Moving project from No Organization to an existing Organization in GCP - google-cloud-platform

After renaming a project, GCP automatically moved it under No Organization, which is not what I intended. Now I want to move the project back to the existing organization, but can't set the permissions in No Organization to make the migration. Any ideas on how to resolve this?

Related

Migrating GCP projects

When migrating a project with no organization to a new organization, can we maintain the same billing account, or do we have to set up a new one?
Once the project is migrated, is there anything left to "close out" at the source? Since there is no organization in the source, there shouldn't be any folders.
You can migrate a project that is not associated with an organization into an organization. However, you can't change it back to No organization using this process. If you have a project that is associated with your organization and you want to revert it to No organization, reach out to your Support representative for assistance. Note that you need to set up the billing account again to migrate the projects from no organization; you can use the same billing account. You may check this documentation for reference: Migrating projects with no organization
Note: Reverting a project to No organization requires business justification.
Once the project is migrated there is nothing left to close out at the source. You may check this documentation for reference. IAM policy inheritance

Can you change organisation ownership of a Google Cloud Project

Is it possible to change the Organisation Ownership of a Google Cloud Account from one organisation to another?
Initially we setup the account under domain.net.au.
Our company was purchased by another company and has setup emails using google under domain.ag.
My boss is now wanting the Google Cloud Account and all its projects to be moved over to domain.ag.
Is this possible without having to re-create them all in the new location?
We have a massive database that is highly important to our company that needs to have almost no downtime.
thanks!
For changing organisational ownership, I think you really have to contact support. But if what you meant is moving your resources from the old organisation account to the new one, yes, it is possible to move resources from one organisation to another. With the right migration plans and the Project Mover roles on the required accounts, you can. But note that the resources would not inherit policies from previous organisations, hence you have to do an accurate setup for your new organisation. Just do an inventory record of what's in the current organisation to know how to prepare the new organisation to avoid issues. If you encounter any error, then you can roll back.
To change the organization ownership first you need to contact google support. Also yes, it is possible if you want to move your resources from an old organization account to a new organization account with correct migration plans and roles. Kindly make a note here, the resources would not inherit policies from previous organisations. Hence you need to do the exact setup for your new organization account.
Steps to change organizational ownership:
1. Create a list of projects that you'd like to move.
2. Move all the projects out of any folders in the current organization and into the top level.
3. Contact Support with a list of projects that you'd like to move from the current organization to another organization.
4. Support will move the projects out of the current organization so they have no parent (no organization).
5. Move all the projects into the new organization.

Error when migrating projects in GCP, could someone help me?

I'm trying to migrate 2 projects originating from "No organization" to a newly created organization in GCP.
The user has project-level permissions:
Owner
At the organization level the user has the permissions:
Organization Administrator,
Project Creator
When trying to perform the migration, it displays the error:
Permission denied
You do not have the following required permission to perform this action:
"resourcemanager.projects.update"
I've tried to perform the procedure via command too but it didn't work either
ERROR: (gcloud.beta.projects.move) User ["my user"] does not have
permission to access projects instance ["my project"] (or it may not exist):
The caller does not have permission.
Group permission that the user participates at the organizational level: Support Account Administrator, Organization Role Administrator, Organization Policy Administrator, Folder admin, Organization Administrator, Project Creator, Project Mover, Security Center Admin
User permission at the Organization level: Organization Administrator, Project Mover
User permission at project level: Owner, Project Mover, Organization Administrator
Would you have any more suggestions?
I contacted our partner and we saw that the projects were linked to their organization. For me it appeared as "No organization" because I only had access to the project but not their organization.
To solve it, it was necessary to open a ticket with Google to disassociate the projects from their organization, and only after that was I able to migrate to my organization.
Thank you very much everyone for your support.
When you try to migrate, the error occurs because you don't have organization policies. To move a project resource to a new organization, you must first apply an organization policy that will define the organizations to which the project can be moved.
On the parent resource to the project you want to move, set an organization policy that includes the constraints/resourcemanager.allowedExportDestinations constraint. This will define the target destination as a valid location to which you can migrate the project.
On the destination resource, set an organization policy that includes the constraints/resourcemanager.allowedImportSources constraint. This will define the source as a valid location from which you can migrate your project.
For example, say you had a project my-test-project that existed under an organization with the ID 12345678901, and you wanted to move it to a new organization for your secondary business unit, with the ID 45678901234.
You would set an organization policy on organizations/12345678901 with the constraints/resourcemanager.allowedExportDestinations constraint enforced and under:organizations/45678901234 set as an allowed_value.
Then, set an organization policy on organizations/45678901234 with the constraints/resourcemanager.allowedImportSources constraint enforced and under:organizations/12345678901 set as an allowed_value.
Once these organization policies are enforced, you will be able to move my-test-project from organizations/12345678901 to organizations/45678901234, assuming you have the permissions noted in Assign permissions.
https://cloud.google.com/resource-manager/docs/project-migration#configure_organization_policies
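The two policies from the walkthrough above, written out as policy files (an added example, not part of the original answer or of Google's documentation). It assumes the v2 policy file layout accepted by `gcloud org-policies set-policy`; the helper functions and file names are made up here, and the gcloud commands are only printed so they can be reviewed before anyone runs them.

```shell
#!/bin/sh
# Added example: writes the export/import organization policies for a
# project migration and prints the commands that would apply them.

# Accept only a bare numeric organization ID (no "organizations/" prefix).
is_org_id() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# policy_yaml ORG CONSTRAINT PEER_ORG
# Prints a policy for ORG that allows only PEER_ORG and its descendants,
# so the migration path stays limited to that one organization.
policy_yaml() {
  is_org_id "$1" && is_org_id "$3" || { echo "org IDs must be numeric" >&2; return 1; }
  cat <<EOF
name: organizations/$1/policies/$2
spec:
  rules:
  - values:
      allowedValues:
      - under:organizations/$3
EOF
}

# migration_plan SRC_ORG DST_ORG PROJECT_ID
# Writes both policy files, then prints the commands in the order to run them.
migration_plan() {
  exp=$(policy_yaml "$1" resourcemanager.allowedExportDestinations "$2") || return 1
  imp=$(policy_yaml "$2" resourcemanager.allowedImportSources "$1") || return 1
  printf '%s\n' "$exp" > export-policy.yaml   # applied on the source org
  printf '%s\n' "$imp" > import-policy.yaml   # applied on the destination org
  echo "gcloud org-policies set-policy export-policy.yaml"
  echo "gcloud org-policies set-policy import-policy.yaml"
  echo "gcloud beta projects move $3 --organization=$2"
}

# IDs and project name are the ones used in the answer above.
migration_plan 12345678901 45678901234 my-test-project
```

Once the move is done, the two policies can be reviewed again so the export and import paths do not stay open longer than needed.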
I even created a customized role at the organization level with the permissions:
resourcemanager.organizations.get, resourcemanager.organizations.getIamPolicy, resourcemanager.organizations.setIamPolicy, resourcemanager.projects.create, resourcemanager.projects.get, resourcemanager.projects.getIamPolicy, resourcemanager.projects.list, resourcemanager.projects.move, resourcemanager.projects.setIamPolicy, resourcemanager.projects.update, resourcemanager.projects.updateLiens
I also created a custom role in the project I want to migrate and set the permissions:
resourcemanager.projects.get, resourcemanager.projects.getIamPolicy, resourcemanager.projects.move, resourcemanager.projects.setIamPolicy, resourcemanager.projects.update
Even after these changes I had the same error when migrating.
The following instructions are only for moving a project within an organization (such as in this case). To move a project, you need the following IAM roles:
Have the resourcemanager.projects.update permission on the project, which typically comes from having either the Project Editor or Project Owner roles on the project.
Have the resourcemanager.projects.move permission on both the source folder and the destination folder. This permission is typically part of the Project Owner, Project Editor, Folder Admin, or Folder Mover roles. If the resource is not in a folder, you will need this permission on the organization node.
To move a project to another organization:
In the Google Cloud Console, go to the Manage resources page.
Select your Organization from the Organization drop-down on the top left of the page.
Click on your project's row to select your project from the list of resources. Note that you must not click on the name of the project, which takes you to the project's IAM page.
Click on the options menu (the vertical ellipsis) in the row and click Move.
Click Browse to select the folder to which you want to move the project.
Click Move.
If you made sure that your account has all the permissions specified and are still getting the error, you may want to try the Resource Manager API as per the following link:
https://cloud.google.com/resource-manager/docs/project-migration#perform_migration
Hope you find this useful.
Regards

Add cloud identity to existing Google Cloud Projects

I have 2 Google Cloud projects with GKE and various other services enabled and running.
None of those projects has an organization resource assigned. There are also many users and service accounts inside the projects that are used in production.
We use (example) adminaccount#example.com for those projects.
I would like to add Google Identity Free, so that I will be able to use Azure AD Users with SSO
So I created a new Google Identity Account with the username identityadmin#example.com which is not member of my existing Gcloud projects.
The domain (example.com) has not been verified so far.
What will I have to do to get this running with my existing projects?
I read that first I would need an organization resource, which would be created after I verify the domain.
Is it safe to do that? Will I afterwards be able to link my existing projects to this new organization without downtime and loss of existing permissions?
I don't understand how a new organization could be recognized by my existing projects, because there is no link between them.
The goal of course is not to have any downtime.
Sure, I would purchase Google support, but that's only possible If you have an organization, what I don't have.
I'm really confused and troubled.
Looking forward to any suggestions.
Many thanks in advance!
Roland
Firstly, you need to create your new organization. Start by creating a Google Workspace environment (go to https://admin.google.com and create it). You can create the org with a Google Workspace free trial and then cancel your subscription, no worry, I'm paying nothing!
Secondly, with your new Google Workspace account, and your new user, go to https://console.cloud.google.com. Here, select your organization, and go to IAM. Here, add as a member the user account where your projects are created in the "No Organization" organisation, and grant it the role Organization Administrator.
Perfect. Now, go back to your user account (freshly granted) and go to Resource Manager. I use the project picker window to go there.
And eventually, migrate your project. Select one project from "No Organization", click on migrate, select the Organization, and validate. That's all. No downtime
Your Cloud Identity organization is created when you finish your signup and setup steps for your Cloud Identity service
To answer your questions:
What will I have to do to get this running with my existing projects?
The simple answer is Migrate projects and billing accounts and set permissions
This documentation explains how Grant access to billing accounts and Grant access to projects
Will I afterwards be able to link my existing projects to this new organization without downtime and loss of existing permissions?
Once a Google Cloud Organization resource has been created for your domain, you can move your existing projects into the organization.
There should be NO server downtime or impact as a result of migration.
Take into consideration that the link between projects and billing accounts is preserved, irrespective of the hierarchy.
To migrate a project using you will need the following permissions: resourcemanager.projects.create on the destination organization, typically granted by the Project Creator role.
resourcemanager.projects.update and resourcemanager.projects.setIamPolicy on the project you are migrating, typically granted by the Owner role.
You can get further information in the following link: Migrating projects with no organization
Additionally to contact support you could create a case using this link and it doesn’t matter if you don’t have an organization.

Is there a way to change a google cloud platform project to other GCP account?

Is there a way I can change Google Cloud Platform to another GCP account? Because my account has been suspended via my company. Thank you.
You can change a project owner, billing account or other options.
To change the organization of a project, you have to directly contact google as stated here: https://cloud.google.com/resource-manager/docs/migrating-projects-billing#migrating_projects_in_an_organization
If your project is part of an organization, you can only move the project within the organization. You cannot move the project outside the organization even if you change the owner. The owner is just a permission, not who controls the hierarchy of organizations / folders / projects.
If the project is not part of an organization, you can change the owner to any Google Accounts email address. Just remember to delete the other owners. You will need ownership of the billing account also.