Request is prohibited by organization: access error

Problem

When using Google Cloud CLI or gsutil commands against a VPC SC protected Google API, the following error is received.

Request is prohibited by organization's policy. vpcServiceControlsUniqueIdentifier 

Access is blocked despite the following:

  • An Access Level is added to the perimeter configuration to allow access based on Device Policy
  • Access is allowed from Google Chrome on the same device, but not from Google Cloud CLI or gsutil.

Environment

  • VPC SC protected Google API
  • Access Level: Device Policy only
  • Access Method: Google Cloud CLI or gsutil

Solution

  1. Set Google Chrome as the default browser.
  2. From the command line interface of your PC, run the command gcloud auth login.
  3. If Google Chrome does not launch automatically, click on the generated URL.
  4. Authenticate in Google Chrome.
    • Note: Make sure that you authenticate interactively in the browser and not through the verification-code flow (the one that prints a URL and asks you to paste a code back into the terminal).
  5. Re-run the Google Cloud CLI or gsutil command that was blocked before; it should now succeed.

Cause

Device data is collected by the Endpoint Verification extension installed in Google Chrome. That data is then passed, together with the access token metadata, back to Google Cloud CLI or gsutil. If Google Cloud CLI or gsutil is authenticated in any way other than the Google Chrome interactive login, the device data is not passed, and VPC Service Controls together with Access Context Manager cannot verify the device, so access is denied.