I'm finding a way to programmatically list Google Cloud projects inside an organization. I'm trying to use a service account exported JSON credential to achieve such purpose in this way:

    import com.google.api.services.cloudresourcemanager.CloudResourceManager;
    import com.google.api.services.cloudresourcemanager.model.ListProjectsResponse;

    // More info on the endpoint here:
    // https://cloud.google.com/resource-manager/reference/rest/v1/projects/list
    // createCloudResourceManagerService() builds the client from getApplicationDefault() credentials
    final CloudResourceManager cloudResourceManagerService = createCloudResourceManagerService();
    final CloudResourceManager.Projects.List listRequest = cloudResourceManagerService
        .projects()
        .list()
        .setFilter("labels.it-restoring:false name:IT-TEST-*");

    final ListProjectsResponse listResponse = listRequest.execute();

    // ListProjectsResponse is a map-like GenericJson; isEmpty() is true when no fields came back
    if (listResponse.isEmpty()) {
      throw new RuntimeException("The API did not get any response"); // I never get past here
    }

    log.info("Listing projects returned: {}", listResponse);

The problem I find is that I always get an empty response, even though I assigned the service account the role of owner. According to the docs, I could use roles/resourcemanager.organizationAdmin, which I also set but with no luck. I create the CloudResourceManager API object using getApplicationDefault.

However, if I do `gcloud beta auth application-default login`, which triggers an auth flow in the browser, and authenticate with the user which is the owner of the organization, this works and lists all the projects that I have.

Can anybody explain to me what I should do to store a proper credential which would emulate the user owner? I already set the service account with the Owner role, which in theory gives virtually access to all resources, and still no luck.

AlFranco
  • 126
  • 1
  • 6
  • A good debugging tool is APIs Explorer. In this case, you'd need to be an owner too for it to use your credentials but... it's a good way to prove the underlying API. Alternatively you can use `gcloud projects list --log-http`. First step would be, if you can, to try APIs Explorer with that filter to confirm you do get results – DazWilkin May 20 '20 at 18:51
  • When you run the code locally and wish to use a service account, you will need to set `GOOGLE_APPLICATION_CREDENTIALS=/path/to/jwt.json` – DazWilkin May 20 '20 at 18:57

2 Answers

In order to list the projects in your organization, you need the permission resourcemanager.projects.get. Please find more information in this link. The service account might have the owner role on 1 project, and that is not enough to list them all.

Juancki
  • 1,793
  • 1
  • 14
  • 21
  • Oh, so that means that I'm the owner of one project but not owner of the whole organization? Is there a way to do so? – AlFranco May 21 '20 at 09:06
  • From [here](https://cloud.google.com/iam/docs/understanding-roles#primitive_role_definitions) you can see that `roles/owner` is project-wise. The organization-wise roles start with `resourcemanager.--` [link](https://cloud.google.com/resource-manager/docs/creating-managing-projects). – Juancki May 21 '20 at 10:37
An alternative solution is to grant the account the cloudasset.assets.searchAllResources permission at org level by using one of the following roles:

  • roles/cloudasset.viewer
  • roles/cloudasset.owner
  • roles/viewer
  • roles/editor
  • roles/owner

With this permission, you can list all the projects within an organization 456:

    gcloud asset search-all-resources \
        --asset-types="cloudresourcemanager.googleapis.com/Project" \
        --scope=organizations/456

Documentation: https://cloud.google.com/asset-inventory/docs/searching-resources

Related post: How to find, list, or search resources across services (APIs) and projects in Google Cloud Platform?

Circy
  • 1,058
  • 11
  • 15
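The same org-scoped search done from Java, as an added example that is not part of either answer or the asker's code: it authenticates with the exported service-account key and uses the Cloud Asset API (google-cloud-asset client library) instead of projects.list, so the only grant the account needs is cloudasset.assets.searchAllResources at organization level, for example via the read-only roles/cloudasset.viewer rather than roles/owner. The organization ID, key-file path and class name are assumed placeholders.

```java
import com.google.api.gax.core.FixedCredentialsProvider;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.ServiceAccountCredentials;
import com.google.cloud.asset.v1.AssetServiceClient;
import com.google.cloud.asset.v1.AssetServiceSettings;
import com.google.cloud.asset.v1.ResourceSearchResult;
import com.google.cloud.asset.v1.SearchAllResourcesRequest;

import java.io.FileInputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class OrgProjectLister {

  // Assumed placeholders: replace with your organization ID and exported key path.
  private static final String ORG_ID = "456";
  private static final String KEY_FILE = "/path/to/service-account.json";

  /**
   * Returns the full resource names of every project the caller can see under the
   * organization scope. The service account must hold cloudasset.assets.searchAllResources
   * on the organization itself (e.g. roles/cloudasset.viewer granted at org level);
   * a project-level roles/owner grant is not enough, which is why projects.list came back empty.
   */
  public static List<String> listProjects(String orgId, String keyFile) throws IOException {
    GoogleCredentials credentials = ServiceAccountCredentials
        .fromStream(new FileInputStream(keyFile))
        .createScoped(Collections.singletonList("https://www.googleapis.com/auth/cloud-platform"));

    AssetServiceSettings settings = AssetServiceSettings.newBuilder()
        .setCredentialsProvider(FixedCredentialsProvider.create(credentials))
        .build();

    List<String> projects = new ArrayList<>();
    try (AssetServiceClient client = AssetServiceClient.create(settings)) {
      SearchAllResourcesRequest request = SearchAllResourcesRequest.newBuilder()
          .setScope("organizations/" + orgId)                              // org-wide scope
          .addAssetTypes("cloudresourcemanager.googleapis.com/Project")    // projects only
          .build();
      // iterateAll() follows the page tokens for you.
      for (ResourceSearchResult result : client.searchAllResources(request).iterateAll()) {
        projects.add(result.getName());  // e.g. //cloudresourcemanager.googleapis.com/projects/<number>
      }
    }
    return projects;
  }

  public static void main(String[] args) throws IOException {
    listProjects(ORG_ID, KEY_FILE).forEach(System.out::println);
  }
}
```

If the call returns an empty list rather than a permission error, check with `gcloud organizations get-iam-policy 456` that the grant was made on the organization and not on a single project.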