diff --git a/docs/2. Pre Onboarding/05. Google Cloud Storage Setup - GCS.md b/docs/2. Pre Onboarding/05. Google Cloud Storage Setup - GCS.md index 6c2b3bc2d..908734b88 100644 --- a/docs/2. Pre Onboarding/05. Google Cloud Storage Setup - GCS.md +++ b/docs/2. Pre Onboarding/05. Google Cloud Storage Setup - GCS.md @@ -331,6 +331,54 @@ Also, just to clarify — `BigQuery tables` and `GCS buckets` serve different pu - Click `Save`. + +## Resolution on the GCS Policy restriction: + +A GCP Organization Admin needs to update the organisation policy that is blocking service account key creation. + +### Steps 1: + +1. Open **Google Cloud Console** +2. Go to **IAM & Admin → Organization Policies** +3. Search for: + `Disable service account key creation` +4. Select the policy: + `constraints/iam.disableServiceAccountKeyCreation` +5. Click **Edit** +6. Set the policy to **Not enforced** (or override it at the project level if org-level change is not allowed) +7. Save the changes + +https://docs.cloud.google.com/organization-policy/restrict-service-accounts + +### Step 2: + +1.Go to **Google Cloud Console** +2. Activate **Cloud Shell** +3. Click **Continue** and complete the setup steps + +Image + +--- + +### Run the following commands in Cloud Shell + +1. Authenticate (if not already authenticated): + ```bash + gcloud auth login + +2. List available organizations: + +gcloud organizations list + +3. Grant Organization Policy Admin role to the required user: + +gcloud organizations add-iam-policy-binding YOUR_ORG_ID \ + --member="user:ADMIN_EMAIL@yourdomain.com" \ + --role="roles/orgpolicy.policyAdmin" + +4. After access is granted, update the organization policy to allow service account key creation (disable or override the constraint): +constraints/iam.disableServiceAccountKeyCreation + ### Reference Articles - [GCS Pricing Details](https://cloud.google.com/storage/pricing)
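Review bot: In "Steps 1", item 6 makes setting `constraints/iam.disableServiceAccountKeyCreation` to **Not enforced** the default action and mentions the project-level override only as a parenthetical fallback. As written, this lifts the key-creation guardrail for the whole organisation. Suggest reversing the order: make the override on the single project that needs the key the documented path, and add a closing step to restore enforcement once the key has been created. The same scoping concern applies to item 3 of the Cloud Shell section, which binds `roles/orgpolicy.policyAdmin` at the organisation level to `ADMIN_EMAIL@yourdomain.com` with no follow-up step to remove the binding after the policy change; please add one. Item 4 of that section only names the constraint again and gives no command, so it either needs the actual command or a pointer back to "Steps 1". Formatting: the ```bash fence opened under `gcloud auth login` is never closed and the `gcloud organizations list` and `add-iam-policy-binding` commands are unfenced, so everything after item 1 will render incorrectly; close the fence and fence each command. Also, "### Steps 1:" should read "### Step 1:" to match "### Step 2:", "1.Go to" is missing a space after the list marker, the bare "Image" line has no image link behind it, and the docs URL should be a Markdown link like the entries under "Reference Articles".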