Migrating Google Analytics (GMP) to Google Cloud Platform (GCP) - google-cloud-platform

We have had a case of shadow IT and have seen an instance of GMP appear with Google Analytics attached.
Currently, we have a Google Cloud Platform organizational account with billing attached and I'm wondering if it's at all possible to bring this under our GCP org account and billing account.
I'm unable to find any documentation to support this and I'm fairly new to GCP.
We are looking at introducing SAML auth and I figure it will be easier and more secure to have one auth entry rather than two.

Related

Google Cloud Project Service Accounts

I am using a Google Cloud Project to automate the creation of some users inside of our organization. I have been using some APIs that are hosted using the Google Cloud and have had no problem authenticating and using the APIs; however, I am not sure if I should be using a service account for this. I am currently using the Google Drive API, the Google Admin SDK (Directory API), the Sheets API, and the Docs API to create some accounts and manage an error log.
What I am asking is, should I be creating a service account to use the APIs or is my own personal Google Workspace account okay for creating these? Is there a site/video/something that can guide me in the right direction if I do need to create a service account? I personally would rather have all of the automation using a service account for authentication, but the only videos and tutorials I found on using the service accounts are trying to use resources pertaining to Cloud Computing and service accounts that are impersonating other service accounts.
Using a Service Account is the best course of action for security reasons when you are the one giving authorization and authentication to your organization.
It is identical to granting access to any other identity to allow a service account access to a resource. For instance, suppose you only want an application that runs on Compute Engine to be able to generate items in Cloud Storage.
As a result, instead of managing each and every one of your users, you may limit and manage service accounts, assign certain roles to specific users or groups, and keep track of them because several service accounts can be created in a project.
Since you use Google Workspace, I also advise you to read the shared documentation posted in the comments by @John Hanley.

Is Google Billing necessary for accessing Google API & Services?

I'm trying to access maps using the Maps JavaScript API on Google Cloud Platform.
I got the error:
You must enable Billing on the Google Cloud Project at
https://console.cloud.google.com/project/_/billing/enable Learn more at
Can we access Google API & Services without linking a Billing Account?
Yes, it is necessary to enable billing to access Google API & Services.
Some Google APIs charge for usage, and you need to enable billing before you can start using these APIs. Enabling billing for the APIs that your projects use also has other advantages:
Some APIs allow free usage up to a courtesy usage limit, and in some cases this free limit is increased when you enable billing. For some APIs, more services are available after you enable billing.
Billing is enabled at the project level, not the API level. If you enable billing for a project, then every billable API in that project is billed, based on the project's usage. All usage in a project is billed using the payment method that you specify, and you can change to a different method at any time. You cannot selectively enable billing for some APIs but not others; when you enable billing for a project, it applies to all the APIs that you used within that project, even if the API is currently disabled. Refer to APIs and billing for information.
NOTE: In order for you to use Maps API or Places API, you will have to create a new account under USD because Google Maps Platform services cannot be billed through the same billing account as Google Cloud Platform services. In order to continue using Google Maps Platform, all customers with a billing account in INR will need to create a new billing account for Maps and then migrate their existing Maps projects under this new account. You cannot get Google Maps API without billing. Refer to Google Maps Platform for information.

google cloud individual billing account

I am unable to select a Google Cloud individual billing account when trying to enable billing on my Google Cloud account. I can't select that option and have the Individual profile set for Play developer.
I am not a citizen of an EU country (saw on some threads that this could be the cause).
I need this account for development purposes (Google maps API to be more exact).
If you manage your Google Cloud resources using an Organization node, and you are a member of that Google Cloud Organization, then you must be a Billing Account Creator to create a new Cloud Billing account.
Specifically, if you are a Google Cloud user within an Organization, to perform this task, you must have the following permission.
billing.accounts.create
If you are not a member of a Google Cloud Organization but instead are managing your Google Cloud resources or Google Maps Platform APIs using projects, you do not need any specific role or permission to create a Cloud Billing account.

Is there any way to link Google Developer and Google Cloud Services accounts?

I am using two different Google accounts for Google Developer and Google Cloud Services. I have a live Android app and now I want to enable real-time notifications for monetisation. Is there any way that I can link my Google Developer account to my Google Cloud Services account so I can integrate the Pub/Sub service?
If I understand this correctly, you could use Cloud IAM and give the needed roles to the Developer account. So you can give, e.g., Project Owner rights to your Google Developer account, and then this account can control the project as the owner.
But I don't think you need project owner for Pub/Sub integration. Please check this document that shows such process.
There is also the possibility to merge accounts via Google Workspace Support; however, again I don't think this is needed to integrate Pub/Sub.
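The answer above grants Project Owner and then notes it is probably not needed for Pub/Sub. The following added example (not part of the original answer) reviews a project IAM policy for members holding basic roles and shows whether they already hold a narrower role for the service in question. The policy is constructed sample data in the shape printed by `gcloud projects get-iam-policy PROJECT --format=json`; the member names and the `roles/pubsub.` prefix filter are assumptions for illustration.

```python
import json

# Basic roles apply to every resource in the project.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample policy (not taken from a real project).
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:admin@example.com", "user:play-dev@example.com"]},
    {"role": "roles/pubsub.admin",
     "members": ["user:play-dev@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:build@example-project.iam.gserviceaccount.com"]}
  ],
  "etag": "constructed",
  "version": 1
}
""")


def roles_by_member(policy):
    """Invert the role -> members bindings into member -> set of roles."""
    out = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(binding["role"])
    return out


def basic_role_findings(policy, service_prefix="roles/pubsub."):
    """List members with a basic role and any scoped role they also hold.

    A non-empty 'scoped' list means the member already has a narrower
    grant for that service, so the basic role is a candidate for removal.
    """
    findings = []
    for member, roles in sorted(roles_by_member(policy).items()):
        basic = sorted(roles & BASIC_ROLES)
        if basic:
            scoped = sorted(r for r in roles if r.startswith(service_prefix))
            findings.append({"member": member, "basic": basic, "scoped": scoped})
    return findings


if __name__ == "__main__":
    for finding in basic_role_findings(SAMPLE_POLICY):
        print(finding)
```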

AWS assume iam roles vs gcp's json files with private keys

One thing I dislike about Google Cloud Platform (GCP) is its less baked-in security model around roles/service accounts.
Running locally on my laptop, I need to use the service account's key specified in a JSON file. In AWS, I can just assume a role I have been granted access to assume (without needing to carry around a private key). Is there an analogue to this with GCP?
I am going to try and answer this. I have the AWS Security Specialty (8 AWS certifications) and I know AWS very well. I have been investing a lot of time this year mastering Google Cloud with a focus on authorization and security. I am also an MVP Security for Alibaba Cloud.
AWS has a focus on security and security features that I both admire and appreciate. However, unless you really spend the time to understand all the little details, it is easy to implement poor/broken security in AWS. I can also say the same about Google security. Google has excellent security built into Google Cloud Platform. Google just does it differently and also requires a lot of time to understand all the little features / details.
In AWS, you cannot just assume a role. You need an AWS Access Key first or be authenticated via a service role. Then you can call STS to assume a role. Both AWS and Google make this easy with AWS Access Keys / Google Service Accounts. Whereas AWS uses roles, Google uses roles/scopes. The end result is good in either platform.
Google authentication is based upon OAuth 2.0. AWS authentication is based upon Access Key / Secret Key. Both have their strengths and weaknesses. Both can be either easy to implement (if you understand them well) or a pain to get correct.
The major cloud providers (AWS, Azure, Alibaba, Google, IBM) are moving very fast with a constant stream of new features and services. Each one has strengths and weaknesses. Today, there is no platform that offers all the features of the others. AWS today is ahead both in features and market share. Google has a vast number of services that outnumber AWS and I don't know why this is overlooked. The other platforms are catching up quickly and today, you can implement enterprise class solutions and security with any of the cloud platforms.
Today, we would not choose only Microsoft or only Open Source for our application and server infrastructure. In 2019, we will not be choosing only AWS or only Google, etc. for our cloud infrastructure. We will mix and match the best services from each platform for our needs.
As described in the Getting Started with Authentication [1] page, service accounts need the key file in order to authenticate.
From [2]: You can authenticate to a Google Cloud Platform (GCP) API using service accounts or user accounts, and for APIs that don't require authentication, you can use API keys.
Service and user accounts need the key file to authenticate. Taking this information into account, there is no way to locally authenticate without using a key file.
Links:
[1] https://cloud.google.com/docs/authentication/getting-started
[2] https://cloud.google.com/docs/authentication/
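For the service account JSON key files this thread is about, an inventory check for long-lived user-managed keys, as an added example that is not part of either answer. The key records are constructed sample data in the shape printed by `gcloud iam service-accounts keys list --format=json`; the 90-day threshold, the key IDs, and treating a year-9999 `validBeforeTime` as "never expires" are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample key listing (not from a real project).
SAMPLE_KEYS = json.loads("""
[
  {"name": "projects/example-project/serviceAccounts/automation@example-project.iam.gserviceaccount.com/keys/aaaa1111",
   "keyType": "USER_MANAGED",
   "validAfterTime": "2023-01-15T00:00:00Z",
   "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"name": "projects/example-project/serviceAccounts/automation@example-project.iam.gserviceaccount.com/keys/bbbb2222",
   "keyType": "SYSTEM_MANAGED",
   "validAfterTime": "2024-05-25T00:00:00Z",
   "validBeforeTime": "2024-06-11T00:00:00Z"},
  {"name": "projects/example-project/serviceAccounts/automation@example-project.iam.gserviceaccount.com/keys/cccc3333",
   "keyType": "USER_MANAGED",
   "validAfterTime": "2024-05-20T00:00:00Z",
   "validBeforeTime": "2024-08-18T00:00:00Z"}
]
""")


def parse_ts(value):
    """Parse the RFC 3339 UTC timestamps used in the listing."""
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    return parsed.replace(tzinfo=timezone.utc)


def stale_user_keys(keys, now, max_age_days=90):
    """Return (key_id, age_days, never_expires) for keys needing rotation."""
    findings = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue  # system-managed keys are rotated by Google
        age_days = (now - parse_ts(key["validAfterTime"])).days
        never_expires = parse_ts(key["validBeforeTime"]).year >= 9999
        if age_days > max_age_days or never_expires:
            key_id = key["name"].rsplit("/", 1)[-1]
            findings.append((key_id, age_days, never_expires))
    return findings


if __name__ == "__main__":
    audit_time = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed for the sample
    for key_id, age, forever in stale_user_keys(SAMPLE_KEYS, audit_time):
        print(f"rotate {key_id}: age={age}d never_expires={forever}")
```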