In IAM, what is the current name for "Compute Shared VPC Admin"?

The Shared VPC documentation says that setting up the Host VPC requires "Compute Shared VPC Admin" or compute.xpnAdmin permissions. When using the IAM Grant Access form, the Select a Role filter says No Matches when I search for either of those terms.

What is the correct IAM Role to assign for Host VPC Administrators?

Note: I found one "Solved" question but it references the same terms that don't appear in IAM.

https://www.googlecloudcommunity.com/gc/Data-Analytics/The-caller-does-not-have-permission-Cloud-Com...

2 ACCEPTED SOLUTIONS

SOLVED!  The "Compute Shared VPC Admin" role can only be assigned at the FOLDER or ORG level, not at the Project level. (whine: it'd be nice if that was noted somewhere in IAM or the VPC docs. The Shared VPC doc kinda almost says this but it's not particularly clear that this is NOT a Project Role)

I found this solution buried in stackoverflow responses.  THANK YOU Stackoverflow!

https://stackoverflow.com/questions/66700942/googleapi-error-403-required-compute-organizations-enab...


In an idealer world I suggest the following Use Cases:

  • UC1
    • from a Project, open IAM Grant Access and "Assign Role" Filter
    • start typing something like "Compute Shared VPC Admin"
    • Filter results include "Compute Shared VPC Admin" in RED with hover text indicating "Only assignable to an Organization or Folder"
  • UC2
    • enter a Filter like "compute/xpnAdmin"
    • Filter results include Roles that include compute/xpnAdmin
    • Again, RED (or similar) if the role exists but is not usable in the current context


4 REPLIES

Hello

For assigning the correct IAM role for Host VPC Administrators, use the roles/compute.xpnAdmin role, as it provides necessary permissions for managing Shared VPC configurations. If you can't find this role via the IAM Grant Access form, verify your project settings or manually assign the Compute Shared VPC Admin role. These roles are crucial for managing and configuring Shared VPC in Google Cloud.

Thanks Smit. That's certainly the standard answer that I've seen in many other places. Could you please explain what you mean by "verify your project settings" when the Compute Shared VPC Admin role fails to appear in the IAM Grant form? I'm the Project Owner and IAM Admin. What other permissions do I need to have in order for the Compute... role to appear in the form?

OR could you send a screenshot of the role appearing in the IAM Grant form associated with a Project?

And FWIW I marked ORG/Folder but not Project as a solution because the Compute... role appeared immediately when using IAM Grant for my Folders and Organization but has never appeared for a Project.
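
The accepted solution's point, that the role is grantable on a folder or organization but not on a project, can be checked and applied from the command line. This is an added example, not part of the thread: it assumes an authenticated gcloud CLI, and the function names, IDs and member shown are hypothetical placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). All IDs and members are placeholders.
ROLE="roles/compute.xpnAdmin"   # role id as quoted in the thread

# Build the full resource name that `gcloud iam list-grantable-roles` expects.
# $1 = projects | folders | organizations   $2 = project id or numeric folder/org id
full_resource_name() {
  case "$1" in
    projects|folders|organizations)
      printf '//cloudresourcemanager.googleapis.com/%s/%s\n' "$1" "$2" ;;
    *)
      echo "unknown resource type: $1" >&2; return 2 ;;
  esac
}

# Succeeds if role $1 appears, as an exact line, in the role names on stdin.
# Exact matching avoids a false hit on a longer role id with the same prefix.
role_in_list() {
  grep -Fxq -- "$1"
}

# Ask IAM whether $ROLE can be granted on the given resource at all.
# Usage: is_grantable projects my-project-id   (expected to fail, per the thread)
#        is_grantable folders 123456789012
is_grantable() {
  _res=$(full_resource_name "$1" "$2") || return 2
  gcloud iam list-grantable-roles "$_res" --format='value(name)' \
    | role_in_list "$ROLE"
}

# Grant the role where the thread found it assignable: a folder or the org.
# Refuses project scope locally instead of sending a request that cannot work.
# Usage: grant_xpn_admin folders 123456789012 user:netadmin@example.com
grant_xpn_admin() {
  case "$1" in
    organizations)
      gcloud organizations add-iam-policy-binding "$2" \
        --member="$3" --role="$ROLE" ;;
    folders)
      gcloud resource-manager folders add-iam-policy-binding "$2" \
        --member="$3" --role="$ROLE" ;;
    *)
      echo "$ROLE must be granted on a folder or organization, not on $1" >&2
      return 1 ;;
  esac
}
```

Granting on a folder rather than the whole organization keeps the Shared VPC admin's reach limited to the projects under that folder.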