Org Admin: Perm. Denied Disabling Org Policy (iam.allowedPolicyMemberDomains) - Fails in Cloud Shell

Hello,

I am an Organization Administrator (`roles/resourcemanager.organizationAdmin`) for my Google Cloud Organization, but I'm encountering a persistent "permission denied" error when trying to disable the `constraints/iam.allowedPolicyMemberDomains` organization policy. This issue occurs even when running the command from Cloud Shell.

**My Goal:**
I need to make a Cloud Run service (`sharky-chat-service` in project `chat-bot-social`) publicly accessible by granting `allUsers` the `roles/run.invoker` role. To do this, I first need to modify or disable the `constraints/iam.allowedPolicyMemberDomains` organization policy, which is currently restricting IAM members to my organization's customer ID.

**Details:**
* **Organization ID:** `275283949867`
* **User Account:** `Admin@sharkteam.[domain-redacted-due-to-filter]`
* **Project ID (for context):** `chat-bot-social`
* **Cloud Run Service (for context):** `sharky-chat-service`
* **Region (for context):** `europe-central2`

**Current Effective Org Policy on the project for `iam.allowedPolicyMemberDomains`:**
The effective policy on my project `chat-bot-social` for `constraints/iam.allowedPolicyMemberDomains` is:
```yaml
constraint: constraints/iam.allowedPolicyMemberDomains
listPolicy:
  allowedValues:
    - C03qt98jf
```

(C03qt98jf is my Google Workspace/Cloud Identity Customer ID).

**Command I am trying to run:**

```bash
gcloud resource-manager org-policies disable-enforce constraints/iam.allowedPolicyMemberDomains --organization=275283949867
```

**Error Message:**

```text
ERROR: (gcloud.resource-manager.org-policies.disable-enforce) [Admin@sharkteam.(...)] does not have permission to access organizations instance [275283949867:setOrgPolicy] (or it may not exist): The caller does not have permission. This command is authenticated as Admin@sharkteam.(...) which is the active account specified by the [core/account] property
```

**Troubleshooting Steps Taken:**

  1. Confirmed IAM Role: I have verified that my user (mentioned above) has the `roles/resourcemanager.organizationAdmin` role for organization `275283949867`. The output of `gcloud organizations get-iam-policy 275283949867 --format=json` shows the following binding for my user, with no IAM Condition:

    ```json
    {
      "members": [
        "user:Admin@sharkteam.[domain-redacted-due-to-filter]" // or your full email, if it does not cause problems in this JSON block
      ],
      "role": "roles/resourcemanager.organizationAdmin"
    }
    ```

    (Full policy etag: `BwY1BKRu-ZY=`, version: 1)

  2. Cloud Shell: The exact same permission error occurs when running the `disable-enforce` command from Cloud Shell.

  3. Re-authentication: I have tried re-authenticating gcloud using `gcloud auth application-default login` and `gcloud auth login` with my admin account.

  4. Organization Status: I have checked the Organization status in the Google Cloud Console (IAM & Admin -> Identity & Organization), and it appears active with "Signup completed" displayed and no obvious warnings or critical issues visible on its main page.

**Question:** Given that I have the `roles/resourcemanager.organizationAdmin` role without any apparent conditions, and the error persists even in Cloud Shell, why am I still getting a permission denied error for the `setOrgPolicy` permission? Is this a potential Google Cloud platform issue, or is there anything else I can check or try?

Any help or insights would be greatly appreciated.

Thank you.


Hello! In order to create/delete Org Policy constraints, you'll need the Organization Policy Administrator role (https://cloud.google.com/iam/docs/roles-permissions/orgpolicy#orgpolicy.policyAdmin). The Organization Administrator role you currently have does not have the permissions needed to modify an existing Org Policy. Please apply the Org Policy Admin role (roles/orgpolicy.policyAdmin) at the Org level and give that command a try. I would expect it to succeed!

Please let us know if you continue to run into trouble! Good luck!

Chris
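A small preflight script, added here as an example and not part of the original thread or of Google's tooling, that checks the two things this thread turned on: whether the account's unconditional org-level bindings include a role carrying `orgpolicy.policy.set` (the permission behind `setOrgPolicy`), and whether a planned IAM member such as `allUsers` would pass the effective `iam.allowedPolicyMemberDomains` policy pasted above. The role-to-permission table is an assumed subset that encodes only the fact the accepted answer states (Organization Administrator lacks the set permission, Organization Policy Administrator has it); the email domain is a placeholder because the post redacts it.

```python
# Preflight for the failure in this thread, run against the policy documents from the post.
import json

# Assumed subset of the predefined roles, NOT the full role definitions: it encodes only
# that organizationAdmin lacks orgpolicy.policy.set while orgpolicy.policyAdmin has it.
ROLE_PERMISSIONS = {
    "roles/resourcemanager.organizationAdmin": {"orgpolicy.policy.get", "orgpolicy.constraints.list"},
    "roles/orgpolicy.policyAdmin": {"orgpolicy.policy.get", "orgpolicy.policy.set", "orgpolicy.constraints.list"},
}
SET_ORG_POLICY = "orgpolicy.policy.set"  # the permission gcloud reports as setOrgPolicy

def permissions_for(iam_policy, member):
    """Union of permissions granted to `member` by unconditional bindings only."""
    granted = set()
    for binding in iam_policy.get("bindings", []):
        if "condition" in binding:  # conditional bindings depend on request context; skip
            continue
        if member in binding["members"]:
            granted |= ROLE_PERMISSIONS.get(binding["role"], set())
    return granted

def roles_needed_for_set(iam_policy, member):
    """Roles from the table that would supply orgpolicy.policy.set, or [] if already held."""
    if SET_ORG_POLICY in permissions_for(iam_policy, member):
        return []
    return sorted(r for r, perms in ROLE_PERMISSIONS.items() if SET_ORG_POLICY in perms)

def member_allowed_by_domain_policy(list_policy, member, member_customer_id=None):
    """Evaluate one member against a v1 listPolicy for iam.allowedPolicyMemberDomains.
    allUsers / allAuthenticatedUsers belong to no customer, so they are denied whenever
    the policy restricts to specific customer IDs."""
    if list_policy.get("allValues") == "ALLOW":
        return True
    if list_policy.get("allValues") == "DENY":
        return False
    if member in ("allUsers", "allAuthenticatedUsers"):
        return False
    return member_customer_id in list_policy.get("allowedValues", [])

# Constructed from the binding and etag in the post; "sharkteam.example" is a placeholder domain.
ORG_IAM_POLICY = json.loads("""{"bindings": [{"members": ["user:Admin@sharkteam.example"],
 "role": "roles/resourcemanager.organizationAdmin"}], "etag": "BwY1BKRu-ZY=", "version": 1}""")
EFFECTIVE_DOMAIN_POLICY = {"allowedValues": ["C03qt98jf"]}

if __name__ == "__main__":
    me = "user:Admin@sharkteam.example"
    print("roles that would grant setOrgPolicy:", roles_needed_for_set(ORG_IAM_POLICY, me))
    print("allUsers allowed by effective policy:", member_allowed_by_domain_policy(EFFECTIVE_DOMAIN_POLICY, "allUsers"))
```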

Thank you very much!