FAST: Clear default resourcemanager.projectCreator and billing.admin authoritatively at the root of the org #1220
Comments
|
projectCreator is already managed authoritatively. We only have to do the same for roles/billing.creator |
juliocc
added a commit
that referenced
this issue
Mar 7, 2023
By default new orgs grant billing.creator and resourcemanager.projectCreator to the whole domain[1]. This PR makes FAST remove the former binding during the bootstrap (the latter is already managed by FAST). Fixes #1220 [1] https://cloud.google.com/resource-manager/docs/default-access-control
juliocc
added a commit
that referenced
this issue
Mar 7, 2023
By default new orgs grant billing.creator and resourcemanager.projectCreator to the whole domain[1]. This PR makes FAST remove the former binding during the bootstrap (the latter is already managed by FAST). Fixes #1220 [1] https://cloud.google.com/resource-manager/docs/default-access-control
lcaggio
pushed a commit
that referenced
this issue
May 5, 2023
By default new orgs grant billing.creator and resourcemanager.projectCreator to the whole domain[1]. This PR makes FAST remove the former binding during the bootstrap (the latter is already managed by FAST). Fixes #1220 [1] https://cloud.google.com/resource-manager/docs/default-access-control
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
For tracking: on freshly created GCP organizations, there's a default "domain:" level binding at the root of the org for the roles resourcemanager.projectCreator and billing.admin. FAST should authoritatively manage these roles, removing these default (explicit) grants.
The text was updated successfully, but these errors were encountered: