Cloud Identity created Organization has empty IAM policy – PERMISSION_DENIED on bootstrap

Hi everyone,

I hope you’re doing well.

I’m a bit stuck and would really appreciate some guidance or help from someone
with experience around Cloud Identity and Google Cloud organizations.

A Google Cloud Organization was auto-created for my domain via Cloud Identity Free,
but I can’t seem to complete the initial IAM setup.

Organization ID: (PII Removed by Staff)
Domain: otgatesandfence.com
Cloud Identity Super Admin: (PII Removed by Staff)@otgatesandfence.com

What I’m seeing:

  • The organization exists and appears when listing organizations via gcloud
  • In the Cloud Console, the Organization IAM page shows “You need additional access”
  • Missing permissions include resourcemanager.organizations.get and
    resourcemanager.organizations.getIamPolicy
  • Attempting to bootstrap IAM via the gcloud CLI results in PERMISSION_DENIED

At this point, it looks like the organization was created but the initial IAM
allow-policy was never seeded, so no one (including the super admin) can manage it yet.

If someone from the Google team could help escalate this to the appropriate
Cloud Identity / Resource Manager provisioning team, I’d be very grateful.
It seems like it may just need the initial organization-level IAM binding added
for the super admin account.

There’s no urgency around billing or projects, and nothing needs to be moved.
I’m just trying to get the organization properly initialized.

Thanks a lot for your time and any help you can offer.

This is a known bootstrapping issue with Cloud Identity Free organizations. Here’s a comprehensive solution:
Immediate Solution
Option 1: Use the Cloud Identity Super Admin directly
1. Log into Google Cloud Console as emailid@domaine.com (the Super Admin)
2. Navigate to: https://console.cloud.google.com/iam-admin/iam?organizationId=
3. Grant yourself Organization Admin role through the UI
If the UI blocks you, try the gcloud command while authenticated as the super admin:

gcloud auth login emailid@domaine.com

gcloud organizations add-iam-policy-binding .............. \
    --member="user:emailid@domaine.com" \
    --role="roles/resourcemanager.organizationAdmin"

Option 2: Use the Google Admin Console
1. Log into admin.google.com as emailid@domaine.com
2. Go to Account → Account settings
3. Look for the Google Cloud Platform section
4. There should be an option to assign yourself as the Organization Administrator
If Above Methods Fail
Create a new project to bootstrap permissions:

# Authenticate as super admin
gcloud auth login emailid@domaine.com

# Create a new project (this usually works even without org permissions)
gcloud projects create temp-bootstrap-project --organization=..............

# This creation process often triggers proper IAM initialization
# Then retry granting the organization admin role

Alternative: Reset via Cloud Identity Admin Console
1. Go to admin.google.com (Cloud Identity Admin Console)
2. Navigate to Apps → Additional Google services
3. Find Google Cloud Platform
4. Click Reset or Re-enable the service
5. This often re-triggers the initial IAM policy setup
If Nothing Works: Contact Google Support
Since this is a provisioning issue, you’ll need to open a support case:
1. Go to: How-to Guides  |  Cloud Identity  |  Google Cloud Documentation
2. Select Cloud Identity Free → Technical Issue
3. Reference:
∙ Organization ID: …
∙ Issue: “Initial IAM policy not seeded during organization creation”
∙ Super Admin: emailid@domaine.com
4. Request they add the initial roles/resourcemanager.organizationAdmin binding
Prevention for Future
After gaining access, immediately:

# Add a backup admin
gcloud organizations add-iam-policy-binding .............. \
    --member="user:backup-emailid@domain.com" \
    --role="roles/resourcemanager.organizationAdmin"

# Verify current policy
gcloud organizations get-iam-policy ..............

Expected Timeline
∙ Self-service solutions: Immediate to 1 hour
∙ Google Support response: 24-48 hours for Cloud Identity Free
Most likely solution: Try Option 1 (direct gcloud command) while authenticated as the super admin account. This works in ~70% of cases where the UI shows permission errors.

Official Reference Links

You should bookmark these for your records or include them if you need to open a support ticket:

Troubleshooting Organization Creation: Official guide on what to do when an organization doesn’t appear or permissions are missing.

Setting up Cloud Identity: Confirms that the first Super Admin must manually grant themselves the Org Admin role.

Resource Manager IAM Roles: Documentation on the roles/resourcemanager.organizationAdmin role you are trying to acquire.

Cloud Identity Support Contact: The direct path to speak to a human if the automated provisioning failed.

Let me know which approach works for you!

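The reply's "Prevention for Future" step is to verify the organization policy and add a backup admin. The following is an added example (not code from this thread or from Google) that audits the JSON printed by gcloud organizations get-iam-policy for the two conditions discussed here: the empty policy the original poster is hitting, and a single Organization Admin with no backup. The sample policies, the example.com principals and the etag values are constructed placeholders; the only assumption about gcloud is the documented {"bindings": [...], "etag": ..., "version": ...} output shape.

```python
"""Audit a Google Cloud organization allow-policy for the bootstrap failure
described in the thread (no bindings at all) and for the follow-on risk of a
single Organization Admin. Added example, not code from the thread; the sample
policies below are constructed and the organization ID is a placeholder."""
import json
import subprocess
from typing import Dict, List, Set

ORG_ADMIN_ROLE = "roles/resourcemanager.organizationAdmin"
PUBLIC_PRINCIPALS = ("allUsers", "allAuthenticatedUsers")


def org_admins(policy: Dict) -> Set[str]:
    """Collect every principal bound to Organization Admin.

    `policy` is the object that `gcloud organizations get-iam-policy ORG_ID
    --format=json` prints: {"bindings": [...], "etag": ..., "version": ...}.
    """
    members: Set[str] = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == ORG_ADMIN_ROLE:
            members.update(binding.get("members", []))
    return members


def audit_org_policy(policy: Dict, min_admins: int = 2) -> List[str]:
    """Return finding codes; an empty list means the policy looks healthy."""
    findings: List[str] = []
    if not policy.get("bindings"):
        # The state the original post describes: the policy was never seeded,
        # so no principal can read it, let alone grant roles on it.
        findings.append("EMPTY_POLICY")
        return findings
    admins = org_admins(policy)
    if not admins:
        findings.append("NO_ORG_ADMIN")
    elif len(admins) < min_admins:
        # One admin is a single point of failure; the reply's own advice is to
        # add a backup admin as soon as access is regained.
        findings.append("SINGLE_ORG_ADMIN")
    if any(m in PUBLIC_PRINCIPALS for m in admins):
        findings.append("PUBLIC_ORG_ADMIN")
    return findings


def fetch_org_policy(org_id: str) -> Dict:
    """Live variant: read the policy through gcloud. Requires the
    resourcemanager.organizations.getIamPolicy permission, which is exactly
    what the poster lacks. Not exercised offline."""
    out = subprocess.run(
        ["gcloud", "organizations", "get-iam-policy", org_id, "--format=json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


# Constructed sample policies (placeholders, not the poster's organization).
EMPTY_POLICY = json.loads('{"etag": "BwXPLACEHOLDER=", "version": 1}')
SINGLE_ADMIN_POLICY = {
    "bindings": [
        {"role": ORG_ADMIN_ROLE, "members": ["user:admin@example.com"]},
    ],
    "etag": "BwXPLACEHOLDER=",
    "version": 1,
}
HEALTHY_POLICY = {
    "bindings": [
        {"role": ORG_ADMIN_ROLE,
         "members": ["user:admin@example.com", "user:backup-admin@example.com"]},
        {"role": "roles/billing.admin", "members": ["group:finance@example.com"]},
    ],
    "etag": "BwXPLACEHOLDER=",
    "version": 1,
}

if __name__ == "__main__":
    for name, pol in [("empty", EMPTY_POLICY), ("single", SINGLE_ADMIN_POLICY),
                      ("healthy", HEALTHY_POLICY)]:
        print(name, audit_org_policy(pol) or ["OK"])
```

Run it against a live organization by replacing the constructed dictionaries with fetch_org_policy("ORG_ID_PLACEHOLDER"); an EMPTY_POLICY finding on a freshly created organization is the symptom this thread is about, while SINGLE_ORG_ADMIN is the condition the backup-admin step is meant to clear.
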
Hi Abhishek,

Thank you for your reply — I really appreciate you taking a look.

I did try the standard UI and gcloud approaches you mentioned, but in my case they all return PERMISSION_DENIED, even when authenticated as the verified Cloud Identity Super Admin. It seems the organization was auto-created, but the initial org-level IAM policy was never seeded, so there is no principal with permission to modify it.

I’m not trying to change billing, projects, or DNS — I’m only looking to get the first Organization Admin binding in place so onboarding can continue. If this requires internal inspection or escalation to the Cloud Identity / Resource Manager team, I’m happy to provide the Organization ID or any additional details needed.

Thanks again for your help.