I had created a Google Cloud Platform project and an associated service account for accessing the Directory API in the Admin SDK. After some experimentation I decided to remove that project and the service account and start from scratch. Around that same time I also changed the primary domain on our GSuite account.

I believe this combination has screwed up my permissions in the Google Cloud Platform. I'm the only SuperAdmin on our GSuite account, and yet it seems I'm unable to do many things (examples below). Any way to completely reset permissions or the Cloud Platform account entirely? There are no projects to lose at this point.

Examples:

  • When I try to create a new project, when choosing "location", the only option (the name of the organization, still using the old primary domain) tells me "You do not have permission to create projects in this location".

  • If I go to IAM & Admin > Settings and try to rename the organization, it says "You do not have the permission to rename this resource. Required permission(s): All of resourcemanager.organizations.get and resourcemanager.organizations.update".

  • If I go to IAM & Admin > Roles, a banner at the top says "You do not have sufficient permissions to view this page".

I contacted GSuite support, but since the problem itself was on the Cloud Platform side they couldn't really do much for me.

RogerTheShrubber
  • Go to the GCP Console -> IAM & admin -> Manage resources. What do you see? Go to IAM & admin -> IAM. In the top near "Google Cloud Platform" is a selector for projects / organization. Can you select any project or more importantly your organization? If you can select your organization, what roles does your user identity have? Try to give yourself "Organization Administrator" and "Project Creator". – John Hanley Feb 14 '19 at 19:38
  • If I go to the manage resources page I see just a dropdown with the organization name (the old domain) or "No organization" as the options. Then "You have no projects in this organization". The only available button is the "Create Project" button, and that leads to the same problem as listed above. When I go to IAM the selector you describe has the current name of our org. (like I said, our old primary domain). I can't edit roles since the roles page gives me the "You do not have sufficient permissions to view this page" banner. – RogerTheShrubber Feb 14 '19 at 20:46
  • Can you see any of your projects? Using the CLI: `gcloud projects list`. I have a feeling that you will need to contact Google Cloud Platform support. – John Hanley Feb 14 '19 at 22:01
  • There aren't any projects to show. I only had one before and I removed it to start from scratch. – RogerTheShrubber Feb 15 '19 at 03:08
  • I just tried to get to the Cloud Platform support site. I'm willing to sign up for a higher tier of support in order to fix this. But I literally can't even see most of the support site! In order to do anything you need to choose a project and since I have no projects and can't create one there's no way to proceed! – RogerTheShrubber Feb 15 '19 at 03:13
  • And in one final Kafka-esque note, I was able to get to a page where I could sign up for a support package, but of course, I had to configure billing. When I found the Cloud Platform billing page I clicked "Add Billing Account", and what do you know, "You don't have permission to create billing accounts for this organization." I'M THE ONLY ADMIN!!!! – RogerTheShrubber Feb 15 '19 at 03:21
  • If you have no projects, why don't you just create a new account? – John Hanley Feb 15 '19 at 03:39
  • The reason I didn't do that was that I preferred to keep everything under the existing GSuite administrator. I ended up creating another admin account and that one was able to fix permissions for the primary account. – RogerTheShrubber Feb 15 '19 at 20:36

1 Answer

I'm still not sure what caused the permissions to get mangled, but creating another GSuite admin and using that one to repair permissions took care of it.

RogerTheShrubber
  • So one final update, it seems that changing the primary domain was the culprit here. It seems it took about a week for it to fully propagate from GSuite to the Cloud Platform and everything seems corrected. – RogerTheShrubber Feb 19 '19 at 18:38
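
The role check suggested in the comments on the question, as an added example that is not part of the original thread: it reads the JSON printed by `gcloud organizations get-iam-policy` and lists which of the named roles an account lacks at the organization level. The policy, the e-mail addresses and `ORG_ID` are constructed placeholders, and group membership is not resolved.

```python
import json

# Display names from the thread mapped to IAM role IDs; "Billing Account
# Creator" is added here because of the billing error quoted in the comments.
WANTED = {
    "Organization Administrator": "roles/resourcemanager.organizationAdmin",
    "Project Creator": "roles/resourcemanager.projectCreator",
    "Billing Account Creator": "roles/billing.creator",
}

# Constructed sample of `gcloud organizations get-iam-policy ORG_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/resourcemanager.projectCreator", "members": ["domain:old-domain.example"]},
  {"role": "roles/billing.creator",
   "members": ["domain:old-domain.example", "user:second-admin@new-domain.example"]},
  {"role": "roles/resourcemanager.organizationAdmin", "members": ["user:second-admin@new-domain.example"]}
]}
""")


def member_matches(member, email):
    """True if a policy member entry covers this user directly or by domain."""
    kind, _, value = member.partition(":")
    if kind == "user":
        return value.lower() == email.lower()
    if kind == "domain":
        return email.lower().rsplit("@", 1)[-1] == value.lower()
    return False  # group:, serviceAccount: and others are not resolved here


def missing_roles(policy, email):
    """Display names of WANTED roles that no unconditional binding gives to email."""
    held = {
        b["role"]
        for b in policy.get("bindings", [])
        if "condition" not in b  # conditional grants are not counted as held
        and any(member_matches(m, email) for m in b.get("members", []))
    }
    return [name for name, role in WANTED.items() if role not in held]


def fix_commands(policy, email, org_id="ORG_ID"):
    """gcloud commands an account that can still edit IAM could run to add the roles."""
    return [
        f"gcloud organizations add-iam-policy-binding {org_id} "
        f"--member=user:{email} --role={WANTED[name]}"
        for name in missing_roles(policy, email)
    ]
```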