No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

I’m trying to setup continuous deployment within my CI. So I created a GCP service account, in a global project, and I gave it select access rights to my environments projects so that it can only update what I think it should be able to.
```// Define Semaphore SA access rights
["roles/run.developer"].map(
  (role) =&gt;
    new gcp.projects.IAMMember(`semaphoreci-${role}`, {
      project: configs.gcp.project,
      role,
      member: pulumi.interpolate`serviceAccount:${configs.semaphore.serviceAccountEmail}`,
    })
);```
It fails to deploy though when I try to get the project number this way: `gcp.organizations.getProject().then((project) =&gt; project.number)`
I tried adding several roles to my service account so that it can execute that command but it keeps failing saying that I need to allow the Cloud Resource Manager API (it is already enabled). Anyone knows how to allow a service account from another project to be able to execute that command?

```Diagnostics:00:12
  pulumi:pulumi:Stack (api-staging):00:12
    error: Error: invocation of gcp:organizations/getProject:getProject returned an error: invoking gcp:organizations/getProject:getProject: 1 error occurred:00:12
    	* Error when reading or editing Project "projectname-344455": googleapi: Error 403: Cloud Resource Manager API has not been used in project 1063070351412 before or it is disabled. Enable it by visiting <https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=1063070351412> then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.00:12
    Details:00:12
    [00:12
      {00:12
        "@type": "<http://type.googleapis.com/google.rpc.Help|type.googleapis.com/google.rpc.Help>",00:12
        "links": [00:12
          {00:12
            "description": "Google developers console API activation",00:12
            "url": "<https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=1063070351412>"00:12
          }00:12
        ]00:12
      },```
I have set roles/browser to the service account it still does not work

I just needed to enable the api on the global project :man-facepalming: