Cannot Change Google Cloud Organization Policy: Even though you are the Google Workspace Super Admin, you may find that you are unable to edit an Organizational Policy because options like Edit Policy and Manage Policy are greyed out. This frequently occurs during initiatives that need the creation of a service account key, such as the conversion from Google Workspace to Office 365. But you can run into an error saying:
Service account key creation is disabled
The organization policy constraint ‘iam.disableServiceAccountKeyCreation’ is enforced on your organization.
This means the Organizational Policy needs to be overridden, and enforcement need to be turned off. But even as Super Admin, you can’t do it. So, what’s the issue here?
Why Super Admins Cannot Change Google Cloud Organization Policy?
The key to understanding this limitation lies in a concept known as least privilege. Just because you’re a Super Admin doesn’t mean you have unrestricted access to all resources and settings, including Organizational Policies. This approach is rooted in Separation of Duties (SoD), a best practice in security where permissions are distributed to minimize risks.
In the case of Organizational Policies, you’ll need the Organization Policy Administrator role to make any changes. However, there’s an extra hurdle—this role doesn’t always appear in the IAM role list by default.
Why you need to edit Organizational Policies?
There are several reasons you might need to adjust an Organizational Policy, such as:
- Enabling or disabling service account creation for a migration project.
- Changing constraints to allow specific actions or services.
- Ensuring compliance or meeting security requirements for cloud infrastructure.
For e.g., creating a service account key for a Google Workspace to Office 365 migration, gets blocked by an enforced organizational policy, here’s how you can resolve it.
Steps to Edit an Organizational Policy in Google Cloud
To update a Boolean policy (e.g., enable or disable service account creation), follow these steps:
- Navigate to the Organization Policies Page:
- In the Google Cloud console, go to the Organization Policies page.
- From the project picker, select the project, folder, or organization where you want to edit the policies.
- Locate the Relevant Policy Constraint:
- The Organization Policies page will display a list of available policy constraints.
- Select the constraint you want to modify. For example, the one blocking service account creation.
- Attempt to Edit the Policy:
- On the Policy details page, you’ll see an option to click Manage policy. This is where you would typically override the parent policy and make changes.
- However, if Edit Policy is greyed out, this confirms that your role lacks sufficient permissions.
Solution:
Assign the Organization Policy Administrator Role. You’ll need to assign the Organization Policy Administrator (roles/orgpolicy.policyAdmin) role to yourself or to the appropriate user.
GUI
Through GUI you can’t assign the “Organization Policy Administrator” role as mentioned in the below image
Command Line
Here’s how to do it via the gcloud command line.
Step-by-Step Solution via gcloud
1. Install gcloud SDK:
If you haven’t installed the gcloud SDK, follow the installation steps from Google Cloud SDK Installation Guide based on your OS (Windows, MacOS, Linux).
2. Launch gcloud Shell and Fetch Organization ID:
Once the gcloud SDK is installed, open the gcloud shell.
Run the following command to get the organization ID:
gcloud projects get-ancestors {projectId}
Replace {projectId}
with your actual project ID. The output will display your organization ID.
ID TYPE
Your-project-ID project
123456789012 folder
567890123456 organization
3. Assign the Organization Policy Admin Role:
Now, use the following command to assign the Organization Policy Administrator role to the user:
gcloud organizations add-iam-policy-binding example-organization-id-1 --member="user:test-user@example.com" --role="roles/orgpolicy.policyAdmin"
Replace example-organization-id-1
with the organization ID you fetched earlier, and test-user@example.com
with the email of the user you want to assign the role to.
4. Edit the Organizational Policy:
Once the role is assigned, go back to the Organization Policies page, and you should now be able to edit the policy and override the enforcement.
Wrapping Up
Understanding that Super Admin doesn’t automatically mean you have full access to every policy in Google Cloud can help avoid confusion and delays. The key takeaway is that least privilege and Separation of Duties (SoD) are security mechanisms that require you to explicitly assign roles like Organization Policy Administrator for sensitive operations.
By following the steps outlined above, you should be able to work around this limitation and make the necessary changes to organizational policies. This will allow you to proceed with tasks such as service account creation for your Google Workspace to Office 365 migration without any roadblocks.
For more details, refer to the official documentation here.
For more solutions, please check here
- Entra ID (Azure Active Directory): Migration and Integration Guide - 20 December 2024
- Active Directory Federation Services (ADFS): Implementation Guide - 16 December 2024
- Active Directory Backup and Recovery Strategy: Comprehensive Guide - 11 December 2024