I have Google identity with a domain example.com and have created a group, say my-admins@example.com. I can create users a-user@example.com and say another-user@example.com and add them to group my-admins@example.com.
I have a Google Cloud organization example.com and have successfully added my-admins@example.com and assigned it the roles I want (e.g. Organization Admins).
It's possible for me to add Google accounts, e.g. googleaccount123@gmail.com, as principals to my organization and assign them roles, but I can't seem to add them to the my-admins@example.com group.
Are my Google identity groups always scoped to users with the same domain? If so, how do I get to a place where I can manage a mixed group of example.com users and Google accounts?
I've realized the issue is that there is a group attribute allowing/denying adding members from outside of the organization.
I'm migrating projects that don't have an organization to a new organization. As I understand it, Cloud Identity is required when using an organization.
Will the existing users in the projects with the same domain as the organization automatically be manageable in Cloud Identity?
How is the user group functionality in Cloud Identity different from user group functionality in the Cloud console IAM section? Would any groups created in IAM before or after the migration be visible in Cloud Identity?
Yes, Cloud Identity is required to use an Organization in Google Cloud.
Cloud Identity is basically an identity provider (IdP) in which you create the user and group objects and manage parameters such as security factors (MFA) and application access. If you have a non-organization project with existing users that have your domain, then it is likely they are regular 'Google' accounts; when you establish your Cloud Identity instance there is a process to consolidate them. They are called unmanaged users.
Before adding users to your organization, use the Transfer tool for unmanaged users to see if you have any unmanaged personal Google accounts. The transfer tool enables you to see what unmanaged users exist, and then invite those unmanaged users to the domain.
You can also refer to user groups in the Cloud console IAM section. If you have a project and you have been managing groups within the IAM section, that would indicate that there is already a Cloud Identity instance behind it and that the project is part of an organization, which means any groups created in the IAM section will be visible in Cloud Identity.
Refer to Project migration for more information.
I have a GCP org set up under a verified domain name (company.tech) with Cloud Identity enabled to use Google Cloud projects. I am managing access for users through Google Groups (via the admin panel). I've created a group with users from company.tech, a service account, Gmail and company.co.xx, i.e. allowing members outside the org; let's call the group gcpusers@company.tech.
Following are the IAM policies added for the group:
BigQuery Job User
BigQuery Metadata Viewer
Also, ACL access was added to a dataset BigQuery Data Viewer
The issue is, I am able to query from Gmail, service account and company.tech domain accounts, but the users under company.co.xx (this is not a Cloud Identity account but a Google account created by signing up with an existing email from an Office 365 subscription) can neither select the project nor query, and end up getting the following error and cannot preview/query the BigQuery dataset tables.
Access Denied: Project <<>>: User does not have bigquery.jobs.create permission in project <<>>
I tried the following but I still get the same error for company.co.xx accounts:
Added a custom rule to allow company.co.xx under the domain restricted sharing org policy
Added the domain under Allowlisted domains in the Google admin panel (but unfortunately, as mentioned, the domain is not linked with Cloud Identity/GWS; instead the accounts are signed up using an existing email)
Google Groups is managed independently from Google Cloud IAM - they are independent services. You can add an identity to Google Groups which is not supported by Google Cloud IAM. In your case, that is what you did. If you want to use Microsoft identities with Google Cloud you will need to set up federation with Active Directory.
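As an added example, not code from the thread or from Google's tooling: this script expands a group binding from a constructed IAM policy (in the JSON shape `gcloud projects get-iam-policy` prints) into the roles each member effectively inherits, and then flags user members whose email domain is not on an allowlist, a simplified local stand-in for the domain restricted sharing org policy the question mentions. All emails, the etag and the membership list are constructed; the two roles match those granted in the question.

```python
import json

# Constructed IAM policy in the JSON shape `gcloud projects get-iam-policy`
# prints; the bindings mirror the roles granted to the group in the question.
POLICY_JSON = """{
  "bindings": [
    {"role": "roles/bigquery.jobUser",
     "members": ["group:gcpusers@company.tech"]},
    {"role": "roles/bigquery.metadataViewer",
     "members": ["group:gcpusers@company.tech"]}
  ],
  "etag": "ETAG-PLACEHOLDER",
  "version": 1
}"""

# Constructed group membership (in practice exported from the admin console).
GROUP_MEMBERS = {
    "gcpusers@company.tech": [
        "user:alice@company.tech",
        "serviceAccount:deploy@my-project.iam.gserviceaccount.com",
        "user:someone@gmail.com",
        "user:bob@company.co.xx",
    ],
}


def effective_roles(policy_json, groups):
    """Expand group bindings so each principal maps to the roles it inherits."""
    roles = {}
    for binding in json.loads(policy_json)["bindings"]:
        for member in binding["members"]:
            kind, _, name = member.partition(":")
            # A group binding applies to every listed member; other kinds apply to themselves.
            for principal in (groups.get(name, []) if kind == "group" else [member]):
                roles.setdefault(principal, set()).add(binding["role"])
    return roles


def users_outside_domains(groups, group_email, allowed_domains):
    """Return the user: members of a group whose email domain is not allowlisted.
    Simplified local check standing in for the domain restricted sharing org
    policy (assumption: only user principals are checked against the list)."""
    outside = []
    for member in groups.get(group_email, []):
        kind, _, email = member.partition(":")
        if kind == "user" and email.rsplit("@", 1)[-1] not in allowed_domains:
            outside.append(member)
    return outside


if __name__ == "__main__":
    print(effective_roles(POLICY_JSON, GROUP_MEMBERS))
    print(users_outside_domains(GROUP_MEMBERS, "gcpusers@company.tech", {"company.tech", "gmail.com"}))
```

A member that appears in the expanded role map but is also reported by the domain check is the first place to look when a group binding grants a role that a particular member still cannot use.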
When using GCP with Cloud Identity, we have a special group which includes all users of the organization (all from the Cloud Identity directory). It is perfect for giving access to all users in the projects.
However, it doesn't include the service accounts in projects.
My question is, is there any special group that includes all service accounts which exist in the organisation and in its projects?
Describing the use case:
We have some agents which we need to install in our Compute Engine instances. So, we would like to store the installers in a central bucket and give permission on that bucket to all service accounts in our organization (with a special group permission, rather than handling every individual service account in the bucket...).
Thanks.
Regards,
Vassco Silva
You can use a Google Group, which is a collection of user and/or service accounts. Once this is done, add the service accounts to the Google Group and then assign the necessary IAM roles to the Google Group.
The GCP Best Practices doc has this statement:
We recommend collecting users with the same responsibilities into
groups and assigning Cloud IAM roles to the groups rather than to
individual users.
I assume this refers to Cloud Identity Groups, yes?
Where do I assign Cloud IAM roles to groups?
Thanks
You should be able to create a Google Group with the imported members in Cloud Identity. If you use a Google Group, that group must have an email address (normally <group-name>@<domain>). You can then use this email address in IAM to give access to all people in that group.
See this doc for more info.
There is plenty of documentation explaining how to assign IAM roles in GCP to all members of a GSuite organization, but none discuss any more granular permissioning.
Is it possible to create an admin console group in GSuite and then apply specific IAM roles to all members of that group in GCP?
Yes, this works the same way you would assign to a user. The GSuite group is represented by an email address. Simply assign the roles/permissions you want to that group email and all users within that group will receive them.