Hello, I am an Organization Administrator (`roles/resourcemanager.organizationAdmin`) for my Google Cloud Organization, but I'm encountering a persistent "permission denied" error when trying to disable the `constraints/iam.allowedPolicyMemberDomains` organization policy. This issue occurs even when running the command from Cloud Shell.

**My Goal:** I need to make a Cloud Run service (`sharky-chat-service` in project `chat-bot-social`) publicly accessible by granting `allUsers` the `roles/run.invoker` role. To do this, I first need to modify or disable the `constraints/iam.allowedPolicyMemberDomains` organization policy, which is currently restricting IAM members to my organization's customer ID.

**Details:**

* **Organization ID:** `275283949867`
* **User Account:** `Admin@sharkteam.[domain-redacted-due-to-filter]`
* **Project ID (for context):** `chat-bot-social`
* **Cloud Run Service (for context):** `sharky-chat-service`
* **Region (for context):** `europe-central2`

**Current Effective Org Policy on the project for `iam.allowedPolicyMemberDomains`:**

The effective policy on my project `chat-bot-social` for `constraints/iam.allowedPolicyMemberDomains` is:

```yaml
constraint: constraints/iam.allowedPolicyMemberDomains
listPolicy:
  allowedValues:
  - C03qt98jf
```

(C03qt98jf is my Google Workspace/Cloud Identity Customer ID.)
**Command I am trying to run:**

```shell
gcloud resource-manager org-policies disable-enforce constraints/iam.allowedPolicyMemberDomains --organization=275283949867
```

**Error Message:**

```
ERROR: (gcloud.resource-manager.org-policies.disable-enforce) [Admin@sharkteam.(...)] does not have permission to access organizations instance [275283949867:setOrgPolicy] (or it may not exist): The caller does not have permission. This command is authenticated as Admin@sharkteam.(...) which is the active account specified by the [core/account] property
```

**Troubleshooting Steps Taken:**

1. **Confirmed IAM Role:** I have verified that my user (mentioned above) has the `roles/resourcemanager.organizationAdmin` role for organization `275283949867`. The output of `gcloud organizations get-iam-policy 275283949867 --format=json` shows the following binding for my user, with no IAM Condition:

   ```json
   {
     "members": [
       "user:Admin@sharkteam.[domain-redacted-due-to-filter]"  // or your full email, if it does not cause problems in this JSON block
     ],
     "role": "roles/resourcemanager.organizationAdmin"
   }
   ```

   (Full policy etag: `BwY1BKRu-ZY=`, version: 1)

2. **Cloud Shell:** The exact same permission error occurs when running the `disable-enforce` command from Cloud Shell.

3. **Re-authentication:** I have tried re-authenticating gcloud using `gcloud auth application-default login` and `gcloud auth login` with my admin account.

4. **Organization Status:** I have checked the Organization status in the Google Cloud Console (IAM & Admin -> Identity & Organization), and it appears active with "Signup completed" displayed and no obvious warnings or critical issues visible on its main page.

**Question:** Given that I have the `roles/resourcemanager.organizationAdmin` role without any apparent conditions, and the error persists even in Cloud Shell, why am I still getting a permission denied error for the `setOrgPolicy` permission? Is this a potential Google Cloud platform issue, or is there anything else I can check or try?
Any help or insights would be greatly appreciated.
Thank you.
Hello! In order to create/delete Org Policy constraints, you'll need the Organization Policy Administrator role (https://cloud.google.com/iam/docs/roles-permissions/orgpolicy#orgpolicy.policyAdmin). The Organization Administrator role you currently have does not have the permissions needed to modify an existing Org Policy. Please apply the Org Policy Admin role (roles/orgpolicy.policyAdmin) at the Org level and give that command a try. I would expect it to succeed!
Please let us know if you continue to run into trouble! Good luck!
Chris
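The diagnosis above (the role the poster holds does not contain the permission behind `setOrgPolicy`, which is `orgpolicy.policy.set`) can be turned into an offline check over the JSON that `gcloud organizations get-iam-policy --format=json` returns. This is an added example, not code from the thread or from Google; the role-to-permission sets are a constructed subset for illustration (verify them against the IAM roles reference), and the sample policy, member and etag are constructed.

```python
"""Check which of a principal's org-level IAM bindings grant a given permission."""
import json

# Constructed subset of the permissions in two predefined roles (assumption: not the
# authoritative lists). The point: Organization Admin can *read* org policy, only
# Organization Policy Administrator can *set* it.
ROLE_PERMISSIONS = {
    "roles/resourcemanager.organizationAdmin": {
        "resourcemanager.organizations.get",
        "resourcemanager.organizations.getIamPolicy",
        "resourcemanager.organizations.setIamPolicy",
        "orgpolicy.constraints.list",
        "orgpolicy.policy.get",
    },
    "roles/orgpolicy.policyAdmin": {
        "orgpolicy.constraints.list",
        "orgpolicy.policy.get",
        "orgpolicy.policy.set",
    },
}

# Constructed sample in the shape of `gcloud organizations get-iam-policy ... --format=json`.
# The second binding is conditional on purpose: a condition can make a role not apply.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"members": ["user:admin@example.com"],
     "role": "roles/resourcemanager.organizationAdmin"},
    {"members": ["user:admin@example.com"],
     "role": "roles/orgpolicy.policyAdmin",
     "condition": {"title": "expired", "expression": "request.time < timestamp('2000-01-01T00:00:00Z')"}}
  ],
  "etag": "EXAMPLE_ETAG=",
  "version": 3
}""")

def check_permission(policy, member, permission):
    """Return (granted_unconditionally, roles_held_only_under_a_condition, roles_that_grant_it).

    Only direct `user:` style members are matched; group membership is not expanded here."""
    unconditional, conditional = [], []
    for b in policy.get("bindings", []):
        if member not in b.get("members", []):
            continue
        (conditional if "condition" in b else unconditional).append(b["role"])
    granted = any(permission in ROLE_PERMISSIONS.get(r, set()) for r in unconditional)
    cond_roles = sorted(r for r in conditional if permission in ROLE_PERMISSIONS.get(r, set()))
    fix = sorted(r for r, perms in ROLE_PERMISSIONS.items() if permission in perms)
    return granted, cond_roles, fix

if __name__ == "__main__":
    print(check_permission(SAMPLE_POLICY, "user:admin@example.com", "orgpolicy.policy.set"))
```

Run against the real policy output, a `False` first element with an empty second element reproduces the thread's situation; a non-empty second element means the role is there but gated by a condition that may not be satisfied.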
Thank you very much!