2

I have a @gmail.com account where I have added my domain's email, @domain.com, as the alternative email. I can use @domain.com to log in to my Gmail account instead of the @gmail.com account.

I have created a Google Cloud project and want to add the @domain.com address as the Support Email on the OAuth consent screen. However, even after following the steps here and adding the @domain.com email address in the IAM section, I am not able to select it as the support email.

I get this error after accepting the invite in the Google Cloud Activity Tab:

Permission denied (HTTP 403): IAM authority does not have the permission 'resourcemanager.projectInvites.acceptProjectOwnership' required for action CloudResourceManagerInvitationsService-AcceptProjectOwnership on resource 'projects/ofpad-1304'. Explanation: Security Context: RecordingSecurityContext{delegate=ValidatedSecurityContextWithSystemAuthorizationPolicy{delegate=ValidatedSecurityContextWithRegistryHandle{delegate=ValidatedSecurityContextWithObligations{delegate=ContextWithGaiaMintToken{delegate=ValidatedIamSecurityContext{user=gaiauser/0xd22a3e2d9, creds=EndUserCreds{loggable_credential { type: GAIA_MINT loggable_gaia_mint { } } loggable_credential { type: SERVICE_CONTROL_TOKEN }}, peer=protocol=loas;psp_version=0;level=strong_privacy_and_integrity;host=saec4.prod.google.com;is_authenticated_host=false;role=cloud-boq-clientapi-iam;gaiaId=250014094659;security_realm=campus-wen;is_delegated=false;user_type=MDB_USER_NON_PERSON, InternalIAMIdentity{log=originator { scope: GAIA_USER gaia_user { user_id: 56415740633 } }}}}}}}}

I only see the @gmail email.

How can I fix this?

Abhishek R

1 Answer

2

I tried replicating your use case and was able to set Gmail's Alternative Email as the Support Email on the Google Developer Console OAuth consent screen without any issues. I actually logged onto the new account, and then changed it. Until the second email actually logged onto the console, the second email did not appear.

You may consider simply granting your new email address a basic role such as Owner, which is simpler to use. You need a second email address; then add that email as Owner of the project. Then you will be able to add that email in the consent screen.

  1. Add Owner permission for the new email address to handle the project: go to Navigation menu > IAM & Admin > IAM, click the Add button, enter the email address in the New principals field and select Role > Basic > Owner.

  2. After you give the Owner role to the new email address, an invitation will be sent to you by email. Check your email and click the confirmation URL; it will take you to the Google Developers Console, where you accept the invitation from the new email address. Now accept the terms and conditions.

  3. Now the Google Developers Console is logged in using the NEW email address. On the OAuth consent screen, click Edit app; you will be able to see the new email address in the dropdown. Select the new email address and click Save and continue. Only the new email address can change the displayed email address. You will now be able to set Gmail's Alternative Email as the Support Email.

  4. Now you can log in using your primary or initially used email address and check whether you can find the new email address in the User support email dropdown.

Jyothi Kiranmayi
  • Well, this is exactly what I have tried. When I add the domain.com email as owner and log in with the @domain.com after confirming, I get the following error in the Activity tab: https://i.imgur.com/cQT3S33.png Also the domain.com doesn't appear in my dropdown like it does in your screenshot: https://i.imgur.com/BYUgkHi.png – Abhishek R Jul 07 '22 at 06:59
  • Try giving resourcemanager.projectInvites.acceptProjectOwnership permission on resource projects/ofpad-1304, as mentioned in the error. – Jyothi Kiranmayi Jul 07 '22 at 07:23
  • I am not sure how to provide this permission. When I invite any email that is not tagged as alternative email, I don't have this problem. – Abhishek R Jul 07 '22 at 07:44
  • Check this [documentation](https://cloud.google.com/iam/docs/granting-changing-revoking-access#required-permissions) which describes required roles to manage access to a project. – Jyothi Kiranmayi Jul 07 '22 at 07:46
  • Unfortunately I have never used gcloud CLI. I am not able to figure out how to add this role through the Google Cloud Console. – Abhishek R Jul 07 '22 at 08:03
  • The Resource Manager provides a domain restriction constraint that can be used in organization policies to limit resource sharing based on domain. This prevents you from accessing the project on a particular domain. Check if there is any restriction on the domain in the organization policy page. If there is any restriction try clearing all Domain Restricted Sharing restrictions from org/folder/project. Refer to this [doc](https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains). – Jyothi Kiranmayi Jul 07 '22 at 08:03
  • I don't think this applies. I am using a free Gmail account that I just created. I am not using a Google Workspace account. – Abhishek R Jul 07 '22 at 08:14
  • Try giving the alternate email id with some other domain other than the one which you are providing now and check. If the other domain is allowing you to access the invitation then there is some restriction on the domain. – Jyothi Kiranmayi Jul 07 '22 at 08:17
  • The problem exists when I try another domain2 email added as an alternative email. Only the Gmail email gets added. The domain2 email that is attached as alternative email to Gmail doesn't get added. – Abhishek R Jul 07 '22 at 10:36
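
A way to confirm that steps 1 and 2 of the answer took effect before looking for the address in the dropdown, as an added example that is not part of the original thread: it reads a project IAM policy in the JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json` and reports whether an address is bound to Owner. The sample policy, the addresses in it and the function names are constructed for illustration, and comparing addresses case-insensitively is an assumption of this example.

```python
import json

# Constructed sample in the shape of `gcloud projects get-iam-policy ... --format=json`.
# All members are placeholders, not values from the question.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:Someone@gmail.com"]},
    {"role": "roles/viewer",
     "members": ["user:support@domain.example",
                 "serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["deleted:user:old@domain.example?uid=123456789"]}
  ],
  "etag": "BwXconstructed=",
  "version": 1
}
""")

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def split_member(member):
    """Return (kind, identity), identity lower-cased; deleted principals get kind 'deleted'."""
    if member.startswith("deleted:"):
        return "deleted", member.split(":", 2)[-1].split("?", 1)[0].lower()
    kind, _, identity = member.partition(":")
    return kind, identity.lower()


def roles_for(policy, email):
    """Roles bound directly to user:<email>, sorted. Deleted principals do not count."""
    wanted = ("user", email.lower())
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if any(split_member(m) == wanted for m in b.get("members", [])))


def holds_owner(policy, email):
    """True when the address is bound to roles/owner, the role granted in step 1."""
    return "roles/owner" in roles_for(policy, email)


def basic_role_grants(policy):
    """Every (role, member) pair that uses a broad basic role, for later review."""
    return sorted((b["role"], m) for b in policy.get("bindings", [])
                  if b["role"] in BASIC_ROLES for m in b.get("members", []))
```

If `holds_owner` is false for the invited address, the Owner binding is not in the policy yet, so the problem lies in the invitation step and not in the consent screen.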