Enable Personalized Service Health for all projects in an organization or folder
Stay organized with collections
Save and categorize content based on your preferences.
This document describes a script that enables each project in an organization
or folder for service health events processing. It grants the
Identity and Access Management (IAM) principal
specified the Service Health Viewer role, which lets you view events and
enable the Service Health API.
Ensure that you have the following permissions to run the script:
Permission to list projects under the parent:
resourcemanager.projects.list.
Permission to add IAM
(Service Health Viewer role) for the specified IAM
principal: resourcemanager.projects.setIamPolicy.
Permission to enable Google Cloud services: serviceusage.services.enable.
One way to gain these permissions is to ask an administrator to grant you an
appropriate role. Search for the permissions in the Predefined roles
section of the IAM basic and predefined roles reference page.
The roles that have the permissions appear.
Run the script
The script accepts the following parameters:
PARENT_ID: ID of the parent to projects. The ID can be for an organization
or a folder. All projects under the parent will have Personalized Service
Health enabled.
(optional) IAM_PRINCIPAL: An identifier for the principal, or member, which
will be granted the Service Health Viewer role. It usually has the following
form: PRINCIPAL_TYPE:ID. Example:user:my-user@example.com.
For the full list of supported values, see the
Grant a single role
section of the Manage access to projects, folders, and organizations page.
To run the script:
Decide on the API VERSION: v1 or v1beta.
Paste the following script to a file:
#!/bin/bashPARENT_ID="$1"PRINCIPAL="$2"FAILED_PROJECTS=()forprojectin$(gcloudprojectslist--filter="parent.id: ${PARENT_ID}"--format="value(projectId)")doecho"Enabling PSH API for project $project"gcloudservicesenableservicehealth.googleapis.com--project="${project}"echo"Finished enabling PSH API for project $project"if[[-n"$PRINCIPAL"]];thenecho"Adding $PRINCIPAL as service health viewer to project $project"gcloudprojectsadd-iam-policy-binding"${project}"--member"${PRINCIPAL}"--roleroles/servicehealth.viewer
echo"Finished adding $PRINCIPAL as service health viewer to project $project"sleep5elseecho"PRINCIPAL not provided, will not grant service health viewer role. Please provide a PRINCIPAL value in order to view events."fiecho"Attempt to list events from Personalized Service Health for project $project"RESPONSE="$(curl-w"%{http_code}"-H"Authorization: Bearer $(gcloudauthprint-access-token)"-H"Content-Type: application/json"https://servicehealth.googleapis.com/APIVERSION/projects/"${project}"/locations/global/events)"HTTP_CODE=$(tail-n1 <<< "$RESPONSE")if[["$HTTP_CODE"-ne200]];thenecho"Failed to list events for project $project"echo"Response: $RESPONSE"FAILED_PROJECTS+=($project)elseecho"Successfully listed events for project $project"fidoneif[["${#FAILED_PROJECTS[@]}"-ne0]];thenecho"Listing projects that failed to activate"forprojectin"${FAILED_PROJECTS[@]}"doecho"$project"donefi
Run the script. The following examples assume the script is in a file named
activateProjects.sh:
To activate all projects in organization ID 345678901 and grant
useruser:test-user@gmail.com the role ofroles/servicehealth.viewer,
run:
To activate all projects in organization ID 345678901 and grant
service account serviceAccount:test-proj1@example.domain.com the role
ofroles/servicehealth.viewer, run:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Enable Personalized Service Health for all projects in an organization or folder\n\nThis document describes a script that enables each project in an organization\nor folder for service health events processing. It grants the\n[Identity and Access Management (IAM) principal](/iam/docs/overview#how_cloud_iam_works)\nspecified the Service Health Viewer role, which lets you view events and\nenable the Service Health API.\n\nBefore you begin\n----------------\n\n\n[Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).\n\nEnsure that you have the following permissions to run the script:\n\n- Permission to list projects under the parent: `resourcemanager.projects.list`.\n- Permission to add IAM (Service Health Viewer role) for the specified IAM principal: `resourcemanager.projects.setIamPolicy`.\n- Permission to enable Google Cloud services: `serviceusage.services.enable`.\n\nOne way to gain these permissions is to ask an administrator to grant you an\nappropriate role. Search for the permissions in the [Predefined roles](/iam/docs/understanding-roles#predefined)\nsection of the IAM basic and predefined roles reference page.\nThe roles that have the permissions appear.\n\nRun the script\n--------------\n\nThe script accepts the following parameters:\n\n- `PARENT_ID`: ID of the parent to projects. The ID can be for an organization or a folder. All projects under the parent will have Personalized Service Health enabled.\n- (optional) `IAM_PRINCIPAL`: An identifier for the principal, or member, which\n will be granted the Service Health Viewer role. It usually has the following\n form: `PRINCIPAL_TYPE:ID`. Example:`user:my-user@example.com`.\n\n For the full list of supported values, see the\n [Grant a single role](/iam/docs/granting-changing-revoking-access#grant-single-role)\n section of the Manage access to projects, folders, and organizations page.\n\nTo run the script:\n\n1. Decide on the \u003cvar class=\"readonly\" scope=\"API_VERSION\" translate=\"no\"\u003eAPI VERSION\u003c/var\u003e: `v1` or `v1beta`.\n2. Paste the following script to a file:\n\n #!/bin/bash\n\n PARENT_ID=\"$1\" PRINCIPAL=\"$2\"\n\n FAILED_PROJECTS=()\n\n for project in $(gcloud projects list --filter=\"parent.id: ${PARENT_ID}\" --format=\"value(projectId)\")\n do\n echo \"Enabling PSH API for project $project\"\n gcloud services enable servicehealth.googleapis.com --project=\"${project}\"\n echo \"Finished enabling PSH API for project $project\"\n\n if [[ -n \"$PRINCIPAL\" ]]; then\n echo \"Adding $PRINCIPAL as service health viewer to project $project\"\n gcloud projects add-iam-policy-binding \"${project}\" --member \"${PRINCIPAL}\" --role roles/servicehealth.viewer\n echo \"Finished adding $PRINCIPAL as service health viewer to project $project\"\n sleep 5\n else echo \"PRINCIPAL not provided, will not grant service health viewer role. Please provide a PRINCIPAL value in order to view events.\"\n fi\n\n echo \"Attempt to list events from Personalized Service Health for project $project\"\n RESPONSE=\"$(curl -w \"%{http_code}\" -H \"Authorization: Bearer $(gcloud auth print-access-token)\" -H \"Content-Type: application/json\" https://servicehealth.googleapis.com/\u003cvar scope=\"API_VERSION\" translate=\"no\"\u003eAPI\u003cspan class=\"devsite-syntax-w\"\u003e \u003c/span\u003eVERSION\u003c/var\u003e/projects/\"${project}\"/locations/global/events)\" HTTP_CODE=$(tail -n1 \u003c\u003c\u003c \"$RESPONSE\")\n\n if [[ \"$HTTP_CODE\" -ne 200 ]] ; then\n echo \"Failed to list events for project $project\"\n echo \"Response: $RESPONSE\"\n FAILED_PROJECTS+=($project)\n else\n echo \"Successfully listed events for project $project\"\n fi\n done\n\n if [[ \"${#FAILED_PROJECTS[@]}\" -ne 0 ]]; then\n echo \"Listing projects that failed to activate\"\n for project in \"${FAILED_PROJECTS[@]}\"\n do\n echo \"$project\"\n done\n fi\n\n3. Run the script. The following examples assume the script is in a file named\n `activateProjects.sh`:\n\n - To activate all projects in organization ID `345678901` and grant\n user`user:test-user@gmail.com` the role of`roles/servicehealth.viewer`,\n run:\n\n bash activateProjects.sh 345678901 \"user:test-user@gmail.com\"\n\n - To activate all projects in organization ID `345678901` and grant\n service account `serviceAccount:test-proj1@example.domain.com` the role\n of`roles/servicehealth.viewer`, run:\n\n bash activateProjects.sh 345678901 \"serviceAccount:test-proj1@example.domain.com\"\n\nPersonalized Service Health will take up to 24 hours to start processing service health\nevents."]]
