
Organisational Policy Permissions Google Cloud for Microsoft Migration
I am attempting to shift a small business (5 email inboxes) over to Microsoft 365 Business. I made sure to organise all the DNS prerequisites on both sides before performing the migration. The automated process completed, but no JSON file was created on the Google side. I attempted to download the API key for the service account, but I get the error that service account key creation is disabled. Tracing that, I found under the organisational policies that service account key creation (iam.disableServiceAccountKeyCreation) was enforced. There is only one account with access to the cloud, policies etc., and that account is supposed to have all organisational permissions; however, checking in the Cloud Shell, I continue to get access errors, and neither the service account nor the main account appears to have permission to make any changes.

I am brand new to this account/network/business side of IT so I am a bit unsure what the issue might be. I have attempted to make changes according to the documentation but I have had no success.

Looking at `gcloud organizations describe organizationurl.com`, in the return there is no owner depicted. Using `gcloud projects describe projectnametmpz` I get a "do not have permission to access project" error. Similarly for

gcloud iam service-accounts keys create file.json \
--iam-account [email protected]

ERROR: (gcloud.iam.service-accounts.keys.create) FAILED_PRECONDITION: Key creation is not allowed on this service account.

If anyone could give me some pointers on how to enable the correct permissions I would be immensely grateful.

I have attempted to trace the problem on the Google end, and I have narrowed it down to being Microsoft support could not help and for Google Cloud support a subscription was needed, and all the documentation seems to be sending me in circles.


Solution

I had the same problem after completing the EOP wizard for Workspace migration. Took me a couple of hours to figure out 8-/

With a Workspace super admin, log in to https://console.cloud.google.com. Make sure you're working in the root org.

  • Select IAM and admin.
  • In IAM on the left-hand menu, edit permissions for the organisation.
  • Add Organisation Policy Administrator and save.
  • Go to Organisation policies in the left-hand menu.
  • Search for 'Disable service account key creation'.
  • Edit the policy, set Enforcement to Off and save.
  • Change workspace from the root org to the project the 365 wizard created. Mine was called projectnamempij.
  • In IAM and admin, go to Service accounts in the left-hand menu.
  • In the 3-dots menu beside the service account, select Manage keys.
  • When in the service account, Add key -> Create new key.
  • The JSON file is created and downloaded.
  • Create a new endpoint in Exchange Online and use the downloaded JSON.

Hope this helps.
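The same steps expressed as gcloud commands, added here as an example; this is not code from the question or the answer. The organisation id, admin address, project id and service-account address are placeholders. It differs from the console walkthrough in one respect: instead of switching enforcement off for the whole organisation, it overrides the constraint only on the migration project (the same constraint, set at project scope), creates the key, then deletes the project-level policy so the organisation default is inherited again.

```shell
#!/bin/sh
# Added example (not from the original post): scope the key-creation
# exception to the migration project and remove it after the key exists.
# All ids and addresses below are hypothetical placeholders.
set -eu

# Point GCLOUD at a stub (e.g. GCLOUD=echo) to dry-run without touching Google Cloud.
GCLOUD="${GCLOUD:-gcloud}"
CONSTRAINT="iam.disableServiceAccountKeyCreation"

# Step 1 in the answer: give the admin the Organisation Policy Administrator role at org level.
grant_org_policy_admin() {          # $1 = organisation id, $2 = admin e-mail
  "$GCLOUD" organizations add-iam-policy-binding "$1" \
    --member="user:$2" --role="roles/orgpolicy.policyAdmin"
}

# Show what the project actually inherits before changing anything.
show_effective_policy() {           # $1 = project id
  "$GCLOUD" resource-manager org-policies describe "$CONSTRAINT" --project="$1" --effective
}

# Override the constraint on the migration project only (narrower than org-wide "Off").
allow_key_creation() {              # $1 = project id
  "$GCLOUD" resource-manager org-policies disable-enforce "$CONSTRAINT" --project="$1"
}

# Create the JSON key the Exchange Online endpoint needs, then restrict the file's mode.
create_key() {                      # $1 = project id, $2 = service-account e-mail, $3 = output file
  "$GCLOUD" iam service-accounts keys create "$3" --iam-account="$2" --project="$1"
  if [ -f "$3" ]; then chmod 600 "$3"; fi
}

# Delete the project-level policy so the organisation's enforcement applies again.
restore_policy() {                  # $1 = project id
  "$GCLOUD" resource-manager org-policies delete "$CONSTRAINT" --project="$1"
}

# Full sequence: grant role, open the exception, mint the key, close the exception.
run_key_flow() {                    # $1 org id, $2 admin, $3 project, $4 sa e-mail, $5 key file
  grant_org_policy_admin "$1" "$2"
  show_effective_policy "$3"
  allow_key_creation "$3"
  create_key "$3" "$4" "$5"
  restore_policy "$3"
}

# Usage: sh this-script.sh run ORG_ID ADMIN_EMAIL PROJECT_ID SA_EMAIL ./sa-key.json
if [ "${1:-}" = "run" ]; then
  run_key_flow "$2" "$3" "$4" "$5" "$6"
fi
```

The key file is a bearer credential for the service account: keep it only as long as the Exchange Online endpoint needs it, and `gcloud iam service-accounts keys list --iam-account=SA_EMAIL` shows what is still outstanding afterwards.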