
Can't import search console data in Big Query

Background:

- Our client has enabled a GA4 parameter.

- The webmaster has granted me access to Google Search Console to export data.

Issue:

I am following the steps outlined in this article.
I am blocked at the step where I need to grant access to the service account search-console-data-export@system.gserviceaccount.com.

When I attempt to add this service account under IAM settings, I receive the following error message:

IAM policy update failed
The "Domain Restricted Sharing" administrative rule (constraints/iam.allowedPolicyMemberDomains) is applied. Only the main accounts of authorised domains can be added as main accounts in the rule. Correct the main account email addresses and try again. Find out more about domain-restricted sharing

Request ID: 8324870876744443750

Resolution Needed:

Guidance on how to bypass this restriction or modify the domain restrictions to allow the necessary service account.

I would really appreciate some help; I am losing more and more hair lately...

Have a great day y'all




Hi @tedber It looks like you’ve run into the Domain Restricted Sharing policy issue when trying to grant access to the service account search-console-data-export@system.gserviceaccount.com. This is a pretty common problem in organizations with strict domain-sharing rules.

What’s Happening?

The constraints/iam.allowedPolicyMemberDomains rule restricts IAM policy updates to specific email domains. As a result, service accounts outside your organization’s approved domains—like those ending in gserviceaccount.com—are blocked from being added.

How to Fix It

1. Check with Your Organization’s Admin

You’ll need to involve your Google Workspace (or Cloud Identity) administrator to resolve this. They can either:

  • Whitelist gserviceaccount.com as an allowed domain in the constraints/iam.allowedPolicyMemberDomains rule.
    • This requires updating the organization-level constraints in the Google Cloud Console under Organization Policies.
  • Temporarily relax the restriction to add the service account.
  • Alternatively, the admin can explicitly allow this specific service account email without fully relaxing the policy.

2. Manual Data Export as a Workaround

If adjusting the policy isn’t possible right now, you can manually export your Google Search Console data using the API. You can then upload it to BigQuery or any other destination. While it’s a bit more effort, it works as a temporary solution until the IAM policy is sorted out.

3. Use Third-Party Tools for a Seamless Solution

If you’re looking for an immediate fix without depending on domain restrictions, platforms like Windsor.ai can help. They integrate Google Search Console and GA4 data directly into BigQuery (or other destinations), handling authentication and data export processes for you. This way, you avoid dealing with IAM constraints entirely.

Next Steps for Admins

Here’s what your admin needs to do:

  1. Go to IAM & Admin > Organization Policies in the Google Cloud Console.
  2. Search for the constraints/iam.allowedPolicyMemberDomains setting.
  3. Add gserviceaccount.com to the list of allowed domains or make an exception for the specific service account.

Once this is done, you should be able to grant access without any issues.
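As an added example (editor's, not from the thread): the narrowest form of the "temporarily relax the restriction" option above is a project-level org policy override rather than an edit at the organization node, so only the project receiving the export is opened up. Note that this constraint's allowedValues are Google Workspace/Cloud Identity customer IDs (the `C0…` form), not bare domain names such as gserviceaccount.com; PROJECT_ID is a placeholder.

```yaml
# Project-scoped override of constraints/iam.allowedPolicyMemberDomains.
# Placeholder: PROJECT_ID is the project that holds the BigQuery dataset.
# Setting the policy at this resource leaves the organization-level rule in
# force for every other project; allowAll lifts the restriction here only.
name: projects/PROJECT_ID/policies/iam.allowedPolicyMemberDomains
spec:
  rules:
    - allowAll: true
```

Apply it with `gcloud org-policies set-policy policy.yaml`, confirm with `gcloud org-policies describe iam.allowedPolicyMemberDomains --project=PROJECT_ID --effective`, and once the service account has been granted its role, remove the override with `gcloud org-policies delete iam.allowedPolicyMemberDomains --project=PROJECT_ID` so the project inherits the organization rule again.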