Problem
When you try to enable a VPC host project or attach service projects to the VPC host project, the operation fails with one of the errors below, even though you have the Shared VPC Admin role on the folder:
Error : Required 'compute.organizations.enableXpnHost' permission for 'projects/<ProjectName>'
OR
Error : Required 'compute.organizations.enableXpnResource' permission for 'projects/'.
Environment
- Shared VPC
- Folder level Shared VPC Admin role
Solution
- Use the gcloud beta commands instead of the Google Cloud Console. See the sample commands in the public documentation.
- Enable a host project.
gcloud beta compute shared-vpc enable HOST_PROJECT_ID
- Attach service projects.
gcloud beta compute shared-vpc associated-projects add SERVICE_PROJECT_ID --host-project HOST_PROJECT_ID
Cause
When you administer Shared VPC with folder-level permissions, you have to use the gcloud beta commands; otherwise the operations result in a permission error. Note that if you have organization-level permissions, the Google Cloud Console will work.