taers232c / GAMADV-XTD3

Command line tool to manage Google Workspace

Error 400: failedPrecondition #289

Closed wallarug closed 1 year ago

wallarug commented 2 years ago

Hey Ros,

I have returned. It has been a while.

I am encountering issues setting up the GAM project in GCP. I keep getting hit with the error outlined below:

ERROR: 400: failedPrecondition - One or more users named in the policy do not belong to a permitted customer.

Let me outline exactly what I have done:

gam create project
WARNING: Config File: C:\GSUITE\GAMConfig\gam.cfg, Section: DEFAULT, Item: client_secrets_json, Value: C:\GSUITE\GAMConfig\client_secrets.json, Not Found
WARNING: Config File: C:\GSUITE\GAMConfig\gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: C:\GSUITE\GAMConfig\oauth2.txt, Not Found
WARNING: Config File: C:\GSUITE\GAMConfig\gam.cfg, Section: DEFAULT, Item: oauth2service_json, Value: C:\GSUITE\GAMConfig\oauth2service.json, Not Found

Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s): gam-project-abc-efg-hij? <EMAILADDRESS>

Go to the following link in a browser on this computer or on another computer:

    [REDACTED]

If you use a browser on another computer, you will get a browser error that the site can't be reached AFTER you
click the Allow button, paste "Unable to connect" URL from other computer (only URL data up to &scope required):

Enter verification code or paste "Unable to connect" URL from other computer (only URL data up to &scope required): 127.0.0.1 - - [31/Jul/2022 17:35:31] "GET /?state=[REDACTED]&code=[REDACTED]&scope=https://www.googleapis.com/auth/cloud-platform HTTP/1.1" 200 99

The authentication flow has completed.
Creating project "GAM Project"...
Checking project creation status...
Project: gam-project-bbr-mcw-owj, Enable 34 APIs
  API: accesscontextmanager.googleapis.com, Enabled (1/34)
  API: admin.googleapis.com, Enabled (2/34)
  API: alertcenter.googleapis.com, Enabled (3/34)
  API: audit.googleapis.com, Enabled (4/34)
  API: calendar-json.googleapis.com, Enabled (5/34)
  API: chat.googleapis.com, Enabled (6/34)
  API: chromemanagement.googleapis.com, Enabled (7/34)
  API: chromepolicy.googleapis.com, Enabled (8/34)
  API: classroom.googleapis.com, Enabled (9/34)
  API: cloudchannel.googleapis.com, Enabled (10/34)
  API: cloudidentity.googleapis.com, Enabled (11/34)
  API: cloudresourcemanager.googleapis.com, Enabled (12/34)
  API: contacts.googleapis.com, Enabled (13/34)
  API: datastudio.googleapis.com, Enabled (14/34)
  API: docs.googleapis.com, Enabled (15/34)
  API: drive.googleapis.com, Enabled (16/34)
  API: driveactivity.googleapis.com, Enabled (17/34)
  API: drivelabels.googleapis.com, Enabled (18/34)
  API: forms.googleapis.com, Enabled (19/34)
  API: gmail.googleapis.com, Enabled (20/34)
  API: groupsmigration.googleapis.com, Enabled (21/34)
  API: groupssettings.googleapis.com, Enabled (22/34)
  API: keep.googleapis.com, Enabled (23/34)
  API: iam.googleapis.com, Enabled (24/34)
  API: iap.googleapis.com, Enabled (25/34)
  API: licensing.googleapis.com, Enabled (26/34)
  API: people.googleapis.com, Enabled (27/34)
  API: pubsub.googleapis.com, Enabled (28/34)
  API: reseller.googleapis.com, Enabled (29/34)
  API: sheets.googleapis.com, Enabled (30/34)
  API: siteverification.googleapis.com, Enabled (31/34)
  API: storage-api.googleapis.com, Enabled (32/34)
  API: tasks.googleapis.com, Enabled (33/34)
  API: vault.googleapis.com, Enabled (34/34)
Setting GAM project consent screen...
Project: gam-project-abc-efg-hij, Service Account: gam-project-abc-efg-hij@gam-project-abc-efg-hij.iam.gserviceaccount.com, Enabled
Project: gam-project-abc-efg-hij, Service Account: gam-project-abc-efg-hij@gam-project-abc-efg-hij.iam.gserviceaccount.com, Generating new private key
Project: gam-project-abc-efg-hij, Service Account: gam-project-abc-efg-hij@gam-project-abc-efg-hij.iam.gserviceaccount.com, Extracting public certificate
Project: gam-project-abc-efg-hij, Service Account: gam-project-abc-efg-hij@gam-project-abc-efg-hij.iam.gserviceaccount.com, Done generating private key and public certificate
Project: gam-project-abc-efg-hij, Service Account: gam-project-abc-efg-hij@gam-project-abc-efg-hij.iam.gserviceaccount.com, Uploading new public certificate to Google...

Project: gam-project-abc-efg-hij, Service Account: gam-project-abc-efg-hij@gam-project-abc-efg-hij.iam.gserviceaccount.com, Service Account Key: [REDACTED], Uploaded
Service Account OAuth2 File: C:\GSUITE\GAMConfig\oauth2service.json, Service Account Key: [REDACTED], Updated
Project: gam-project-abc-efg-hij, Service Account: gam-project-abc-efg-hij@gam-project-abc-efg-hij.iam.gserviceaccount.com, Giving account gam-project-abc-efg-hij@gam-project-abc-efg-hij.iam.gserviceaccount.com rights to rotate gam-project-abc-efg-hij@gam-project-abc-efg-hij.iam.gserviceaccount.com private key

ERROR: 400: failedPrecondition - One or more users named in the policy do not belong to a permitted customer.

There is nothing I can do after I hit this step. The setup process exits.

I ran debug mode to see if I could get some more information on this. It appears that GCP is upset with giving the service account the role: roles/iam.serviceAccountKeyAdmin.

I'm happy to provide more details over email.

wallarug commented 2 years ago

I forgot to add: I managed to set up Got Your Back without any issues (in case that is helpful information).

wallarug commented 2 years ago

Ok - I have solved this problem.

The default Google Cloud Platform instructions when you set up a new domain name strongly request that you turn on the "Domain Restricted sharing" constraint.

[Image: screenshot of the Cloud Setup security page] Source: https://console.cloud.google.com/cloud-setup/security

https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains?&_ga=2.19236337.-896336477.1659249710#setting_the_organization_policy

When this is turned on, it for some reason stops the service accounts from doing whatever is needed for GAM to work. I'm not exactly sure what it does except for break GAM 😆 .

Any feedback on if this can be turned back on or if there is another workaround to turning it off would be much appreciated.
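A pre-flight check that reproduces the failure the thread describes: given an org policy for `constraints/iam.allowedPolicyMemberDomains` (Domain Restricted Sharing) in the dict shape that `gcloud resource-manager org-policies describe` prints, it reports which members of a proposed IAM binding would be refused before GAM ever calls `setIamPolicy`. This is an added example, not GAMADV-XTD3 code; the customer IDs, identities and the member-to-customer lookup table are constructed stand-ins for the directory lookup Google performs.

```python
"""Pre-flight check for Domain Restricted Sharing (DRS) rejections.

Added example, not GAMADV-XTD3 code. Evaluates a proposed IAM binding against
the org policy for constraints/iam.allowedPolicyMemberDomains, in the shape
`gcloud resource-manager org-policies describe` returns. The MEMBER_CUSTOMER
table below is a constructed stand-in for Google's own identity lookup.
"""
from typing import Optional

CONSTRAINT = "constraints/iam.allowedPolicyMemberDomains"

# Constructed org policy: DRS enforced, one invented customer ID allowed.
DRS_POLICY = {
    "constraint": CONSTRAINT,
    "listPolicy": {"allowedValues": ["C01example"]},
}

# Constructed lookup: which Workspace/Cloud Identity customer each identity
# belongs to. None models an identity Google cannot map to any customer,
# which is what the page's "do not belong to a permitted customer" error names.
MEMBER_CUSTOMER = {
    "user:admin@example.com": "C01example",
    "serviceAccount:gam-sa@gam-project-in-org.iam.gserviceaccount.com": "C01example",
    "serviceAccount:gam-sa@gam-project-no-org.iam.gserviceaccount.com": None,
    "user:guest@partner.example": "C09partner",
}


def permitted_customers(policy: dict) -> Optional[set]:
    """Allowed customer IDs, or None when DRS is not enforced
    (no listPolicy, or `allValues: ALLOW`)."""
    lp = policy.get("listPolicy")
    if not lp or lp.get("allValues") == "ALLOW":
        return None
    return set(lp.get("allowedValues", []))


def rejected_members(binding: dict, policy: dict) -> list:
    """Members of `binding` that DRS would refuse; the public principals
    allUsers/allAuthenticatedUsers are always refused when DRS is enforced."""
    allowed = permitted_customers(policy)
    if allowed is None:
        return []
    bad = []
    for member in binding.get("members", []):
        customer = MEMBER_CUSTOMER.get(member)
        if member in ("allUsers", "allAuthenticatedUsers") or customer not in allowed:
            bad.append(member)
    return bad
```

Run `rejected_members` on the `roles/iam.serviceAccountKeyAdmin` binding GAM is about to apply; a non-empty result predicts the 400 failedPrecondition seen above, and the offending member is the service account whose project sits outside the permitted customer.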