I’m trying to move a Google Cloud project from our org (Org ID: ORG_ID_1) into the client’s org (Org ID: ORG_ID_2) with:
gcloud beta projects move PROJECT_ID --organization=ORG_ID_2
but I immediately get:
ERROR: (gcloud.beta.projects.move) [USER_EMAIL] does not have permission to access projects instance [PROJECT_ID] (or it may not exist): The caller does not have permission. This command is authenticated as USER_EMAIL which is the active account specified by the [core/account] property
I then tried a read-only check to confirm I truly can’t even see the project:
gcloud projects describe PROJECT_ID
But it works, I can see it.
At project level I have:
roles/editor
roles/owner
roles/resourcemanager.projectMover
On my organization, export is allowed to the client’s org:
constraints/resourcemanager.allowedExportDestinations = under:organizations/ORG_ID_2
and vice versa.
I am also Organization Admin and Org Policy Admin in my org.
Question
Despite having both Project Owner and Project Mover on the project, and no org-policy blocking, I still get a permission denied at the very first gcloud call.
What other IAM or policy settings could prevent me from seeing or moving the project?
How can I further diagnose why my account cannot access PROJECT_ID, even for describe?
Any pointers for deeper troubleshooting would be greatly appreciated!
You might be missing Project Creator on the target organization. The following checklist should help:
https://cloud.google.com/resource-manager/docs/project-migration-checklist
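
An added example, not part of the original question or answer: a small preflight that reads the two IAM policies involved in a move and reports whether the caller holds the mover role the question lists on the source project and the Project Creator role the answer suspects is missing on the destination organization. The member names and both sample policies are constructed, and the function names are hypothetical.

```python
# Constructed sample policies, shaped like the JSON printed by
#   gcloud projects get-iam-policy PROJECT_ID --format=json
#   gcloud organizations get-iam-policy ORG_ID_2 --format=json
MEMBER = "user:mover@example.com"  # constructed caller identity
SOURCE_PROJECT_POLICY = {"bindings": [
    {"role": "roles/owner", "members": [MEMBER]},
    {"role": "roles/resourcemanager.projectMover", "members": [MEMBER]},
]}
DEST_ORG_POLICY = {"bindings": [
    {"role": "roles/resourcemanager.organizationViewer", "members": [MEMBER]},
    {"role": "roles/resourcemanager.projectCreator",
     "members": ["user:client-admin@example.net"]},
]}

# Role checked on each side of the move.
REQUIRED = {
    "source": "roles/resourcemanager.projectMover",
    "destination": "roles/resourcemanager.projectCreator",
}

def grants(policy, member, role):
    """Classify how `policy` grants `role` to `member`.

    "direct"      unconditional binding that names the member
    "conditional" binding names the member but carries an IAM condition
    "via-group?"  role is bound only to groups/domains (membership unknown here)
    "missing"     no binding for the role could apply to the member
    Only bindings set on this resource are visible; inherited ones are not.
    """
    result = "missing"
    for binding in policy.get("bindings", []):
        if binding.get("role") != role:
            continue
        members = binding.get("members", [])
        if member in members:
            if "condition" not in binding:
                return "direct"
            result = "conditional"  # keep looking for an unconditional grant
        elif result == "missing" and any(
                m.startswith(("group:", "domain:")) for m in members):
            result = "via-group?"
    return result

def preflight(member, source_policy, destination_policy):
    """Return the grant state of the required role on each side of the move."""
    return {"source": grants(source_policy, member, REQUIRED["source"]),
            "destination": grants(destination_policy, member, REQUIRED["destination"])}

if __name__ == "__main__":
    for side, state in preflight(MEMBER, SOURCE_PROJECT_POLICY, DEST_ORG_POLICY).items():
        print(f"{side}: {REQUIRED[side]} -> {state}")
```

With the constructed data the source side reports a direct grant and the destination side reports the role as missing, which is the situation the answer describes.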