Add compute roles to assignable organization roles#233
Open
scotwells wants to merge 3 commits into
Open
Conversation
Owner and Editor gain compute.datumapis.com-admin; Viewer gains compute.datumapis.com-viewer, so organization members have access to compute resources consistent with their role level. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
JoseSzycho
previously approved these changes
May 20, 2026
Grant view access to location resources directly on the viewer assignable org role rather than through the networking-viewer hierarchy, since locations are expected to move out of the networking group. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
JoseSzycho
approved these changes
May 21, 2026
kevwilliams
added a commit
that referenced
this pull request
Jun 5, 2026
## Summary
- Owner and Editor roles now include `billing.miloapis.com-admin`
- Viewer role now includes `billing.miloapis.com-viewer`
## Why
Creating a BillingAccount from the cloud portal fails with:
```
User "kwilliams@datum.net" cannot create resource "billingaccounts" in API group
"billing.miloapis.com" in the namespace "organization-personal-org-efb26a2b"
```
Organization members have no access to billing resources through their
org-level role. The billing IAM roles (`billing.miloapis.com-admin` /
`-viewer`) are already deployed and registered with Milo —
`infra/apps/billing-system/base/milo-control-plane.yaml` applies
`billing/config/components/iam` into `milo-system` — but were never
wired into the assignable organization roles.
`billing.miloapis.com-admin` grants
`billingaccounts.{create,update,patch,delete}` + the
`billingaccountbindings` equivalents (and inherits `-viewer`);
`billing.miloapis.com-viewer` grants `{list,get,watch}`.
Exactly mirrors the compute-roles wiring in #233.
## ⚠️ Decision for reviewers: should Editor get billing admin?
This follows #233's precedent (Owner **and** Editor get the resource
admin role). But BillingAccounts tie to payment, so you may prefer
**Owner-only** for `-admin` and give Editor `-viewer`. Easy to change —
drop the editor entry. Flagging because billing is more sensitive than
compute.
## Rollout
Like #233, this config publishes as an OCI bundle consumed by
`datum-cloud/infra`. If you want to validate in staging ahead of the
bundle, a staging-only patch in infra can apply it first.
## Verification after deploy
The original portal action (create BillingAccount as an org owner)
should succeed; the authz denial should disappear.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
compute.datumapis.com-admincompute.datumapis.com-viewerWhy
Organization members had no access to compute resources (Workloads, WorkloadDeployments, Instances) through their org-level role. The compute IAM roles are deployed and registered with Milo but were never wired into the assignable organization roles.
Rollout
A staging-only patch in
datum-cloud/infrais deploying this ahead of this OCI bundle being published, so the change can be validated in staging before reaching production.🤖 Generated with Claude Code