
I would like to create a Data Fusion instance and grant the service account privileges to read and write to BigQuery. I am using the Beta version of Data Fusion and my project resides under an organisation.

gcloud services enable datafusion.googleapis.com
ACCESS_TOKEN="$(gcloud auth application-default print-access-token)"
PROJECT_ID=my-project-under-an-org
INSTANCE_ID=cdf-dev-0
# The request body must be valid JSON (double-quoted keys and strings); quote the URL so the shell does not treat "?" as a glob
curl --request POST --header "Authorization: Bearer $ACCESS_TOKEN" --header 'Content-Type: application/json' \
  "https://datafusion.googleapis.com/v1beta1/projects/$PROJECT_ID/locations/europe-west1/instances?instanceId=$INSTANCE_ID" \
  --data '{"zone": "europe-west1-b", "enableStackdriverLogging": true, "enableStackdriverMonitoring": true, "labels": {}, "networkConfig": {}, "options": {}, "privateInstance": false, "type": "ENTERPRISE"}'

# retrieve service account so that permissions can be granted to it
# (the POST returns a long-running operation, so wait for it to complete before reading the instance; jq -r strips the JSON quotes from the value)
SERVICE_ACCOUNT=$(curl --request GET --header "Authorization: Bearer $ACCESS_TOKEN" \
  "https://datafusion.googleapis.com/v1beta1/projects/$PROJECT_ID/locations/europe-west1/instances/$INSTANCE_ID" | jq -r .serviceAccount)

gcloud projects add-iam-policy-binding "$PROJECT_ID" --member="serviceAccount:$SERVICE_ACCOUNT" --role='roles/bigquery.dataEditor'

When I try to grant the privileges I get the following error:

ERROR: Policy modification failed. For a binding with condition, run "gcloud alpha iam policies lint-condition" to identify issues in condition.
ERROR: (gcloud.projects.add-iam-policy-binding) FAILED_PRECONDITION: One or more users named in the policy do not belong to a permitted customer.
- '@type': type.googleapis.com/google.rpc.PreconditionFailure
  violations:
  - description: User cloud-datafusion-management-sa@xxxx-tp.iam.gserviceaccount.com
      is not in permitted organization.
    subject: orgpolicy:projects/my-project-under-an-org?configvalue=cloud-datafusion-management-sa%xxxx-tp.iam.gserviceaccount.com
    type: constraints/iam.allowedPolicyMemberDomains

Any hints appreciated.

Jeff Moszuti

1 Answer


The policy modification failure was triggered by a domain restriction constraint that is used in organization policies to limit resource sharing based on domain. This domain sharing restriction prevented the permission being assigned to the service account. The workaround was to temporarily disable the restriction.

Jeff Moszuti
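The workaround described in the answer, as an added example that is not part of the original post: a project-level override of constraints/iam.allowedPolicyMemberDomains that allows any member, the grant, and then removal of the override so the organisation's policy is inherited again. The project ID, service account address and role are placeholders, and running it assumes the caller may set organization policies on the project (for example roles/orgpolicy.policyAdmin) and may modify its IAM policy.

```shell
#!/bin/sh
# Temporarily lift constraints/iam.allowedPolicyMemberDomains on ONE project,
# grant the Data Fusion service account its BigQuery role, then remove the
# project-level override so the organisation's policy is inherited again.
# Added example; PROJECT_ID / SERVICE_ACCOUNT_EMAIL / ROLE are placeholders.
set -eu

CONSTRAINT=constraints/iam.allowedPolicyMemberDomains

# Project-level list policy that replaces the inherited one with "allow any member".
override_policy_yaml() {
  printf 'constraint: %s\nlistPolicy:\n  allValues: ALLOW\n' "$CONSTRAINT"
}

# Show what is currently enforced on the project (merged with its ancestors),
# so the blocking policy can be confirmed before and after the change.
show_effective_policy() {
  gcloud resource-manager org-policies describe "$CONSTRAINT" \
    --project="$1" --effective
}

# Override -> grant -> remove override. The override is removed even when the
# grant fails, so the restriction is never left lifted by accident.
grant_with_temporary_override() {
  project=$1
  member=$2
  role=$3
  policy_file=$(mktemp)
  override_policy_yaml > "$policy_file"

  gcloud resource-manager org-policies set-policy "$policy_file" --project="$project"
  rc=0
  gcloud projects add-iam-policy-binding "$project" \
    --member="serviceAccount:$member" --role="$role" || rc=$?
  # Deleting the project-level policy restores inheritance from the organisation.
  gcloud resource-manager org-policies delete "$CONSTRAINT" --project="$project"
  rm -f "$policy_file"
  return "$rc"
}

# Usage: sh grant-with-override.sh PROJECT_ID SERVICE_ACCOUNT_EMAIL [ROLE]
if [ $# -ge 2 ]; then
  show_effective_policy "$1"
  grant_with_temporary_override "$1" "$2" "${3:-roles/bigquery.dataEditor}"
  show_effective_policy "$1"
fi
```

While the override is in place any principal can be added to the project's IAM policy, so keep the window short and do it from a script rather than by hand. The constraint is checked when the policy is modified, so the binding created inside the window survives after the override is deleted.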