Enable Personalized Service Health for all projects in an organization or folder
Stay organized with collectionsSave and categorize content based on your preferences.
This document describes a script that enables each project in an organization
or folder for service health events processing. It grants theIdentity and Access Management (IAM) principalspecified the Service Health Viewer role, which lets you view events and
enable the Service Health API.
Ensure that you have the following permissions to run the script:
Permission to list projects under the parent:resourcemanager.projects.list.
Permission to add IAM
(Service Health Viewer role) for the specified IAM
principal:resourcemanager.projects.setIamPolicy.
Permission to enable Google Cloud services:serviceusage.services.enable.
One way to gain these permissions is to ask an administrator to grant you an
appropriate role. Search for the permissions in thePredefined rolessection of the IAM basic and predefined roles reference page.
The roles that have the permissions appear.
Run the script
The script accepts the following parameters:
PARENT_ID: ID of the parent to projects. The ID can be for an organization
or a folder. All projects under the parent will have Personalized Service
Health enabled.
(optional)IAM_PRINCIPAL: An identifier for the principal, or member, which
will be granted the Service Health Viewer role. It usually has the following
form:PRINCIPAL_TYPE:ID. Example:user:my-user@example.com.
For the full list of supported values, see theGrant a single rolesection of the Manage access to projects, folders, and organizations page.
To run the script:
Decide on theAPI VERSION:v1orv1beta.
Paste the following script to a file:
#!/bin/bashPARENT_ID="$1"PRINCIPAL="$2"FAILED_PROJECTS=()forprojectin$(gcloudprojectslist--filter="parent.id:${PARENT_ID}"--format="value(projectId)")doecho"Enabling PSH API for project$project"gcloudservicesenableservicehealth.googleapis.com--project="${project}"echo"Finished enabling PSH API for project$project"if[[-n"$PRINCIPAL"]];thenecho"Adding$PRINCIPALas service health viewer to project$project"gcloudprojectsadd-iam-policy-binding"${project}"--member"${PRINCIPAL}"--roleroles/servicehealth.viewerecho"Finished adding$PRINCIPALas service health viewer to project$project"sleep5elseecho"PRINCIPAL not provided, will not grant service health viewer role. Please provide a PRINCIPAL value in order to view events."fiecho"Attempt to list events from Personalized Service Health for project$project"RESPONSE="$(curl-w"%{http_code}"-H"Authorization: Bearer$(gcloudauthprint-access-token)"-H"Content-Type: application/json"https://servicehealth.googleapis.com/APIVERSION/projects/"${project}"/locations/global/events)"HTTP_CODE=$(tail-n1<<<"$RESPONSE")if[["$HTTP_CODE"-ne200]];thenecho"Failed to list events for project$project"echo"Response:$RESPONSE"FAILED_PROJECTS+=($project)elseecho"Successfully listed events for project$project"fidoneif[["${#FAILED_PROJECTS[@]}"-ne0]];thenecho"Listing projects that failed to activate"forprojectin"${FAILED_PROJECTS[@]}"doecho"$project"donefi
Run the script. The following examples assume the script is in a file namedactivateProjects.sh:
To activate all projects in organization ID345678901and grant
useruser:test-user@gmail.comthe role ofroles/servicehealth.viewer,
run:
To activate all projects in organization ID345678901and grant
service accountserviceAccount:test-proj1@example.domain.comthe role
ofroles/servicehealth.viewer, run:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Enable Personalized Service Health for all projects in an organization or folder\n\nThis document describes a script that enables each project in an organization\nor folder for service health events processing. It grants the\n[Identity and Access Management (IAM) principal](/iam/docs/overview#how_cloud_iam_works)\nspecified the Service Health Viewer role, which lets you view events and\nenable the Service Health API.\n\nBefore you begin\n----------------\n\n\n[Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).\n\nEnsure that you have the following permissions to run the script:\n\n- Permission to list projects under the parent: `resourcemanager.projects.list`.\n- Permission to add IAM (Service Health Viewer role) for the specified IAM principal: `resourcemanager.projects.setIamPolicy`.\n- Permission to enable Google Cloud services: `serviceusage.services.enable`.\n\nOne way to gain these permissions is to ask an administrator to grant you an\nappropriate role. Search for the permissions in the [Predefined roles](/iam/docs/understanding-roles#predefined)\nsection of the IAM basic and predefined roles reference page.\nThe roles that have the permissions appear.\n\nRun the script\n--------------\n\nThe script accepts the following parameters:\n\n- `PARENT_ID`: ID of the parent to projects. The ID can be for an organization or a folder. All projects under the parent will have Personalized Service Health enabled.\n- (optional) `IAM_PRINCIPAL`: An identifier for the principal, or member, which\n will be granted the Service Health Viewer role. It usually has the following\n form: `PRINCIPAL_TYPE:ID`. Example:`user:my-user@example.com`.\n\n For the full list of supported values, see the\n [Grant a single role](/iam/docs/granting-changing-revoking-access#grant-single-role)\n section of the Manage access to projects, folders, and organizations page.\n\nTo run the script:\n\n1. Decide on the \u003cvar class=\"readonly\" scope=\"API_VERSION\" translate=\"no\"\u003eAPI VERSION\u003c/var\u003e: `v1` or `v1beta`.\n2. Paste the following script to a file:\n\n #!/bin/bash\n\n PARENT_ID=\"$1\" PRINCIPAL=\"$2\"\n\n FAILED_PROJECTS=()\n\n for project in $(gcloud projects list --filter=\"parent.id: ${PARENT_ID}\" --format=\"value(projectId)\")\n do\n echo \"Enabling PSH API for project $project\"\n gcloud services enable servicehealth.googleapis.com --project=\"${project}\"\n echo \"Finished enabling PSH API for project $project\"\n\n if [[ -n \"$PRINCIPAL\" ]]; then\n echo \"Adding $PRINCIPAL as service health viewer to project $project\"\n gcloud projects add-iam-policy-binding \"${project}\" --member \"${PRINCIPAL}\" --role roles/servicehealth.viewer\n echo \"Finished adding $PRINCIPAL as service health viewer to project $project\"\n sleep 5\n else echo \"PRINCIPAL not provided, will not grant service health viewer role. Please provide a PRINCIPAL value in order to view events.\"\n fi\n\n echo \"Attempt to list events from Personalized Service Health for project $project\"\n RESPONSE=\"$(curl -w \"%{http_code}\" -H \"Authorization: Bearer $(gcloud auth print-access-token)\" -H \"Content-Type: application/json\" https://servicehealth.googleapis.com/\u003cvar scope=\"API_VERSION\" translate=\"no\"\u003eAPI\u003cspan class=\"devsite-syntax-w\"\u003e \u003c/span\u003eVERSION\u003c/var\u003e/projects/\"${project}\"/locations/global/events)\" HTTP_CODE=$(tail -n1 \u003c\u003c\u003c \"$RESPONSE\")\n\n if [[ \"$HTTP_CODE\" -ne 200 ]] ; then\n echo \"Failed to list events for project $project\"\n echo \"Response: $RESPONSE\"\n FAILED_PROJECTS+=($project)\n else\n echo \"Successfully listed events for project $project\"\n fi\n done\n\n if [[ \"${#FAILED_PROJECTS[@]}\" -ne 0 ]]; then\n echo \"Listing projects that failed to activate\"\n for project in \"${FAILED_PROJECTS[@]}\"\n do\n echo \"$project\"\n done\n fi\n\n3. Run the script. The following examples assume the script is in a file named\n `activateProjects.sh`:\n\n - To activate all projects in organization ID `345678901` and grant\n user`user:test-user@gmail.com` the role of`roles/servicehealth.viewer`,\n run:\n\n bash activateProjects.sh 345678901 \"user:test-user@gmail.com\"\n\n - To activate all projects in organization ID `345678901` and grant\n service account `serviceAccount:test-proj1@example.domain.com` the role\n of`roles/servicehealth.viewer`, run:\n\n bash activateProjects.sh 345678901 \"serviceAccount:test-proj1@example.domain.com\"\n\nPersonalized Service Health will take up to 24 hours to start processing service health\nevents."]]
