I am locked out of my own Organization Policy Administrator role, and I can't assign the permission to myself (not even Cloud Shell works)

I cannot give myself any organization administration rights even though I created and own the organization. My projects are essentially trapped in the organization, and I can’t even make a ticket to get help for it because I don’t have permission to.

I’m basically stuck in a permanent loop.

I created the organization. My project is in the organization, and the Google Cloud Console Terminal is also rejecting everything saying I don’t have permission.

If I run the command in cloud shell (the supposed magic bullet according to all the support I’ve seen):
gcloud organizations add-iam-policy-binding xxxxxx --member='user:me@site.com' --role='roles/orgpolicy.policyAdmin'

I get the error:

ERROR: (gcloud.organizations.add-iam-policy-binding) [me@site.com] does not have permission to access organizations instance [xxxxxxx:getIamPolicy] (or it may not exist): The caller does not have permission. This command is authenticated as me@site.com which is the active account specified by the [core/account] property

The Cloud Shell also seems to be force-selecting my project (there doesn’t seem to be an organization level elevation in cloud shell I can find).

Forgive me if this is the wrong place to post this, but this is totally crazy. I tried everything here: Cant assign Organization Policy Administrator role to myself

I’ve also tried doing it in IAM at the organization level (but I’m locked out and have to ask myself for permissions, which, surprise, doesn’t work). The console is supposed to

1 Like

Hello @trdev1055 ,

We will try to handle it.

  1. Do you have access to the user who has super admin rights on your Google Workspace associated with your Google Cloud Org (in other words, do you have access to the account which was the first account when you created your Google Workspace)? → This is the first question, which determines further steps :)

cheers,
Damian | GDE for Google Cloud

Hi! I just figured it out now. As it turns out, there was a weird permission inheritance issue due to us using a gsuite/workspace setup. Another “super admin” account (creator/sub of the workspace) was able to apply the permission command to me at the org level in Cloud Shell just now and it fixed the issue.

I might not be using the correct terminology, but it ultimately happened because my account was not actually the “super admin” account that had the permissions to make organization-level changes, and I hadn’t realized that the two services integrated at that level where the organization permission was tied to the workspace. Either way, it’s a very niche issue that I doubt many will run into.

I appreciate your timeliness!

2 Likes
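
The lockout and fix described in this thread, as an added example that is not part of the original posts: an offline check over an exported organization IAM policy that shows why the account could not grant itself the role and which principal has to run the binding command. The policy JSON, the `admin@site.com` account, the function names and the `GRANTING_ROLES` set are constructed assumptions.

```python
import copy
import json

TARGET_ROLE = "roles/orgpolicy.policyAdmin"  # role requested in the thread
# Assumption: roles treated here as able to edit the organization IAM policy.
GRANTING_ROLES = {"roles/resourcemanager.organizationAdmin"}

# Constructed sample, shaped like `gcloud organizations get-iam-policy ORG_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["user:admin@site.com"]},
    {"role": "roles/resourcemanager.projectCreator",
     "members": ["domain:site.com"]}
  ],
  "etag": "constructed",
  "version": 1
}
""")

def roles_for(policy, member):
    """Roles bound directly to member (group and domain membership is not resolved)."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}

def diagnose(policy, member):
    """Report whether member holds TARGET_ROLE and which principals could grant it."""
    held = roles_for(policy, member)
    granters = {m for b in policy.get("bindings", [])
                if b["role"] in GRANTING_ROLES for m in b.get("members", [])}
    return {"has_target": TARGET_ROLE in held,
            "can_self_grant": bool(held & GRANTING_ROLES),
            "ask": sorted(granters - {member})}

def add_binding(policy, member, role):
    """Offline equivalent of add-iam-policy-binding: returns an updated copy."""
    updated = copy.deepcopy(policy)
    for b in updated.setdefault("bindings", []):
        if b["role"] == role and "condition" not in b:
            if member not in b.setdefault("members", []):
                b["members"].append(member)
            return updated
    updated["bindings"].append({"role": role, "members": [member]})
    return updated

if __name__ == "__main__":
    me = "user:me@site.com"
    print(diagnose(SAMPLE_POLICY, me))  # before: cannot self-grant
    print(diagnose(add_binding(SAMPLE_POLICY, me, TARGET_ROLE), me))  # after the grant
```
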