From 7e8aad4cd07987d32f4719d87150809c6fe59a5e Mon Sep 17 00:00:00 2001 From: Seth Vargo Date: Mon, 23 Jan 2023 19:56:58 -0600 Subject: [PATCH] Document possible issues with org policies Fixes GH-257 --- README.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/README.md b/README.md index eebdd1f2..23197ea7 100644 --- a/README.md +++ b/README.md @@ -632,6 +632,31 @@ Terraform module to automate your infrastructure provisioning. See [examples](ht Identity Pool mapping until the permissions are available. +#### Organizational Policy Constraints + +By default, Google Cloud allows you to create Workload Identity Pools and +Workload Identity Providers for any endpoints. Your organization may restrict +which external identity providers are permitted on your Google Cloud account. To +enable GitHub Actions as a Workload Identity Pool and Provider, add the +`https://token.actions.githubusercontent.com` to the allowed +`iam.workloadIdentityPoolProviders` Org Policy constraint. + +```shell +gcloud resource-manager org-policies allow "constraints/iam.workloadIdentityPoolProviders" \ + https://token.actions.githubusercontent.com +``` + +You can specify a `--folder` or `--organization`. If you do not have permission +to manage these Org Policies, please contact your Google Cloud administrator. + +For GitHub Enterprise Server, the endpoint will be your server URL: + +```shell +gcloud resource-manager org-policies allow "constraints/iam.workloadIdentityPoolProviders" \ + https://my.github.company +``` + + ## GitHub Token Format Below is a sample GitHub Token for reference for attribute mappings. For a list of all
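Review bot: the two `gcloud resource-manager org-policies allow` snippets in the new "Organizational Policy Constraints" section will not run as written, because that command requires exactly one of `--organization`, `--folder` or `--project` to scope the policy; the prose below the first snippet ("You can specify a `--folder` or `--organization`") reads as if the flag were optional. Suggest putting a placeholder into the command itself and adjusting the sentence, e.g. `gcloud resource-manager org-policies allow "constraints/iam.workloadIdentityPoolProviders" \` / `  https://token.actions.githubusercontent.com \` / `  --organization="ORGANIZATION_ID"`, with the text noting that `--folder` may be used instead. Minor wording: "add the `https://token.actions.githubusercontent.com` to the allowed ... constraint" has a stray "the" before the URL. Also, the hunk leaves two blank lines before `## GitHub Token Format` where the rest of the README uses one.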