Managing multiple projects with Config Connector

A Config Connector installation creates a system service account that holds a role on the project it was installed in. To manage resources outside that project, you need to grant the service account permissions on:

  • Another project
  • A folder
  • An organization

This topic explains how to grant Config Connector permissions at each of these levels.

Selecting an appropriate Cloud IAM role

Config Connector can only manage resources for which it has been granted permissions. The examples in this topic use roles/owner, the most powerful Google Cloud Identity and Access Management (Cloud IAM) role. To limit Config Connector's permissions, use a less permissive role such as roles/editor.

Managing another project with Config Connector

To allow Config Connector to manage another project's resources, run the following command, replacing:

  • [PROJECT_ID] with your new project ID
  • [INSTALL_PROJECT_ID] with the project ID used during installation
  • roles/owner with the appropriate role

gcloud projects add-iam-policy-binding [PROJECT_ID] \
  --member serviceAccount:cnrm-system@[INSTALL_PROJECT_ID].iam.gserviceaccount.com \
  --role roles/owner

Managing all projects in a Cloud IAM folder

To expand Config Connector's permissions so it can manage all projects and folders in a given folder, run the following command, replacing:

  • [FOLDER_ID] with your Folder ID
  • [INSTALL_PROJECT_ID] with the project used during installation
  • roles/owner with the appropriate role

gcloud resource-manager folders add-iam-policy-binding [FOLDER_ID] \
  --member serviceAccount:cnrm-system@[INSTALL_PROJECT_ID].iam.gserviceaccount.com \
  --role roles/owner

Managing all projects in a Cloud IAM organization

To expand Config Connector's permissions so it can manage all projects and folders in a given organization, run the following command, replacing:

  • [ORGANIZATION_ID] with your Organization ID
  • [INSTALL_PROJECT_ID] with the project ID used during installation
  • roles/owner with the appropriate role

gcloud organizations add-iam-policy-binding [ORGANIZATION_ID] \
  --member serviceAccount:cnrm-system@[INSTALL_PROJECT_ID].iam.gserviceaccount.com \
  --role roles/owner
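The three commands above differ only in the gcloud command group and the resource ID. The following added example (not part of the Config Connector documentation or project) builds the correct add-iam-policy-binding command for any of the three levels and, given the JSON that `gcloud ... get-iam-policy --format=json` returns, reports which roles the cnrm-system account holds so you can confirm the grant and spot where roles/owner was used instead of a narrower role. The install project ID, folder ID and the sample policy are constructed values.

```python
import json

# The Config Connector system service account lives in the install project.
def cnrm_member(install_project):
    return "serviceAccount:cnrm-system@%s.iam.gserviceaccount.com" % install_project

# gcloud command group for each resource level, as used in the commands above.
_LEVEL_CMD = {
    "project": "gcloud projects",
    "folder": "gcloud resource-manager folders",
    "organization": "gcloud organizations",
}

def binding_command(level, resource_id, install_project, role="roles/owner"):
    """Return the add-iam-policy-binding command for a project, folder or organization."""
    if level not in _LEVEL_CMD:
        raise ValueError("level must be one of %s" % sorted(_LEVEL_CMD))
    return "%s add-iam-policy-binding %s --member %s --role %s" % (
        _LEVEL_CMD[level], resource_id, cnrm_member(install_project), role)

def cnrm_roles(policy_json, install_project):
    """Roles granted to the cnrm-system account in an IAM policy
    (JSON shape returned by `gcloud ... get-iam-policy --format=json`)."""
    member = cnrm_member(install_project)
    policy = json.loads(policy_json)
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))

def grants_owner(policy_json, install_project):
    """True when the cnrm-system account holds roles/owner, the most powerful role."""
    return "roles/owner" in cnrm_roles(policy_json, install_project)

# Constructed sample policy (not real gcloud output) for a folder where the
# install project's cnrm-system account was bound to roles/owner.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:admin@example.com",
                     "serviceAccount:cnrm-system@my-install-project.iam.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
    ],
    "etag": "BwXyZ0=",
})

if __name__ == "__main__":
    print(binding_command("folder", "123456789012", "my-install-project"))
    print(cnrm_roles(SAMPLE_POLICY, "my-install-project"))
    print("owner granted:", grants_owner(SAMPLE_POLICY, "my-install-project"))
```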