Create Billing Project: Organizational Constraint: iamAllowedPolicyMemberDomains
Hello,
I'm attempting to add the "Billing Account User" role for terra-billing@terra.bio, however there's a policy violation being hit for our org:
"A domain restriction organization policy is in place. Only members of allowed domains can be added as members of the policy. Correct the member emails and try again."
Is there a workaround for this issue?
Thanks!
Comments
8 comments
Hi Ed Rodgers - NOAA Federal,
Thanks for writing in. Can you please share a screenshot of what you are doing when you receive the error? Are you creating a billing project in Terra, or updating a billing account on GCP?
Best,
Samantha
Samantha,
I am adding the required domain role of "Billing Account User" in GCP at the organization level when I receive the policy error described. I think it might be because the GCP policy: iamAllowedPolicyMemberDomains does not include the domain IDs associated with terra-billing@terra.bio.
Is there a published list of organization IDs that are required so that we may add them?
Hi Ed Rodgers - NOAA Federal,
Thanks for clarifying. That policy is set by your IT department, or whoever manages your Google Cloud environment. They will need to allow the terra-billing@terra.bio/terra-billing@firecloud.org addresses, or those domains.
Best,
Samantha
Samantha,
The current policy that we have lists org IDs rather than domain names. Could you provide those org IDs? Basically we'd like to allow the Terra GCP organization access and not reference individual domain names.
Thanks!
Hi Ed Rodgers - NOAA Federal,
The org ID is 386193000800.
Best,
Samantha
Samantha,
So close! I went to add the ID into the policy but it failed. I looked further into it, and what we actually need is the "DIRECTORY_CUSTOMER_ID" field which can be obtained from:
gcloud organizations list
For me this outputs 3 fields:
DISPLAY_NAME, ID, and DIRECTORY_CUSTOMER_ID
Ours is a 9 character string of letters and numbers.
Here is the info for the GCP policy in question:
constraints/iam.allowedPolicyMemberDomains
"Domain restricted sharing
This list constraint defines the set of members that can be added to Cloud IAM policies. By default, all user identities are allowed to be added to Cloud IAM policies. The allowed/denied list must specify one or more Cloud Identity or G Suite customer IDs. If this constraint is active, only identities in the allowed list will be eligible to be added to Cloud IAM policies."
This policy is required for our organization. It's preventing me from adding users from your domain to use our billing account.
Thanks!
Hi Ed Rodgers - NOAA Federal,
The DIRECTORY_CUSTOMER_ID is C02e6ak51.
Best,
Samantha
That's the ticket! Thanks very much for your help.
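The procedure worked out in this thread, as an added example that is not part of the original posts: pull the DIRECTORY_CUSTOMER_ID out of `gcloud organizations list`, refuse the numeric organization ID that the constraint rejects, and render the allow list for `constraints/iam.allowedPolicyMemberDomains`. It assumes the three-column output described above and the legacy `gcloud resource-manager org-policies` YAML shape (constraint / listPolicy / allowedValues); the sample table is constructed, and every ID in it is a placeholder except C02e6ak51, which the thread gives for the Terra organization.

```shell
#!/bin/sh
# Added example, not Terra's or Google's code. Assumes the column layout
# shown in the thread (DISPLAY_NAME, ID, DIRECTORY_CUSTOMER_ID) and the
# legacy `gcloud resource-manager org-policies` YAML format.

CONSTRAINT="constraints/iam.allowedPolicyMemberDomains"

# Constructed stand-in for `gcloud organizations list` output. The
# example.org row is made up; C02e6ak51 is the value given in the thread.
SAMPLE_ORG_LIST='DISPLAY_NAME        ID              DIRECTORY_CUSTOMER_ID
example.org         123456789012    C01abcdef
terra.bio           386193000800    C02e6ak51'

# Print the DIRECTORY_CUSTOMER_ID for a DISPLAY_NAME, reading the table
# on stdin. Returns 1 if the name is not present.
customer_id_for() {
  awk -v name="$1" 'NR > 1 && $1 == name { print $3; found = 1 } END { exit !found }'
}

# Customer IDs have the shape "C" + 8 alphanumerics (e.g. C02e6ak51);
# this is an assumption drawn from the thread. A bare numeric organization
# ID (386193000800) does not match and is exactly what the constraint
# rejected when it was tried.
is_customer_id() {
  printf '%s' "$1" | grep -Eq '^C[0-9a-zA-Z]{8}$'
}

# Emit the policy YAML for `gcloud resource-manager org-policies set-policy`.
# Every argument must be a customer ID; anything else aborts before output.
render_policy() {
  for id in "$@"; do
    is_customer_id "$id" || { echo "not a customer ID: $id" >&2; return 1; }
  done
  printf 'constraint: %s\nlistPolicy:\n  allowedValues:\n' "$CONSTRAINT"
  for id in "$@"; do
    printf '  - %s\n' "$id"
  done
}

# Typical use against live gcloud output (not executed in this example):
#   OWN_ID=$(gcloud organizations list | customer_id_for "example.org")
#   render_policy "$OWN_ID" C02e6ak51 > policy.yaml
#   gcloud resource-manager org-policies set-policy policy.yaml --organization=ORG_ID
```

Keep your own organization's customer ID in the list when you add a second one: `set-policy` replaces the whole allow list, so a policy containing only the Terra ID would lock your own domain's identities out of new IAM bindings.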