GSuite/Cloud Platform - Fixing or Resetting Permissions - google-cloud-platform

I had created a Google Cloud Platform project and an associated service account for accessing the Directory API in the Admin SDK. After some experimentation I decided to remove that project and the service account and start from scratch. Around that same time I also changed the primary domain on our GSuite account.
I believe this combination has screwed up my permissions in the Google Cloud Platform. I'm the only SuperAdmin on our GSuite account, and yet it seems I'm unable to do many things (examples below). Any way to completely reset permissions or the Cloud Platform account entirely? There are no projects to lose at this point.
Examples:
When I try to create a new project, when choosing "location", the only option (the name of the organization, still using the old primary domain) tells me "You do not have permission to create projects in this location"
If I go to IAM & Admin > Settings and try to rename the organization, it says "You do not have the permission to rename this resource. Required permission(s): All of resourcemanager.organizations.get and resourcemanager.organizations.update"
If I go to IAM & Admin > Roles a banner at the top says "You do not have sufficient permissions to view this page"
I contacted GSuite support, but since the problem itself was on the Cloud Platform side they couldn't really do much for me.

I'm still not sure what caused the permissions to get mangled, but creating another GSuite admin and using that one to repair permissions took care of it.

Related

Unable to add HTTPArchive dataset to BigQuery project

I'd like to explore the HTTPArchive data that is publicly available in BigQuery. To access the data, I'm following along with these instructions:
https://github.com/HTTPArchive/httparchive.org/blob/main/docs/gettingstarted_bigquery.md
Unfortunately, when I get to step 7, I get an error message as follows:
You seem to be missing permissions on the billing project. The billing project can be changed using the project picker at the top of the page. If the project is correct then please talk to your administrator. Original error message: The caller does not have permission
In my googling to resolve the issue, I found this SO question/answer: missing permission on "billingAccounts/XXXXXXXXXXXXXXXXXXXXXXXX": billing.resourceAssociations.create Terraform (GCP)
Unfortunately, adding all the various billing roles to the principal associated with the account does not resolve the issue. I've added all the mentioned billing roles but I'm still running into the same problem.
I can't tell for sure (I just don't have the expertise at the moment), but it seems the project isn't correctly linked to the billing resource. I could be wrong.
I do get this message when I click on "Change billing account" (within the "Actions" menu) under the "Account management page".
This seems like it could be the issue but it might also just mean that I don't have a second Billing account to change to.
Any and all help greatly appreciated.
You first have to unlink your project from your current Cloud Billing Account before linking it to your new or desired billing account. To do so, make sure that you have the predefined roles for permissions on both your project and your billing account. You can follow the steps in this documentation.
Another option is to create a new Cloud Billing Account. If you are under an organization, you must have this permission - billing.accounts.create. You can follow these instructions on creating your new billing account. If you are the one who manages your Google Cloud resources, you won't need to add any permissions to create a new billing account.
Kindly comment below if this can help you proceed on setting up your HTTPArchive to BigQuery so we can still find another solution to your blocker.

Google Cloud: Why am I not an organization administrator?

I am attempting to expand my usage of Google Cloud and running into issues. When I go to IAM & Admin -> IAM and select my organization, I get an error: "You do not have sufficient permissions to view this page". A bit lower: "You are missing the following required permissions: resourcemanager.organizations.getIamPolicy".
I'm confused by this because if I select a project IN the organization I see I have the "Organization Administrator" role which has that exact permission assigned. I also have "Owner" role.
I also cannot upgrade from Basic support to any paid support due to this issue, so I literally cannot get any help from anyone at Google.
I created this org! Do I need to delete everything and start over? (ugh)
Based on what @JohnHanley shared in the comments:
Organization Admin must be applied (bound) at the organization level. If you created the organization, then you have a Workspace or Identity account. Use that account to login. The problem should be easy to solve once you are using the correct account to authenticate.
In addition to that:
To administer a particular project or product on GCP, you must ask your organization or the team managing your Google Workspace Admin to increase your role and authorization to a higher hierarchy.

Organization Admin somehow doesn't have access to create a folder in GCP?

I'm pretty sure this is an actual bug with GCP at the moment. I'm the Organization Admin for the GCP organization (I've quadruple checked this, and that I'm signed in with the correct account).
But when I go to Manage Resources, And try to create a new folder, it doesn't let me select the organization as the location, because I "don't have the required resourcemanager.folders.create permission". If I try to create the folder in a project that's in the organization, I get "Unknown error".
I'm the user who created the organization and all projects in the first place, and the only G-Suite user that even exists on this domain.
If you review the permissions that Organization Administrator has (see IAM Roles), resourcemanager.folders.create is not one of them.
Org Admin by itself has almost infinite power because it can set IAM policies. This means the Org Admin can grant any IAM permission to any identity.
Grant yourself the required role such as roles/resourcemanager.folderAdmin.
Note: I recommend keeping the Org Admin as a separate identity that you lock away and only use to manage the organization. Create separate identities for day-to-day operations, development, and deployment.
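As an added illustration of the two points made above (a role must be bound at the level where the permission is needed, and Organization Administrator does not carry resourcemanager.folders.create), here is a small Python resolver that walks the resource hierarchy the way IAM inheritance does; it is not code from either answer. The role permission subset, hierarchy, policies, principals and IDs are all constructed, and the real predefined roles carry many more permissions than listed here.

```python
# Constructed subset of predefined-role permissions (the real roles have more).
ROLE_PERMISSIONS = {
    "roles/resourcemanager.organizationAdmin": {
        "resourcemanager.organizations.get",
        "resourcemanager.organizations.getIamPolicy",
        "resourcemanager.organizations.setIamPolicy"},
    "roles/resourcemanager.folderAdmin": {"resourcemanager.folders.create"},
    "roles/owner": {"resourcemanager.projects.update",
                    "resourcemanager.projects.setIamPolicy"},
}
# Constructed hierarchy and policies (placeholder IDs), shaped like the JSON
# that `gcloud organizations|projects get-iam-policy --format=json` returns.
PARENTS = {"projects/prod-app": "organizations/000000000000"}
POLICIES = {
    "organizations/000000000000": {"bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["user:bob@example.com"]}]},
    "projects/prod-app": {"bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["user:alice@example.com"]}]},
}

def effective_roles(member, resource, policies=POLICIES, parents=PARENTS):
    """Roles bound to `member` on `resource` or an ancestor. IAM inherits
    downwards only, so a project binding never reaches the organization.
    Conditional bindings are skipped: they may not apply to this request."""
    roles, node = set(), resource
    while node is not None:
        for b in policies.get(node, {}).get("bindings", []):
            if "condition" not in b and member in b.get("members", []):
                roles.add(b["role"])
        node = parents.get(node)
    return roles

def missing_permissions(member, resource, needed, policies=POLICIES, parents=PARENTS):
    """Required permissions not covered by the member's effective roles."""
    granted = set()
    for role in effective_roles(member, resource, policies, parents):
        granted |= ROLE_PERMISSIONS.get(role, set())
    return sorted(set(needed) - granted)

def bind_role(policy, member, role):
    """Add an unconditional binding, as add-iam-policy-binding would."""
    for b in policy.setdefault("bindings", []):
        if b["role"] == role and "condition" not in b:
            if member not in b["members"]:
                b["members"].append(member)
            return policy
    policy["bindings"].append({"role": role, "members": [member]})
    return policy
```

Running `missing_permissions("user:alice@example.com", "organizations/000000000000", ["resourcemanager.organizations.getIamPolicy"])` reproduces the "missing resourcemanager.organizations.getIamPolicy" situation from the previous question, because alice's Organization Administrator binding lives on the project, not the organization.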

Add cloud identity to existing Google Cloud Projects

I have 2 Google Cloud projects with GKE and various other services enabled and running.
None of those projects has an organization resource assigned. There are also many users and service accounts inside the projects that are used in production.
We use (for example) adminaccount@example.com for those projects.
I would like to add Google Identity Free, so that I will be able to use Azure AD users with SSO.
So I created a new Google Identity account with the username identityadmin@example.com, which is not a member of my existing Gcloud projects.
The domain (example.com) has not been verified so far.
What will I have to do to get this running with my existing projects?
I read that first I would need an organization resource, which would be created after I verify the domain.
Is it safe to do that? Will I afterwards be able to link my existing projects to this new organization without downtime and loss of existing permissions?
I don't understand how a new organization could be recognized by my existing projects, because there is no link between them.
The goal of course is not to have any downtime.
Sure, I would purchase Google support, but that's only possible if you have an organization, which I don't have.
I'm really confused and troubled.
Looking forward to any suggestions.
Many thanks in advance!
Roland
Firstly, you need to create your new organization. Start by creating a Google Workspace environment (go to https://admin.google.com and create it). You can create the org with a Google Workspace free trial and then cancel your subscription, no worry, I'm paying nothing!
Secondly, with your new Google Workspace account and your new user, go to https://console.cloud.google.com. Here, select your organization and go to IAM. Add as a member the user account under which your projects were created in the "No Organization" organisation, and grant it the role Organization Administrator.
Perfect. Now, go back to your user account (freshly granted) and go to the resource manager. I use the project picker window to go there.
Finally, migrate your project. Select one project from "No Organization", click on migrate, select the Organization, and validate. That's all. No downtime.
Your Cloud Identity organization is created when you finish your signup and setup steps for your Cloud Identity service.
To answer your questions:
What will I have to do to get this running with my existing projects?
The simple answer is Migrate projects and billing accounts and set permissions.
This documentation explains how to Grant access to billing accounts and Grant access to projects.
Will I afterwards be able to link my existing projects to this new organization without downtime and loss of existing permissions?
Once a Google Cloud Organization resource has been created for your domain, you can move your existing projects into the organization.
There should be NO server downtime or impact as a result of migration.
Take into consideration that the link between projects and billing accounts is preserved, irrespective of the hierarchy.
To migrate a project you will need the following permissions:
resourcemanager.projects.create on the destination organization, typically granted by the Project Creator role.
resourcemanager.projects.update and resourcemanager.projects.setIAMPolicy on the project you are migrating, typically granted by the Owner role.
You can get further information in the following link: Migrating projects with no organization
Additionally, to contact support you could create a case using this link; it doesn't matter if you don't have an organization.

Cannot view/create tenants in Google Identity Platform

I've got a GCP project shared with me with the "project owner" access.
So, I can open and manage the "Identity Platform" users.
But I can't open the "Tenants" page (it's loading infinitely).
So, maybe it requires some additional roles, although I'm an owner of the project and I have the following roles assigned:
App Engine Admin
Cloud Build Editor
Cloud Scheduler Admin
Environment and Storage Object Administrator
Cloud Datastore Owner
Firebase Admin
Logging Admin
Google Cloud Managed Identities Admin
Admin of Tenancy Units
Storage Admin
Storage Object Admin
Storage Transfer Admin
Some people also suggest opening the page in incognito mode, but unfortunately that is not my case.
I have also noticed that "Tenants" is currently in the BETA stage.
But I'm not sure if it's related somehow.
Thanks.
UPDATE:
Does it make sense to use Tenants in Google Identity Platform?
I'm the owner of my project and tenants work well. You must be lacking some permissions (and it's very hard to find information; I'm in contact with the PM and will try to find out more).
About the relevance of tenants, it all depends on your use cases: for instance, if you have users from different contexts/customers and you want to manage authentication differently according to that context.
If a customer doesn't pay, you can also deactivate their tenant and disrupt authentication (and thus the service) until payment.
Your use case has to make sense, not the technical capabilities.
UPDATE
About permissions, there are no predefined roles yet and you have to build a custom role for this. The list of permissions is the same as for Firebase.