48 changes: 48 additions & 0 deletions docs/2. Pre Onboarding/05. Google Cloud Storage Setup - GCS.md
Expand Up @@ -331,6 +331,54 @@ Also, just to clarify — `BigQuery tables` and `GCS buckets` serve different pu

- Click `Save`.


## Resolution on the GCS Policy restriction:

A GCP Organization Admin needs to update the organisation policy that is blocking service account key creation.

### Steps 1:

1. Open **Google Cloud Console**
2. Go to **IAM & Admin → Organization Policies**
3. Search for:
`Disable service account key creation`
4. Select the policy:
`constraints/iam.disableServiceAccountKeyCreation`
5. Click **Edit**
6. Set the policy to **Not enforced** (or override it at the project level if org-level change is not allowed)
7. Save the changes

https://docs.cloud.google.com/organization-policy/restrict-service-accounts

### Step 2:

1.Go to **Google Cloud Console**
2. Activate **Cloud Shell**
3. Click **Continue** and complete the setup steps

<img width="700" height="284" alt="Image" src="https://github.com/user-attachments/assets/e254a542-6fe3-4577-8edb-716ef74b5480" />

---
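Review bot: Step 1 leads with switching `constraints/iam.disableServiceAccountKeyCreation` to Not enforced in the organization policy and only mentions the project-level override in parentheses in item 6; that order should be reversed. Changing the constraint at the organization node re-enables user-managed service account key creation for every project that inherits the organization setting, while this onboarding needs it in one project. Make the project-scoped override the primary instruction (select the onboarding project as the scope before clicking Edit) and add a closing step that restores enforcement once the key has been created. Two small fixes in the same region: the heading `### Steps 1:` should match `### Step 2:`, and `1.Go to` in Step 2 is missing the space after the list number.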
Contributor

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Match the existing horizontal-rule style in this file.

Use ___ instead of --- to satisfy the configured markdown lint rule.

🧰 Tools
🪛 markdownlint-cli2 (0.22.1)

[warning] 361-361: Horizontal rule style
Expected: ___; Actual: ---

(MD035, hr-style)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/2`. Pre Onboarding/05. Google Cloud Storage Setup - GCS.md at line 361,
The horizontal rule at the indicated location uses three hyphens (`---`) which
violates the repo's markdown lint rule; replace that rule with three underscores
(`___`) so the file's existing horizontal-rule style is matched and the linter
passes.


### Run the following commands in Cloud Shell

1. Authenticate (if not already authenticated):
```bash
gcloud auth login
Member

Backtick closing is missing


2. List available organizations:

gcloud organizations list
Member

Please add this as a code block using backtick, like in the 1st step


3. Grant Organization Policy Admin role to the required user:

gcloud organizations add-iam-policy-binding YOUR_ORG_ID \
Member

Add this as a code block

--member="user:ADMIN_EMAIL@yourdomain.com" \
--role="roles/orgpolicy.policyAdmin"
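Review bot: Step 3 binds `roles/orgpolicy.policyAdmin` at the organization node, which lets `ADMIN_EMAIL@yourdomain.com` edit every organization policy in the organization rather than just this constraint, and nothing in the steps removes the binding afterwards. Grant the role on the narrowest resource the admin will actually edit (the onboarding project, if the override is applied there) and add a step after the key is created that removes the binding with the matching `remove-iam-policy-binding` command. The placeholder `YOUR_ORG_ID` should also be tied back to Step 2: say explicitly that it is the `ID` value printed by `gcloud organizations list`.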
Comment on lines +366 to +377
Contributor

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Close and structure the command code fences correctly.

The bash fence opened here is not closed, so subsequent steps render incorrectly as code and become hard to follow/copy.

Suggested markdown fix
 1. Authenticate (if not already authenticated):
    ```bash
    gcloud auth login
+   ```
 
 2. List available organizations:
-
-gcloud organizations list
+   ```bash
+   gcloud organizations list
+   ```
 
 3. Grant Organization Policy Admin role to the required user:
-
-gcloud organizations add-iam-policy-binding YOUR_ORG_ID \
-  --member="user:ADMIN_EMAIL@yourdomain.com" \
-  --role="roles/orgpolicy.policyAdmin"
+   ```bash
+   gcloud organizations add-iam-policy-binding YOUR_ORG_ID \
+     --member="user:ADMIN_EMAIL@yourdomain.com" \
+     --role="roles/orgpolicy.policyAdmin"
+   ```
🧰 Tools
🪛 LanguageTool

[uncategorized] ~369-~369: Do not mix variants of the same word (‘organization’ and ‘organisation’) within a single text.
Context: ... gcloud auth login 2. List available organizations: gcloud organizations list 3. Grant O...

(EN_WORD_COHERENCY)


[uncategorized] ~371-~371: Do not mix variants of the same word (‘organization’ and ‘organisation’) within a single text.
Context: .... List available organizations: gcloud organizations list 3. Grant Organization Policy Admi...

(EN_WORD_COHERENCY)


[uncategorized] ~373-~373: Do not mix variants of the same word (‘organization’ and ‘organisation’) within a single text.
Context: ...s: gcloud organizations list 3. Grant Organization Policy Admin role to the required user:...

(EN_WORD_COHERENCY)


[uncategorized] ~375-~375: Do not mix variants of the same word (‘organization’ and ‘organisation’) within a single text.
Context: ...dmin role to the required user: gcloud organizations add-iam-policy-binding YOUR_ORG_ID \ ...

(EN_WORD_COHERENCY)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/2`. Pre Onboarding/05. Google Cloud Storage Setup - GCS.md around lines
366 - 377, Close the open ```bash fence after the first command and wrap each
gcloud command block in its own fenced code block so they render correctly: end
the first fence after "gcloud auth login", add a new ```bash fence before
"gcloud organizations list" and close it after that command, and add a final
```bash fence around the "gcloud organizations add-iam-policy-binding
YOUR_ORG_ID ..." command (the lines containing gcloud auth login, gcloud
organizations list, and gcloud organizations add-iam-policy-binding are the
identifiers to edit).


4. After access is granted, update the organization policy to allow service account key creation (disable or override the constraint):
Comment on lines +337 to +379
Contributor

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Use one spelling variant consistently (organization vs organisation).

This section mixes variants; pick one (preferably organization to match Google Cloud UI/docs) for consistency.

🧰 Tools
🪛 LanguageTool

[uncategorized] ~337-~337: Do not mix variants of the same word (‘organization’ and ‘organisation’) within a single text.
Context: ...n on the GCS Policy restriction: A GCP Organization Admin needs to update the organisation ...

(EN_WORD_COHERENCY)


[uncategorized] ~342-~342: Do not mix variants of the same word (‘organization’ and ‘organisation’) within a single text.
Context: ...loud Console** 2. Go to IAM & Admin → Organization Policies 3. Search for: `Disable s...

(EN_WORD_COHERENCY)


[uncategorized] ~369-~369: Do not mix variants of the same word (‘organization’ and ‘organisation’) within a single text.
Context: ... gcloud auth login 2. List available organizations: gcloud organizations list 3. Grant O...

(EN_WORD_COHERENCY)


[uncategorized] ~371-~371: Do not mix variants of the same word (‘organization’ and ‘organisation’) within a single text.
Context: .... List available organizations: gcloud organizations list 3. Grant Organization Policy Admi...

(EN_WORD_COHERENCY)


[uncategorized] ~373-~373: Do not mix variants of the same word (‘organization’ and ‘organisation’) within a single text.
Context: ...s: gcloud organizations list 3. Grant Organization Policy Admin role to the required user:...

(EN_WORD_COHERENCY)


[uncategorized] ~375-~375: Do not mix variants of the same word (‘organization’ and ‘organisation’) within a single text.
Context: ...dmin role to the required user: gcloud organizations add-iam-policy-binding YOUR_ORG_ID \ ...

(EN_WORD_COHERENCY)


[uncategorized] ~379-~379: Do not mix variants of the same word (‘organization’ and ‘organisation’) within a single text.
Context: ... 4. After access is granted, update the organization policy to allow service account key cre...

(EN_WORD_COHERENCY)

🪛 markdownlint-cli2 (0.22.1)

[warning] 361-361: Horizontal rule style
Expected: ___; Actual: ---

(MD035, hr-style)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/2`. Pre Onboarding/05. Google Cloud Storage Setup - GCS.md around lines
337 - 379, The document mixes "organisation" and "organization"; standardize to
"organization" throughout (including headings, step text, and the policy name
line `constraints/iam.disableServiceAccountKeyCreation`) so language matches
Google Cloud UI and docs; update all instances (e.g., "GCP Organization Admin",
"Organization Policies", and any in-step text) to use the single chosen
spelling.

constraints/iam.disableServiceAccountKeyCreation
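Review bot: Step 4 stops at the constraint identifier; there is no command to run, and the parenthetical "disable or override" leaves the scope to the reader after Steps 1 and 3 have already pointed at the organization node. State the scope (the onboarding project) and give the command, for example `gcloud resource-manager org-policies disable-enforce iam.disableServiceAccountKeyCreation --project=PROJECT_ID` (the command takes the constraint name without the `constraints/` prefix), then follow it with a check of the effective policy on that project so the reader confirms enforcement is off before going on to create the key.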
Comment on lines +379 to +380
Contributor

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

What is the current gcloud command to disable enforcement of the boolean organization policy constraint `constraints/iam.disableServiceAccountKeyCreation` at:

  1. organization scope
  2. project scope (override)?

Please provide examples from official Google Cloud documentation.

💡 Result:

To disable the enforcement of the boolean organization policy constraint `constraints/iam.disableServiceAccountKeyCreation`, you use the `gcloud resource-manager org-policies disable-enforce` command [1]. This command turns off the enforcement of a boolean constraint at a specific resource level [1]. Note that for this command, the constraint name should be specified as `iam.disableServiceAccountKeyCreation` (the prefix `constraints/` is typically omitted when using this specific command) [1].

1) Organization Scope

To disable enforcement at the organization level, use the `--organization` flag with your Organization ID [1]:

```bash
gcloud resource-manager org-policies disable-enforce iam.disableServiceAccountKeyCreation \
  --organization=ORGANIZATION_ID
```

2) Project Scope (Override)

To disable enforcement at the project level, use the `--project` flag with your Project ID [1]. This overrides any policies inherited from higher levels in the resource hierarchy [1]:

```bash
gcloud resource-manager org-policies disable-enforce iam.disableServiceAccountKeyCreation \
  --project=PROJECT_ID
```

Alternatively, you can manage organization policies by creating a YAML policy file and applying it using `gcloud org-policies set-policy`, which allows for more complex configurations (such as specific overrides) [2][3]. When using this method to disable enforcement, your YAML file would set `enforce: false` for the specified constraint [2]. Ensure you have the necessary IAM permissions, such as the Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) role, to modify these policies [2].

Citations:


Add the executable gcloud commands for updating the organization policy.

The step currently shows only the constraint name. Include the exact commands users need:

For organization scope:

```bash
gcloud resource-manager org-policies disable-enforce iam.disableServiceAccountKeyCreation \
  --organization=ORGANIZATION_ID
```

For project scope (override):

```bash
gcloud resource-manager org-policies disable-enforce iam.disableServiceAccountKeyCreation \
  --project=PROJECT_ID
```

Note: The constraint name in the command omits the constraints/ prefix. Users will also need the Organization Policy Administrator (roles/orgpolicy.policyAdmin) role to execute these.

🧰 Tools
🪛 LanguageTool

[uncategorized] ~379-~379: Do not mix variants of the same word (‘organization’ and ‘organisation’) within a single text.
Context: ... 4. After access is granted, update the organization policy to allow service account key cre...

(EN_WORD_COHERENCY)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/2`. Pre Onboarding/05. Google Cloud Storage Setup - GCS.md around lines
379 - 380, Add explicit gcloud commands to update the organization policy for
iam.disableServiceAccountKeyCreation: show the org-scope command using gcloud
resource-manager org-policies disable-enforce with
--organization=ORGANIZATION_ID and the project-scope override using the same
command with --project=PROJECT_ID, note that the constraint name in the command
omits the "constraints/" prefix (use iam.disableServiceAccountKeyCreation) and
mention that the user needs the Organization Policy Administrator role
(roles/orgpolicy.policyAdmin) to run these commands; reference the constraint
identifier constraints/iam.disableServiceAccountKeyCreation in the explanatory
text so readers can map it to the commands.
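An added example, not code from the PR under review or from the repository it documents: a small POSIX shell script that applies the exception discussed in the comment above at project scope only, using the YAML form of the policy, shows the effective policy so the admin can confirm enforcement is off, and deletes the project-level policy again so the organization-wide guardrail is restored as soon as the key exists. It assumes `gcloud` is installed and authenticated as a principal holding `roles/orgpolicy.policyAdmin` on the target project; `PROJECT_ID` (and `demo-project` in the usage) are placeholders.

```shell
#!/bin/sh
# Added example (not from the PR under review or its repository).
# Scope the exception to one project and keep it reversible, instead of
# switching constraints/iam.disableServiceAccountKeyCreation to "Not enforced"
# at the organization node.
# Assumptions: gcloud is installed and authenticated as a principal holding
# roles/orgpolicy.policyAdmin on the project; PROJECT_ID is supplied by the caller.

CONSTRAINT="iam.disableServiceAccountKeyCreation"

# Org Policy v2 YAML that turns enforcement off for a single project only.
# `name` is the policy resource; `enforce: false` under spec.rules is the override.
render_override() {
  project="$1"
  cat <<EOF
name: projects/${project}/policies/${CONSTRAINT}
spec:
  rules:
  - enforce: false
EOF
}

# Print the policy that actually applies to the project after inheritance,
# so the admin can confirm enforcement is off before creating the key.
check_effective() {
  project="$1"
  gcloud org-policies describe "$CONSTRAINT" --project="$project" --effective --format=yaml
}

# Write the project-scoped override to a temp file, apply it, show the result.
open_exception() {
  project="$1"
  tmp="$(mktemp)"
  render_override "$project" > "$tmp"
  gcloud org-policies set-policy "$tmp"
  rm -f "$tmp"
  check_effective "$project"
}

# Delete the project-level policy so the project inherits the organization
# setting again; run this as soon as the service account key has been created.
close_exception() {
  project="$1"
  gcloud org-policies delete "$CONSTRAINT" --project="$project" --quiet
  check_effective "$project"
}

usage() {
  echo "usage: $0 {render|check|open|close} PROJECT_ID" >&2
  exit 2
}

main() {
  [ $# -eq 2 ] || usage
  case "$1" in
    render) render_override "$2" ;;
    check)  check_effective "$2" ;;
    open)   open_exception "$2" ;;
    close)  close_exception "$2" ;;
    *)      usage ;;
  esac
}

# Only act when invoked with arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then
  main "$@"
fi
```

Typical sequence for the onboarding: `sh scoped-key-exception.sh open demo-project`, create the key, then `sh scoped-key-exception.sh close demo-project`; `render` prints the YAML without touching anything, which is useful for a change-review ticket. Deleting the project policy rather than setting `enforce: true` is deliberate: it returns the project to whatever the organization decides in future instead of pinning a local value.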


### Reference Articles

- [GCS Pricing Details](https://cloud.google.com/storage/pricing)