fix(orgadm): add credentials-project flag and fix IAM policy version

robertodauria · robertodauria · commit d9b180df38cc · 2026-01-27T19:17:46.000+01:00
- Add -credentials-project flag for cross-project Datastore access
- Set IAM policy version to 3 (required for conditional bindings)
diff --git a/cmd/orgadm/main.go b/cmd/orgadm/main.go
@@ -21,15 +21,17 @@ import (
 )
 
 var (
-	org          string
-	orgEmail     string
-	project      string
-	updateTables bool
+	org                string
+	orgEmail           string
+	project            string
+	credentialsProject string
+	updateTables       bool
 )
 
 func init() {
 	flag.StringVar(&org, "org", "", "Organization name. Must match name assigned by M-Lab")
 	flag.StringVar(&project, "project", "", "GCP project to create organization resources")
+	flag.StringVar(&credentialsProject, "credentials-project", "", "GCP project for credentials Datastore (defaults to -project)")
 	flag.BoolVar(&updateTables, "update-tables", false, "Allow this org's service account to update table schemas")
 	flag.StringVar(&orgEmail, "org-email", "", "Organization contact email")
 }
@@ -57,13 +59,17 @@ func main() {
 	rtx.Must(err, "failed to create new dns service")
 	d := dnsx.NewManager(dnsiface.NewCloudDNSService(dnsService), project, dnsname.ProjectZone(project))
 
-	// Create Datastore client
-	dsc, err := datastore.NewClient(ctx, project)
+	// Setup Datastore client for credentials (may be in a different project)
+	credProj := credentialsProject
+	if credProj == "" {
+		credProj = project
+	}
+	dsc, err := datastore.NewClient(ctx, credProj)
 	rtx.Must(err, "failed to create datastore client")
 	defer dsc.Close()
 
 	// Initialize AutojoinManager from token-exchange with the correct namespace.
-	am := store.NewAutojoinManager(dsc, project, "platform-credentials")
+	am := store.NewAutojoinManager(dsc, credProj, "platform-credentials")
 
 	o := adminx.NewOrg(project, crmiface.NewCRM(project, crm), sa, sm, d, am, updateTables)
 	err = o.Setup(ctx, org, orgEmail)
diff --git a/internal/adminx/org.go b/internal/adminx/org.go
@@ -173,12 +173,13 @@ func (o *Org) ApplyPolicy(ctx context.Context, org string, account *iam.ServiceA
 	newBindings, wasMissing := appendBindingIfMissing(curr.Bindings, bindings...)
 
 	// Apply bindings if any were missing.
+	// Version 3 is required for policies with conditional role bindings.
 	preq := &cloudresourcemanager.SetIamPolicyRequest{
 		Policy: &cloudresourcemanager.Policy{
 			AuditConfigs: curr.AuditConfigs,
 			Bindings:     newBindings,
 			Etag:         curr.Etag,
-			Version:      curr.Version,
+			Version:      3,
 		},
 	}
 
