Document GCS policy resolution steps #615
Added steps for resolving GCS policy restrictions and granting permissions for service account key creation.
📝 Walkthrough

This PR adds a new troubleshooting section to the GCS setup documentation that guides GCP Organization Admins through resolving organization policy blocks preventing service account key creation. The section covers console navigation, Cloud Shell workflows, policy admin role assignment, and specific gcloud commands to adjust the relevant constraint.

Changes: GCS Policy Troubleshooting Documentation

Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~5 minutes
🚥 Pre-merge checks: ✅ 5 passed
🚀 Deployed on https://deploy-preview-615--glific-docs.netlify.app |
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `docs/2. Pre Onboarding/05. Google Cloud Storage Setup - GCS.md`:
- Around line 337-379: The document mixes "organisation" and "organization";
standardize to "organization" throughout (including headings, step text, and the
policy name line `constraints/iam.disableServiceAccountKeyCreation`) so language
matches Google Cloud UI and docs; update all instances (e.g., "GCP Organization
Admin", "Organization Policies", and any in-step text) to use the single chosen
spelling.
- Line 361: The horizontal rule at the indicated location uses three hyphens
(`---`) which violates the repo's markdown lint rule; replace that rule with
three underscores (`___`) so the file's existing horizontal-rule style is
matched and the linter passes.
- Around line 379-380: Add explicit gcloud commands to update the organization
policy for iam.disableServiceAccountKeyCreation: show the org-scope command
using gcloud resource-manager org-policies disable-enforce with
--organization=ORGANIZATION_ID and the project-scope override using the same
command with --project=PROJECT_ID, note that the constraint name in the command
omits the "constraints/" prefix (use iam.disableServiceAccountKeyCreation) and
mention that the user needs the Organization Policy Administrator role
(roles/orgpolicy.policyAdmin) to run these commands; reference the constraint
identifier constraints/iam.disableServiceAccountKeyCreation in the explanatory
text so readers can map it to the commands.
- Around line 366-377: Close the open ```bash fence after the first command and
wrap each gcloud command block in its own fenced code block so they render
correctly: end the first fence after "gcloud auth login", add a new ```bash
fence before "gcloud organizations list" and close it after that command, and
add a final ```bash fence around the "gcloud organizations
add-iam-policy-binding YOUR_ORG_ID ..." command (the lines containing gcloud
auth login, gcloud organizations list, and gcloud organizations
add-iam-policy-binding are the identifiers to edit).
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: b3523eed-8482-41e0-9455-2aaa5a205cf4
📒 Files selected for processing (1)
docs/2. Pre Onboarding/05. Google Cloud Storage Setup - GCS.md
| A GCP Organization Admin needs to update the organisation policy that is blocking service account key creation. | ||
|
|
||
| ### Steps 1: | ||
|
|
||
| 1. Open **Google Cloud Console** | ||
| 2. Go to **IAM & Admin → Organization Policies** | ||
| 3. Search for: | ||
| `Disable service account key creation` | ||
| 4. Select the policy: | ||
| `constraints/iam.disableServiceAccountKeyCreation` | ||
| 5. Click **Edit** | ||
| 6. Set the policy to **Not enforced** (or override it at the project level if org-level change is not allowed) | ||
| 7. Save the changes | ||
|
|
||
| https://docs.cloud.google.com/organization-policy/restrict-service-accounts | ||
|
|
||
| ### Step 2: | ||
|
|
||
| 1.Go to **Google Cloud Console** | ||
| 2. Activate **Cloud Shell** | ||
| 3. Click **Continue** and complete the setup steps | ||
|
|
||
| <img width="700" height="284" alt="Image" src="https://github.com/user-attachments/assets/e254a542-6fe3-4577-8edb-716ef74b5480" /> | ||
|
|
||
| --- | ||
|
|
||
| ### Run the following commands in Cloud Shell | ||
|
|
||
| 1. Authenticate (if not already authenticated): | ||
| ```bash | ||
| gcloud auth login | ||
|
|
||
| 2. List available organizations: | ||
|
|
||
| gcloud organizations list | ||
|
|
||
| 3. Grant Organization Policy Admin role to the required user: | ||
|
|
||
| gcloud organizations add-iam-policy-binding YOUR_ORG_ID \ | ||
| --member="user:ADMIN_EMAIL@yourdomain.com" \ | ||
| --role="roles/orgpolicy.policyAdmin" | ||
|
|
||
| 4. After access is granted, update the organization policy to allow service account key creation (disable or override the constraint): |
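Review bot: step 3 of the Cloud Shell section binds `roles/orgpolicy.policyAdmin` on the whole organization, which lets the grantee edit every organization policy, not only this constraint; say that the binding is needed only for the single admin who will make the change, and, since step 6 already allows a project-level override, present that path first so the constraint stays enforced for the rest of the organization. Smaller points in the same region: the heading `### Steps 1:` should read `### Step 1:` to match `### Step 2:`, and `1.Go to **Google Cloud Console**` is missing the space after `1.`.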
Use one spelling variant consistently (organization vs organisation).
This section mixes variants; pick one (preferably organization to match Google Cloud UI/docs) for consistency.
🧰 Tools
🪛 LanguageTool
[uncategorized] ~337-~337: Do not mix variants of the same word (‘organization’ and ‘organisation’) within a single text.
Context: ...n on the GCS Policy restriction: A GCP Organization Admin needs to update the organisation ...
(EN_WORD_COHERENCY)
[uncategorized] ~342-~342: Do not mix variants of the same word (‘organization’ and ‘organisation’) within a single text.
Context: ...loud Console** 2. Go to IAM & Admin → Organization Policies 3. Search for: `Disable s...
(EN_WORD_COHERENCY)
[uncategorized] ~369-~369: Do not mix variants of the same word (‘organization’ and ‘organisation’) within a single text.
Context: ... gcloud auth login 2. List available organizations: gcloud organizations list 3. Grant O...
(EN_WORD_COHERENCY)
[uncategorized] ~371-~371: Do not mix variants of the same word (‘organization’ and ‘organisation’) within a single text.
Context: .... List available organizations: gcloud organizations list 3. Grant Organization Policy Admi...
(EN_WORD_COHERENCY)
[uncategorized] ~373-~373: Do not mix variants of the same word (‘organization’ and ‘organisation’) within a single text.
Context: ...s: gcloud organizations list 3. Grant Organization Policy Admin role to the required user:...
(EN_WORD_COHERENCY)
[uncategorized] ~375-~375: Do not mix variants of the same word (‘organization’ and ‘organisation’) within a single text.
Context: ...dmin role to the required user: gcloud organizations add-iam-policy-binding YOUR_ORG_ID \ ...
(EN_WORD_COHERENCY)
[uncategorized] ~379-~379: Do not mix variants of the same word (‘organization’ and ‘organisation’) within a single text.
Context: ... 4. After access is granted, update the organization policy to allow service account key cre...
(EN_WORD_COHERENCY)
🪛 markdownlint-cli2 (0.22.1)
[warning] 361-361: Horizontal rule style
Expected: ___; Actual: ---
(MD035, hr-style)
|
|
||
| <img width="700" height="284" alt="Image" src="https://github.com/user-attachments/assets/e254a542-6fe3-4577-8edb-716ef74b5480" /> | ||
|
|
||
| --- |
Match the existing horizontal-rule style in this file.
Use ___ instead of --- to satisfy the configured markdown lint rule.
| ```bash | ||
| gcloud auth login | ||
|
|
||
| 2. List available organizations: | ||
|
|
||
| gcloud organizations list | ||
|
|
||
| 3. Grant Organization Policy Admin role to the required user: | ||
|
|
||
| gcloud organizations add-iam-policy-binding YOUR_ORG_ID \ | ||
| --member="user:ADMIN_EMAIL@yourdomain.com" \ | ||
| --role="roles/orgpolicy.policyAdmin" |
Close and structure the command code fences correctly.
The bash fence opened here is not closed, so subsequent steps render incorrectly as code and become hard to follow/copy.
Suggested markdown fix
1. Authenticate (if not already authenticated):
```bash
gcloud auth login
+ ```
2. List available organizations:
-
-gcloud organizations list
+ ```bash
+ gcloud organizations list
+ ```
3. Grant Organization Policy Admin role to the required user:
-
-gcloud organizations add-iam-policy-binding YOUR_ORG_ID \
- --member="user:ADMIN_EMAIL@yourdomain.com" \
- --role="roles/orgpolicy.policyAdmin"
+ ```bash
+ gcloud organizations add-iam-policy-binding YOUR_ORG_ID \
+ --member="user:ADMIN_EMAIL@yourdomain.com" \
+ --role="roles/orgpolicy.policyAdmin"
+ ```
| 4. After access is granted, update the organization policy to allow service account key creation (disable or override the constraint): | ||
| constraints/iam.disableServiceAccountKeyCreation |
🧩 Analysis chain
🌐 Web query:
What is the current gcloud command to disable enforcement of the boolean organization policy constraint `constraints/iam.disableServiceAccountKeyCreation` at:
- organization scope
- project scope (override)?
Please provide examples from official Google Cloud documentation.
💡 Result:
To disable the enforcement of the boolean organization policy constraint `constraints/iam.disableServiceAccountKeyCreation`, you use the `gcloud resource-manager org-policies disable-enforce` command [1]. This command turns off the enforcement of a boolean constraint at a specific resource level [1]. Note that for this command, the constraint name should be specified as `iam.disableServiceAccountKeyCreation` (the prefix `constraints/` is typically omitted when using this specific command) [1].

1) Organization Scope

To disable enforcement at the organization level, use the `--organization` flag with your Organization ID [1]:

```bash
gcloud resource-manager org-policies disable-enforce iam.disableServiceAccountKeyCreation \
  --organization=ORGANIZATION_ID
```

2) Project Scope (Override)

To disable enforcement at the project level, use the `--project` flag with your Project ID [1]. This overrides any policies inherited from higher levels in the resource hierarchy [1]:

```bash
gcloud resource-manager org-policies disable-enforce iam.disableServiceAccountKeyCreation \
  --project=PROJECT_ID
```

Alternatively, you can manage organization policies by creating a YAML policy file and applying it using `gcloud org-policies set-policy`, which allows for more complex configurations (such as specific overrides) [2][3]. When using this method to disable enforcement, your YAML file would set `enforce: false` for the specified constraint [2]. Ensure you have the necessary IAM permissions, such as the Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) role, to modify these policies [2].
Citations:
- 1: https://cloud.google.com/sdk/gcloud/reference/resource-manager/org-policies/disable-enforce
- 2: https://stackoverflow.com/questions/78507983/how-do-i-remove-the-iam-disableserviceaccountkeycreation-constraint
- 3: https://docs.cloud.google.com/sdk/gcloud/reference/org-policies
Add the executable gcloud commands for updating the organization policy.
The step currently shows only the constraint name. Include the exact commands users need:
For organization scope:
```bash
gcloud resource-manager org-policies disable-enforce iam.disableServiceAccountKeyCreation \
  --organization=ORGANIZATION_ID
```
For project scope (override):
```bash
gcloud resource-manager org-policies disable-enforce iam.disableServiceAccountKeyCreation \
  --project=PROJECT_ID
```
Note: The constraint name in the command omits the `constraints/` prefix. Users will also need the Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) role to execute these.
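A small helper, added here as an example and not part of this PR or the glific-docs repository, that turns a scope and constraint into the `disable-enforce` command from the comment above and into the `enforce: false` YAML it mentions for `gcloud org-policies set-policy`. It runs offline and only prints the inputs for review instead of calling gcloud. The YAML resource-name shape (`projects/<id>/policies/<constraint>`) and the `--folder` scope are my assumptions from the Org Policy v2 API, not something the comment states. Feeding it `constraints/iam.disableServiceAccountKeyCreation` shows the prefix being stripped, and the project-scoped form is the narrower of the two commands shown.

```shell
#!/bin/sh
# Added example, not code from the PR or the glific-docs repository: prepare
# (but do not run) the org-policy change discussed in the review, so the
# scope and constraint can be checked before an admin executes it.

# normalize_constraint CONSTRAINT
# gcloud's disable-enforce expects the id without the "constraints/" prefix;
# accept either spelling and reject anything that is not a dotted identifier.
normalize_constraint() {
  c=${1#constraints/}
  case "$c" in
    "" | *[!A-Za-z0-9.]*) return 1 ;;
  esac
  printf '%s\n' "$c"
}

# scope_flag SCOPE ID
# Map organization|folder|project to the matching gcloud flag; the id is
# restricted to [A-Za-z0-9-] so a stray argument cannot smuggle in extra flags.
scope_flag() {
  case "$1" in
    organization | folder | project) ;;
    *) return 1 ;;
  esac
  case "$2" in
    "" | *[!A-Za-z0-9-]*) return 1 ;;
  esac
  printf '%s=%s\n' "--$1" "$2"
}

# disable_enforce_cmd SCOPE ID CONSTRAINT
# Print the gcloud command the review recommends for the given scope.
disable_enforce_cmd() {
  c=$(normalize_constraint "$3") || return 1
  f=$(scope_flag "$1" "$2") || return 1
  printf 'gcloud resource-manager org-policies disable-enforce %s %s\n' "$c" "$f"
}

# policy_yaml SCOPE ID CONSTRAINT
# The equivalent policy file for `gcloud org-policies set-policy FILE`. The
# resource-name shape (<scope>s/<id>/policies/<constraint>) is an assumption
# taken from the Org Policy v2 API, not something the review states.
policy_yaml() {
  c=$(normalize_constraint "$3") || return 1
  scope_flag "$1" "$2" >/dev/null || return 1
  printf 'name: %ss/%s/policies/%s\nspec:\n  rules:\n  - enforce: false\n' "$1" "$2" "$c"
}

# Stand-alone usage: a project-scoped override (the narrower of the two scopes
# in the review) using the prefixed constraint name as it appears in the doc.
# "my-project-id" is a constructed placeholder.
disable_enforce_cmd project my-project-id constraints/iam.disableServiceAccountKeyCreation
policy_yaml project my-project-id constraints/iam.disableServiceAccountKeyCreation
```

Paste the printed command into Cloud Shell only after confirming the scope is the one intended; the YAML variant is useful when the change should be committed alongside other policy files and reviewed before `set-policy` applies it.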
|
|
||
| 1. Authenticate (if not already authenticated): | ||
| ```bash | ||
| gcloud auth login |
The closing backticks are missing.
|
|
||
| 2. List available organizations: | ||
|
|
||
| gcloud organizations list |
Please add this as a code block using backticks, like in the 1st step.
|
|
||
| 3. Grant Organization Policy Admin role to the required user: | ||
|
|
||
| gcloud organizations add-iam-policy-binding YOUR_ORG_ID \ |
shijithkjayan left a comment:
LGTM apart from the minor comments. Can merge after fixing the comments.