Tags: google-cloud-platform, gcloud, google-cloud-iam

Can I add an organization-level gcp Custom Role to a project?


I am trying to create a Custom Role in a Google Cloud organization, then apply that group to one of that organization's projects. However, this doesn't seem to work:

$ gcloud projects add-iam-policy-binding \
      --member="group:data.viewer@example.com" \
      --role="roles/viewer" "my-project"
ERROR: Policy modification failed. For a binding with condition, run "gcloud alpha iam policies lint-condition" to identify issues in condition.
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Group data.viewer@example.com does not exist.

Here is the organizational-level role I'm trying to assign:

$ gcloud iam roles describe data.viewer --organization 1234567
description: Can View Analytics
etag: ...
name: organizations/1234567/roles/data.viewer
stage: ALPHA
title: Data Viewer

The documentation seems open to interpretation:

Custom roles can only be used to grant permissions in policies for the same project or organization that owns the roles or resources under them. You cannot grant custom roles from one project or organization on a resource owned by a different project or organization.

Does that mean that my custom role can or cannot be used in a project within that organization?

I'm also wondering if this is not the correct way to group users together and give them permissions to various projects.


Solution

  • From the above error, it seems that Group data.viewer@example.com does not exist. Can you make sure that this group exists and is owned by the same organization?
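Two argument shapes cause most failures with this command: the member must carry a type prefix and name a group that actually exists in the organization's Cloud Identity or Workspace directory, and an organization-level custom role must be referenced by its full resource name (the `name:` field from `gcloud iam roles describe`, i.e. `organizations/1234567/roles/data.viewer`), never as `roles/data.viewer`, since the `roles/` prefix is reserved for predefined roles. The script below is an added example, not part of the question or the answer: it validates those two shapes offline and prints the binding command rather than executing it. The organization id, role id, group and project are constructed placeholders taken from the question; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the question or answer): compose the gcloud binding
# for an organization-level custom role on a project, after checking the
# argument shapes that commonly produce INVALID_ARGUMENT. Nothing here
# contacts Google Cloud; the command is printed for the operator to run.

# Return the full resource name of an organization-level custom role.
# Custom roles are never "roles/<id>"; that prefix belongs to predefined roles.
org_role_name() {
    org_id="$1"; role_id="$2"
    case "$org_id" in
        ''|*[!0-9]*) echo "organization id must be numeric: '$org_id'" >&2; return 1 ;;
    esac
    case "$role_id" in
        '') echo "role id must not be empty" >&2; return 1 ;;
        roles/*|organizations/*|projects/*)
            echo "pass the bare role id (e.g. data.viewer), not '$role_id'" >&2; return 1 ;;
    esac
    printf 'organizations/%s/roles/%s\n' "$org_id" "$role_id"
}

# The member must be typed (user:, group:, serviceAccount:) and look like an
# address; a bare "data.viewer@example.com" is rejected by the API as well.
check_member() {
    case "$1" in
        user:*@*|group:*@*|serviceAccount:*@*) return 0 ;;
        *) echo "member must look like group:name@domain, got '$1'" >&2; return 1 ;;
    esac
}

# Compose the add-iam-policy-binding line for PROJECT using the org role.
# Prints the command on success; returns non-zero on any validation failure.
bind_custom_role() {
    project="$1"; org_id="$2"; role_id="$3"; member="$4"
    role=$(org_role_name "$org_id" "$role_id") || return 1
    check_member "$member" || return 1
    printf 'gcloud projects add-iam-policy-binding %s --member=%s --role=%s\n' \
        "$project" "$member" "$role"
}

# Constructed inputs matching the question; prints the command to run.
bind_custom_role "my-project" 1234567 data.viewer group:data.viewer@example.com
```

After running the printed command, `gcloud projects get-iam-policy my-project` should list a binding whose `role` is the full `organizations/1234567/roles/data.viewer` name; if the group still does not resolve, the fix is on the directory side (create or verify the Google Group under the organization's domain), not in the role reference.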