Assign Identity and Access Management roles and permissions

You need the following permissions to migrate a project between organization resources.

To gain these permissions, ask your administrator to grant the suggested role at the appropriate level of the resource hierarchy.

Project migration permissions

To migrate a project between organization resources, you need the following roles on the project, its parent resource, and the destination resource:

Project IAM Admin (roles/resourcemanager.projectIamAdmin) on the project that you want to migrate between organization resources.
Project Mover (roles/resourcemanager.projectMover) on the project's parent resource (folder or organization resource).
If the destination resource is a folder: Project Mover (roles/resourcemanager.projectMover) on the destination resource.
If the destination resource is an organization resource: Project Creator (roles/resourcemanager.projectCreator) on the destination resource.

These roles give you the following required permissions:

Required permissions

resourcemanager.projects.getIamPolicy on the project you want to migrate between organization resources
resourcemanager.projects.update on the project you want to migrate between organization resources
resourcemanager.projects.move on the project's parent resource (folder or organization resource)
If the destination resource is a folder: resourcemanager.projects.move on the destination resource
If the destination resource is an organization resource: resourcemanager.projects.create on the destination resource
If you want to migrate a project with no organization: resourcemanager.projects.setIamPolicy on the project you want to migrate

You can also gain these permissions with a custom role, or other predefined roles.

Organization policy permissions

On the source and destination organization resources, the user setting the organization policies must have the roles/orgpolicy.policyAdmin role, which grants permission to create and manage organization policies.

Billing account permissions

Cloud Billing accounts can be used across organization resources. Moving a project from one organization resource to another won't impact billing, and charges will continue against the old billing account. However, migration of projects between organization resources often also include a requirement to migrate to a new billing account.

To get the permissions that you need to change the project's billing account, ask your administrator to grant you the following IAM roles:

Billing Account User (roles/billing.user) on the destination billing account
Project billing manager (roles/billing.projectManager) on the project

For more information about granting roles, see Manage access.

These predefined roles contain the permissions required to change the project's billing account. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to change the project's billing account:

billing.resourceAssociations.create on the destination billing account
resourcemanager.projects.createBillingAssignment on the project
resourcemanager.projects.deleteBillingAssignment on the project

You might also be able to get these permissions with custom roles or other predefined roles.

What's next

To learn about how to configure organization policies, see Configure organization policies.