Can't initialize GAM in my my domain

Claudio Caballero

unread,

Jul 11, 2024, 6:06:52 AM (6 days ago) Jul 11

to GAM for Google Workspace

Hi all:

I tested out GAM (haven't used it in years) on a personal test domain I have (one of those legacy-free accounts Google tried to get rid of). Worked a champ.

Now, when I do it on our (education licenses, in case it matters - Plus as needed, such as my super-admin account) paid account, it fails whether I try it in a GCP instance with service account (following those different instructions) or the traditional way on a regular Linux VM.

The GAM project never actually gets created.

I get output like this:

The authentication flow has completed.
Creating project "GAM Project"...
Checking project status...
Project: gam-project-p06-dyu-n9u, Enable 23 APIs
API: accesscontextmanager.googleapis.com, Enabled Setting GAM project consent screen...
Creating Service Account
Generating new private key...
Extracting public certificate...
Done generating private key and public certificate.
Uploading new public certificate to Google...

ERROR: [{'@type': 'type.googleapis.com/google.rpc.PreconditionFailure', 'violations': [{'type': 'constraints/iam.disableServiceAccountKeyUpload', 'subject': 'projects/gam-project-p06-dyu-n9u/serviceAccounts/gam-project...@gam-project-p06-dyu-n9u.iam.gserviceaccount.com?configvalue=gam-project-p06-dyu-n9u%40gam-project-p06-dyu-n9u.iam.gserviceaccount.com', 'description': 'Constraint `constraints/iam.disableServiceAccountKeyUpload` violated for service account projects/gam-project-p06-dyu-n9u/serviceAccounts/gam-project...@gam-project-p06-dyu-n9u.iam.gserviceaccount.com attempting to upload public key.'}]}]
Project creation failed. Trying again. Say N to skip project creation

The Workspace account I use is Super-Admin on workspace and Org-Admin on GCP.

I'm flummoxed despite my best Google-Fu. Anyone have a clue or pointer, please?

TIA.

Best regards,

Claudio

Ross Scroggs

unread,

Jul 11, 2024, 10:11:40 AM (6 days ago) Jul 11

to google-ap...@googlegroups.com

See: https://github.com/taers232c/GAMADV-XTD3/wiki/Authorization#authorize-service-account-key-uploads

Ross

----

Ross Scroggs

Ross.S...@gmail.com

--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/0b5192dc-b342-412b-9a33-845d724766a0n%40googlegroups.com.

Claudio Caballero

unread,

Jul 11, 2024, 4:47:24 PM (5 days ago) Jul 11

to GAM for Google Workspace

Thanks so much, Ross.

I'm nearly there after having followed the steps in the page you linked.

Additional steps I want to mention and elaborate on in case it helps others but which are obvious to you, of course.

I waited until after the 2nd GCP Project gets created (with name like gam-project-xxx-yyy-zzz) to do the policy override.

The install script then completes, but you can't run commands yet.

I had to run the final command from this page:
https://github.com/taers232c/GAMADV-XTD3/wiki/Using-GAMADV-XTD3-with-a-delegated-admin-service-account

Which is:

gam config enable_dasa true admin_email ad...@domain.com customer_id <Customer ID from step 6> domain domain.com save

Then, the final step from here:
https://groups.google.com/g/google-apps-manager/c/E2wZ7Jt5-KY

Which is:
gam user ad...@domain.com check serviceaccount

That then launched a new appspot project (similar to the ones for regular install flow) which then authorized my super-admin account accordingly.

Now that command to check the service account passes, but yet, when I run a test command like:

gam info user us...@domain.com

I get:
User: us...@domain.com, Show Info Failed: Not Authorized to access this resource/api

Thanks again and in advance for any further pointers.

Ross Scroggs

unread,

Jul 11, 2024, 6:10:50 PM (5 days ago) Jul 11

to google-ap...@googlegroups.com

Send me a Meet/Zoom invitation and I'll help.

Ross

----

Ross Scroggs

Ross.S...@gmail.com

--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/56034e19-fa19-4c60-8a14-8f9bee8c8badn%40googlegroups.com.

Message has been deleted

Claudio Caballero

unread,

Jul 12, 2024, 9:41:45 PM (4 days ago) Jul 12

to GAM for Google Workspace

Thanks so much, Ross. I'm going to keep plugging away as I think of new things this weekend, in the hopes that I don't need to take up your time Monday and can cancel our meeting. My everlasting gratitude either way.

Does the GCP Compute-Engine VM need to be in the same project that got created by GAM? I was using a pre-existing VM from another project, and when I try:

gcloud config set project gam-project-xxx-yyy-zzz

I get the following error:
WARNING: You do not appear to have access to project [gam-project-xxx-yyy-zzz] or it does not exist.

I'm going to try and see if I can find a way to switch the gcloud session in the VM to the GAM created project without moving the VM.

I had already changed the service account associated with the VM to match the one created by GAM, BTW.

I am also going to try installing GAM directly in cloud shell, as my further searches in this group mentioned that.

Thanks again and best regards,
Claudio

Reply all

Reply to author

Forward