fix: add organization-level IAM permissions for GCP deployments (#3930)

amirbenun · web-flow · commit e2865ea541a1 · 2026-02-04T16:05:21.000Z
Fixes GCP Infrastructure Manager deployments for organization-level CSPM
by adding support for granting organization-scoped IAM permissions. The
setup scripts for both gcp-credentials-json and gcp-elastic-agent now
accept an optional organization ID parameter, and when provided, grant
the necessary roles/iam.securityAdmin role at the organization level.
This enables proper organization-wide security scanning capabilities
when deploying Elastic Agent or service account credentials for GCP
CSPM.
diff --git a/deploy/infrastructure-manager/gcp-credentials-json/README.md b/deploy/infrastructure-manager/gcp-credentials-json/README.md
@@ -68,6 +68,19 @@ After successful deployment, the script saves the service account credentials to
 
 > **Note:** The key is also stored in Secret Manager for future access. The script outputs the `gcloud` command to retrieve it if needed.
 
+### Required Permissions
+
+The deployment service account needs these roles:
+- `roles/iam.serviceAccountAdmin` - Create and manage service accounts
+- `roles/iam.serviceAccountKeyAdmin` - Create service account keys
+- `roles/resourcemanager.projectIamAdmin` - Manage project-level IAM bindings
+- `roles/config.admin` - Infrastructure Manager operations
+- `roles/storage.admin` - Store Terraform state
+- `roles/secretmanager.admin` - Create and manage secrets
+
+For organization-level deployments (when `ORG_ID` is set), you also need:
+- `roles/iam.securityAdmin` - Manage organization IAM bindings (granted at organization level)
+
 ### Management
 
 **View deployment:**
diff --git a/deploy/infrastructure-manager/gcp-credentials-json/deploy.sh b/deploy/infrastructure-manager/gcp-credentials-json/deploy.sh
@@ -15,7 +15,7 @@ PROJECT_ID=$(gcloud config get-value core/project)
 SERVICE_ACCOUNT="infra-manager-deployer"
 
 # Ensure prerequisites are configured
-"${SCRIPT_DIR}/setup.sh" "${PROJECT_ID}" "${SERVICE_ACCOUNT}"
+"${SCRIPT_DIR}/setup.sh" "${PROJECT_ID}" "${SERVICE_ACCOUNT}" "${ORG_ID}"
 
 # Optional environment variables (defaults are in variables.tf or below)
 # ORG_ID          - Set for org-level monitoring
diff --git a/deploy/infrastructure-manager/gcp-credentials-json/setup.sh b/deploy/infrastructure-manager/gcp-credentials-json/setup.sh
@@ -4,6 +4,7 @@ set -e
 # Accept parameters
 PROJECT_ID="$1"
 SERVICE_ACCOUNT="$2"
+ORG_ID="$3" # Optional: required for organization-scope deployments
 SERVICE_ACCOUNT_EMAIL="${SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com"
 
 REQUIRED_APIS=(
@@ -23,6 +24,10 @@ REQUIRED_ROLES=(
     roles/secretmanager.admin
 )
 
+ORG_LEVEL_ROLES=(
+    roles/iam.securityAdmin
+)
+
 echo "Setting up GCP Infrastructure Manager prerequisites..."
 
 # Enable APIs
@@ -34,11 +39,21 @@ if ! gcloud iam service-accounts describe "${SERVICE_ACCOUNT_EMAIL}" >/dev/null
         --display-name="Infra Manager Deployment Account" --quiet
 fi
 
-# Grant permissions
+# Grant project-level permissions
 for role in "${REQUIRED_ROLES[@]}"; do
     gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
         --member="serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \
         --role="${role}" --condition=None --quiet >/dev/null
 done
 
+# Grant organization-level permissions if ORG_ID is provided
+if [ -n "${ORG_ID}" ]; then
+    echo "Granting organization-level permissions for org ${ORG_ID}..."
+    for role in "${ORG_LEVEL_ROLES[@]}"; do
+        gcloud organizations add-iam-policy-binding "${ORG_ID}" \
+            --member="serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \
+            --role="${role}" --condition=None --quiet >/dev/null
+    done
+fi
+
 echo "✓ Setup complete"
diff --git a/deploy/infrastructure-manager/gcp-elastic-agent/README.md b/deploy/infrastructure-manager/gcp-elastic-agent/README.md
@@ -97,6 +97,19 @@ gcloud compute instances get-guest-attributes ${INSTANCE_NAME} \
   --query-path=elastic-agent/
 ```
 
+### Required Permissions
+
+The deployment service account needs these roles:
+- `roles/compute.admin` - Create and manage compute instances
+- `roles/iam.serviceAccountAdmin` - Create and manage service accounts
+- `roles/iam.serviceAccountUser` - Attach service accounts to instances
+- `roles/resourcemanager.projectIamAdmin` - Manage project-level IAM bindings
+- `roles/config.admin` - Infrastructure Manager operations
+- `roles/storage.admin` - Store Terraform state
+
+For organization-level deployments (when `ORG_ID` is set), you also need:
+- `roles/iam.securityAdmin` - Manage organization IAM bindings (granted at organization level)
+
 ### Management
 
 **View deployment:**
diff --git a/deploy/infrastructure-manager/gcp-elastic-agent/deploy.sh b/deploy/infrastructure-manager/gcp-elastic-agent/deploy.sh
@@ -9,7 +9,7 @@ PROJECT_ID=$(gcloud config get-value core/project)
 SERVICE_ACCOUNT="infra-manager-deployer"
 
 # Ensure prerequisites are configured
-"${SCRIPT_DIR}/setup.sh" "${PROJECT_ID}" "${SERVICE_ACCOUNT}"
+"${SCRIPT_DIR}/setup.sh" "${PROJECT_ID}" "${SERVICE_ACCOUNT}" "${ORG_ID}"
 
 # Required environment variables (no defaults - must be provided)
 # FLEET_URL, ENROLLMENT_TOKEN, STACK_VERSION
diff --git a/deploy/infrastructure-manager/gcp-elastic-agent/setup.sh b/deploy/infrastructure-manager/gcp-elastic-agent/setup.sh
@@ -4,6 +4,7 @@ set -e
 # Accept parameters
 PROJECT_ID="$1"
 SERVICE_ACCOUNT="$2"
+ORG_ID="$3" # Optional: required for organization-scope deployments
 SERVICE_ACCOUNT_EMAIL="${SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com"
 
 REQUIRED_APIS=(
@@ -23,6 +24,10 @@ REQUIRED_ROLES=(
     roles/storage.admin
 )
 
+ORG_LEVEL_ROLES=(
+    roles/iam.securityAdmin
+)
+
 echo "Setting up GCP Infrastructure Manager prerequisites..."
 
 # Enable APIs
@@ -34,11 +39,21 @@ if ! gcloud iam service-accounts describe "${SERVICE_ACCOUNT_EMAIL}" >/dev/null
         --display-name="Infra Manager Deployment Account" --quiet
 fi
 
-# Grant permissions
+# Grant project-level permissions
 for role in "${REQUIRED_ROLES[@]}"; do
     gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
         --member="serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \
         --role="${role}" --condition=None --quiet >/dev/null
 done
 
+# Grant organization-level permissions if ORG_ID is provided
+if [ -n "${ORG_ID}" ]; then
+    echo "Granting organization-level permissions for org ${ORG_ID}..."
+    for role in "${ORG_LEVEL_ROLES[@]}"; do
+        gcloud organizations add-iam-policy-binding "${ORG_ID}" \
+            --member="serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \
+            --role="${role}" --condition=None --quiet >/dev/null
+    done
+fi
+
 echo "✓ Setup complete"
