Google Cloud IAM Policy Binding Issues and Remediations During a Cloud Connection Creation:
The issue that you may notice during Permission assignment:
ERROR: Policy modification failed. For binding with the condition, run "gcloud alpha iam policies lint-condition"
to identify issues in condition.
ERROR: (gcloud.projects.add-iam-policy-binding) FAILED_PRECONDITION: One or more users named in the policy do not belong to a permitted customer.
- '@type': type.googleapis.com/google.rpc.PreconditionFailure violations: - description: User xxxxxx@appranixsra.iam.gserviceaccount.com is
not in permitted organization. subject: orgpolicy:projects/gcp-project-id-01?configvalue=xxxxx%40appranixsra.iam.gserviceaccount.com
type: constraints/iam.allowedPolicyMemberDomains
Details of the cause of the issue and its remediations are as follows:
What causes failures during automated Google Cloud IAM policy assignments?
ARS creates a service account name of form "xxxxxxx@appranixsra.iam.gserviceaccount.com" during the creation of Cloud Connections. This service account belongs to theappranix.com domain. If this domain is not whitelisted in your Project under"constraints/iamAllowedPolicyMemberDomain"policy, ARS will not able to discover, protect, and recover resources in your project.
Who can authorize the Organization Policy changes?
Organization Policy can be edited at the project or organization level. If you are the Organization Administrator, you can assign the "Organization Policy Administrator" Role permissions to allow users to edit the policy bindings at the organization level.
How to whitelist the Appranix domain in the Organization Policy?
Under your GCP Project, navigate to IAM -> "Organization Policies" -> Filter "Domain restricted sharing"
If you have valid permissions, you should be able to edit it with the following values (refer the image below)
Choose Customize
Set Policy enforcement to Replace (Read the caution note)
Set Policy values to Custom
Set Policy type to Allow
Add the following Custom values: "C03c05rb4" and "Your organizations DIRECTORY_CUSTOMER_ID"
Note: "C03c05rb4" is the Appranix organization’s DIRECTORY_CUSTOMER_ID
How do I get your Organization’s directory ID?
On your Cloud Shell, use the command `gcloud organizations list` to get the organization directory ID.
Save the policy to allow you to run ARS created Cloud Shell commands
Caution: The minimum required values are the DIRECTORY_CUSTOMER_ID to which your email id belongs and Appranix DIRECTORY_CUSTOMER_ID, if you miss any organization's valid ids in this, the access for the users of the organization will be revoked and it has to be reset, so please use this in a test project or with approval from the organization policy owner to add all whitelisted ids.