No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

<@UK4HNFLCB> That’s my current understanding how Pulumi  authenticates to GCP: <https://github.com/pulumi/docs/pull/2162/>

That’s the last thing I executed and it still doesn’t work. Then it must be a true permission problem. Pfff… Cloud IAM at the organization level is not easy to debug.

<@UK4HNFLCB> You’ve tried this service-account method? <https://pulumi-community.slack.com/archives/CRFUR2DGB/p1582308605082300?thread_ts=1582306847.081600&amp;cid=CRFUR2DGB>

<@UEPNUG6Q7> no, I added the `roles/resourcemanager.projectCreator` role to my account for the time being. It seems that org admin doesn’t have that role.

But I will have to learn using a service account ASAP.

&gt; I added the `roles/resourcemanager.projectCreator` role to my account for the time being. It seems that org admin doesn’t have that role.

Aha. Was the <https://cloud.google.com/resource-manager/reference/rest/v1beta1/organizations/testIamPermissions> “200 OK” before adding that role to your account, as well?

Aha. So, does the service-account also have that additional role?

<@UEPNUG6Q7> I misunderstood the API explorer. For `testIamPermisions`, you pass a list of permissions, and the call only returns the list of permissions you are granted. In the first call, I got `{}` :wink: