Reputation: 3
I received mail from Google like this:
Dear Google Compute Engine Customer,
On October 21, 2019, we sent a message to announce that Google will begin rolling out a change to the behavior of the Disable VM Nested virtualization Organization Policy Boolean Constraint on January 31, 2019....
What do I need to know?
Currently, the default behavior of the Disable VM Nested virtualization constraint is to allow users to create virtual machines (VMs) with nested virtualization in organizations, folders and projects. Unless the constraint is explicitly set to “enforced” by the user on the project, folder, or organization, users can create VMs that support nested virtualization.
After February 7, 2020, the constraint’s default behavior will no longer allow users to create nested virtualization-enabled VMs.
What do I need to do?
Before February 7, 2020, to continue running VMs with nested virtualization you will need to explicitly set the ‘Disable VM Nested virtualization’ constraint on your projects, folders, or organizations to allow nested virtualization.
To continue running nested VMs in your projects: Disable enforcement of the constraint for your organization, folder, or projects, as appropriate. The following command can be used to disable enforcement of the constraint on a specific project.
gcloud beta resource-manager org-policies disable-enforce compute.disableNestedVirtualization --project=PROJECT_ID
Now, we have detected that the following projects have had VMs using nested virtualization: my-VM-gcp (my-VM-gcp-XXXXXX)
...
So I ran this command on GCloud Shell:
gcloud beta resource-manager org-policies disable-enforce \
compute.disableNestedVirtualization \
--project=$(gcloud projects list --format="value(projectId)")
and the result is:
ERROR: (gcloud.beta.resource-manager.org-policies.disable-enforce)
User [[email protected]] does not have permission to access
project [my-vm-gcp-xxxxxx:setOrgPolicy] (or it may not exist):
The caller does not have permission
BTW: I tried with "sudo", checked the "IAM" Console, and verified my user is OWNER.
Can somebody help me? Thanks.
Upvotes: 0
Views: 341
Reputation: 409
To edit any of these policies you will need Organization Policy roles, and not just the Owner role.
Upvotes: 0
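The role the answer points to is Organization Policy Administrator (`roles/orgpolicy.policyAdmin`), which is bound on the organization rather than on the project. The following is an added example, not part of the original thread: it checks whether a member holds that role before the `disable-enforce` command is retried. The function names are hypothetical, and it assumes the project sits under an organization and that `gcloud` is installed and authenticated.

```shell
#!/bin/sh
# Added example (not from the original thread); function names are hypothetical.
# Only direct bindings are checked: a role held through a group is not detected.

ROLE="roles/orgpolicy.policyAdmin"   # Organization Policy Administrator

# Print the numeric ID of the organization that contains project $1.
# get-ancestors lists "<id> <type>" per line: project first, organization last.
org_of_project() {
  gcloud projects get-ancestors "$1" --format="value(id,type)" |
    awk '$2 == "organization" { print $1 }'
}

# Succeed if member $2 (e.g. user:alice@example.com) holds ROLE on organization $1.
has_orgpolicy_admin() {
  gcloud organizations get-iam-policy "$1" \
      --flatten="bindings[].members" \
      --filter="bindings.role:$ROLE" \
      --format="value(bindings.members)" |
    grep -Fxq -- "$2"
}

# Report whether member $2 can change organization policies that apply to project $1.
check_orgpolicy_access() {
  org="$(org_of_project "$1")"
  if [ -z "$org" ]; then
    echo "no-organization"
    return 2
  fi
  if has_orgpolicy_admin "$org" "$2"; then
    echo "ok"
    return 0
  fi
  echo "missing $ROLE on organizations/$org"
  return 1
}

# Usage:
#   check_orgpolicy_access PROJECT_ID user:EMAIL
# If the role is missing, an organization administrator can grant it with:
#   gcloud organizations add-iam-policy-binding ORG_ID \
#     --member="user:EMAIL" --role="roles/orgpolicy.policyAdmin"
# After that, the disable-enforce command from the question can be retried.
```

Project-level Owner does not show up in this check because the binding it looks for lives in the organization's IAM policy, not the project's.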