
When I configure the Google Cloud CLI with my credentials, it is able to create a new project and create resources inside it.

But for automation purposes in a pipeline, I am not able to use my credentials, as it will open a webpage and generate a code at runtime.

So I created a service account, and when I ran the Terraform templates (which worked earlier with my credentials), it is giving a forbidden error.

Error 403: You don't have permission to get the role at organizations/6********405/roles/newProjectCreated

The roles describe command below gave the following output.

gcloud iam roles describe roles/resourcemanager.projectIamAdmin

description: Access and administer a project IAM policies.
etag: AA==
includedPermissions:
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.setIamPolicy
name: roles/resourcemanager.projectIamAdmin
stage: GA
title: Project IAM Admin

Please suggest what is missing and what needs to be added to the service account.

1 Answer


The permissions provided to the service account at the organization level are listed here. Check whether you have all the listed permissions.

Make sure your account / the Terraform service account that gets created has sufficient quota to create projects.

Double check that gcloud is configured to run as the user in the org_admins group, and make sure you run gcloud auth login and gcloud auth application-default login as that user. Also check whether the user has roles/resourcemanager.projectCreator, which provides access to create new projects.

Generally, service accounts are created at the project level, and as such they usually can manage resources at the project level. Since you want to manage resources in the organization, you should first add the service account in the organization and assign the required permissions to manage projects; the caller must have a role that includes the following permissions. The role is granted on the organization or folder that contains the projects. To add that, follow Access control for projects with IAM.
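As an added example (not code from the question or the answer above) of the answer's point that the grant has to sit at the organization level rather than on a project, here is a Terraform fragment that gives a pipeline service account the project-creation role there. The org ID, billing account and project IDs are placeholders, and the roles/iam.organizationRoleViewer grant is my assumption about what reading a custom org role (the "get the role" part of the 403) requires.

```hcl
# Added example, not from the question or answer. All IDs are placeholders.
variable "org_id"          { default = "ORG_ID_PLACEHOLDER" }
variable "billing_account" { default = "BILLING_ACCOUNT_PLACEHOLDER" }

# Service account the pipeline authenticates as (via a key file in
# GOOGLE_APPLICATION_CREDENTIALS or workload identity federation), so no
# interactive gcloud auth login is needed at runtime.
resource "google_service_account" "pipeline" {
  project      = "SEED_PROJECT_ID_PLACEHOLDER" # existing project hosting the SA
  account_id   = "tf-pipeline"
  display_name = "Terraform pipeline"
}

# Granted at the ORGANIZATION level: new projects are created under the org,
# so a project-level grant does nothing here. *_iam_member is additive and
# does not overwrite other bindings the way an authoritative *_iam_policy would.
resource "google_organization_iam_member" "project_creator" {
  org_id = var.org_id
  role   = "roles/resourcemanager.projectCreator"
  member = "serviceAccount:${google_service_account.pipeline.email}"
}

# Assumption: reading an org-level custom role such as
# organizations/<ORG>/roles/newProjectCreated needs iam.roles.get, which this
# predefined read-only role includes. Keep it read-only; the pipeline should
# not be able to edit roles.
resource "google_organization_iam_member" "role_viewer" {
  org_id = var.org_id
  role   = "roles/iam.organizationRoleViewer"
  member = "serviceAccount:${google_service_account.pipeline.email}"
}

# Attaching a billing account to the new project needs billing.user on that
# billing account specifically, not on the org.
resource "google_billing_account_iam_member" "billing_user" {
  billing_account_id = var.billing_account
  role               = "roles/billing.user"
  member             = "serviceAccount:${google_service_account.pipeline.email}"
}

# The project the pipeline creates, parented to the org.
resource "google_project" "new" {
  name            = "pipeline-created"
  project_id      = "NEW_PROJECT_ID_PLACEHOLDER"
  org_id          = var.org_id
  billing_account = var.billing_account
  depends_on      = [google_organization_iam_member.project_creator]
}
```

Apply the IAM grants while authenticated as an organization administrator; only then switch the pipeline to the service account and run the project-creating templates.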