Create Billing Project: Organizational Constraint: iamAllowedPolicyMemberDomains

Comments

8 comments

  • Samantha (she/her)

    Hi Ed Rodgers - NOAA Federal,

    Thanks for writing in. Can you please share a screenshot of what you are doing when you receive the error? Are you creating a billing project in Terra, or updating a billing account on GCP?

    Best,

    Samantha

  • Ed Rodgers - NOAA Federal

    Samantha,

    I am adding the required domain role of "Billing Account User" in GCP at the organization level when I receive the policy error described. I think it might be because the GCP policy iamAllowedPolicyMemberDomains does not include the domain IDs associated with terra-billing@terra.bio.

    Is there a published list of organization IDs that are required so that we may add them?

  • Samantha (she/her)

    Hi Ed Rodgers - NOAA Federal,

    Thanks for clarifying. That policy is set by your IT department, or whoever manages your Google Cloud environment. They will need to allow the terra-billing@terra.bio/terra-billing@firecloud.org addresses, or those domains.

    Best,

    Samantha

  • Ed Rodgers - NOAA Federal

    Samantha,

    The current policy that we have lists org IDs rather than domain names. Could you provide those org IDs? Basically we'd like to allow the Terra GCP organization access and not reference individual domain names.

    Thanks!

  • Samantha (she/her)

    Hi Ed Rodgers - NOAA Federal,

    The org ID is 386193000800.

    Best,

    Samantha

  • Ed Rodgers - NOAA Federal

    Samantha,

    So close! I went to add the ID into the policy but it failed. I looked further into it, and what we actually need is the "DIRECTORY_CUSTOMER_ID" field, which can be obtained from:

    gcloud organizations list

    For me this outputs 3 fields:

    DISPLAY_NAME, ID, and DIRECTORY_CUSTOMER_ID

    Ours is a 9 character string of letters and numbers.

    Here is the info for the GCP policy in question:

    constraints/iam.allowedPolicyMemberDomains

    "Domain restricted sharing
    This list constraint defines the set of members that can be added to Cloud IAM policies. By default, all user identities are allowed to be added to Cloud IAM policies. The allowed/denied list must specify one or more Cloud Identity or G Suite customer IDs. If this constraint is active, only identities in the allowed list will be eligible to be added to Cloud IAM policies."

    This policy is required for our organization. It's preventing me from adding users from your domain to use our billing account.

    Thanks!

  • Samantha (she/her)

    Hi Ed Rodgers - NOAA Federal,

    The DIRECTORY_CUSTOMER_ID is C02e6ak51.

    Best,

    Samantha

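The procedure worked out in the thread (read DIRECTORY_CUSTOMER_ID from `gcloud organizations list`, then allow that value, not the numeric org ID, under constraints/iam.allowedPolicyMemberDomains), as an added example that is not part of the original thread or Terra's own tooling. It assumes the three-column listing format named above, that customer IDs are nine alphanumerics starting with "C" (as the thread observes), and constructs a sample listing in which only the Terra customer ID C02e6ak51 is taken from the thread.

```shell
#!/bin/sh
# Added example: validate customer IDs and render the org-policy file for
# constraints/iam.allowedPolicyMemberDomains. Not from the thread or Terra.

# Accept only a Cloud Identity / Workspace customer ID (assumed shape:
# "C" + 8 alphanumerics). A numeric org ID such as 386193000800 is rejected,
# which is exactly why the first attempt in the thread failed.
is_customer_id() {
  printf '%s' "$1" | grep -Eq '^C[0-9A-Za-z]{8}$'
}

# Read the table printed by `gcloud organizations list` on stdin and print
# the DIRECTORY_CUSTOMER_ID column for the row whose DISPLAY_NAME is $1
# (assumes display names contain no spaces).
customer_id_for_org() {
  awk -v name="$1" 'NR > 1 && $1 == name { print $3 }'
}

# Emit a policy file for `gcloud resource-manager org-policies set-policy`,
# one allowedValues entry per argument. Fails closed on any malformed ID so a
# bad value never reaches the allow list.
build_policy() {
  for id in "$@"; do
    is_customer_id "$id" || { echo "not a customer ID: $id" >&2; return 1; }
  done
  printf 'constraint: constraints/iam.allowedPolicyMemberDomains\nlistPolicy:\n  allowedValues:\n'
  for id in "$@"; do
    printf '    - %s\n' "$id"
  done
}

# Constructed sample listing: example.org and its IDs are made up; the
# terra.bio row carries the org ID and customer ID given in the thread.
SAMPLE_LISTING='DISPLAY_NAME  ID            DIRECTORY_CUSTOMER_ID
example.org   123456789012  C0example
terra.bio     386193000800  C02e6ak51'

# Demo: keep our own domain allowed and add Terra's customer ID alongside it.
own_id=$(printf '%s\n' "$SAMPLE_LISTING" | customer_id_for_org example.org)
build_policy "$own_id" C02e6ak51
# Apply with: gcloud resource-manager org-policies set-policy policy.yaml --organization=ORG_ID
```

Always include your own customer ID in allowedValues; a list containing only the external ID would lock your own identities out of IAM bindings.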
  • Ed Rodgers - NOAA Federal

    That's the ticket! Thanks very much for your help.
