
Can't change policies of a project even though I am its owner

I have a project called, let's say, "Orange Octangulars" under an organization "Acme corp". As I can see on https://console.cloud.google.com/iam-admin/iam, I have the role "Owner" in "Orange Octangulars". I have also given myself the role "Project IAM Admin" just in case, so I have two roles in "Orange Octangulars". I am trying to allow external IPs for VM instances in "Orange Octangulars". I do so by going to https://console.cloud.google.com/iam-admin/orgpolicies/compute-vmExternalIpAccess (under the project "Orange Octangulars") and I want to press "Manage policy". Unfortunately, that button is greyed out and the error message, when I hover over it, says:

You need permissions for this action.
Required permission(s):

Orange Octangulars
All of orgpolicy.policies.create, orgpolicy.policies.delete, orgpolicy.policies.update, and orgpolicy.policy.get

What's up with that? I am an owner and a project IAM admin of the project. Why can't I manage this policy or any other policies for the project?


Hi @hl-philip-b,

Welcome to the Google Cloud Community!

Basically, there are different hierarchical levels when setting IAM Policies in Google Cloud. You can set an IAM policy at the organization level, the folder level, the project level, or (in some cases) the resource level. Resources inherit the policies of the parent resource. If you set a policy at the organization level, it is inherited by all its child folder and project resources, and if you set a policy at the project level, it is inherited by all its child resources [1]. You can view the diagram below [2].

[Image: Resource_Hierarchy.png]

In your case, your organization needs the orgpolicy.policies.create, orgpolicy.policies.delete, orgpolicy.policies.update, and orgpolicy.policy.get permissions which are available with the Organization Policy Administrator role.

I hope this answers your question. 

Best,
Law

[1]. https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy#inheritance
[2]. https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy#resource-hierarchy-...


I've had the same issue. Although I am the organization owner, I can't assign the Organization Admin role to my user and disable the Key Creation policy.

Hello @lulucas, welcome to the Google Cloud Community.
Yes, because you have to be assigned the Organization Policy Admin predefined role. Once done, you will be able to edit constraints and organization policies.

--
cheers,
DamianS
LinkedIn medium.com Cloudskillsboost

The "Organization Policy Admin" role does not show up when trying to assign it to my iam user. I am the account owner.

The "Organization Policy Administrator" role does show up in the roles tab (https://console.cloud.google.com/iam-admin/roles) so it does exist.

Is this a bug?

Ah, the problem is you need to add the "Organization Policy Admin" role at the organization resource level, not the project level.

I still cannot disable the "iam.disableServiceAccountKeyCreation" constraint even though I have assigned "Organization Policy Admin" role to myself. Please help.

Required permissions as shown below are missing:
orgpolicy.policies.create, orgpolicy.policies.delete, orgpolicy.policies.update, and orgpolicy.policy.get

Hello @ScudmanRoxx, welcome to the Google Cloud Community.

Please send a screenshot of your IAM settings.
--
cheers,
DamianS
LinkedIn medium.com Cloudskillsboost
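The fix the thread converges on (bind Organization Policy Administrator on the organization resource, then set the policy on the project) as a gcloud script. This is an added example, not code from the thread or from Google's documentation; ORG_ID, PROJECT_ID and MEMBER are constructed placeholders, and it covers both the list constraint from the question (compute.vmExternalIpAccess) and the boolean one from the later reply (iam.disableServiceAccountKeyCreation).

```shell
# Placeholder values (constructed): replace with your own org, project and account.
ORG_ID="${ORG_ID:-123456789012}"
PROJECT_ID="${PROJECT_ID:-orange-octangulars}"
MEMBER="${MEMBER:-user:admin@example.com}"

# Roles the member holds directly on the organization resource (needs gcloud).
org_roles() {
  gcloud organizations get-iam-policy "$ORG_ID" \
    --flatten="bindings[].members" \
    --filter="bindings.members:$MEMBER" \
    --format="value(bindings.role)"
}

# Check a newline-separated role list for Organization Policy Administrator.
# Owner or Project IAM Admin on the project is not this role.
has_policy_admin() {
  printf '%s\n' "$1" | grep -qx 'roles/orgpolicy.policyAdmin'
}

# Bind the role on the organization, not on the project (the thread's fix).
grant_policy_admin() {
  gcloud organizations add-iam-policy-binding "$ORG_ID" \
    --member="$MEMBER" --role="roles/orgpolicy.policyAdmin"
}

# Project-level policy allowing all values for a list constraint ($2),
# e.g. compute.vmExternalIpAccess on project $1.
render_list_policy() {
  cat <<EOF
name: projects/$1/policies/$2
spec:
  rules:
  - allowAll: true
EOF
}

# Project-level policy that stops enforcing a boolean constraint ($2),
# e.g. iam.disableServiceAccountKeyCreation on project $1.
render_bool_policy() {
  cat <<EOF
name: projects/$1/policies/$2
spec:
  rules:
  - enforce: false
EOF
}

# Apply a rendered policy file ($1) and show the effective policy for
# constraint $2 after inheritance, to confirm the override took effect.
apply_policy() {
  gcloud org-policies set-policy "$1"
  gcloud org-policies describe "$2" --project="$PROJECT_ID" --effective
}
```

Run it by sourcing the file and calling `has_policy_admin "$(org_roles)" || grant_policy_admin`, then `render_list_policy "$PROJECT_ID" compute.vmExternalIpAccess > /tmp/ext-ip.yaml` and `apply_policy /tmp/ext-ip.yaml compute.vmExternalIpAccess`; the `--effective` output is the check that the project-level rule is what actually applies.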