Organization Policy violation when setting IAM policy

Problem

When trying to set an IAM policy on a Google Cloud Platform project using the Cloud Resource Manager API, you receive an error similar to the one below:

HttpError 400 when requesting https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:setIamPolicy?alt=json returned "One or more users named in the policy do not belong to a permitted customer.". Details: "[{'@type': 'type.googleapis.com/google.rpc.PreconditionFailure', 'violations': [{'type': 'constraints/iam.allowedPolicyMemberDomains', 'description': 'User is not in permitted organization.'}]}]"

Environment

  • API: Cloud Resource Manager
  • Resource: Organization, Project or Folder

Solution

  1. Check the current configuration for the constraint iam.allowedPolicyMemberDomains.
  2. Review all the members of the IAM policy that you're trying to set, not just the newly added members.
  3. Make sure that the domains of all members are allowed in the Organization Policy constraint iam.allowedPolicyMemberDomains.
  4. The constraint takes a Customer ID as its value. The Customer ID can be retrieved using gcloud or the API.

Workaround

  • Temporarily disable the Organization Policy constraint iam.allowedPolicyMemberDomains until the IAM policy binding is applied.
  • If some policy members aren't part of the safelisted Customer ID(s), you can add them to a Google Group and then use the group for the IAM policy binding as described here

Cause

Cloud Resource Manager (CRM) Organization Policies don't have a retroactive effect. If one or more principals were added to the IAM policy binding before the iam.allowedPolicyMemberDomains constraint was enabled, adding the constraint does not affect them.

However, the Cloud Resource Manager API setIamPolicy method overwrites the existing IAM policy rather than appending to it. When the IAM policy is written from scratch with the iam.allowedPolicyMemberDomains constraint enabled, the constraint blocks the operation if any of the principals don't belong to a safelisted Customer ID.
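The Solution steps above and this read-modify-write behaviour are easier to see in code. The following is an added example, not Google's code or any library API: it takes a policy as getIamPolicy returns it, adds the new binding the way a caller would before setIamPolicy, and then checks every member of the resulting policy (not only the new one) against the set of domains you know are safelisted, so a pre-existing principal from a foreign domain is caught before the API rejects the whole write. The sample policy, the domains and the service account name are constructed. Assumptions: the constraint always rejects allUsers and allAuthenticatedUsers, and service accounts are accepted or rejected by the organization that owns their project rather than by their e-mail domain, so they are listed for manual review rather than judged offline.

```python
from copy import deepcopy

# Special principals that domain restricted sharing always rejects once the
# constraint is enforced (assumption based on Google's documentation).
ALWAYS_BLOCKED = {"allUsers", "allAuthenticatedUsers"}


def member_domain(member: str):
    """Return the lower-cased domain of a user:, group: or domain: member, else None."""
    kind, _, ident = member.partition(":")
    if kind in ("user", "group") and "@" in ident:
        return ident.rsplit("@", 1)[1].lower()
    if kind == "domain":
        return ident.lower()
    return None


def find_blocked_members(policy: dict, allowed_domains: set[str]) -> dict:
    """Check every binding, because setIamPolicy replaces the whole policy.

    Returns {"blocked": [(role, member), ...], "review": [(role, member), ...]}.
    "review" holds service accounts, whose eligibility depends on the owning
    organization and cannot be decided from the e-mail domain alone (assumption).
    """
    allowed = {d.lower() for d in allowed_domains}
    report = {"blocked": [], "review": []}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in ALWAYS_BLOCKED:
                report["blocked"].append((role, member))
            elif member.startswith("serviceAccount:"):
                report["review"].append((role, member))
            else:
                domain = member_domain(member)
                if domain is not None and domain not in allowed:
                    report["blocked"].append((role, member))
    return report


def add_binding(policy: dict, role: str, member: str) -> dict:
    """Read-modify-write: return a copy of the policy with member granted role."""
    new_policy = deepcopy(policy)
    for binding in new_policy.setdefault("bindings", []):
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new_policy
    new_policy["bindings"].append({"role": role, "members": [member]})
    return new_policy


def check_and_update(policy: dict, allowed_domains: set[str], role: str, member: str):
    """Build the policy setIamPolicy would receive and report what the constraint would reject."""
    candidate = add_binding(policy, role, member)
    return candidate, find_blocked_members(candidate, allowed_domains)


# Constructed sample policy in the shape getIamPolicy returns (etag is made up).
EXAMPLE_POLICY = {
    "version": 1,
    "etag": "BwX-constructed=",
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/viewer", "members": [
            "user:old-contractor@partner.example",  # granted before the constraint
            "serviceAccount:ci@my-project.iam.gserviceaccount.com",
        ]},
        {"role": "roles/browser", "members": ["allUsers"]},
    ],
}

if __name__ == "__main__":
    candidate, report = check_and_update(
        EXAMPLE_POLICY, {"example.com"}, "roles/editor", "user:dev@example.com")
    for role, member in report["blocked"]:
        print(f"BLOCKED  {member} ({role}) is outside the safelisted domains")
    for role, member in report["review"]:
        print(f"REVIEW   {member} ({role}) depends on the owning organization")
    if not report["blocked"]:
        print("policy is safe to submit with setIamPolicy")
```

Only when `report["blocked"]` is empty should `candidate` be passed to setIamPolicy (with googleapiclient that is `projects().setIamPolicy(resource=PROJECT_ID, body={"policy": candidate})`, keeping the etag so concurrent edits are detected). The safelisted domains are whatever domains belong to the Customer IDs listed in the constraint; `gcloud organizations list` shows each organization's directory Customer ID, and `gcloud resource-manager org-policies describe iam.allowedPolicyMemberDomains --organization=ORG_ID` shows the constraint's current value.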