Google Certified Associate Cloud Engineer 2020


who gave “billing account user” permission to create a project?

I came back to this lesson after watching the IAM lessons. We never provided "project create" permissions to the account user. It only had the billing account user role (only to link billing accounts to projects). Why was it allowed to create a new project?

2 Answers

I love this question!  It’s a very good one, as it shows you are really thinking through what’s going on. 😃👍

The key to the mystery lies with the Project location in the resource hierarchy.  If your Google account is tied to a Google Cloud "Organization", then all projects that account creates will be owned by and live within that Organization.  In that case, your (Google) account will need to have "project create" permission for wherever that project will go.

But if your Google account is not a part of any Organization, then projects will not be owned by any Organization–those projects will be owned by the Google account that created them.  And Google accounts intrinsically have permission to create their own projects.

Now, the Billing Account linking is a separate thing from the project creation.  Your "User" Google account may be able to create a project, but it won’t be able to do much interesting unless there’s a billing account it can use.  You could set up another trial billing account–which would be owned by that "User" account–but that works against our Least Privilege setup.  So we grant permission for the "User" account to link projects it owns (i.e. creates) to the billing account that is owned by the "Admin" Google account.

Does this help clarify?

Mattias
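The least-privilege setup the answer describes, as an added example (not code from the course or the original post): the "Admin" account grants only Billing Account User on its billing account, the "User" account creates its own project and links it, and an audit step checks which billing roles the user actually holds. The e-mail address, billing account id and project id are placeholders; `DRY_RUN=1` (the default) only prints the gcloud commands.

```shell
#!/usr/bin/env bash
# Least-privilege billing setup (added example, not from the original page).
# All ids and addresses below are placeholders supplied by the caller.
set -euo pipefail

# DRY_RUN=1 (default) prints the gcloud commands; DRY_RUN=0 executes them.
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Admin side: grant only Billing Account User (roles/billing.user) on the
# admin-owned billing account. No project-level or org-level role is given.
grant_billing_user() {
  local billing_account="$1" user_email="$2"
  run gcloud beta billing accounts add-iam-policy-binding "$billing_account" \
    --member="user:${user_email}" --role=roles/billing.user
}

# User side: create a project (owned by the user's own Google account when
# that account is not part of an Organization) and link it to the admin's
# billing account. The link succeeds because the user owns the project and
# holds roles/billing.user on the billing account.
create_and_link_project() {
  local project_id="$1" billing_account="$2"
  run gcloud projects create "$project_id"
  run gcloud beta billing projects link "$project_id" \
    --billing-account="$billing_account"
}

# Audit: list the roles the user holds on the billing account. Expected
# output is exactly roles/billing.user; roles/billing.admin would mean the
# user could create or manage billing accounts, which we did not intend.
audit_billing_bindings() {
  local billing_account="$1" user_email="$2"
  run gcloud beta billing accounts get-iam-policy "$billing_account" \
    --flatten='bindings[].members' \
    --filter="bindings.members:user:${user_email}" \
    --format='value(bindings.role)'
}
```

Run the three functions in order with `DRY_RUN=0` once the placeholders are replaced; the audit step is what confirms the user ended up with the single billing role the lesson intends.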

Shadja

Thanks Mattias! I am excited to ask more questions now!! Quoting you, [Your "User" Google account may be able to create a project, but it won’t be able to do much interesting unless there’s a billing account it can use.] This convinces me somehow. But I feel there could be more such cases where permissions are provided implicitly. Off the top of my head, this could be one such – if the "Project creator" role is granted to a user (at organization level), that user will also become "project owner" eventually and can set up a billing account. Does this not defy the "least privilege" practices?

Mattias Andersson

You are very welcome! Your excitement brings me joy. 😁

Mattias Andersson

I’ll respond to your comment in another answer so you’ll get a notification and so I can format it. 🙂

You are very welcome! Your excitement brings me joy. 😁

Again, what you are thinking through is good! Now, since creating a project will grant the “Owner” role on it, that means that the creator can set its billing account. However!–in the context of an organization, billing account creation works similarly to projects: any new ones automatically live in the organization, so organization-level IAM will control whether that can be done. So it could be possible to use a different Google account outside of the organization to create a billing account, but no new billing account could be created by that organization-linked Google account without that permission. You may want to review the Billing Access Control docs for more details.

And this discussion thread may interest you, too, as it talks about the permissions involved in creating projects and managing billing.

And, for the record, keep this up! If you continue to dig into things as you go, you will smash the exam and succeed in the real world, too. 😀
