Receiving a “Permission denied” error in the gcloud CLI while moving a project between organizations usually points to missing IAM roles or organizational policy restrictions. Without the right permissions, the gcloud CLI blocks the transfer to protect cloud resources and maintain compliance. Addressing these permission gaps restores your ability to move projects efficiently.
Grant Required Permissions to Your Account
Step 1: Identify the user or service account you are using to execute the project move. You can check your current active account in the CLI with:
gcloud auth list
This command displays the account currently authenticated for gcloud operations.
Step 2: Assign the necessary IAM roles on both the source and destination organizations. At a minimum, the account must have the Project Mover role (roles/resourcemanager.projectMover) or equivalent custom permissions on both organizations. Additionally, the account needs Project Deleter (roles/resourcemanager.projectDeleter) on the source and Project Creator (roles/resourcemanager.projectCreator) on the destination, if not already included in the Project Mover role.
To grant these roles, an Org Admin can use:
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
--member='user:YOUR_EMAIL@example.com' \
--role='roles/resourcemanager.projectMover'
Replace ORGANIZATION_ID and YOUR_EMAIL@example.com with your organization ID and email address respectively.
Step 3: Confirm that your account has the necessary permissions on both organizations. You can check your roles in the Google Cloud Console under IAM & Admin, or with:
gcloud projects get-iam-policy PROJECT_ID
This command lists who has which roles on the specified project.
Step 4: Retry the project move operation using the CLI:
gcloud beta projects move PROJECT_ID --organization=DEST_ORG_ID
If permissions are correctly configured, the operation should proceed without error.
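To check the organization-level bindings from Step 2 rather than the project policy, the output of gcloud organizations get-iam-policy ORGANIZATION_ID --format=json can be compared against the required roles. The script below is an added example, not part of the original guide; the sample policies and the account user:alice@example.com are constructed, and the required-role table assumes the roles exactly as listed in Step 2.

```python
import json

# Roles Step 2 of this page asks for on each organization.
REQUIRED = {
    "source": {"roles/resourcemanager.projectMover",
               "roles/resourcemanager.projectDeleter"},
    "destination": {"roles/resourcemanager.projectMover",
                    "roles/resourcemanager.projectCreator"},
}

# Constructed sample policies in the JSON shape get-iam-policy returns.
SOURCE_POLICY = json.loads("""{"bindings": [
  {"role": "roles/resourcemanager.projectMover",
   "members": ["user:alice@example.com"]},
  {"role": "roles/resourcemanager.projectDeleter",
   "members": ["user:alice@example.com"],
   "condition": {"title": "expires",
                 "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}}
]}""")
DEST_POLICY = json.loads("""{"bindings": [
  {"role": "roles/resourcemanager.projectCreator",
   "members": ["group:platform@example.com", "user:alice@example.com"]}
]}""")


def direct_roles(policy, member):
    """Split roles bound directly to member into (unconditional, conditional)."""
    plain, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            (conditional if binding.get("condition") else plain).add(binding["role"])
    return plain, conditional


def move_role_gaps(source_policy, dest_policy, member):
    """Report required roles that are missing or held only under an IAM condition."""
    report = {}
    for side, policy in (("source", source_policy), ("destination", dest_policy)):
        plain, conditional = direct_roles(policy, member)
        needed = REQUIRED[side] - plain
        report[side] = {
            "missing": sorted(needed - conditional),
            "conditional_only": sorted(needed & conditional),
        }
    return report


if __name__ == "__main__":
    gaps = move_role_gaps(SOURCE_POLICY, DEST_POLICY, "user:alice@example.com")
    print(json.dumps(gaps, indent=2))
```

The check only sees bindings that name the member directly; roles reached through a group, or through custom roles carrying equivalent permissions, will show up as missing and need to be confirmed separately.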
Check and Update Organization Policy Constraints
Step 1: Review organization policies that might restrict project movement. Some organizations enforce constraints on project transfers for security or compliance reasons. In the Google Cloud Console, navigate to “Organization Policies” and look for policies like constraints/resourcemanager.allowedProjectParent.
Step 2: If a constraint blocks the move, request an update from an Organization Policy Admin. They may need to temporarily allow the destination organization or folder as a valid parent for project transfers.
Step 3: After the policy is updated, wait a few minutes for propagation, then retry the move command in the CLI.
Use the Google Cloud Console as an Alternative
Step 1: If CLI-based moves continue to fail, try moving the project via the Google Cloud Console. Go to “IAM & Admin” > “Settings” > “Project Settings,” and look for the “Move” option.
Step 2: Follow the on-screen prompts to select the new organization or folder. The Console may provide more detailed error messages or highlight missing permissions.
Step 3: Address any issues surfaced by the Console, such as pending billing account transfers or service account restrictions, before retrying the move.
Double-checking IAM roles and organization policies, and using the Console as a fallback, usually resolves permission denied errors for project transfers. If problems persist, contacting your organization’s Cloud Admin or Google Support can speed up resolution.