Leonardo

Reputation: 101

Error when migrating projects in GCP, could someone help me?

I'm trying to migrate 2 projects from "No organization" to a newly created organization in GCP.

The user has project-level permissions: Owner

At the organization level the user has the permissions: Organization Administrator, Project Creator

When trying to perform the migration, it displays the error:

Permission denied
You do not have the following required permission to perform this action:
"resourcemanager.projects.update"

I've tried to perform the procedure via the command line too, but it didn't work either:

ERROR: (gcloud.beta.projects.move) User ["my user"] does not have 
permission to access projects instance ["my project"] (or it may not exist):
The caller does not have permission.

Permissions of the group the user belongs to at the organization level: Support Account Administrator, Organization Role Administrator, Organization Policy Administrator, Folder admin, Organization Administrator, Project Creator, Project Mover, Security Center Admin

User permission at the Organization level: Organization Administrator, Project Mover

User permission at project level: Owner, Project Mover, Organization Administrator

Would you have any more suggestions?

Upvotes: 6

Views: 8893

Answers (5)

Eugene Maysyuk

Reputation: 3388

The dropdown in GCP might show No organization instead of the actual organization name due to insufficient permissions to access organization details. Migration issues could arise from the lack of permissions granted at the organizational level to which the project belongs.

In my case, the project was listed in GCP under No organization but in fact belonged to another organization (our partners'). I verified that with:

gcloud projects list --format json

The output was as follows:

{
  "createTime": "2023-11-08T01:01:35.791Z",
  "lifecycleState": "ACTIVE",
  "name": "Some name",
  "parent": {
    "id": "123456789012",
    "type": "organization"
  },
  "projectId": "project-staging",
  "projectNumber": "111001132111"
}

If a project has No organization, the output of the command gcloud projects list --format json would likely include an empty parent field or it might not appear at all.

You can verify whether the parent ID corresponds to your organization ID. If it doesn't, you can ask the potential owner to confirm whether it is their organization ID.

Also, make sure you familiarize yourself with the GCP migration checklist: https://cloud.google.com/resource-manager/docs/project-migration-checklist?hl=en#checklist-section-3

Upvotes: 0
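The parent check described in this answer, as an added example that is not part of the original post: it reads the JSON printed by `gcloud projects list --format json` and reports which projects have no parent, which sit under your organization, and which belong to another one. The function name, the organization ID `999999999999` and the sample records are constructed for illustration.

```python
import json
import sys


def classify_parents(projects_json, my_org_id):
    """Map each projectId to a verdict derived from its 'parent' field."""
    projects = json.loads(projects_json)
    if isinstance(projects, dict):      # a single object, as pasted in the answer
        projects = [projects]
    verdicts = {}
    for project in projects:
        parent = project.get("parent") or {}   # field may be empty or absent
        ptype, pid = parent.get("type"), parent.get("id")
        if not pid:
            verdict = "no-parent"               # genuinely has no organization
        elif ptype == "organization" and pid == my_org_id:
            verdict = "my-organization"
        elif ptype == "organization":
            verdict = "other-organization:" + pid
        else:
            verdict = "%s:%s" % (ptype, pid)    # e.g. a folder; resolve its org separately
        verdicts[project["projectId"]] = verdict
    return verdicts


# Constructed sample: the record from the answer plus three made-up projects.
SAMPLE = """[
  {"projectId": "project-staging",
   "parent": {"id": "123456789012", "type": "organization"}},
  {"projectId": "orphan-project"},
  {"projectId": "team-project",
   "parent": {"id": "999999999999", "type": "organization"}},
  {"projectId": "foldered-project",
   "parent": {"id": "555555555555", "type": "folder"}}
]"""

if __name__ == "__main__":
    # Usage: gcloud projects list --format json | python3 this_file.py YOUR_ORG_ID
    org_id = sys.argv[1] if len(sys.argv) > 1 else "999999999999"
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for project_id, verdict in classify_parents(data, org_id).items():
        print(project_id, verdict)
```

A project reported as `other-organization:<id>` is the situation this answer describes: the console shows No organization only because the caller cannot read that organization.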

Jose Caicedo

Reputation: 151

When you try to migrate, the error occurs because you don't have organization policies. To move a project resource to a new organization, you must first apply an organization policy that will define the organizations to which the project can be moved.

On the parent resource to the project you want to move, set an organization policy that includes the constraints/resourcemanager.allowedExportDestinations. This will define the target destination as a valid location to which you can migrate the project.

On the destination resource, set an organization policy that includes the constraints/resourcemanager.allowedImportSources. This will define the source as a valid location from which you can migrate your project.

For example, say you had a project my-test-project that existed under an organization with the ID 12345678901, and you wanted to move it to a new organization for your secondary business unit, with the ID 45678901234.

You would set an organization policy on organizations/12345678901 with the constraints/resourcemanager.allowedExportDestinations constraint enforced and under:organizations/45678901234 set as an allowed_value.

Then, set an organization policy on organizations/45678901234 with the constraints/resourcemanager.allowedImportSources constraint enforced and under:organizations/12345678901 set as an allowed_value.

Once these organization policies are enforced, you will be able to move my-test-project from organizations/12345678901 to organizations/45678901234, assuming you have the permissions noted in Assign permissions.

https://cloud.google.com/resource-manager/docs/project-migration#configure_organization_policies

Upvotes: 3
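A pre-flight check for the two policies this answer describes, as an added example that is not part of the original post: it reports which side is still missing its `under:organizations/...` entry, the usual cause when only one of the two constraints has been set. It assumes each policy is a dict in the `constraint` / `listPolicy.allowedValues` shape printed by `gcloud resource-manager org-policies describe --format json`, and it only looks for organization-level `under:` entries; the function names and sample policies are constructed.

```python
EXPORT = "constraints/resourcemanager.allowedExportDestinations"
IMPORT = "constraints/resourcemanager.allowedImportSources"


def allowed_values(policies, constraint):
    """Collect listPolicy.allowedValues for one constraint from a list of policies."""
    values = set()
    for policy in policies:
        if policy.get("constraint") == constraint:
            values.update(policy.get("listPolicy", {}).get("allowedValues", []))
    return values


def migration_policy_gaps(src_org, src_policies, dst_org, dst_policies):
    """Return the missing entries; an empty list means both sides allow the move."""
    gaps = []
    need_export = "under:organizations/" + dst_org   # must be set on the source
    need_import = "under:organizations/" + src_org   # must be set on the destination
    if need_export not in allowed_values(src_policies, EXPORT):
        gaps.append("organizations/%s: %s lacks %s" % (src_org, EXPORT, need_export))
    if need_import not in allowed_values(dst_policies, IMPORT):
        gaps.append("organizations/%s: %s lacks %s" % (dst_org, IMPORT, need_import))
    return gaps


# Constructed sample policies using the organization IDs from the answer above.
SRC_ORG, DST_ORG = "12345678901", "45678901234"
SRC_POLICIES = [{"constraint": EXPORT,
                 "listPolicy": {"allowedValues": ["under:organizations/" + DST_ORG]}}]
DST_POLICIES = [{"constraint": IMPORT,
                 "listPolicy": {"allowedValues": ["under:organizations/" + SRC_ORG]}}]

if __name__ == "__main__":
    # Only the source side configured: the import constraint is reported as missing.
    for gap in migration_policy_gaps(SRC_ORG, SRC_POLICIES, DST_ORG, []):
        print("MISSING:", gap)
    both = migration_policy_gaps(SRC_ORG, SRC_POLICIES, DST_ORG, DST_POLICIES)
    print("gaps with both sides set:", both)
```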

Leonardo

Reputation: 101

I contacted our partner and we saw that the projects were linked to their organization. For me it appeared as "No organization" because I only had access to the project but not to their organization.

To solve it, it was necessary to open a ticket with Google to disassociate the projects from their organization, and only after that was I able to migrate them to my organization.

Thank you very much everyone for your support.

Upvotes: 3

Leonardo

Reputation: 101

I even created a custom role at the organization level with the permissions: resourcemanager.organizations.get, resourcemanager.organizations.getIamPolicy, resourcemanager.organizations.setIamPolicy, resourcemanager.projects.create, resourcemanager.projects.get, resourcemanager.projects.getIamPolicy, resourcemanager.projects.list, resourcemanager.projects.move, resourcemanager.projects.setIamPolicy, resourcemanager.projects.update, resourcemanager.projects.updateLiens

I also created a custom role in the project I want to migrate and set the permissions: resourcemanager.projects.get, resourcemanager.projects.getIamPolicy, resourcemanager.projects.move, resourcemanager.projects.setIamPolicy, resourcemanager.projects.update

Even after these changes I had the same error when migrating.

Upvotes: 1

rriovall

Reputation: 496

The following instructions are only for moving a project within an organization (such as in this case). To move a project, you need the following IAM roles:

  1. Have the resourcemanager.projects.update permission on the project, which typically comes from having either the Project Editor or Project Owner roles on the project.

  2. Have the resourcemanager.projects.move permission on both the source folder and the destination folder. This permission is typically part of the Project Owner, Project Editor, Folder Admin, or Folder Mover roles. If the resource is not in a folder, you will need this permission on the organization node.

To move a project to another organization:

  1. In the Google Cloud Console, go to the Manage resources page.
  2. Select your Organization from the Organization drop-down on the top left of the page.
  3. Click on your project's row to select your project from the list of resources. Note that you must not click on the name of the project, which takes you to the project's IAM page.
  4. Click on the options menu (the vertical ellipsis) in the row and click Move.
  5. Click Browse to select the folder to which you want to move the project.
  6. Click Move.

If you have made sure that your account has all the permissions specified and you are still getting the error, you may want to try the Resource Manager API as per the following link: https://cloud.google.com/resource-manager/docs/project-migration#perform_migration

Hope you find this useful. Regards

Upvotes: 2
