google-cloud-platform, gcloud

gcloud CLI: Permission denied moving project between organizations


I’m trying to move a Google Cloud project from our org (Org ID: ORG_ID_1) into the client’s org (Org ID: ORG_ID_2) with:

gcloud beta projects move PROJECT_ID --organization=ORG_ID_2

but I immediately get:

ERROR: (gcloud.beta.projects.move) [USER_EMAIL] does not have permission to access projects instance [PROJECT_ID] (or it may not exist): The caller does not have permission. This command is authenticated as USER_EMAIL which is the active account specified by the [core/account] property

I then tried a read-only check to confirm whether I truly can't even see the project:

gcloud projects describe PROJECT_ID

But it works; I can see it.

At project level I have:

roles/editor
roles/owner
roles/resourcemanager.projectMover

On my organization, export is allowed to the client's org:

constraints/resourcemanager.allowedExportDestinations = under:organizations/ORG_ID_2

and vice versa.

I am also Organization Admin and Org Policy Admin in my org.

Question

Despite having both Project Owner and Project Mover on the project, and no org-policy blocking, I still get a permission denied at the very first gcloud call.

What other IAM or policy settings could prevent me from seeing or moving the project?

How can I further diagnose why my account cannot access PROJECT_ID, even for describe?

Any pointers for deeper troubleshooting would be greatly appreciated!


Solution

  • You might be missing Project Creator on the target organization. The following checklist should help:

    https://cloud.google.com/resource-manager/docs/project-migration-checklist
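A quick way to confirm the answer's point before opening the checklist is to dump the IAM policies of the project and of the destination organization and check what the moving account actually holds on each. The script below is an added example, not part of the question or the answer: it takes the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` and `gcloud organizations get-iam-policy ORG_ID_2 --format=json` produce and reports whether the account has a project-level mover role and an organization-level Project Creator role. The two sample policies are constructed to mirror the question (Owner, Editor and Project Mover on the project, nothing on the client's org). The role sets, the placeholder `USER_EMAIL`, and the second "after" policy in which the client has granted `roles/resourcemanager.projectCreator` are assumptions for illustration.

```python
import json

# Roles checked on each side of the move. Assumption: a project-level
# roles/owner or roles/resourcemanager.projectMover binding covers the
# project, and roles/resourcemanager.projectCreator on the destination
# organization covers the create side, as in the migration checklist.
# Any other role that happens to carry resourcemanager.projects.create
# would need a permission-level check and is not expanded here.
PROJECT_MOVE_ROLES = {"roles/resourcemanager.projectMover", "roles/owner"}
DEST_ORG_ROLES = {"roles/resourcemanager.projectCreator"}


def direct_roles(policy, principal):
    """Return (roles, conditional_roles) bound directly to user:<principal>.

    Only a direct ``user:`` member is matched. Bindings via ``group:`` or
    ``domain:`` members are not expanded (IAM resolves those server side),
    so a role that only arrives through a group shows up as absent here.
    """
    member = f"user:{principal}"
    roles, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        # A binding with a condition may or may not apply at move time;
        # report it separately instead of counting it as granted.
        if binding.get("condition"):
            conditional.add(binding["role"])
        else:
            roles.add(binding["role"])
    return roles, conditional


def diagnose_move(project_policy, dest_org_policy, principal):
    """Check the two IAM policies a project move depends on."""
    proj_roles, proj_cond = direct_roles(project_policy, principal)
    org_roles, org_cond = direct_roles(dest_org_policy, principal)
    report = {
        "project_ok": bool(proj_roles & PROJECT_MOVE_ROLES),
        "dest_org_ok": bool(org_roles & DEST_ORG_ROLES),
        "conditional": sorted(proj_cond | org_cond),
        "missing": [],
    }
    if not report["project_ok"]:
        report["missing"].append(
            "project: one of " + ", ".join(sorted(PROJECT_MOVE_ROLES)))
    if not report["dest_org_ok"]:
        report["missing"].append(
            "destination org: " + ", ".join(sorted(DEST_ORG_ROLES)))
    return report


# Constructed sample policies in the shape `gcloud ... get-iam-policy
# --format=json` returns. The project policy mirrors the question.
PROJECT_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/owner", "members": ["user:USER_EMAIL"]},
    {"role": "roles/editor", "members": ["user:USER_EMAIL"]},
    {"role": "roles/resourcemanager.projectMover", "members": ["user:USER_EMAIL"]}
  ],
  "etag": "BwX0", "version": 1
}""")

# Destination organization as in the question: the mover is bound to nothing.
DEST_ORG_POLICY_BEFORE = json.loads("""{
  "bindings": [
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["user:client-admin@example.com"]}
  ],
  "etag": "BwY1", "version": 1
}""")

# Hypothetical state after the client grants Project Creator to the mover.
DEST_ORG_POLICY_AFTER = json.loads("""{
  "bindings": [
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["user:client-admin@example.com"]},
    {"role": "roles/resourcemanager.projectCreator",
     "members": ["user:USER_EMAIL"]}
  ],
  "etag": "BwY2", "version": 1
}""")


if __name__ == "__main__":
    for label, org_policy in (("before", DEST_ORG_POLICY_BEFORE),
                              ("after", DEST_ORG_POLICY_AFTER)):
        result = diagnose_move(PROJECT_POLICY, org_policy, "USER_EMAIL")
        print(label, json.dumps(result, indent=2))
```

Run against the "before" policy the report flags only the destination organization, which is the situation the answer describes: every project-level role in the question is present, but the error appears because the target side is empty. Because the script only resolves direct `user:` bindings, a role granted through a Google Group will be reported as missing; if the client's org relies on groups, `gcloud asset analyze-iam-policy` with `--identity=user:...` evaluates membership server side and is the more complete check.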