Hello,
I am an Organization Administrator (`roles/resourcemanager.organizationAdmin`) for my Google Cloud Organization, but I'm encountering a persistent "permission denied" error when trying to disable the `constraints/iam.allowedPolicyMemberDomains` organization policy. This issue occurs even when running the command from Cloud Shell.
**My Goal:**
I need to make a Cloud Run service (`sharky-chat-service` in project `chat-bot-social`) publicly accessible by granting `allUsers` the `roles/run.invoker` role. To do this, I first need to modify or disable the `constraints/iam.allowedPolicyMemberDomains` organization policy, which is currently restricting IAM members to my organization's customer ID.
**Details:**
* **Organization ID:** `275283949867`
* **User Account:** `Admin@sharkteam.[domain-redacted-due-to-filter]`
* **Project ID (for context):** `chat-bot-social`
* **Cloud Run Service (for context):** `sharky-chat-service`
* **Region (for context):** `europe-central2`
**Current Effective Org Policy on the project for `iam.allowedPolicyMemberDomains`:**
The effective policy on my project `chat-bot-social` for `constraints/iam.allowedPolicyMemberDomains` is:
```yaml
constraint: constraints/iam.allowedPolicyMemberDomains
listPolicy:
allowedValues:
- C03qt98jf(C03qt98jf is my Google Workspace/Cloud Identity Customer ID).
Command I am trying to run:
gcloud resource-manager org-policies disable-enforce constraints/iam.allowedPolicyMemberDomains --organization=275283949867
Error Message:
ERROR: (gcloud.resource-manager.org-policies.disable-enforce) [Admin@sharkteam.(...)] does not have permission to access organizations instance [275283949867:setOrgPolicy] (or it may not exist): The caller does not have permission. This command is authenticated as Admin@sharkteam.(...) which is the active account specified by the [core/account] property
Troubleshooting Steps Taken:
Confirmed IAM Role: I have verified that my user (mentioned above) has the roles/resourcemanager.organizationAdmin role for organization 275283949867. The output of gcloud organizations get-iam-policy 275283949867 --format=json shows the following binding for my user, with no IAM Condition:
{
"members": [
"user:Admin@sharkteam.[domain-redacted-due-to-filter]" // ะธะปะธ ะฒะฐั ะฟะพะปะฝัะน email, ะตัะปะธ ะพะฝ ะฝะต ะฒัะทัะฒะฐะตั ะฟัะพะฑะปะตะผ ะฒ ััะพะผ JSON ะฑะปะพะบะต
],
"role": "roles/resourcemanager.organizationAdmin"
}(Full policy etag: BwY1BKRu-ZY=, version: 1)
Cloud Shell: The exact same permission error occurs when running the disable-enforce command from Cloud Shell.
Re-authentication: I have tried re-authenticating gcloud using gcloud auth application-default login and gcloud auth login with my admin account.
Organization Status: I have checked the Organization status in the Google Cloud Console (IAM & Admin -> Identity & Organization), and it appears active with "Signup completed" displayed and no obvious warnings or critical issues visible on its main page.
Question: Given that I have the roles/resourcemanager.organizationAdmin role without any apparent conditions, and the error persists even in Cloud Shell, why am I still getting a permission denied error for the setOrgPolicy permission? Is this a potential Google Cloud platform issue, or is there anything else I can check or try?
Any help or insights would be greatly appreciated.
Thank you.
LinkedIn
Twitter
