You need the following permissions to migrate a project between organization resources.
To gain these permissions, ask your administrator to grant the suggested role at the appropriate level of the resource hierarchy .
Project migration permissions
To migrate a project between organization resources, you need the following roles on the project, its parent resource, and the destination resource:
- Project IAM Admin (
roles/resourcemanager.projectIamAdmin) on the project that you want to migrate between organization resources. - Project Mover (
roles/resourcemanager.projectMover) on the project's parent resource (folder or organization resource). - If the destination resource is a folder:Project Mover
(
roles/resourcemanager.projectMover) on the destination resource. - If the destination resource is an organization resource:Project Creator
(
roles/resourcemanager.projectCreator) on the destination resource.
These roles give you the following required permissions:
Required permissions
-
resourcemanager.projects.getIamPolicyon the project you want to migrate between organization resources -
resourcemanager.projects.updateon the project you want to migrate between organization resources -
resourcemanager.projects.moveon the project's parent resource (folder or organization resource) - If the destination resource is a folder:
resourcemanager.projects.moveon the destination resource - If the destination resource is an organization resource:
resourcemanager.projects.createon the destination resource - If you want to migrate a project that is not associated with an organization:
resourcemanager.projects.setIamPolicyon the project you want to migrate
You can also gain these permissions with a custom role , or other predefined roles.
Organization policy permissions
On the source and destination organization resources, the user setting the
organization policies must have the roles/orgpolicy.policyAdmin
role, which
grants permission to create and manage organization policies.
Billing account permissions
Cloud Billing accounts can be used across organization resources. Moving a project from one organization resource to another won't impact billing, and charges will continue against the old billing account. However, migration of projects between organization resources often also include a requirement to migrate to a new billing account.
To get the permissions that you need to change the project's billing account, ask your administrator to grant you the following IAM roles:
- Billing Account User
(
roles/billing.user) on the destination billing account - Project billing manager
(
roles/billing.projectManager) on the project
For more information about granting roles, see Manage access to projects, folders, and organizations .
These predefined roles contain the permissions required to change the project's billing account. To see the exact permissions that are required, expand the Required permissionssection:
Required permissions
The following permissions are required to change the project's billing account:
-
billing.resourceAssociations.createon the destination billing account -
resourcemanager.projects.createBillingAssignmenton the project -
resourcemanager.projects.deleteBillingAssignmenton the project
You might also be able to get these permissions with custom roles or other predefined roles .
What's next
To learn about how to configure organization policies, see Configure organization policies .
