Google Cloud Platform – Recover GCP Organization After Removing Admin Role

google-cloud-platform

In the process of building and testing some automated infrastructure provisioning, I accidentally removed the "roles/resourcemanager.organizationAdmin" role (and any others that can set IAM Policy) from myself, and all other users. This means I am currently unable to manage IAM policy for my GCP organization.

This is, needless to say, a pretty big problem. Most notably, my account no longer has a Billing administrator or the ability to assign one, which will very quickly become problematic.

The IAM control panel shows the following tooltip when attempting to edit policies:

You need permissions for this action.
Required permission(s): resourcemanager.organizations.setIamPolicy

Similarly, I receive an error when attempting to set IAM policies via the gcloud CLI:

~$ gcloud organizations add-iam-policy-binding <ORG_ID_REDACTED> --member="user:<MY_EMAIL_REDACTED>" --role="roles/resourcemanager.organizationAdmin"
ERROR: (gcloud.organizations.add-iam-policy-binding) User [<MY_EMAIL_REDACTED>] does not have permission to access organization [<ORG_ID_REDACTED>:setIamPolicy] (or it may not exist): The caller does not have permission

Neither of these errors is surprising, given that I do not, in fact, have the permission any longer. I have the following roles directly bound to my user account:

  • Organization Role Administrator
  • Service Account Admin
  • Organization Policy Administrator
  • Folder IAM Admin
  • Folder Mover
  • Project IAM Admin

Additionally, I am in GSuite groups that should have the following roles:

  • Compute Network Admin
  • Compute Shared VPC Admin
  • Owner <- this one in particular seems like it should be helpful, but isn't
  • Folder Admin
  • Project Creator
  • Project Deleter
  • Project Mover
  • Compute Security Admin

If it matters, I do have credentials for a GSuite 'Super Admin' account for this organization, although at first glance the options in that admin console seem to be totally separate from the GCP IAM configuration.

I cannot find a support option from Google without spending a decent amount of money, which is not a good option given this organization is a sandbox for trying out some tech and not a real business. Do I have any viable options at this point, other than deleting all projects and creating an entirely new organization?

Best Answer

So you deleted your Org Admin role, but you still have the Org Admin role and also the Organization Policy Admin role...

So in this case I'd recommend you make sure you're executing the command with your user. I know it is redundant, but it is always good to double check.

If you still can't, please check these steps, as you said you had a Super Admin account for GSuite
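As an added example that is not part of the question or the answer above: a pre-flight lockout guard that provisioning automation like the asker's could run on the policy document before calling `gcloud organizations set-iam-policy`. It assumes the JSON shape returned by `gcloud organizations get-iam-policy ORG_ID --format=json` (a list of bindings, each with a role and its members, plus an etag), and the two sample policies it works on are constructed for the example. The guard refuses any proposed policy that would leave nobody holding `roles/resourcemanager.organizationAdmin` and lists every holder of that role the change would remove, which is exactly the failure the question describes.

```python
"""Lockout guard for GCP organization IAM policies (added example).

Assumes the policy JSON shape returned by
`gcloud organizations get-iam-policy ORG_ID --format=json`:
{"bindings": [{"role": "...", "members": ["user:...", ...]}], "etag": "...", "version": 1}
The sample policy below is constructed for this example.
"""
import copy
import json

# Role whose loss caused the lockout in the question. Owner at the
# organization level does not carry resourcemanager.organizations.setIamPolicy,
# which is why the asker's Owner group membership did not help.
ORG_ADMIN = "roles/resourcemanager.organizationAdmin"

# Constructed sample: the organization policy before the faulty automation ran.
CURRENT_POLICY = json.loads("""
{
  "version": 1,
  "etag": "BwExampleEtag=",
  "bindings": [
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["user:alice@example.com", "user:bob@example.com"]},
    {"role": "roles/owner",
     "members": ["group:gcp-owners@example.com"]},
    {"role": "roles/iam.organizationRoleAdmin",
     "members": ["user:alice@example.com"]}
  ]
}
""")


def members_with_role(policy: dict, role: str) -> set[str]:
    """Return every member bound to `role` in the policy (empty set if none)."""
    return {
        m
        for b in policy.get("bindings", [])
        if b.get("role") == role
        for m in b.get("members", [])
    }


def remove_member(policy: dict, member: str) -> dict:
    """Return a copy of `policy` with `member` stripped from every binding.

    This mirrors what the asker's automation did by mistake. Bindings left
    without members are dropped, as set-iam-policy rejects empty bindings.
    """
    new = copy.deepcopy(policy)
    new["bindings"] = [
        {**b, "members": [m for m in b["members"] if m != member]}
        for b in new.get("bindings", [])
    ]
    new["bindings"] = [b for b in new["bindings"] if b["members"]]
    return new


def lockout_problems(current: dict, proposed: dict,
                     role: str = ORG_ADMIN) -> list[str]:
    """Explain why `proposed` must not be applied, or return [] if it is safe.

    Checks: the proposed policy must keep at least one holder of `role`;
    every holder that would lose it is reported for review; and the etag
    must match the policy that was read, since set-iam-policy uses it to
    detect concurrent edits. Custom roles that also grant setIamPolicy are
    not inspected; their permissions live outside the policy document.
    """
    before = members_with_role(current, role)
    after = members_with_role(proposed, role)
    problems = []
    if not after:
        problems.append(f"LOCKOUT: no member would hold {role}")
    for member in sorted(before - after):
        problems.append(f"removes {role} from {member}")
    if current.get("etag") != proposed.get("etag"):
        problems.append("etag mismatch: re-read the policy before applying")
    return problems


if __name__ == "__main__":
    # Reproduce the mistake: strip both org admins, one after the other.
    step1 = remove_member(CURRENT_POLICY, "user:bob@example.com")
    step2 = remove_member(step1, "user:alice@example.com")
    for label, proposed in (("step1", step1), ("step2", step2)):
        print(label, lockout_problems(CURRENT_POLICY, proposed) or "safe to apply")
```

Run the guard against the policy your tooling is about to submit and abort on any `LOCKOUT` entry; the `removes ...` entries are review items rather than hard failures, since reducing the admin set is sometimes intended. The guard is there to keep automation from reaching the state in the question; it does not replace the GSuite super admin recovery path the answer points at.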
