Recent changes?

Hey,

From what I see, some folks are experiencing issues while creating keys for service accounts, even when they are Admin/Owner. Same problem here. The interesting thing is that I was able to do it even a month ago (I'm an Owner). Now the key creation policy is disabled. Did I miss this announcement or update? Could someone share it? Thank you in advance

Thank you


Hello @zinger,

Welcome to the Google Cloud Community. I've found an entry in the release notes saying something about secure-by-default org policy enforcement around Feb 5 2024.


I've searched for the secure-by-default phrase and got this: https://cloud.google.com/resource-manager/docs/secure-by-default-organizations#:~:text=The%20secure%....


So it looks like Google has an enforcement action for all organizations at the moment, which is enabling enforcement on SA key creation. I think it's because SA keys without a proper key rotation policy are against security best practices (WIF is more secure in this respect).

cheers,
DamianS



Hello, Damian, and thank you for the quick reply!

Now it's getting even more confusing: it turned out I have no organization at all. Does it mean I have to create it first and, as a super admin, change the policies?


It's quite confusing for me as well. You can't assign org policies without having an org in place. However, it looks like those org policies are set to enforce by default. Let me ask: have you been invited to those projects by anybody else, or are you just using your billing card, without any org dealing with the cloud?

cheers,

DamianS

Additionally, I've created an issue ticket regarding this: https://issuetracker.google.com/issues/335695517


I've been invited, you're right. The point is that even the project owner can't disable this policy (lack of permissions). Thank you for your help, I'm keeping an eye on the ticket.

Basically, to deal with org policies you must have roles/orgpolicy.policyAdmin assigned to your IAM user. So even if you are Org Admin, which has more permissions than Project Admin (or Owner), you will not be able to deal with policies. If the person who invited you is able to grant roles/orgpolicy.policyAdmin and then make an exception based on a tag for your project, SA key creation functionality will be restored. But if you don't want to use keys anymore for security reasons, I highly recommend using Workload Identity Federation instead of service account keys.

Grab the CLI command to grant the mentioned role:

gcloud organizations add-iam-policy-binding YOUR_ORG_ID --member='user:YOUR_EMAIL' --role='roles/orgpolicy.policyAdmin'

For some reason the person who invited me can't assign the OrgAdm role to me:



Now I'm trying to move this project (under "No organization") to an existing org, which is another journey. So far no luck..

Hi,

Yep. This error means that only principals in trusted policies can be added to IAM. So you must check which domains are whitelisted at the policy constraint and add a principal from that policy, or add the domain where your user has been created, like @example.com or @company2.com, and then you will be able to be added.
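Two checks a project owner in this situation can run before asking for a policy exception, as an added example (not from this thread or from Google's docs): it assumes gcloud is installed and authenticated, that the constraints behind the two errors above are iam.disableServiceAccountKeyCreation (key creation) and iam.allowedPolicyMemberDomains (who can be added to IAM), and it parses a constructed sample instead of live output when run without a project id.

```bash
#!/usr/bin/env bash
# Added example, not from the thread or from Google. Assumes gcloud is installed and
# authenticated and the caller can read org policies on the project. Reports whether the
# secure-by-default constraints are enforced and lists user-managed SA keys that still exist.
set -u

# Return 0 if a v1 org-policy YAML (output of
# `gcloud resource-manager org-policies describe CONSTRAINT --effective`) is enforced.
policy_enforced() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*enforced:[[:space:]]*true[[:space:]]*$'
}

# Print the allowedValues of a list constraint from the same YAML shape, one per line.
allowed_values() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*allowedValues:/           { in_list = 1; next }
    in_list && /^[ \t]*-[ \t]*/       { sub(/^[ \t]*-[ \t]*/, ""); print; next }
    in_list                           { in_list = 0 }'
}

effective_policy() {  # $1 = project id, $2 = constraint name
  gcloud resource-manager org-policies describe "$2" --project="$1" --effective --format=yaml
}

audit_project() {  # $1 = project id
  local project="$1" yaml sa
  yaml="$(effective_policy "$project" iam.disableServiceAccountKeyCreation)"
  if policy_enforced "$yaml"; then
    echo "[$project] SA key creation is blocked by iam.disableServiceAccountKeyCreation"
  else
    echo "[$project] iam.disableServiceAccountKeyCreation is not enforced"
  fi
  yaml="$(effective_policy "$project" iam.allowedPolicyMemberDomains)"
  echo "[$project] IAM principals may only come from these customer IDs:"
  allowed_values "$yaml" | sed 's/^/  /'
  # Keys created before the constraint was enforced keep working until they are deleted.
  for sa in $(gcloud iam service-accounts list --project="$project" --format='value(email)'); do
    gcloud iam service-accounts keys list --iam-account="$sa" --managed-by=user \
      --format='value(name,validAfterTime)' | sed "s|^|  user-managed key on $sa: |"
  done
}

# Constructed sample (not real policy output) so the parser can be exercised offline.
SAMPLE_KEY_POLICY='booleanPolicy:
  enforced: true
constraint: constraints/iam.disableServiceAccountKeyCreation'
# Usage: ./sa_key_audit.sh PROJECT_ID   (with no argument only the sample is parsed)
if [ $# -gt 0 ]; then audit_project "$1"; else policy_enforced "$SAMPLE_KEY_POLICY" && echo "sample: enforced"; fi
```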
