Google Cloud IAM Policy Binding Issues and Remediation

Google Cloud IAM Policy Binding Issues and Remediation

Google Cloud IAM Policy Binding Issues and Remediations During a Cloud Connection Creation:


The issue that you may notice during Permission assignment:

ERROR: Policy modification failed. For binding with the condition, run "gcloud alpha iam policies lint-condition" 
to identify issues in condition.
ERROR: (gcloud.projects.add-iam-policy-binding) FAILED_PRECONDITION: One or more users named in the policy do not belong to a permitted customer.
- '@type': type.googleapis.com/google.rpc.PreconditionFailure  violations:  - description: User xxxxxx@appranixsra.iam.gserviceaccount.com is
 not in permitted organization. subject: orgpolicy:projects/gcp-project-id-01?configvalue=xxxxx%40appranixsra.iam.gserviceaccount.com    
type: constraints/iam.allowedPolicyMemberDomains

Details of the cause of the issue and its remediations are as follows:

What causes failures during automated Google Cloud IAM policy assignments?

ARS creates a service account name of form "xxxxxxx@appranixsra.iam.gserviceaccount.com" during the creation of Cloud Connections. This service account belongs to theappranix.com domain. If this domain is not whitelisted in your Project under"constraints/iamAllowedPolicyMemberDomain"policy, ARS will not able to discover, protect, and recover resources in your project.

Who can authorize the Organization Policy changes?

Organization Policy can be edited at the project or organization level. If you are the Organization Administrator, you can assign the "Organization Policy Administrator" Role permissions to allow users to edit the policy bindings at the organization level.

  How to whitelist the Appranix domain in the Organization Policy?

  1. Under your GCP Project, navigate to IAM -> "Organization Policies" -> Filter "Domain restricted sharing"

  1. If you have valid permissions, you should be able to edit it with the following values (refer the image below)

    1. Choose Customize

    2. Set Policy enforcement to Replace (Read the caution note)

    3. Set Policy values to Custom

    4. Set Policy type to Allow

    5. Add the following Custom values:  "C03c05rb4" and "Your organizations DIRECTORY_CUSTOMER_ID"

   Note: "C03c05rb4" is the Appranix organization’s DIRECTORY_CUSTOMER_ID

  1. How do I get your Organization’s directory ID?

            On your Cloud Shell, use the command `gcloud organizations list` to get the organization directory ID.

  1. Save the policy to allow you to run ARS created Cloud Shell commands

Caution: The minimum required values are the DIRECTORY_CUSTOMER_ID to which your email id belongs and Appranix DIRECTORY_CUSTOMER_ID, if you miss any organization's valid ids in this, the access for the users of the organization will be revoked and it has to be reset, so please use this in a test project or with approval from the organization policy owner to add all whitelisted ids.



    • Related Articles

    • GCP Environment Onboarding

      Subscribe from GCP market place Search for "Appranix" in GCP Marketplace. Subscribe to the "Appranix Cloud Application Resilience". Register an account with Appranix using the registration form. Activate your account through the verification email ...

    • GCP Kubernetes Protection Service

      Overview Protect and recover your entire Kubernetes apps, configurations, and data for your app resilience Protect your on-prem or on-cloud clusters for high availability Become compliant with organizational DR policies No infrastructure required, ...

    • AWS Environment Onboarding

      Subscribe from AWS Marketplace Search for "Appranix" in the AWS Marketplace Subscribe for "Appranix Cloud Application Resilience" from the search result Subscribe to the service Register your account with Appranix AWS Onboarding Prerequisites For ...

    • When a Cloud Assembly's existing policy is deleted, will Appranix delete all the snapshots created using the policy?

      Yes, if a Cloud Assembly's existing policy is removed, Appranix cleans up all the snapshots generated by that particular policy. Note: Appranix will not allow deletion of all the associated policies in a Cloud Assembly. At least one policy should ...

    • How to edit a Cloud Assembly's existing policy?

      * Click the Policies tab inside the Cloud Assembly. * Click on the existing policy. Click the "ACTIONS" button on the top right corner and choose the "EDIT" option. * Update the required fields and save the new changes.