I am using Google Cloud Resource Manager API with Service Account authorization in Google Apps Script. In the program I am interested in updating the roles of a Developer Console Project.
Specifically, I am trying to change the Developer Console project's owner to editor and make another user the owner. I believe that, in terms of the HTTP request payload, this would look like:
    // before (taken from response of getIamPolicy REST call)
    {
      "bindings": [{
        "role": "roles/owner",
        "members": ["user:abc@my-google-domain.com"]
      }],
      "version": "0",
      "etag": "acbqwcada="
    }
    // after (modified policy) used in setIamPolicy REST call
    {
      "bindings": [{
        "role": "roles/owner",
        "members": ["user:def@my-google-domain.com"]
      },
      {
        "role": "roles/editor",
        "members": ["user:abc@my-google-domain.com"]
      }],
      "version": "0",
      "etag": "acbqwcada="
    }
A few things I observed:
When changing the current owner (user email) to editor and adding a new owner (user email), the API call returns a SOLO_MUST_INVITE_OWNERS error. Here, I am impersonating the service account as the initial owner of the project, with all necessary domain-wide access. However, when I make the same call in the Google API Explorer with the same payload, it works fine!
The Google Cloud and Identity Management documentation seems confusing. At one point it says
"Cloud Resource Manager IAM methods only support granting the owner role to user and serviceAccount"
while at another point it says "A user cannot be granted owner access using setIamPolicy(). The user must be granted the owner role using the Cloud Platform Console and he must explicitly accept the invitation."
I am wondering: is there any other way to set policies other than setIamPolicy()?
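
The policy change described in the question, as an added example (not part of the original post and not Google's code): a read-modify-write transform that takes the getIamPolicy response, moves the current owner to editor and adds the new owner while leaving version and etag untouched, plus a check that lists members who would be newly granted roles/owner, the case the quoted documentation ties to an invitation. The function names reassignOwner and newOwnerGrants are hypothetical, and no API call is made.

```javascript
// Added example: pure policy transform, no network calls.
// Function names are hypothetical; role and member strings come from the question.
function reassignOwner(policy, oldOwner, newOwner) {
  // Copy bindings into a role -> Set(members) map so existing roles are merged, not duplicated.
  const byRole = new Map();
  for (const b of policy.bindings || []) {
    const set = byRole.get(b.role) || new Set();
    b.members.forEach((m) => set.add(m));
    byRole.set(b.role, set);
  }
  const grant = (role, member) => {
    if (!byRole.has(role)) byRole.set(role, new Set());
    byRole.get(role).add(member);
  };
  const owners = byRole.get('roles/owner') || new Set();
  if (!owners.has(oldOwner)) throw new Error(oldOwner + ' is not a current owner');
  owners.delete(oldOwner);
  grant('roles/owner', newOwner);
  grant('roles/editor', oldOwner);
  // Drop bindings left without members; keep version and etag unchanged so the
  // policy goes back with the etag that getIamPolicy returned.
  const bindings = [...byRole]
    .filter(([, members]) => members.size > 0)
    .map(([role, members]) => ({ role, members: [...members].sort() }));
  return { bindings, version: policy.version, etag: policy.etag };
}

// Members that hold roles/owner in `after` but did not in `before`.
function newOwnerGrants(before, after) {
  const owners = (p) => new Set(
    (p.bindings || []).filter((b) => b.role === 'roles/owner').flatMap((b) => b.members));
  const had = owners(before);
  return [...owners(after)].filter((m) => !had.has(m));
}

// Constructed sample: the "before" policy from the question.
const before = {
  bindings: [{ role: 'roles/owner', members: ['user:abc@my-google-domain.com'] }],
  version: '0',
  etag: 'acbqwcada=',
};
const after = reassignOwner(before, 'user:abc@my-google-domain.com', 'user:def@my-google-domain.com');
console.log(JSON.stringify(after, null, 2));
console.log('new owner grants:', newOwnerGrants(before, after));
```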