We have enabled Privileged Access Manager (PAM) at the organization level, including assigning the roles/privilegedaccessmanager.serviceAgent role to our PAM org service account. Based on the documentation ([see here]), my understanding is that enabling PAM at the organization level should automatically enable it for all projects under the organization.
However, this doesn't seem to be happening. Even after waiting several hours, PAM is not enabled on individual projects unless I manually visit the PAM page of a specific project, which then triggers the API to activate.
Has anyone encountered this issue before? Is there a way to force PAM to enable across all projects without manually visiting each one or explicitly having to enable the API in each project? Any suggestions on troubleshooting or potential workarounds would be greatly appreciated!
nit: can't seem to assign the Identity & Access Management (IAM) label
Hi @bgigs,
Welcome to Google Cloud Community!
I understand the difficulties you’re facing. In principle, activating Privileged Access Manager (PAM) at the organization level should affect all projects, but it seems that isn't occurring automatically. This may result from API propagation lags, IAM role assignments not cascading, or an organizational policy that mandates specific activation for each project.
Quick Fixes & Workarounds:
1. Check if PAM is enabled for a project:
gcloud services list --enabled --project PROJECT_ID
2. Manually enable it for all projects (if needed):
PROJECTS=$(gcloud projects list --format="value(projectId)")
for PROJECT in $PROJECTS; do
gcloud services enable privilegedaccessmanager.googleapis.com --project $PROJECT
done
3. Confirm IAM permissions for the PAM service account at both org and project levels.
4. Check org policies that might be blocking automatic enablement:
gcloud org-policies list --organization ORGANIZATION_ID
While PAM should be enabled automatically across all projects, it seems like manual activation is currently required. Using the bulk API enablement script can help automate this process. If the issue persists, Google Cloud Support may provide further insights.
Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.
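The answer above combines two steps (check whether the PAM API is enabled per project, then enable it where it is missing). The following script, added here as an illustration and not part of either poster's reply, does both as an audit first and an enable pass only when explicitly requested. It assumes gcloud is installed and authenticated as a principal with `serviceusage.services.list` on each project (and `serviceusage.services.enable` for the enable pass); the helper `pam_enabled_in` is a hypothetical name that works on the plain service-name output of `gcloud services list` so it can be checked offline with constructed input.

```shell
#!/bin/sh
# Added example (not from the original thread): audit, and optionally enable,
# the Privileged Access Manager API across every project visible to gcloud.
# Usage:  sh pam_audit.sh          -> report only (dry run, the default)
#         sh pam_audit.sh --enable -> enable the API where it is missing

PAM_API="privilegedaccessmanager.googleapis.com"

# Pure check: $1 is the newline-separated output of
#   gcloud services list --enabled --format="value(config.name)"
# Returns 0 when the PAM API is in that list, 1 otherwise.
# (Hypothetical helper name; the format string is real gcloud syntax.)
pam_enabled_in() {
    printf '%s\n' "$1" | grep -qx "$PAM_API"
}

# Live check for one project. Returns 0 = enabled, 1 = not enabled,
# 2 = could not list services (missing permission, deleted project, ...).
pam_enabled_for_project() {
    project="$1"
    enabled=$(gcloud services list --enabled --project "$project" \
                --format="value(config.name)" 2>/dev/null) || return 2
    pam_enabled_in "$enabled"
}

# Walk every project; print one status line each. With --enable, enable the
# API on projects where it is missing instead of only reporting them.
audit_pam() {
    mode="${1:-report}"
    missing=0
    errors=0
    for project in $(gcloud projects list --format="value(projectId)"); do
        pam_enabled_for_project "$project"
        case $? in
            0) echo "ENABLED   $project" ;;
            1)
                missing=$((missing + 1))
                if [ "$mode" = "--enable" ]; then
                    # Same command the reply above uses for bulk enablement.
                    if gcloud services enable "$PAM_API" --project "$project"; then
                        echo "ENABLED*  $project   (just enabled)"
                    else
                        errors=$((errors + 1))
                        echo "FAILED    $project   (enable call rejected)"
                    fi
                else
                    echo "MISSING   $project"
                fi
                ;;
            *)
                errors=$((errors + 1))
                echo "UNKNOWN   $project   (cannot list services; check permissions)"
                ;;
        esac
    done
    echo "projects without PAM: $missing, projects with errors: $errors"
    # Non-zero exit when anything needs attention, so this can run in CI/cron.
    [ "$missing" -eq 0 ] && [ "$errors" -eq 0 ]
}

# Only touch gcloud when the script is run directly with an explicit mode,
# so sourcing the file (e.g. for testing pam_enabled_in) has no side effects.
if [ "${1:-}" = "--report" ] || [ "${1:-}" = "--enable" ]; then
    command -v gcloud >/dev/null 2>&1 || { echo "gcloud not found" >&2; exit 2; }
    audit_pam "$1"
fi
```

Running it with `--report` first gives a per-project picture without changing anything; the UNKNOWN rows are the projects where the caller lacks list permission, which matches the situation described in the thread where enabling everywhere is not possible from one account. The constructed service lists in the test below stand in for real gcloud output.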
Thanks for the reply @greb! Much appreciated.
As far as I can tell, we don't have any org policies that are blocking automatic enablement.
Unfortunately, I lack the permissions to enable the API on all projects. Hence, we decided to contact Google Support and they are currently investigating the issue.