Error when migrating projects in GCP, could someone help me? - google-cloud-platform

I'm trying to migrate 2 projects originating in "No organization" to a newly created organization in GCP.
The user has project-level permissions:
Owner
At the organization level the user has the permissions:
Organization Administrator,
Project Creator
When trying to perform the migration, it displays the error:
Permission denied
You do not have the following required permission to perform this action:
"resourcemanager.projects.update"
I've tried to perform the procedure via the command line too, but it didn't work either:
ERROR: (gcloud.beta.projects.move) User ["my user"] does not have
permission to access projects instance ["my project"] (or it may not exist):
The caller does not have permission.
Group permission that the user participates at the organizational level: Support Account Administrator, Organization Role Administrator, Organization Policy Administrator, Folder admin, Organization Administrator, Project Creator, Project Mover, Security Center Admin
User permission at the Organization level: Organization Administrator, Project Mover
User permission at project level: Owner, Project Mover, Organization Administrator
Would you have any more suggestions?

We contacted our partner and saw that the projects were linked to their organization; for me it appeared as "No organization" because I only had access to the project but not to their organization.
To solve it, it was necessary to open a ticket on google to disassociate the projects from their organization and only after that I was able to migrate to my organization.
Thank you very much everyone for your support.

When you try to migrate, the error occurs because you don't have organization policies. To move a project resource to a new organization, you must first apply an organization policy that will define the organizations to which the project can be moved.
On the parent resource to the project you want to move, set an organization policy that includes the
constraints/resourcemanager.allowedExportDestinations
This will define the target destination as a valid location to which you can migrate the project.
On the destination resource, set an organization policy that includes the
constraints/resourcemanager.allowedImportSources
This will define the source as a valid location from which you can migrate your project.
For example, say you had a project my-test-project that existed under an organization with the ID 12345678901, and you wanted to move it to a new organization for your secondary business unit, with the ID 45678901234.
You would set an organization policy on organizations/12345678901 with the constraints/resourcemanager.allowedExportDestinations constraint enforced and under:organizations/45678901234 set as an allowed_value.
Then, set an organization policy on organizations/45678901234 with the constraints/resourcemanager.allowedImportSources constraint enforced and under:organizations/12345678901 set as an allowed_value.
Once these organization policies are enforced, you will be able to move my-test-project from organizations/12345678901 to organizations/45678901234, assuming you have the permissions noted in Assign permissions.
https://cloud.google.com/resource-manager/docs/project-migration#configure_organization_policies

I even created a customized role at the organization level with the permissions:
resourcemanager.organizations.get, resourcemanager.organizations.getIamPolicy, resourcemanager.organizations.setIamPolicy, resourcemanager.projects.create,resourcemanager.projects.get, resourcemanager.projects.getIamPolicy, resourcemanager.projects.list, resourcemanager.projects.move, resourcemanager.projects.setIamPolicy, resourcemanager.projects.update, resourcemanager.projects.updateLiens
I created a custom Role also in the project I want to migrate and set the permissions:
resourcemanager.projects.get, resourcemanager.projects.getIamPolicy, resourcemanager.projects.move, resourcemanager.projects.setIamPolicy, resourcemanager.projects.update
Even after these changes I had the same error when migrating.

The following instructions are only for moving a project within an organization (such as in this case). To move a project, you need the following IAM roles:
Have the resourcemanager.projects.update permission on the project, which typically comes from having either the Project Editor or Project Owner roles on the project.
Have the resourcemanager.projects.move permission on both the source folder and the destination folder. This permission is typically part of the Project Owner, Project Editor, Folder Admin, or Folder Mover roles. If the resource is not in a folder, you will need this permission on the organization node.
To move a project to another organization:
In the Google Cloud Console, go to the Manage resources page.
Select your Organization from the Organization drop-down on the top left of the page.
Click on your project's row to select your project from the list of resources. Note that you must not click on the name of the project, which takes you to the project's IAM page.
Click on the options menu (the vertical ellipsis) in the row and click Move.
Click Browse to select the folder to which you want to move the project.
Click Move.
If you made sure that your account has all the permissions specified and are still getting the error, you may want to try the Resource Manager API as per the following link:
https://cloud.google.com/resource-manager/docs/project-migration#perform_migration
Hope you find this useful.
Regards
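The asker's own resolution (the projects were really under a partner's organization, which the console showed as "No organization" because the asker could not read that organization) suggests one check that belongs before any of the console steps above: ask Resource Manager what the project's parent actually is, then look at the roles the account holds on the project and on the target organization. The script below is an added example, not part of the question or of this answer. It assumes the environment variables PROJECT_ID, TARGET_ORG (numeric) and USER_EMAIL, and the gcloud commands it uses are only run when gcloud is installed; the parsing helpers are exercised on constructed sample output of `gcloud projects describe`.

```shell
#!/bin/sh
# Added example (not from the original thread): pre-flight checks before
# "gcloud beta projects move". PROJECT_ID, TARGET_ORG and USER_EMAIL are assumed
# environment variables; gcloud is invoked only when it is installed.
set -eu

# Extract "<type> <id>" of the project's parent from the default (YAML) output
# of `gcloud projects describe`. Prints nothing for a parentless project.
parent_of() {
  awk '
    /^parent:/ { inparent=1; next }
    inparent && /^  id:/   { id=$2 }
    inparent && /^  type:/ { type=$2 }
    inparent && /^[^ ]/    { inparent=0 }
    END { if (type != "") print type, id }
  ' | tr -d "'\""
}

# What the parent means for the move:
#   standalone  -> truly "No organization"; the move can be attempted directly
#   same-org    -> already under TARGET_ORG
#   foreign-org -> under another organization; the console may still show
#                  "No organization" when you cannot read that organization,
#                  so the org-policy pair or a Support ticket is needed first
#   folder      -> inside a folder; the move permission is needed on the folder
classify_parent() {
  parent="$1"; target_org="$2"
  case "$parent" in
    '')                         echo standalone ;;
    "organization $target_org") echo same-org ;;
    organization\ *)            echo foreign-org ;;
    *)                          echo folder ;;
  esac
}

preflight() {
  project="$1"; target_org="$2"; who="$3"
  parent=$(gcloud projects describe "$project" | parent_of)
  echo "parent: ${parent:-<none>} -> $(classify_parent "$parent" "$target_org")"
  # Full ancestry (folders included) of the same project.
  gcloud projects get-ancestors "$project"
  # Roles the user holds directly on the project and on the target organization.
  gcloud projects get-iam-policy "$project" --flatten='bindings[].members' \
    --filter="bindings.members:user:$who" --format='value(bindings.role)'
  gcloud organizations get-iam-policy "$target_org" --flatten='bindings[].members' \
    --filter="bindings.members:user:$who" --format='value(bindings.role)'
}

# Usage: PROJECT_ID=my-project TARGET_ORG=45678901234 USER_EMAIL=me@example.com sh preflight.sh
if [ -n "${PROJECT_ID:-}" ] && command -v gcloud >/dev/null 2>&1; then
  preflight "$PROJECT_ID" "${TARGET_ORG:?}" "${USER_EMAIL:?}"
fi
```

A result of foreign-org with an organization ID you do not recognise is exactly the situation the asker ended up in, and it cannot be fixed by adding more roles on your own organization.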

Unable to Migrate GCP Project

When I click on Move, I only see the current organization as the target.
I have the following roles (same principal email in source and target):
Source organization:
Billing Account Administrator
Organization Administrator
Owner
Project Creator
Project IAM Admin
Project Mover
Source Project:
Organization Administrator
Owner
Project IAM Admin
Project Mover
Target Organization:
Billing Account Administrator
Organization Administrator
Organization Policy Administrator
Owner
Project Creator
Project IAM Admin
Project Mover
roles/orgpolicy.policyAdmin enabled on both source and target organizations
constraints/resourcemanager.allowedExportDestinations in source organization is set to Enable All
constraints/resourcemanager.allowedImportSources in target organization is set to Enable All
You can move a project between organization resources in the same organization.
Moving a project to a different organization requires Google Cloud Support to perform the move on your behalf. Google will move the projects out of the current organization. Those projects are now standalone (no parent organization). You will then move the standalone projects into the desired organization.
Kindly follow the steps to migrate the project to no organization. I have provided you with the link to the Doc for better understanding. Also, you can follow the steps below.
Now project migration has become self-service, and to proceed with the migration the roles below should be available. Refer to the documentation.
The project resource that you want to move is the parent resource, and should have a project mover role.
The permission needed for the resource that is moving is "resourcemanager.projects.update" and the permission required for the parent resource is "resourcemanager.projects.move".
On the destination side the following roles should be associated with the user account:
If the destination resource is a folder, then the role should be "resourcemanager.projects.move".
If the destination resource is an organization, then the role should be "resourcemanager.projects.create".
Please find the documentation for your reference.
Since you mentioned that you have a user ID who has the Owner role, which already has both "resourcemanager.projects.move"
and "resourcemanager.projects.create" permissions, you can use the command below to proceed with the organization move:
gcloud beta projects move PROJECT_ID --organization ORGANIZATION_ID
This will resolve your issue.

How to migrate a GCP Project from one organization to other

I had created a project on GCP to run my mobile app. I was on a free trial and, before I realized it, the trial ended and I lost my project. I wanted to see if I can recover and migrate that project to my company's GCP account that I just created.
thanks!
Projects within GCP undergo a 30 day grace period before the resources are fully deleted, as the project needs an active billing account, which is automatically closed if you did not opt to upgrade it to a paid account.
If the project is already past the 30 day grace period, the resources on that project are now fully deleted and cannot be recovered.
For your question on Migrating the Project from one Organization to another.
You would need to:
Give the email account the Project Mover (*access to update and move projects) role on the Project to be moved.
Give the email account the Project Creator role on the destination Organization
On the Source and Destination Organizations, you will need the roles/orgpolicy.policyAdmin (Organization Policy Admin) role or you can just give the email account the Organization Admin role for both Organizations
Check the constraints below (this is in IAM & Admin > Organization Policies):
a. Source Org > Allow constraints/resourcemanager.allowedExportDestinations
b. Destination Org > Allow constraints/resourcemanager.allowedImportSources
Then issue this command in Cloud Shell once all the above requirements are met:
gcloud beta projects move [Project-ID] --organization [ORG-ID]
OR
gcloud beta projects move PROJECT_ID --organization ORGANIZATION_ID
You may also check this documentation for reference
In regards to moving projects between organizations [1], here is a summary of the permissions and policies that are needed:
Permissions on the source organization:
The person moving the project needs to have roles/resourcemanager.projectMover on the organization. Alternatively, the person can have the resourcemanager.projects.update permission on the project and the resourcemanager.projects.move permission on the parent (organization).
Permissions on the destination organization:
The same person moving the project needs to have roles/resourcemanager.projectCreator on the organization.
Organization policy permissions:
On the parent resource to the project you want to move, set an organization policy that includes the constraints/resourcemanager.allowedExportDestinations constraint. On the destination resource, set an organization policy that includes the constraints/resourcemanager.allowedImportSources constraint.
On the source and destination organization resources, you must have the roles/orgpolicy.policyAdmin role, which grants permission to create and manage organization policies.
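This summary and the first answer on the migration question (the one with the 12345678901 / 45678901234 example) describe the same pair of organization policies, so one added example serves both. The script below is not from either answer or from Google's documentation: it writes the allowedExportDestinations policy for the source organization and the allowedImportSources policy for the destination, applies them with `gcloud org-policies set-policy`, and reads both back. It assumes the current `gcloud org-policies` YAML file format shown inside the functions, numeric organization IDs in SOURCE_ORG and DEST_ORG, and that the caller holds roles/orgpolicy.policyAdmin on both organizations; the IDs in the usage line are the placeholders from the earlier answer.

```shell
#!/bin/sh
# Added example (not from the original answers): write and apply the two
# organization policies that authorise moving a project between organizations.
# SOURCE_ORG and DEST_ORG are assumed numeric organization IDs; gcloud is only
# invoked when it is installed, so the YAML helpers also work offline.
set -eu

# Policy on the SOURCE organization: projects may be exported to DEST_ORG.
# Arguments: source org ID, destination org ID.
export_policy_yaml() {
  printf 'name: organizations/%s/policies/resourcemanager.allowedExportDestinations\nspec:\n  rules:\n  - values:\n      allowedValues:\n      - under:organizations/%s\n' "$1" "$2"
}

# Policy on the DESTINATION organization: projects may be imported from SOURCE_ORG.
# Arguments: destination org ID, source org ID.
import_policy_yaml() {
  printf 'name: organizations/%s/policies/resourcemanager.allowedImportSources\nspec:\n  rules:\n  - values:\n      allowedValues:\n      - under:organizations/%s\n' "$1" "$2"
}

# Accept only a bare numeric ID: the console shows "organizations/123", but the
# policy value must be written as "under:organizations/123" with the number alone.
is_org_id() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

apply_policies() {
  src_org="$1"; dest_org="$2"
  is_org_id "$src_org"  || { echo "bad source org id: $src_org" >&2; return 1; }
  is_org_id "$dest_org" || { echo "bad destination org id: $dest_org" >&2; return 1; }
  tmp=$(mktemp -d)
  export_policy_yaml "$src_org" "$dest_org" > "$tmp/export.yaml"
  import_policy_yaml "$dest_org" "$src_org" > "$tmp/import.yaml"
  gcloud org-policies set-policy "$tmp/export.yaml"
  gcloud org-policies set-policy "$tmp/import.yaml"
  # Read both back so a typo in either ID is caught before the move is attempted.
  gcloud org-policies describe resourcemanager.allowedExportDestinations --organization="$src_org"
  gcloud org-policies describe resourcemanager.allowedImportSources --organization="$dest_org"
  rm -rf "$tmp"
}

# Usage: SOURCE_ORG=12345678901 DEST_ORG=45678901234 sh move-policies.sh
if [ -n "${SOURCE_ORG:-}" ] && [ -n "${DEST_ORG:-}" ] && command -v gcloud >/dev/null 2>&1; then
  apply_policies "$SOURCE_ORG" "$DEST_ORG"
fi
```

Each policy names a single organization with the under: prefix rather than allowing all values, so the export and import doors are open only between the two organizations involved and can be closed again once the move has completed.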

How to create folders under the organization in Google Cloud Platform (GCP)?

I created a GCP account, accepted all licensing agreements.
I setup an Organization and a billing account, got that confirmed.
I am now trying to create a folder under the organization that was set up, and get a yellow warning triangle (!):
You do not have permission to create folders in this location.
Why?
How do I fix this?
When I go to any page in IAM it gives me warnings that I do not have permissions with anything related to IAM. I can't grant myself any further permissions.
I am logging in as the same user that created the GCP account (which is a GSuite user).
Any help would be appreciated. There is no support of any kind directly from Google with a paid GCP account; I am pointed here.
In order to access the permissions to create folders perform the following steps:
Visit console.cloud.google.com
Log in as the Super Admin
In the TopAppBar, next to Google Cloud Platform, select the resource drop-down as if you were going to switch organization units or resources
In the resulting pop-up, make sure Select from at the top left has the proper organizational unit selected, then from the top right click on the three vertical dots and select IAM/Permissions
As an alternative, you could simply follow the first 3 steps above and then
Click the menu stack at the far left of the TopAppBar, selecting from the navigation drawer the IAM sub-menu of the IAM & Admin menu option.
Next, in order to grant the proper permissions to the Super Admin:
Find the Super Admin in question from the list of IAM accounts, or alternatively you can add a new user or service account by selecting the appropriate action from the top of the view.
On the far right of the user in question, after the listed roles, click on the pencil icon that indicates Edit principal.
In the resulting drawer you have the option to edit the roles the user has, including adding new ones.
Organizational Admin provides almost every permission needed for managing resources; however, it does not include creating folders. For this, you need to scroll down in the list of Roles to Resource Manager (you can filter for "Folder", don't filter for "Resource", it's confusing, I know) and among the Roles available for the category you can choose Folder Admin or Folder Creator to be able to create folders.
This may be a limitation of user accounts that were created before creating folders became available. I'm sure Google would never simply enable administrative privileges blindly, not even for current admins, just because they are newly created features.
In other words, I'm unsure if someone who created a GCP account now as a Super Admin would not have Folder Creation rights as an Organizational Admin - but if you happen to have that limitation as an Organizational Admin; the above is how to resolve the issue.
When you create an organization, you are not automatically assigned permissions (roles) in the organization. You need to add roles to your IAM member account.
There are several roles to consider. For the Project Owner, add the role roles/resourcemanager.organizationAdmin at the Organization level.
Access Control for Organizations using IAM
Also, review the roles Project Creator and Billing Account Creator
Managing Default Organization Roles
As was already pointed out by John Hanley, you will need to have the correct permissions to create a Folder in your organization:
If you are not the Project Owner, ask your administrator to grant your account permissions to create folders. I see you followed the access_control manual, but be sure you have the Folder Admin role:
Also, take a look at the “best practices“ regarding folders IAM permissions, this may help to configure them.

Is it possible to inherit the "owner" role in GCP IAM?

Situation:
I have a project which belongs to a GCP organization
User A is "Organization Administrator" and (Project) "Owner" at organization level
Problem:
As expected, user A is listed in the IAM page of the project at hand (with both aforementioned roles; inheritance is indicated by an icon in the last column)
But: The user does not see the project nor can access it. This only works when I assign the Owner role again for the project.
Question: Is it possible to inherit the owner role to make users owner of a project by inheritance?
Seems like there were inconsistencies within GCP permission propagation, I removed all roles on organization level and added them again - now it is working.
Question: Is it possible to inherit the owner role to make users owner
of a project by inheritance?
If your Google Cloud Platform account is using Organizations, then yes, you can add a user via IAM at the Organization level as Project Owner. This role filters down through inheritance to all projects in the organization. The same applies to Project Viewer, Project Editor, etc.
But: The user does not see the project nor can access it. This only
works when I assign the Owner role again for the project.
I have not seen this problem before. Remember that changing roles and permissions is not an instant process. It takes time for GCP to sync worldwide. Some articles mention up to 7 minutes. Also, with some changes, the browser caches information, so you have to refresh the page to see changes (not always).

You do not have permissions to create projects outside of an organization

Using GSuite admin account in developer console. After creating new project in organization it says:
Google Cloud Organization is now available for your domain!
And after that I can't create projects outside of organization. It says:
You do not have permissions to create projects outside of an organization
Is it possible to add permissions to create projects like this?
TLDR
You need the permission Project Creator at the organisation level
Visit https://console.cloud.google.com/iam-admin/iam
From the top project selection dropdown, choose the "organisation", as shown in the screenshot below (it would have an office building symbol, unlike projects which has 3 dots grouped together symbol).
The URL should now have an organizationId like https://console.cloud.google.com/iam-admin/iam?organizationId=435781836209
On this page, click "ADD", enter the email id in "Principals" and add the role as Project Creator.
LONG ANSWER
Apparently, having "admin" permissions doesn't suffice if you don't have the Project Creator permission.
As admin, I had the following permissions, but I was still unable to create a project because I didn't have the Project Creator permission:
Access Approval Approver
Access Context Manager Admin
Actions Admin
Recommendations AI Viewer
Access Transparency Admin
Bigtable Administrator
Billing Account Administrator
Project Billing Manager
Cloud Asset Owner
Compute Admin
Compute Network Admin
Compute Organisation Security Policy User
Compute Organisation Resource Admin
Organisation Role Administrator
Notebooks Admin
Owner
Folder Admin
Folder Creator
Folder IAM Admin
Folder Mover
Project IAM Admin
Service Broker Admin
Storage Admin
Would love to meet the gentleman at Google who came up with this idea. The Owner permission's description reads as Full access to all resources. (I am yet to see a description so unprofessionally misleading.)
Use https://console.cloud.google.com/iam-admin/iam/organization and make sure that folder admin is checked for the permission.
You cannot directly create projects outside of any organization with a GSuite account anymore.
At most you can create a project in another organization if you are given permission (useful for a developer house).
Projects without any organization are just for personal @gmail.com accounts.
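The folder question above (Organization Admin does not include creating folders; Folder Creator or Folder Admin must be added at the organization level) and this question (an account with many admin roles still cannot create a project without Project Creator at the organization level) both come down to the same fix: an organization-level IAM binding for one specific Resource Manager role. The script below is an added example, not from any of the answers: it lists the roles a member holds directly on the organization, reports whether any of them allows creating folders or projects, and grants the two missing roles with `gcloud organizations add-iam-policy-binding`. ORG_ID and MEMBER (in the form user:alice@example.com, a constructed placeholder) are assumed environment variables; the gcloud calls run only when gcloud is installed, while the role checks work on any list of roles.

```shell
#!/bin/sh
# Added example (not from the original answers): check and grant the
# organization-level roles needed to create folders and projects.
# ORG_ID (numeric) and MEMBER (user:alice@example.com) are assumed inputs.
set -eu

# Either of these roles allows creating folders; Org Admin and Owner do not.
FOLDER_ROLES='roles/resourcemanager.folderCreator roles/resourcemanager.folderAdmin'
# Creating projects in an organization needs Project Creator.
PROJECT_ROLES='roles/resourcemanager.projectCreator'

# Exact match of one role in a newline-separated list (as printed by org_roles_of).
has_role() {
  printf '%s\n' "$1" | grep -qxF "$2"
}

# Prints "folders" and/or "projects" depending on which resources the role list
# allows creating; prints nothing when it allows neither.
creatable_resources() {
  roles="$1"; out=""
  for r in $FOLDER_ROLES; do
    if has_role "$roles" "$r"; then out="folders"; break; fi
  done
  for r in $PROJECT_ROLES; do
    if has_role "$roles" "$r"; then out="${out:+$out }projects"; fi
  done
  printf '%s' "$out"
}

# Roles bound directly to the member on the organization node. Nothing is
# inherited at this level, so this is the complete organization-level picture.
org_roles_of() {
  gcloud organizations get-iam-policy "$1" --flatten='bindings[].members' \
    --filter="bindings.members:$2" --format='value(bindings.role)'
}

grant_org_role() {
  gcloud organizations add-iam-policy-binding "$1" --member="$2" --role="$3"
}

# Usage: ORG_ID=123456789012 MEMBER=user:alice@example.com sh grant-creators.sh
if [ -n "${ORG_ID:-}" ] && [ -n "${MEMBER:-}" ] && command -v gcloud >/dev/null 2>&1; then
  before=$(org_roles_of "$ORG_ID" "$MEMBER")
  echo "before: can create [$(creatable_resources "$before")]"
  # Folder Creator is the narrower choice; Folder Admin also manages existing folders.
  grant_org_role "$ORG_ID" "$MEMBER" roles/resourcemanager.folderCreator
  grant_org_role "$ORG_ID" "$MEMBER" roles/resourcemanager.projectCreator
  after=$(org_roles_of "$ORG_ID" "$MEMBER")
  echo "after:  can create [$(creatable_resources "$after")]"
fi
```

The "before" line printed for a member holding only Owner and Organization Administrator is empty, which is the situation both askers describe; after the two bindings it reads "folders projects". Role changes can take a few minutes to propagate, as noted in the inheritance question above, so a second listing immediately after the grant may still lag.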