Super Admin account lacks GCP Organization Administrator rights — cannot manage org-level IAM or policies

I am the Google Workspace Super Admin for a newly created org (URL Removed by Staff). I am also the Owner of a GCP project (PII Removed by Staff) that was recently migrated into this organization.

My account does not have GCP Organization Administrator rights, even though it is the Workspace Super Admin. I cannot modify org-level IAM policies or Organization Policies in Google Cloud Console or via the gcloud CLI.

What I’ve tried:

  • Accessing org-level IAM in GCP Console as Super Admin — access denied

  • Running gcloud organizations get-iam-policy — returns permission denied

  • Running gcloud organizations add-iam-policy-binding — returns permission denied

Why this is needed: The org has an active iam.allowedPolicyMemberDomains policy that is blocking my Cloud Run service from being made publicly accessible, which I need to fix in order to deploy my application to production.

Hello @Ben_Rohrs,

You have to assign the “Organization Policy Admin” predefined IAM role to your Workspace Super User at the ORGANIZATION level prior to doing anything with org policies.

This is a security mechanism applied by the vendor.

To do that:

You must have one of the following roles:

  • Organization Admin (roles/resourcemanager.organizationAdmin)

  • IAM Admin (roles/resourcemanager.organizationAdmin) or an equivalent role with the necessary permissions to manage IAM roles and policies at the organizational level.

Then wait a few minutes and you should be able to deal with policies :slight_smile:

cheers,
Damian | GDE for Google Cloud
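
The grant described in the answer above, written out as gcloud commands with input checks and a verification step. This is an added example, not code from either poster: the organization ID and member address passed in are placeholders, `roles/orgpolicy.policyAdmin` is the ID of the predefined "Organization Policy Admin" role, and the helper names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. ORG_ID and MEMBER are placeholders.
# With DRY_RUN=1 (the default) the gcloud commands are printed, not executed.
DRY_RUN="${DRY_RUN:-1}"
ORGPOLICY_ADMIN="roles/orgpolicy.policyAdmin"   # "Organization Policy Admin"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Reject malformed input before it reaches an org-wide IAM change.
valid_org_id() { case "$1" in ''|*[!0-9]*) return 1;; *) return 0;; esac; }
valid_member() {
  case "$1" in
    user:*@*|group:*@*|serviceAccount:*@*) return 0;;
    *) return 1;;   # allUsers / allAuthenticatedUsers are refused here
  esac
}

grant_orgpolicy_admin() {   # usage: grant_orgpolicy_admin ORG_ID MEMBER
  valid_org_id "$1" || { echo "bad org id: $1" >&2; return 2; }
  valid_member "$2" || { echo "bad member: $2" >&2; return 2; }
  run gcloud organizations add-iam-policy-binding "$1" \
    --member="$2" --role="$ORGPOLICY_ADMIN"
}

# Lists the org-level roles bound directly to MEMBER, one per line
# (roles inherited through group membership do not appear).
list_member_roles() {       # usage: list_member_roles ORG_ID MEMBER
  valid_org_id "$1" && valid_member "$2" || return 2
  run gcloud organizations get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.members:$2" \
    --format="value(bindings.role)"
}

# Reads role names on stdin (the output of list_member_roles) and succeeds
# only if the Organization Policy Admin role is among them.
has_orgpolicy_admin() { grep -qxF "$ORGPOLICY_ADMIN"; }

# Shows the constraint named in the question once the role has propagated.
show_domain_constraint() {  # usage: show_domain_constraint ORG_ID
  valid_org_id "$1" || return 2
  run gcloud org-policies describe iam.allowedPolicyMemberDomains \
    --organization="$1"
}
```

Set `DRY_RUN=0` to execute the commands; `list_member_roles ORG_ID MEMBER | has_orgpolicy_admin` then confirms the binding exists before any org policy is touched.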