Merged
61 changes: 60 additions & 1 deletion docs/2. Pre Onboarding/05. Google Cloud Storage Setup - GCS.md
Expand Up @@ -4,7 +4,7 @@
<tr>
<td><b>10 minutes read</b></td>
<td style={{ paddingLeft: '40px' }}><b>Level: Beginner</b></td>
<td style={{ paddingLeft: '40px' }}><b>Last Updated: October 2025</b></td>
<td style={{ paddingLeft: '40px' }}><b>Last Updated: June 2025</b></td>
</tr>
</table>
</h3>
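Review bot: The `Last Updated` cell appears in this hunk with both `October 2025` and `June 2025`, and the rendering has dropped the +/- markers. If the lines are in the usual removed-then-added order, the date moves backwards from October 2025 to June 2025 in a change that adds new content. Please confirm that the later date is the one that remains.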
Expand Down Expand Up @@ -331,6 +331,65 @@ Also, just to clarify — `BigQuery tables` and `GCS buckets` serve different pu

- Click `Save`.


## Resolution on the GCS Policy restriction:

A GCP Organization Admin needs to update the organisation policy that is blocking service account key creation.

### Steps 1:

1. Open **Google Cloud Console**
2. Go to **IAM & Admin → Organization Policies**
3. Search for:
`Disable service account key creation`
4. Select the policy:
`constraints/iam.disableServiceAccountKeyCreation`
5. Click **Edit**
6. Set the policy to **Not enforced** (or override it at the project level if org-level change is not allowed)
7. Save the changes

https://docs.cloud.google.com/organization-policy/restrict-service-accounts

### Step 2:

1.Go to **Google Cloud Console**
2. Activate **Cloud Shell**
3. Click **Continue** and complete the setup steps

<img width="700" height="284" alt="Image" src="https://github.com/user-attachments/assets/e254a542-6fe3-4577-8edb-716ef74b5480" />

---

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Match the existing horizontal-rule style in this file.

Use ___ instead of --- to satisfy the configured markdown lint rule.

🧰 Tools
🪛 markdownlint-cli2 (0.22.1)

[warning] 361-361: Horizontal rule style
Expected: ___; Actual: ---

(MD035, hr-style)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/2. Pre Onboarding/05. Google Cloud Storage Setup - GCS.md` at line 361,
The horizontal rule at the indicated location uses three hyphens (`---`) which
violates the repo's markdown lint rule; replace that rule with three underscores
(`___`) so the file's existing horizontal-rule style is matched and the linter
passes.


### Run the following commands in Cloud Shell

1. Authenticate (if not already authenticated):

```bash

gcloud auth login

```


2. List available organizations:
```bash

gcloud organizations list

```

3. Grant Organization Policy Admin role to the required user:
```bash

gcloud organizations add-iam-policy-binding YOUR_ORG_ID \
--member="user:ADMIN_EMAIL@yourdomain.com" \
--role="roles/orgpolicy.policyAdmin"

```

4. After access is granted, update the organization policy to allow service account key creation (disable or override the constraint):
Comment on lines +337 to +390

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Use one spelling variant consistently (organization vs organisation).

This section mixes variants; pick one (preferably organization to match Google Cloud UI/docs) for consistency.

🧰 Tools
🪛 LanguageTool

[uncategorized] ~337-~337: Do not mix variants of the same word (‘organization’ and ‘organisation’) within a single text.
Context: ...n on the GCS Policy restriction: A GCP Organization Admin needs to update the organisation ...

(EN_WORD_COHERENCY)


[uncategorized] ~342-~342: Do not mix variants of the same word (‘organization’ and ‘organisation’) within a single text.
Context: ...loud Console** 2. Go to IAM & Admin → Organization Policies 3. Search for: `Disable s...

(EN_WORD_COHERENCY)


[uncategorized] ~369-~369: Do not mix variants of the same word (‘organization’ and ‘organisation’) within a single text.
Context: ... gcloud auth login 2. List available organizations: gcloud organizations list 3. Grant O...

(EN_WORD_COHERENCY)


[uncategorized] ~371-~371: Do not mix variants of the same word (‘organization’ and ‘organisation’) within a single text.
Context: .... List available organizations: gcloud organizations list 3. Grant Organization Policy Admi...

(EN_WORD_COHERENCY)


[uncategorized] ~373-~373: Do not mix variants of the same word (‘organization’ and ‘organisation’) within a single text.
Context: ...s: gcloud organizations list 3. Grant Organization Policy Admin role to the required user:...

(EN_WORD_COHERENCY)


[uncategorized] ~375-~375: Do not mix variants of the same word (‘organization’ and ‘organisation’) within a single text.
Context: ...dmin role to the required user: gcloud organizations add-iam-policy-binding YOUR_ORG_ID \ ...

(EN_WORD_COHERENCY)


[uncategorized] ~379-~379: Do not mix variants of the same word (‘organization’ and ‘organisation’) within a single text.
Context: ... 4. After access is granted, update the organization policy to allow service account key cre...

(EN_WORD_COHERENCY)

🪛 markdownlint-cli2 (0.22.1)

[warning] 361-361: Horizontal rule style
Expected: ___; Actual: ---

(MD035, hr-style)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/2. Pre Onboarding/05. Google Cloud Storage Setup - GCS.md` around lines
337 - 379, The document mixes "organisation" and "organization"; standardize to
"organization" throughout (including headings, step text, and the policy name
line `constraints/iam.disableServiceAccountKeyCreation`) so language matches
Google Cloud UI and docs; update all instances (e.g., "GCP Organization Admin",
"Organization Policies", and any in-step text) to use the single chosen
spelling.

constraints/iam.disableServiceAccountKeyCreation
Comment on lines +390 to +391

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

What is the current gcloud command to disable enforcement of the boolean organization policy constraint `constraints/iam.disableServiceAccountKeyCreation` at:

  1. organization scope
  2. project scope (override)?

Please provide examples from official Google Cloud documentation.

💡 Result:

To disable the enforcement of the boolean organization policy constraint `constraints/iam.disableServiceAccountKeyCreation`, you use the `gcloud resource-manager org-policies disable-enforce` command [1]. This command turns off the enforcement of a boolean constraint at a specific resource level [1]. Note that for this command, the constraint name should be specified as `iam.disableServiceAccountKeyCreation` (the prefix `constraints/` is typically omitted when using this specific command) [1].

1) Organization Scope

To disable enforcement at the organization level, use the `--organization` flag with your Organization ID [1]:

```bash
gcloud resource-manager org-policies disable-enforce iam.disableServiceAccountKeyCreation \
  --organization=ORGANIZATION_ID
```

2) Project Scope (Override)

To disable enforcement at the project level, use the `--project` flag with your Project ID [1]. This overrides any policies inherited from higher levels in the resource hierarchy [1]:

```bash
gcloud resource-manager org-policies disable-enforce iam.disableServiceAccountKeyCreation \
  --project=PROJECT_ID
```

Alternatively, you can manage organization policies by creating a YAML policy file and applying it using `gcloud org-policies set-policy`, which allows for more complex configurations (such as specific overrides) [2][3]. When using this method to disable enforcement, your YAML file would set `enforce: false` for the specified constraint [2]. Ensure you have the necessary IAM permissions, such as the Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) role, to modify these policies [2].


Add the executable gcloud commands for updating the organization policy.

The step currently shows only the constraint name. Include the exact commands users need:

For organization scope:

```bash
gcloud resource-manager org-policies disable-enforce iam.disableServiceAccountKeyCreation \
  --organization=ORGANIZATION_ID
```

For project scope (override):

```bash
gcloud resource-manager org-policies disable-enforce iam.disableServiceAccountKeyCreation \
  --project=PROJECT_ID
```

Note: The constraint name in the command omits the constraints/ prefix. Users will also need the Organization Policy Administrator (roles/orgpolicy.policyAdmin) role to execute these.

🧰 Tools
🪛 LanguageTool

[uncategorized] ~379-~379: Do not mix variants of the same word (‘organization’ and ‘organisation’) within a single text.
Context: ... 4. After access is granted, update the organization policy to allow service account key cre...

(EN_WORD_COHERENCY)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/2. Pre Onboarding/05. Google Cloud Storage Setup - GCS.md` around lines
379 - 380, Add explicit gcloud commands to update the organization policy for
iam.disableServiceAccountKeyCreation: show the org-scope command using gcloud
resource-manager org-policies disable-enforce with
--organization=ORGANIZATION_ID and the project-scope override using the same
command with --project=PROJECT_ID, note that the constraint name in the command
omits the "constraints/" prefix (use iam.disableServiceAccountKeyCreation) and
mention that the user needs the Organization Policy Administrator role
(roles/orgpolicy.policyAdmin) to run these commands; reference the constraint
identifier constraints/iam.disableServiceAccountKeyCreation in the explanatory
text so readers can map it to the commands.


### Reference Articles

- [GCS Pricing Details](https://cloud.google.com/storage/pricing)
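
Review bot: Step 6 under `### Steps 1:` makes setting `constraints/iam.disableServiceAccountKeyCreation` to **Not enforced** at the organization level the default path and leaves the project-level override in parentheses, which lifts the restriction on service account key creation for every project rather than only the one this setup uses. Suggest making the project-level override the primary instruction and adding a closing step that re-enforces the constraint once the key has been created. Likewise, step 3 of the Cloud Shell commands binds `--role="roles/orgpolicy.policyAdmin"` at organization scope with no later step to remove the binding. Smaller points: step 4 ends with the bare constraint name and no command to run, the headings read `### Steps 1:` and `### Step 2:`, and `1.Go to` is missing the space after the list number.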