Unknown error getting started
166 views
Skip to first unread message
Abraham Lora
Apr 17, 2024, 10:36:21 PM4/17/24
to GAM for Google Workspace
Hey all, new to setting up GAM.
I tried following directions and cannot see why I am unable to get GAM fully setup.
I am the only user with super admin to this Google Workspace and below is the error message during the creation of the project:
The authentication flow has completed.
Creating project "GAM Project"...
Checking project status...
Project: gam-project-***-***-***, Enable 23 APIs
API: accesscontextmanager.googleapis.com, Enabled (1/23)
API: admin.googleapis.com, Enabled (2/23)
API: alertcenter.googleapis.com, Enabled (3/23)
API: calendar-json.googleapis.com, Enabled (4/23)
API: chat.googleapis.com, Enabled (5/23)
API: chromemanagement.googleapis.com, Enabled (6/23)
API: chromepolicy.googleapis.com, Enabled (7/23)
API: classroom.googleapis.com, Enabled (8/23)
API: cloudidentity.googleapis.com, Enabled (9/23)
API: cloudresourcemanager.googleapis.com, Enabled (10/23)
API: contacts.googleapis.com, Enabled (11/23)
API: drive.googleapis.com, Enabled (12/23)
API: driveactivity.googleapis.com, Enabled (13/23)
API: iap.googleapis.com, Enabled (14/23)
API: gmail.googleapis.com, Enabled (15/23)
API: groupssettings.googleapis.com, Enabled (16/23)
API: iam.googleapis.com, Enabled (17/23)
API: licensing.googleapis.com, Enabled (18/23)
API: reseller.googleapis.com, Enabled (19/23)
API: sheets.googleapis.com, Enabled (20/23)
API: siteverification.googleapis.com, Enabled (21/23)
API: storage-api.googleapis.com, Enabled (22/23)
API: vault.googleapis.com, Enabled (23/23)
Setting GAM project consent screen...
Creating Service Account
Generating new private key...
Extracting public certificate...
Done generating private key and public certificate.
Uploading new public certificate to Google...
ERROR: [{'@type': 'type.googleapis.com/google.rpc.PreconditionFailure', 'violations': [{'type': 'constraints/iam.disableServiceAccountKeyUpload', 'subject': 'projects/gam-project-***-***-***/serviceAccounts/gam-project-***-***-***@gam-project-***-***-***.iam.gserviceaccount.com?configvalue=gam-project-***-***-***%40gam-project--***-***-***.iam.gserviceaccount.com', 'description': 'Constraint `constraints/iam.disableServiceAccountKeyUpload` violated for service account projects/gam-project-***-***-***/serviceAccounts/gam-project-***-***-***@gam-project-***-***-***.iam.gserviceaccount.com attempting to upload public key.'}]}]
Creating project "GAM Project"...
Checking project status...
Project: gam-project-***-***-***, Enable 23 APIs
API: accesscontextmanager.googleapis.com, Enabled (1/23)
API: admin.googleapis.com, Enabled (2/23)
API: alertcenter.googleapis.com, Enabled (3/23)
API: calendar-json.googleapis.com, Enabled (4/23)
API: chat.googleapis.com, Enabled (5/23)
API: chromemanagement.googleapis.com, Enabled (6/23)
API: chromepolicy.googleapis.com, Enabled (7/23)
API: classroom.googleapis.com, Enabled (8/23)
API: cloudidentity.googleapis.com, Enabled (9/23)
API: cloudresourcemanager.googleapis.com, Enabled (10/23)
API: contacts.googleapis.com, Enabled (11/23)
API: drive.googleapis.com, Enabled (12/23)
API: driveactivity.googleapis.com, Enabled (13/23)
API: iap.googleapis.com, Enabled (14/23)
API: gmail.googleapis.com, Enabled (15/23)
API: groupssettings.googleapis.com, Enabled (16/23)
API: iam.googleapis.com, Enabled (17/23)
API: licensing.googleapis.com, Enabled (18/23)
API: reseller.googleapis.com, Enabled (19/23)
API: sheets.googleapis.com, Enabled (20/23)
API: siteverification.googleapis.com, Enabled (21/23)
API: storage-api.googleapis.com, Enabled (22/23)
API: vault.googleapis.com, Enabled (23/23)
Setting GAM project consent screen...
Creating Service Account
Generating new private key...
Extracting public certificate...
Done generating private key and public certificate.
Uploading new public certificate to Google...
ERROR: [{'@type': 'type.googleapis.com/google.rpc.PreconditionFailure', 'violations': [{'type': 'constraints/iam.disableServiceAccountKeyUpload', 'subject': 'projects/gam-project-***-***-***/serviceAccounts/gam-project-***-***-***@gam-project-***-***-***.iam.gserviceaccount.com?configvalue=gam-project-***-***-***%40gam-project--***-***-***.iam.gserviceaccount.com', 'description': 'Constraint `constraints/iam.disableServiceAccountKeyUpload` violated for service account projects/gam-project-***-***-***/serviceAccounts/gam-project-***-***-***@gam-project-***-***-***.iam.gserviceaccount.com attempting to upload public key.'}]}]
However, I am able to see the project being created in the Console.
Its been tough finding a solution to this as usually it would spit out a 400 error or something amongst the line.
Its been tough finding a solution to this as usually it would spit out a 400 error or something amongst the line.
Ross Scroggs
Apr 18, 2024, 11:46:48 AM4/18/24
to google-ap...@googlegroups.com
Sre: https://github.com/taers232c/GAMADV-XTD3/wiki/Authorization#authorize-service-account-key-uploads
--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/12cdb470-8797-4cd7-9424-c7753749de86n%40googlegroups.com.
Jay Lee
Apr 18, 2024, 12:27:59 PM4/18/24
to google-ap...@googlegroups.com
Ross,
Those instructions are far to broad, there's no reason to change Google's default policy across the entire GCP org.
I'd suggest modifying the wiki to describe steps to set that policy ONLY for the new GAM project and then continue with a "gam update project" command.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/79ECA4BD-E379-4D0C-9FC2-C773F63EDDD2%40gmail.com.
Ross Scroggs
Apr 18, 2024, 1:02:29 PM4/18/24
to google-ap...@googlegroups.com
Jay,
Thanks.
See: https://github.com/taers232c/GAMADV-XTD3/wiki/Authorization#authorize-service-account-key-uploads
Ross
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CA%2BVVBp9i4bz9PgrA%3DK2V51yXMffNFJsh0jNo5ZKD%2BVFexs_39w%40mail.gmail.com.
Abraham Lora
Apr 18, 2024, 9:18:32 PM4/18/24
to GAM for Google Workspace
Thanks for the follow ups.
Here is an update.
I was unable to find orgpolicy.policies.update:
- Click on Grant Access
- Enter the new admin address in Principals
- Click in the Select a role box
- Type orgpolicy.policies.update in the Filter box
- Click Organization Policy Administrator
- Click Save
Are there limitations based on the level of subscription?
Ross Scroggs
Apr 18, 2024, 11:29:55 PM4/18/24
to google-ap...@googlegroups.com
Abraham,
I'm in California (PDT) and am generally available at 7:30AM PDT, send me a Meet/Zoon invitation.
Ross
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/51a121f7-1175-4c98-8a80-977b836cfdbcn%40googlegroups.com.
Abraham Lora
Apr 19, 2024, 10:32:35 AM4/19/24
to GAM for Google Workspace
Hey Ross, I've sent you a call invite for 7:30AM PDT.
Reply all
Reply to author
Forward
0 new messages