Unable to trigger Cloud Function - Blocked by 'iam.allowedPolicyMemberDomains' Organization Policy

Hello community,

I am the super-administrator of a new Google Workspace organization and I am completely deadlocked by a security policy. I have tried every documented method to solve this and would be extremely grateful for any help.

Goal:
Trigger a Cloud Function (Gen 2) when a new email arrives in my Workspace Gmail account.

Core Problem:
The iam.allowedPolicyMemberDomains organization policy is active and prevents any identity outside my organization from being granted IAM roles. This blocks all event-driven triggers for my Cloud Function.

What I have tried:

  1. Gmail API Push to Pub/Sub: Fails because the Gmail service account (gmail-api-push@system.gserviceaccount.com) cannot be granted the pubsub.publisher role. The attempt to add this permission results in a FAILED_PRECONDITION error due to the organization policy.

  2. Editing the Organization Policy (as orgpolicy.policyAdmin): I have the roles/orgpolicy.policyAdmin role. I have tried to edit the iam.allowedPolicyMemberDomains policy to add an exception. Both the web console and gcloud reject every possible syntax (serviceAccount:…, domain:…, under:cloudidentity…) with an “Invalid value” error.

  3. Temporarily Disabling the Policy at the Project Level: I attempted the standard workaround to temporarily disable the policy on the project, grant the permission, and then re-enable it.

    • gcloud org-policies set-policy with a rule of “allowAll”: true fails with a Name field not present or INVALID_ARGUMENT error, depending on the JSON structure. The API seems to reject all formats.

  4. Authenticated Pub/Sub Push Subscription: I created a push subscription that uses a service account from my own project (with run.invoker role) to call the Cloud Function’s HTTP endpoint. This also fails, with the function logs showing The request was not authenticated.

  5. Allowing Unauthenticated Invocation: Deploying the function with --allow-unauthenticated fails with the same FAILED_PRECONDITION error, as the organization policy blocks adding allUsers to the IAM policy.

Conclusion:
I am in a complete deadlock. It seems impossible to either (a) grant the necessary cross-service permissions or (b) disable the policy that prevents it, even temporarily at a project level. This seems to be a common issue for new Google Workspace organizations with default security policies.

Question:
Is there a known, working procedure for new Google Workspace organizations to allow Google’s own services (like Gmail API push) to interact with project resources when this restrictive policy is active? How can I correctly configure an exception to the iam.allowedPolicyMemberDomains policy?

Thank you for any guidance.
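Editor's added example (not part of the original post, and not an official answer to it): the shape of the Organization Policy v2 document that `gcloud org-policies set-policy` accepts for a project-level override of `iam.allowedPolicyMemberDomains`, wrapped in a helper that lifts the constraint for the shortest possible window, performs one IAM grant, and resets the project so it inherits the organization policy again. The v2 document requires a top-level `name` field (`projects/PROJECT_ID/policies/CONSTRAINT`); the "Name field not present" error quoted above is what the API returns when that field is missing. For this constraint, explicit allowed values are Cloud Identity / Google Workspace customer IDs (format `Cxxxxxxxx`), not `domain:` or `serviceAccount:` principal strings. The project ID, topic name and customer IDs below are placeholders; the `gcloud` commands are real but only execute when the script is invoked with arguments.

```shell
#!/bin/sh
# Added example, not code from the original post. Requires roles/orgpolicy.policyAdmin
# on the project (or above) and roles/pubsub.admin (or equivalent) on the topic.
set -eu

CONSTRAINT="iam.allowedPolicyMemberDomains"

# Render a project-scoped policy that lifts the constraint entirely (allowAll).
# The top-level `name` field is mandatory in the v2 policy document.
render_allow_all_policy() {
  project_id="$1"
  cat <<EOF
name: projects/${project_id}/policies/${CONSTRAINT}
spec:
  rules:
  - allowAll: true
EOF
}

# Render a project-scoped policy that keeps the restriction but lists explicit
# allowed values. Each value must be a customer ID such as C0123abcd (placeholder);
# `gcloud organizations list` shows your own as DIRECTORY_CUSTOMER_ID.
render_allowed_values_policy() {
  project_id="$1"; shift
  echo "name: projects/${project_id}/policies/${CONSTRAINT}"
  echo "spec:"
  echo "  rules:"
  echo "  - values:"
  echo "      allowedValues:"
  for v in "$@"; do
    echo "      - ${v}"
  done
}

# Lift the constraint on one project, add a single Pub/Sub topic binding, then
# reset the project so it inherits the organization policy again. The reset runs
# from a trap so the override does not linger if the grant fails. The constraint
# is evaluated when a binding is added, so the binding granted here survives
# the reset.
grant_with_temporary_override() {
  project_id="$1"; topic="$2"; member="$3"; role="$4"
  policy_file="$(mktemp)"
  # shellcheck disable=SC2064  # expand now so the trap keeps these values
  trap "gcloud org-policies reset '${CONSTRAINT}' --project='${project_id}'; rm -f '${policy_file}'" EXIT

  render_allow_all_policy "$project_id" > "$policy_file"
  gcloud org-policies set-policy "$policy_file"

  gcloud pubsub topics add-iam-policy-binding "$topic" \
    --project="$project_id" \
    --member="$member" \
    --role="$role"

  # Show what is actually enforced after the trap restores inheritance.
  gcloud org-policies describe "$CONSTRAINT" --project="$project_id" --effective
}

# Usage (placeholders): only runs when invoked with four arguments, e.g.
#   sh override.sh my-project gmail-push-topic \
#     serviceAccount:gmail-api-push@system.gserviceaccount.com roles/pubsub.publisher
if [ "$#" -ge 4 ]; then
  grant_with_temporary_override "$1" "$2" "$3" "$4"
fi
```

Two practitioner notes: verify the result with `gcloud org-policies describe iam.allowedPolicyMemberDomains --project=PROJECT_ID --effective` after the script exits, since the point of the trap is that the override should no longer be visible there; and prefer the `allowedValues` form with your own customer ID over `allowAll` whenever the principal you need to grant belongs to your organization, reserving the `allowAll` window for Google-owned identities such as the Gmail push service account that cannot be expressed as a customer ID.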