Help with GCP permissions for `gitlab-qa-resources` project
From Slack https://gitlab.slack.com/archives/CB3LSMEJV/p1564474768120200 :
This is in order to help resolve the problems from https://gitlab.com/gitlab-com/access-requests/issues/1175#note_193800960
I'm looking for some help understanding permissions in GCP. We have a few GCP projects and we're trying to understand what the correct way is to give people access to manage GKE clusters in these projects. Ordinarily we have just been asking for people to be given the Kubernetes Engine Admin role, and this has seemed to do what we need in the past for the `gitlab-internal-153318` project. But we've found that for this project, `gitlab-qa-resources`, we've gotten this access for @Alexand but he still cannot seem to access the clusters page in the UI because he doesn't have `compute.projects.get`. But I'm trying to dig into this and I'm seeing all sorts of inconsistencies across the projects I'm a member of in what roles people have. For example, I seem to be admin and can manage `gitlab-qa-resources` myself, but I'm not even listed on https://console.cloud.google.com/iam-admin/iam?orgonly=true&project=gitlab-qa-resources&supportedpurview=organizationId . Then, strangely, when I look at https://console.cloud.google.com/iam-admin/orgpolicies/list?project=gitlab-internal-153318 I only have Kubernetes Engine Admin and it seems to work fine viewing clusters for me.
So I'm sure there is more to permissions than what I see on this IAM page, but I don't understand what that is and what I should actually do to give @Alexand the access he needs for seeing clusters. I don't want to start guessing permissions either if I don't understand how this IAM stuff works. I assume I can just give him compute admin and that error will go away, but that seems wrong because people didn't seem to need compute admin to use gitlab-internal.
Can someone help us understand this stuff better?