct Organization & Project.

  2. Check whether you have set up your foundation & admin role properly; if so, you will get the result shown in the image below.

If it is not set up properly, you will get the result shown in the image below.

  3. You can check your roles: log in to the console >> click on IAM & Admin >> select IAM >> click on Permissions; then you can view VIEW BY ROLES & VIEW BY PRINCIPALS.

Check whether you have the Essential Contacts Admin role in VIEW BY PRINCIPALS; if it is not there, you are unable to add/view contacts. By default the owner also doesn't have that permission, so add it as below.

You can grant access to the Essential Contacts Admin role as shown in the image below, so that you get permission to add contacts.

Veera Nagireddy
  • Thanks, but I think you may have misunderstood my question (or be just answering a different one). I've updated my question to make it more explicit. – Tim Diggins Feb 10 '23 at 18:47
  • Look at the revised Answer, which may help to resolve your issue. – Veera Nagireddy Feb 13 '23 at 11:17
  • Further edited my answer; check the Edit in the above answer. By default the owner also doesn't have that permission to add, so add the Essential Contacts Admin role as mentioned in the answer. – Veera Nagireddy Feb 21 '23 at 09:44
  • Hello @Tim Diggins, did you have time to check my answer? Did it help you to solve your problem? Please let me know if you have any queries; I am happy to help you further. – Veera Nagireddy Mar 08 '23 at 06:54
  • Thanks for your answer but it didn't really address my questions 1 or 2. – Tim Diggins Mar 09 '23 at 17:43
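
A scripted version of the "VIEW BY PRINCIPALS" check described in the answer, added here as an example (it is not part of the original question or answer, and not Google's code): it reads an organization IAM policy in the JSON shape printed by `gcloud organizations get-iam-policy ORG_ID --format=json` and reports whether a principal is directly bound to `roles/essentialcontacts.admin`. The policy, the `example.com` addresses and the `ORG_ID` placeholder are constructed; only direct organization-level bindings are inspected, so group membership, custom roles and folder or project bindings are not expanded.

```python
import json

# Constructed sample in the shape of
# `gcloud organizations get-iam-policy ORG_ID --format=json` (not real data).
SAMPLE_POLICY = json.loads("""
{"version": 3, "etag": "constructed", "bindings": [
  {"role": "roles/resourcemanager.organizationAdmin",
   "members": ["group:gcp-organization-admins@example.com"]},
  {"role": "roles/owner", "members": ["user:owner@example.com"]},
  {"role": "roles/essentialcontacts.admin",
   "members": ["user:temp-admin@example.com"],
   "condition": {"title": "expires-2023-03-01",
                 "expression": "request.time < timestamp('2023-03-01T00:00:00Z')"}},
  {"role": "roles/essentialcontacts.viewer",
   "members": ["group:gcp-security-admins@example.com"]}
]}
""")

CONTACTS_ADMIN = "roles/essentialcontacts.admin"

def holders(policy, role):
    """Map each member bound to `role` to its condition titles (None = unconditional)."""
    found = {}
    for binding in policy.get("bindings", []):
        if binding.get("role") != role:
            continue
        cond = binding.get("condition")
        title = cond.get("title", "<untitled>") if cond else None
        for member in binding.get("members", []):
            found.setdefault(member, []).append(title)
    return found

def audit(policy, principal):
    """Classify the principal's direct Essential Contacts Admin grant."""
    grants = holders(policy, CONTACTS_ADMIN).get(principal)
    if grants is None:
        return "missing"
    return "unconditional" if None in grants else "conditional"

def grant_command(org_id, principal):
    """Build the org-level grant; --condition=None is needed once a policy has conditions."""
    return (f"gcloud organizations add-iam-policy-binding {org_id} "
            f"--member={principal} --role={CONTACTS_ADMIN} --condition=None")

if __name__ == "__main__":
    for who in ("group:gcp-organization-admins@example.com", "user:temp-admin@example.com"):
        state = audit(SAMPLE_POLICY, who)
        print(f"{who}: {state}")
        if state == "missing":
            print("  fix:", grant_command("ORG_ID", who))
```

A "conditional" result is worth a second look during a role review, since a time-bound grant can lapse and leave nobody able to manage contacts.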