IAM users and last login date in google cloud - google-cloud-platform

How do I pull the list of IAM users from Google Cloud along with their last activity?
I tried "gcloud projects get-iam-policy",
but it gives only the list of IAM users/members, not their last activity.

OK, if it's for a company, you have this information in the Google Cloud Identity platform. You can log in here: https://admin.google.com
Go to Users and boom.
Of course you can request these values by API with the Admin SDK.
It works only for managed accounts. If you have an unmanaged account (in gmail.com or from another company) you don't have access to this information.
EDIT 1
To track the service account activity, you can rely on the documentation. Cloud Monitoring allows you to do that. If you need to export the data to BigQuery for analytics, for example, let me know; I could help with that.
To know the privileges that the users have, you can rely on the Asset Inventory, and especially on the IAM search policy feature.
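The answer above points at the Admin SDK for managed accounts. What a security reviewer usually does with that data is look for enabled accounts that have not signed in for a long time, or never at all. The block below is an added example, not code from the thread: it runs a dormancy check over constructed records shaped like the Directory API's `users.list` response (the `lastLoginTime` field, with the API's `1970-01-01T00:00:00.000Z` sentinel for "never logged in"), with a fixed `NOW` so the result is reproducible. The live API call is shown only in a comment; the `SAMPLE_USERS` and `NOW` values are assumptions for the demo.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records in the shape returned by the Admin SDK Directory API
# (users.list with projection=basic). None of these are real accounts.
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com", "isAdmin": True,  "suspended": False,
     "lastLoginTime": "2024-05-30T08:12:45.000Z"},
    {"primaryEmail": "bob@example.com",   "isAdmin": False, "suspended": False,
     "lastLoginTime": "2024-01-03T17:40:02.000Z"},
    {"primaryEmail": "carol@example.com", "isAdmin": False, "suspended": False,
     "lastLoginTime": "1970-01-01T00:00:00.000Z"},   # the API's "never logged in" value
    {"primaryEmail": "dave@example.com",  "isAdmin": False, "suspended": True,
     "lastLoginTime": "2023-11-20T09:00:00.000Z"},
]

# Fixed "now" so the sample is reproducible (an assumption for the demo).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
NEVER_LOGGED_IN = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_login_time(value):
    """lastLoginTime is RFC 3339 with millisecond precision and a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def dormant_accounts(users, now, max_idle_days=90):
    """Return (email, reason) pairs for enabled accounts that deserve review.

    Never-used accounts and accounts idle longer than max_idle_days are both
    reported; suspended accounts are skipped because they are already disabled.
    Super-admins are listed first, since a stale admin login is the bigger risk.
    """
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for user in users:
        if user.get("suspended"):
            continue
        last_login = parse_login_time(user["lastLoginTime"])
        if last_login == NEVER_LOGGED_IN:
            reason = "never logged in"
        elif last_login < cutoff:
            reason = f"last login {(now - last_login).days}d ago"
        else:
            continue
        if user.get("isAdmin"):
            reason = "ADMIN, " + reason
        findings.append((user["primaryEmail"], reason))
    # admins first, then alphabetical
    findings.sort(key=lambda f: (not f[1].startswith("ADMIN"), f[0]))
    return findings


def review_sample():
    """Run the 90-day check over the constructed sample."""
    return dormant_accounts(SAMPLE_USERS, NOW)


if __name__ == "__main__":
    # Live equivalent with google-api-python-client and a credential holding the
    # admin.directory.user.readonly scope, shown only as a comment:
    #   service = build("admin", "directory_v1", credentials=creds)
    #   page = service.users().list(customer="my_customer", orderBy="email").execute()
    #   users = page.get("users", [])   # then follow page.get("nextPageToken")
    for email, reason in review_sample():
        print(f"{email}: {reason}")
```

The check deliberately treats "never logged in" separately from "idle": a provisioned account that was never used is a classic leftover from onboarding and is worth a different follow-up than a departed employee's stale login.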

Related

Allow an external user to use Google Cloud Platform account

I created an account on Google Cloud Platform, but another user will need access to this account to work with me on managing the virtual machines.
How can I grant this access for this user to have access to a specific project?
I know that Google Ads and Google Analytics have options for this type of operation, but I haven't found anything similar on Google Cloud Platform.
Anyone accessing a GCP project will require a Google account, but it need not be associated with your organization.
You can then add the user in the GCP IAM screen simply using their email address.
Then, add the user's email with the appropriate roles. To work on the VMs, they will need the Compute Admin role.
Once granted access, they will be able to use the gcloud commands or the Pantheon UI to administer the instances and gain access to the consoles.

Google Cloud Platform - Resource of type "Organisation"

I wanted to set up my Cloud Identity but it's asking me to verify the domain that is already hosted on GCP. Can you help me with the Cloud Identity setup with a proper organisation created (today it's named "No Organisation")? I'm the admin for this account DOMAIN: we host our corporate website on GCP with the domain already registered with DNS services in Google.
On the GCP Identity page it's also giving me the following message:
Your current account, k*****.***a@DOMAIN.NL, is not associated with an organization on Google Cloud. This checklist is designed for administrators who are trusted with complete control over a company’s Google Cloud resources. If you already have an administrator account for your organization, sign in with the account now. Or, ask your company administrator to start the checklist.
I guess I'm stuck in a chicken-and-egg problem.
You need to create a Google Workspace account. Create it on your domain DOMAIN.NL, with you as the first admin user, with a subscription plan or not (in my case, I wasn't able to remove the 15 days of trial. Get it; you will be able to remove the trial subscription later (in the user list) on the admin.google.com Workspace console). You are able to create your org for free, but it's absolutely not clear!!
From the new user account that you have created on your Workspace domain (you@DOMAIN.NL), you will be able to reach the console (console.cloud.google.com) and you have your org.
Now you need to migrate the projects and to review the authorizations. You also need to (re)create a Billing Account.
I didn't find another way to achieve this.

How to give service account access to two projects?

Using Google Cloud, there exists a BigQuery view table that queries two projects.
However, on the project where the view is located, we wish to run a query against it from Airflow/Composer. Currently it fails with a 403.
AFAIK it will use the default Composer service account; however, it doesn't have access to the 2nd project used in the SQL of the view.
How do I give Composer's service account access to the second project?
Think about a service account like a user account: you have a user email that you authorize on different projects and components. It's exactly the same thing with the service account email.
The service account belongs to a project. A user account belongs to a domain name/organisation. No real difference in the end.
So, you can use a service account email like any user account:
Grant authorization in any project
Add it to Google Groups
Even grant it the viewer or editor role on G Suite documents (Sheets, Docs, Slides, ...) to allow it to access and read/update these documents!! Like any user!
EDIT
With Airflow, you can define connections and a default connection. You can use this connection in your DAG and thus use the service account that you want.
I think you have to add the service account into the project IAM.
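Both this answer and the Compute Admin answer in the VM question above come down to the same operation: adding a principal (a `serviceAccount:` or a `user:` member) to a role binding in a project's IAM policy. The block below is an added example, not code from the thread or from Google's tooling. It edits a policy document of the shape `gcloud projects get-iam-policy PROJECT --format=json` returns, granting the Composer service account `roles/bigquery.dataViewer` on the second project (what the view's SQL needs, rather than Editor) and the external collaborator `roles/compute.admin`, while leaving conditional bindings alone and preserving the `etag`. The policy document, project ids, principals and etag are constructed for the demo.

```python
import copy
import json

# Constructed sample in the shape of `gcloud projects get-iam-policy PROJECT --format=json`.
# Project ids, principals and the etag are made up for the demo.
SECOND_PROJECT_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/bigquery.dataViewer",
         "members": ["serviceAccount:reporting@second-project.iam.gserviceaccount.com"]},
        {"role": "roles/bigquery.dataViewer",
         "members": ["group:analysts@example.com"],
         "condition": {"title": "temporary",
                       "expression": "request.time < timestamp('2024-12-31T00:00:00Z')"}},
    ],
    "etag": "BwXsampleEtag=",
    "version": 3,
}

# Assumed principals; the type prefix (user:, serviceAccount:, group:) is part of the member id.
COMPOSER_SA = "serviceAccount:composer@first-project.iam.gserviceaccount.com"
CONTRACTOR = "user:contractor@example.org"
PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def add_binding(policy, role, member):
    """Return a copy of policy with member granted role at project level.

    Idempotent, and only ever extends the *unconditional* binding for the role:
    merging a principal into a conditional binding would silently subject it to
    that condition (and drop the access when the condition expires). The etag is
    preserved so a later set-iam-policy fails instead of overwriting a concurrent
    change.
    """
    new_policy = copy.deepcopy(policy)
    for binding in new_policy["bindings"]:
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new_policy
    new_policy["bindings"].append({"role": role, "members": [member]})
    return new_policy


def members_with_role(policy, role):
    """Principals that hold role unconditionally (the first thing to check on a 403)."""
    return sorted(m for b in policy["bindings"]
                  if b["role"] == role and "condition" not in b
                  for m in b["members"])


def overly_broad_grants(policy):
    """(role, member) pairs holding a primitive role; candidates for a least-privilege review."""
    return [(b["role"], m) for b in policy["bindings"]
            if b["role"] in PRIMITIVE_ROLES for m in b["members"]]


if __name__ == "__main__":
    # Composer's default SA only needs to read the data behind the view in the
    # second project: roles/bigquery.dataViewer, not roles/editor.
    updated = add_binding(SECOND_PROJECT_POLICY, "roles/bigquery.dataViewer", COMPOSER_SA)
    # The external collaborator from the VM question gets roles/compute.admin.
    updated = add_binding(updated, "roles/compute.admin", CONTRACTOR)
    print(json.dumps(updated, indent=2))
    # Apply with: gcloud projects set-iam-policy second-project policy.json
    # (or one grant at a time with gcloud projects add-iam-policy-binding).
```

`gcloud projects add-iam-policy-binding` performs the same read-modify-write for a single grant; the value of doing it on the document is that you can diff the result and run `overly_broad_grants` before anything is applied. Granting `roles/bigquery.dataViewer` on the specific dataset instead of the whole project is tighter still when the view only needs one dataset.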

How can I create a user in Google Cloud Platform without having to create a new Gmail user?

I want to create a user account for contacting developers using their own email addresses, not a new Gmail user in my account. Google Cloud Platform seems to let me create the users, but they never receive an email and hence can't complete the account creation.
As it happens, they are Google Docs users with their own Google accounts, but naturally they'd rather not have yet another email address. Is this even possible, or does Google tie Google Cloud Platform into Google Docs? It seems a major limitation of Google Cloud Platform if they do.
Google Cloud Platform, G Suite (formerly "Google Docs") and all other Google services share an identity system. The identity system requires humans to have user accounts while software/machines have service accounts. One Google user account equals one user.
There are 2 flavors of (Google) user accounts: [your-name]@gmail.com and those created by an organization for its users, someone@acme.com. For example, Google uses Google identity internally and so Googlers have emails [their-name]@google.com.
When you create a Google Cloud Platform project, anyone with a Google account may be added to it, whether their Google account is something@gmail.com or an account created by their employer for them.
The only time your users will receive an email from you when you add them to a Google Cloud Platform project is if you make them project owners. This is because ownership requires acceptance of Google's Terms of Service. Other types of users will be added without receiving an email (from Google about it) but will be able to access your project's resources.
I suspect your users have been added correctly and you're ready to go!
The simplest is to share a directory with those off-domain email addresses.
This is possible because Google Docs is backed by Google Drive as storage.
Setting them up with IAM would only add complexity, which is not required
(at least, as long as you don't have to grant them access to GCP resources).

How do you signup for Cloud Identity for Google Cloud Platform when you already signed up for Google Cloud Platform?

At my company we want to start hosting our applications on Google Cloud Platform, so I signed up, which asked me to create a Google Account, so I used my business email address pablo.fernandez@example.com to do so. But now it looks like this is an organization-less account. When I try to sign up for Cloud Identity, so that we can have an organization and other users in the GCP account, I get this error:
Does GCP require me to sign up with a temporary throwaway email so I can set it up correctly? At any point, how do I move forward from here?
Although Cloud Identity is a separate service from G Suite, most probably the same rules apply when managing users: https://support.google.com/a/answer/7044710?hl=en
Before you add users to your organization's Google domain, you should check if they have a personal Google Account with the same email address that you plan to use for their managed Google Account. Two accounts can’t share the same email address. If they do, you have 2 options:
Option 1: Invite your users to transfer or rename their existing account (using a tool in the Google Admin console).
Option 2: Require users to rename their existing account.
Learn more about conflicting accounts.
I believe it is because ultimately they are all "Google accounts"; it's just that G Suite and Cloud Identity accounts belong to an Organization.