Managing multiple clusters and projects

A Config Connector installation has a system service account and role on your project. If you want to manage other projects you need to grant permissions for:

  • Another project
  • A Folder
  • An Organization

This topic explains how to grant Config Connector permissions at each of these levels.

Selecting an appropriate IAM role

Config Connector can only manage resources with the permissions it has. The most powerful Google Cloud IAM role, roles/owner, is used in the examples in this topic. To limit Config Connector's permissions, use a less permissive role such as roles/editor.

Managing another project with Config Connector

To allow Config Connector to manage another project's resources, run the following command:

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member serviceAccount:cnrm-system@INSTALL_PROJECT_ID.iam.gserviceaccount.com \
  --role roles/owner

Replace the following:

  • PROJECT_ID with your new project ID
  • INSTALL_PROJECT_ID with the project ID used during installation
  • roles/owner with the appropriate role

Managing all projects in an IAM Folder

To expand Config Connector's permissions so it can manage all projects and folders in a given folder, run the following command:

gcloud resource-manager folders add-iam-policy-binding FOLDER_ID \
  --member serviceAccount:cnrm-system@INSTALL_PROJECT_ID.iam.gserviceaccount.com \
  --role roles/owner

Replace the following:

  • FOLDER_ID with your Folder ID
  • INSTALL_PROJECT_ID with the project used during installation
  • roles/owner with the appropriate role

Managing all projects in an IAM Organization

To expand Config Connector's permissions so it can manage all projects and folders for a given organization, run the following command:

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member serviceAccount:cnrm-system@INSTALL_PROJECT_ID.iam.gserviceaccount.com \
  --role roles/owner

Replace the following:

  • ORGANIZATION_ID with your Organization ID, and
  • INSTALL_PROJECT_ID with the project ID used during installation
  • roles/owner with the appropriate role

Preventing resource contention

Config Connector has built-in resource contention prevention when managing resources across multiple Google Cloud projects, folders, or organizations. For more information, see Managing conflicts with multiple Config Connector instances.