cloudyr / googleCloudStorageR

Google Cloud Storage API to R

Home Page: https://code.markedmondson.me/googleCloudStorageR


gcs_setup() - Error 403: org_internal

j450h1 opened this issue · comments

This is probably related to client's GCP policies. I am Project Owner, but it looks like additional restrictions are in place?

Has anyone seen any error like this and know if there are any workarounds? I'm at the stage where I have my OAuth client ID JSON file and am trying to generate a JSON file to provide for the GCS_AUTH_FILE environment variable.

Authorisation Error
Error 403: org_internal
This client is restricted to users within its organization.
Request Details
login_hint={MY_EMAIL_HERE}
response_type=code
redirect_uri=http://localhost:1410/
state=SVXg31gZDH
hd={MY_ORGANIZATION_HERE}
flowName=GeneralOAuthFlow
client_id={CLIENT_ID_STRING_HERE}
access_type=offline
scope=https://www.googleapis.com/auth/devstorage.full_control https://www.googleapis.com/auth/userinfo.email openid

Looks like this would help: https://stackoverflow.com/questions/54629180/cant-login-using-google-auth-403-org-internal

However, it appears the UI has changed since then. Either that option is hidden from me or it has moved somewhere else:

image

I'm probably going to have to pass on it for this client project and use another solution for now.

See the googleCloudRunner setup video. I think this is when you have an External vs Internal (e.g. only Google Workspace/GSuite users) allowed in your client credentials app. If so, it may be sorted if you switch it from Internal to External.

You can switch it in your OAuth consent screen https://console.cloud.google.com/apis/credentials/consent - yes it seems to be another new change to the auth process...

Thanks for clarifying! Looks like I can choose either Testing or Production:

image

For your External app, you only want Testing with your email specified as a test user; otherwise you have to go through an app approval process (for others who may see this).