GCP IAM Access Denied: User from another domain does not have access to query BQ under Org
I have GCP org set up under a verified domain name (company.tech) with cloud identity enabled to use google cloud project. I am managing access to users through google groups (via admin panel). I've created a group with users from (company.tech, service account, Gmail & company.co.xx) i.e allowing members outside the org, let's call the group >> [email protected]
Following are the IAM policies added for the group:
BigQuery Job User
BigQuery Metadata Viewer
Also, ACL access was added to a dataset BigQuery Data Viewer
The issue is, I am able to query from gmail, service account & company.tech domain accounts but the users under company.co.xx (this is not a cloud identity account but google mapped account using sign up with an existing email with Office 365 subscription) can neither select project nor query and end up getting the following error & cannot preview/query the bigquery dataset tables.
Access Denied: Project <<>>: User does not have bigquery.jobs.create permission in project <<>>
I tried the following but I still get the same error for company.co.xx accounts:
- Added the custom rule to allow company.co.xx under domain restricted contacts org policy
- Added the domain under
Allowlisted domainsin google admin panel (but unfortunately, as mentioned there the domain is not linked with cloud identity/gws instead the accounts are signed up using existing email)
Google Groups is managed independently from Google Cloud IAM - they are independent services. You can add an identity to Google Groups which is not supported by Google Cloud IAM. In your case, that is what you did. If you want to use Microsoft identities with Google Cloud you will need to set up federation with Active Directory.
- Why does my GKE cluster not show any events?
- Python to get billing info from Gcloud
- Google Cloud: sign a JWT while impersonating a service account
- Firebase Firestore: Accessing Never-Retrieved Data Offline
- Google recaptcha enterprise: Your default credentials were not found
- Firebase Admin SDK cant upload to storage bucket folder
- Accessing Firestore via Cloud Function
- Problem with executing asynchronous Cloud Function
- do you need to create a separate collection/document for reading an aggregated document with firebase cloud function
- httpsCallable is not a function when calling a Firebase function
- Google Cloud Eventarc: Receive events via Pub/Sub directly
- Android Studio's project gradle file changed?
- How to listen to button triggers using Firebase
- gcloud auth login throwing error: gcloud crashed (ConnectionError): HTTPSConnectionPool(host='oauth2.googleapis.com', port=443): Max retries exceeded
- Google Cloud Build Error: build step 0 "gcr.io/cloud-builders/docker" failed: step exited with non-zero status: 1
- Terraform - GCP - Import project IAM member
- Choosing fields to return with Places API (new) client library
- Deploy to Update version of Gmail App Script Extension
- Getting random "User not found in file /etc/passwd" error on Cloud Run Job
- Change time format in GCP Logs Explorer
- Deploying to Cloud Run with a custom service account failed with iam.serviceaccounts.actAs error
- Deploying a pelican site to Google Cloud Run with Dockerfile not working
- Is there a good explanation of resource labels versus metric labels?
- Why do I set the resource type when writing the metric but not when creating a descriptor?
- google-github-actions/get-gke-credentials failed with: required "container.clusters.get" permission(s)
- GA4 Data Not Retained for More Than 60 Days Despite BigQuery Table Expiration Set to 'Never
- How to list all enabled API services for Google Cloud Platform project
- Google Cloud calendar API connection error
- Downloading a folder from cloud storage in GitHub action and move it inside a docker container is not working
- How to fix CloudRun error 'The request was aborted because there was no available instance'