# getting-started


03/31/2022, 10:52 AM
I’m trying to setup continuous deployment within my CI. So I created a GCP service account, in a global project, and I gave it select access rights to my environments projects so that it can only update what I think it should be able to.
Copy code
// Define Semaphore SA access rights
  (role) =>
    new gcp.projects.IAMMember(`semaphoreci-${role}`, {
      project: configs.gcp.project,
      member: pulumi.interpolate`serviceAccount:${configs.semaphore.serviceAccountEmail}`,
It fails to deploy though when I try to get the project number this way:
gcp.organizations.getProject().then((project) => project.number)
I tried adding several roles to my service account so that it can execute that command but it keeps failing saying that I need to allow the Cloud Resource Manager API (it is already enabled). Anyone knows how to allow a service account from another project to be able to execute that command?
Copy code
  pulumi:pulumi:Stack (api-staging):00:12
    error: Error: invocation of gcp:organizations/getProject:getProject returned an error: invoking gcp:organizations/getProject:getProject: 1 error occurred:00:12
    	* Error when reading or editing Project "projectname-344455": googleapi: Error 403: Cloud Resource Manager API has not been used in project 1063070351412 before or it is disabled. Enable it by visiting <> then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.00:12
        "@type": "<|>",00:12
        "links": [00:12
            "description": "Google developers console API activation",00:12
            "url": "<>"00:12
I have set roles/browser to the service account it still does not work
I just needed to enable the api on the global project 🤦‍♂️