Status Update
Comments
dh...@google.com <dh...@google.com> #2
Hello,
Thanks for reaching out to us!
This feature request is acknowledged and we will validate it further. Though we can't provide an ETA on feature requests nor guarantee their implementation, rest assured that your feedback is always taken very seriously, as it allows us to improve our products. Meanwhile, could you please let us know the Business Impact of not having this feature available right now?
Thank you for your trust and continued support to improve Google Cloud Platform products. In case you want to report a new issue, please do not hesitate to create a new
Thanks & Regards
ma...@gmail.com <ma...@gmail.com> #3
It is not a major business impact right now. We've just accepted that IAM will allow domains that we own in the Workspace.
Description
What you would like to accomplish:
Currently, the Organization Policy constraints/iam.allowedPolicyMemberDomains accepts a list of Google Workspace customer IDs as allowed values. This makes the primary and all secondary domains tied to the Workspace allowed policy members within the organization. I would like only one (the primary) domain to be allowed for IAM policies.
How this might work:
Accept a list of allowed domains (similar to constraints/essentialcontacts.allowedContactDomains) instead of a list of allowed customer IDs. Or some way to filter specific domains within a Workspace (e.g., via conditions).
If applicable, reasons why alternative solutions are not sufficient:
With the current approach, we have about 100 secondary domains attached to our org which we don't want to allow IAM bindings on. The suggestion from the documentation to separate domains with different Google Workspace accounts is not feasible:
Other information (workarounds you have tried, documentation consulted, etc):
I thought this might be something I could solve for using conditions (resource.matchTag(...)) but I don't think it is currently possible this way.