Solving the Issue: “Cannot Change Google Cloud Organization Policy” as Super Admin


As a Google Cloud Super Admin, you might find yourself unable to edit an Organization Policy (options such as Edit Policy and Manage Policy are greyed out) even though the Super Admin role is assigned to you. One common scenario where this arises is a project such as a Google Workspace to Office 365 migration, where creating a service account key is required. Instead of the key, you may get an error stating:


Service account key creation is disabled

The organization policy constraint ‘iam.disableServiceAccountKeyCreation’ is enforced on your organization.

This means the Organizational Policy needs to be overridden, and enforcement turned off. But even as Super Admin, you may still be blocked. So, what’s the issue here?

Why Can’t Super Admins Change Google Cloud Organization Policy?

The key to understanding this limitation lies in a concept known as least privilege. Just because you’re a Super Admin doesn’t mean you have unrestricted access to all resources and settings, including Organizational Policies. This approach is rooted in Separation of Duties (SoD), a best practice in security where permissions are distributed to minimize risks.

In the case of Organizational Policies, you’ll need the Organization Policy Administrator role to make any changes. However, there’s an extra hurdle—this role doesn’t always appear in the IAM role list by default.

Why You Might Need to Edit Organizational Policies

There are several reasons you might need to adjust an Organizational Policy, such as:

  • Enabling or disabling service account creation for a migration project.
  • Changing constraints to allow specific actions or services.
  • Ensuring compliance or meeting security requirements for cloud infrastructure.

If your task, like creating a service account key for a Google Workspace to Office 365 migration, gets blocked by an enforced organizational policy, here’s how you can resolve it.

Steps to Edit an Organizational Policy in Google Cloud

To update a Boolean policy (e.g., enable or disable service account creation), follow these steps:

  1. Navigate to the Organization Policies Page:
    • In the Google Cloud console, go to the Organization Policies page.
    • From the project picker, select the project, folder, or organization where you want to edit the policies.
  2. Locate the Relevant Policy Constraint:
    • The Organization Policies page will display a list of available policy constraints.
    • Select the constraint you want to modify. For example, the one blocking service account creation.
  3. Attempt to Edit the Policy:
    • On the Policy details page, you’ll see an option to click Manage policy. This is where you would typically override the parent policy and make changes.
    • However, if Edit Policy is greyed out, this confirms that your role lacks sufficient permissions.
  4. Solution: Assign the Organization Policy Administrator Role

You’ll need to assign the Organization Policy Administrator (roles/orgpolicy.policyAdmin) role to yourself or the appropriate user.

GUI: The Organization Policy Administrator role cannot be assigned through the console GUI here; as noted above, the role does not show up in the IAM role list.


gcloud: Here’s how to do it via the gcloud command line.

Step-by-Step Solution via gcloud

1. Install gcloud SDK:

If you haven’t installed the gcloud SDK yet, follow the installation steps in the Google Cloud SDK Installation Guide for your OS (Windows, macOS, Linux).

2. Launch gcloud Shell and Fetch Organization ID:

Once the gcloud SDK is installed, open the gcloud shell.

Run the following command to get the organization ID:

gcloud projects get-ancestors {projectId} 

Replace {projectId} with your actual project ID. The output will display your organization ID.

ID                      TYPE
Your-project-ID         project
123456789012            folder
567890123456            organization

3. Assign the Organization Policy Admin Role:

Now, use the following command to assign the Organization Policy Administrator role to the user:

gcloud organizations add-iam-policy-binding example-organization-id-1 --member="user:test-user@example.com" --role="roles/orgpolicy.policyAdmin"

Replace example-organization-id-1 with the organization ID you fetched earlier, and test-user@example.com with the email of the user you want to assign the role to.

4. Edit the Organizational Policy:

Once the role is assigned, go back to the Organization Policies page, and you should now be able to edit the policy and override the enforcement.
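The gcloud steps above, scripted as an added example (not code from the original post): it parses the organization ID out of the get-ancestors output instead of copying it by hand, checks the organization’s IAM policy before adding the roles/orgpolicy.policyAdmin binding, and writes a project-scoped override for iam.disableServiceAccountKeyCreation so the organization-wide enforcement stays in place. The `--flatten`/`--filter` flags and the `gcloud org-policies set-policy` YAML shape are standard gcloud; PROJECT_ID, the member address and the override.yaml file name are placeholders you supply.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. Scripts the gcloud steps above:
# parse the organization ID instead of copying it, check whether the member
# already holds roles/orgpolicy.policyAdmin before binding, and override the
# constraint for ONE project so organization-wide enforcement stays in place.
# Requires an authenticated gcloud when run live; the helpers read captured
# text on stdin so they can be exercised offline.
set -eu

CONSTRAINT="iam.disableServiceAccountKeyCreation"
ROLE="roles/orgpolicy.policyAdmin"

# stdin: output of `gcloud projects get-ancestors PROJECT_ID`. Prints the ID of
# the row whose TYPE is "organization"; exits 1 if there is none.
org_id_from_ancestors() {
  awk '$2 == "organization" { print $1; found = 1 } END { exit !found }'
}

# stdin: one member per line, as produced by
#   gcloud organizations get-iam-policy ORG_ID --flatten='bindings[].members' \
#     --filter="bindings.role=$ROLE" --format='value(bindings.members)'
# Returns 0 when MEMBER (e.g. user:alice@example.com) already holds the role.
has_role() {
  grep -xF -- "$1" >/dev/null
}

# Org Policy v2 YAML that lifts enforcement for a single project only; apply it
# with `gcloud org-policies set-policy FILE`. The organization policy is untouched.
override_policy_yaml() {
  cat <<EOF
name: projects/$1/policies/${CONSTRAINT}
spec:
  rules:
  - enforce: false
EOF
}

main() {  # usage: main PROJECT_ID alice@example.com
  local project_id="$1" member="user:$2" org_id
  org_id=$(gcloud projects get-ancestors "$project_id" | org_id_from_ancestors)
  if gcloud organizations get-iam-policy "$org_id" --flatten='bindings[].members' \
       --filter="bindings.role=$ROLE" --format='value(bindings.members)' | has_role "$member"
  then echo "$member already holds $ROLE on organization $org_id"
  else gcloud organizations add-iam-policy-binding "$org_id" --member="$member" --role="$ROLE"
  fi
  override_policy_yaml "$project_id" > override.yaml
  gcloud org-policies set-policy override.yaml
}

if [ $# -eq 2 ]; then main "$@"; fi
```

Once the migration is finished, the project override can be dropped again with `gcloud org-policies delete iam.disableServiceAccountKeyCreation --project=PROJECT_ID`, and the role binding with `gcloud organizations remove-iam-policy-binding`.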

Wrapping Up

Understanding that Super Admin doesn’t automatically mean you have full access to every policy in Google Cloud can help avoid confusion and delays. The key takeaway is that least privilege and Separation of Duties (SoD) are security mechanisms that require you to explicitly assign roles like Organization Policy Administrator for sensitive operations.

By following the steps outlined above, you should be able to work around this limitation and make the necessary changes to organizational policies. This will allow you to proceed with tasks such as service account creation for your Google Workspace to Office 365 migration without any roadblocks.

For more details, refer to the official documentation here.


Ravi Chopra
