Projects not appearing in Google Cloud Console / `gcloud projects list` for added Project Editor/Viewers

After adding other users from my organization as Project Editor and Viewer the projects aren't showing up in their Google Cloud Console project list, nor are they visible in gcloud projects list.

However, if I give them a link directly to some resource inside the project they can navigate to it just fine, and they can also use commands like `gcloud container clusters list` with `--project=` set to the new projects and see the resources inside the project.

The documentation for the gcloud projects list (https://cloud.google.com/resource-manager/docs/creating-managing-projects#listing_projects) specifies it should list all projects on which you have resourcemanager.projects.list (which Project Viewer and Editor both grant) or any children under a parent on which you have resourcemanager.projects.list.
So maybe if I grant resourcemanager.projects.list on the organization level it would fix it, but I don't really want to grant the users such a broad access...
Solution 1:

As mentioned by John Hanley :

In order for a user to list projects in an organization, they need resourcemanager.projects.list at the organization or folder level. If a user has access to a project, allowing them to list projects should not be an issue unless revealing the names of projects is not desired. In that case, just provide everyone with the Project ID and they can manually use that to access resources.

Note: The level (project, folder, organization) determines what users can access. You could create folders, move projects under folders and allow users to only list projects in their folders.

For more information you can refer to the Serverfault Answer related to a similar issue and Documentation where creation and management of the Folders has been well explained.

Here is how to replicate:

  1. As an admin create a "newProject990055" under an existing organization, select it and navigate to the IAM menu.
  2. Add a user with just the role "Logs Viewer" for "newProject990055".
  3. Login with such a user and try to select project "newProject990055". Expected: User won't see "newProject990055" because the user has no access to list all projects, and "newProject990055" is new, and the user has never visited it before.
  4. With such a user, hit https://console.cloud.google.com/logs/query?project=newProject990055. Expected: User will see the logs for the "newProject990055" project and will notice that such a project is selected.
  5. Log off and log back in with such a user, then click on the dropdown for projects. Expected: User should be able to see project "newProject990055" because even though the user has no access to list all projects, and "newProject990055" is new, the user has already visited it before.
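The folder-scoped approach from the answer above, as an added example that is not part of the original thread: create a folder, move the project under it, and bind `roles/browser` (which carries `resourcemanager.projects.list`) on the folder rather than on the organization, so the user can enumerate only that folder's projects. `ORG_ID`, `FOLDER_ID`, `PROJECT_ID` and `MEMBER` are placeholders, not values from the page; with the default `DRY_RUN=1` the script prints each `gcloud` command instead of executing it.

```shell
#!/bin/sh
# Added example: scope project listing to a folder instead of the organization.
# All IDs below are placeholders (not from the original thread); override via env.
DRY_RUN="${DRY_RUN:-1}"

# Print the command when dry-running, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Create a folder under the organization; gcloud prints the folder resource name.
create_folder() {
  run gcloud resource-manager folders create \
    --display-name="$1" --organization="$2" --format=value\(name\)
}

# Move an existing project under the folder.
move_project() {
  run gcloud projects move "$1" --folder="$2"
}

# roles/browser grants resourcemanager.projects.list plus read-only hierarchy
# permissions, so binding it on the folder limits listing to that folder's projects.
grant_folder_browser() {
  run gcloud resource-manager folders add-iam-policy-binding "$1" \
    --member="$2" --role=roles/browser
}

# Verification from the user's side: only the folder's projects should appear.
list_folder_projects() {
  run gcloud projects list --filter="parent.id=$1 AND parent.type=folder"
}

ORG_ID="${ORG_ID:-ORG_ID_PLACEHOLDER}"
FOLDER_ID="${FOLDER_ID:-FOLDER_ID_PLACEHOLDER}"
PROJECT_ID="${PROJECT_ID:-PROJECT_ID_PLACEHOLDER}"
MEMBER="${MEMBER:-user:alice@example.com}"

create_folder "team-a" "$ORG_ID"
move_project "$PROJECT_ID" "$FOLDER_ID"
grant_folder_browser "$FOLDER_ID" "$MEMBER"
list_folder_projects "$FOLDER_ID"
```

Run with `DRY_RUN=0` and real IDs once the printed commands look right; the user then sees the folder's projects in `gcloud projects list` without being able to enumerate the whole organization.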

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
