Troubleshooting for GCP

Google cloud connection fails due to IAM policy binding errors

Symptoms

The GCP cloud connection might fail during permission assignment, and the following errors appear:

ERROR: Policy modification failed. For binding with the condition, run "gcloud alpha iam policies lint-condition" 
to identify issues in condition.

ERROR: (gcloud.projects.add-iam-policy-binding) FAILED_PRECONDITION: One or more users named in the policy do not belong to a permitted customer.

- '@type': type.googleapis.com/google.rpc.PreconditionFailure
  violations:
  - description: User xxxxxx@appranixsra.iam.gserviceaccount.com is not in permitted organization.
    subject: orgpolicy:projects/gcp-project-id-01?configvalue=xxxxx%40appranixsra.iam.gserviceaccount.com
    type: constraints/iam.allowedPolicyMemberDomains

Cause

During the creation of Cloud Connections, Cloud Rewind creates a service account named in the form "xxxxxxx@appranixsra.iam.gserviceaccount.com". This service account belongs to the appranix.com domain. If this domain is not whitelisted in your project under the "constraints/iam.allowedPolicyMemberDomains" policy (the constraint named in the error above), Cloud Rewind can't discover, protect, or recover resources in your project.

Resolution

  1. Assign the "Organization Policy Administrator" role permissions to allow users to edit the policy bindings at the organization level.

    An Organization Policy can be edited at the project or organization level.

  2. Whitelist the Cloud Rewind domain in the Organization Policy using the following steps:

    1. Under your GCP Project, navigate to IAM > "Organization Policies" > Filter "Domain restricted sharing"

    2. If you have the required permissions, you can edit it with the following values (refer to the image below):

      1. Choose Customize.

      2. Set Policy enforcement to Replace.

      3. Set Policy values to Custom.

      4. Set Policy type to Allow.

      5. Add the following Custom values: "C03c05rb4" and your organization's DIRECTORY_CUSTOMER_ID.

      Note

      "C03c05rb4" is the Cloud Rewind organization’s DIRECTORY_CUSTOMER_ID

    3. Get the Organization’s directory ID:

      1. Go to Cloud Shell.

      2. Run the following command:

        gcloud organizations list
        

    4. Save the policy. You can now run the Cloud Shell commands that Cloud Rewind generates.

Note

The minimum required values are the DIRECTORY_CUSTOMER_ID of the organization your email ID belongs to and the Cloud Rewind DIRECTORY_CUSTOMER_ID. If you omit any organization's valid ID from this list, access for that organization's users is revoked and has to be reset, so apply this in a test project, or with approval from the organization policy owner, and add every ID that should be whitelisted.
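The following POSIX shell script is an added pre-flight check for the procedure above; it is example code, not part of the Cloud Rewind documentation or product. It reads the DIRECTORY_CUSTOMER_ID values from `gcloud organizations list` output, reads the allowed values of the project's effective "Domain restricted sharing" policy, and reports any required ID that is missing, so you catch the lock-out case in the note (your own organization's ID absent from the list) before saving the policy or retrying the binding. The sample `gcloud` outputs embedded below are constructed, the `C0exampleid` customer ID is a placeholder, and the YAML shape assumed for `gcloud resource-manager org-policies describe ... --effective` is an assumption to adjust if your gcloud version prints differently.

```shell
#!/bin/sh
# Added example: pre-flight check for constraints/iam.allowedPolicyMemberDomains.
# Not part of the Cloud Rewind docs; sample outputs below are constructed.

CLOUD_REWIND_CUSTOMER_ID="C03c05rb4"   # Cloud Rewind's DIRECTORY_CUSTOMER_ID (from the docs)

# Constructed sample of `gcloud organizations list` output (placeholder values).
SAMPLE_ORG_LIST='DISPLAY_NAME  ID            DIRECTORY_CUSTOMER_ID
example.com   123456789012  C0exampleid'

# Constructed samples of the effective policy as printed by
# `gcloud resource-manager org-policies describe \
#     constraints/iam.allowedPolicyMemberDomains --project=PROJECT --effective`
# (assumed YAML shape). The first is correct; the second omits the caller's own
# organization, which is the lock-out case the docs warn about.
SAMPLE_POLICY_OK='constraint: constraints/iam.allowedPolicyMemberDomains
listPolicy:
  allowedValues:
  - C03c05rb4
  - C0exampleid
  inheritFromParent: false'

SAMPLE_POLICY_LOCKOUT='constraint: constraints/iam.allowedPolicyMemberDomains
listPolicy:
  allowedValues:
  - C03c05rb4
  inheritFromParent: false'

# Print the DIRECTORY_CUSTOMER_ID column (3rd) of `gcloud organizations list`
# output, one per line, skipping the header row.
directory_customer_ids() {
  printf '%s\n' "$1" | awk 'NR > 1 && NF >= 3 { print $3 }'
}

# Print the entries of listPolicy.allowedValues from the describe output.
allowed_values() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*allowedValues:/ { in_list = 1; next }
    in_list && /^[[:space:]]*-[[:space:]]*/ { sub(/^[[:space:]]*-[[:space:]]*/, ""); print; next }
    in_list { in_list = 0 }'
}

# Usage: missing_ids POLICY_TEXT ID...  Prints each required ID that the
# policy does not allow; exit status 1 if any are missing, 0 otherwise.
missing_ids() {
  policy="$1"; shift
  allowed=$(allowed_values "$policy")
  rc=0
  for id in "$@"; do
    if ! printf '%s\n' "$allowed" | grep -qx "$id"; then
      echo "$id"
      rc=1
    fi
  done
  return $rc
}

# Usage: preflight ORG_LIST_TEXT POLICY_TEXT  Checks that both the Cloud Rewind
# ID and every organization ID visible to the caller are allowed.
preflight() {
  own_ids=$(directory_customer_ids "$1")
  [ -n "$own_ids" ] || echo "warning: no organizations visible; cannot verify your own DIRECTORY_CUSTOMER_ID" >&2
  # $own_ids is deliberately unquoted so each line becomes one argument.
  missing_ids "$2" "$CLOUD_REWIND_CUSTOMER_ID" $own_ids
}

report() {
  if missing="$(preflight "$1" "$2")"; then
    echo "OK: policy allows Cloud Rewind and your organization"
  else
    echo "Missing IDs (add them under Custom values before saving or retrying the binding):"
    echo "$missing"
  fi
}

if [ "${1:-}" = "--live" ]; then
  # Live mode: needs an authenticated gcloud and permission to read org policies.
  PROJECT="${2:?usage: $0 --live PROJECT_ID}"
  report "$(gcloud organizations list)" \
    "$(gcloud resource-manager org-policies describe constraints/iam.allowedPolicyMemberDomains --project="$PROJECT" --effective)"
else
  echo "== constructed policy with both IDs =="
  report "$SAMPLE_ORG_LIST" "$SAMPLE_POLICY_OK"
  echo "== constructed policy missing the caller's organization =="
  report "$SAMPLE_ORG_LIST" "$SAMPLE_POLICY_LOCKOUT"
fi
```

Run it with no arguments to see both constructed cases, or with `--live PROJECT_ID` to check a real project (the warning about no visible organizations means you lack `resourcemanager.organizations.get`, and the check cannot protect you from omitting your own ID in that case).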
