I'm creating a group for the organization from IAM & Admin. There is a "Group email address" input box, but I don't know what kind of email address they are asking for. Should I put a group email address that is already being used? Or is this for the new email address that GCP will create? If so, when and how can I use this new email address?
Let me summarize our discussion in the comment section. Let's start with the IAM Overview, where in the section Google group you can see:
A Google group is a named collection of Google Accounts and service accounts. Every Google group has a unique email address that's associated with the group. You can find the email address that's associated with a Google group by clicking About on the homepage of any Google group. For more information about Google Groups, see the Google Groups homepage.
Google Groups are a convenient way to apply an access policy to a collection of users. You can grant and change access controls for a whole group at once instead of granting or changing access controls one at a time for individual users or service accounts. You can also easily add members to and remove members from a Google group instead of updating an IAM policy to add or remove users.
More information can be found on the documentation page Managing groups in the Cloud Console, for example instructions on how to create, edit or delete a group.
A group email address is a unique identifier in the form of an email address; you can see a similar concept for a service account, such as sa-name@project-id.iam.gserviceaccount.com.
Related
How do I find a list of all groups that I am a member of for an organization in GCP? I am able to go to the IAM > Groups page and see a list of member users for an individual selected group, but I have not been able to find a list of all of the groups that I am a part of.
I found the View a user's group memberships article that walks through the steps of seeing a user's group memberships, but this requires an admin account. I am not an admin and only want to see my own group memberships. How can I do this?
For general Google Workspace groups, there is this page that shows an overview for the currently logged-in account:
https://groups.google.com/my-groups
I have user-owned objects in a Google Cloud Storage bucket which I'm controlling access to through a webapp backend. Currently, the webapp backend authenticates the user and then generates signed read URLs for the object. This works great, but can result in a high volume of URLs being generated in response to a bulk action. The failure rate of these signed URLs is very low, but when enough of them are generated some fail and a timeout or connection reset is noticeable to users.
Is there any way to give this kind of controlled, time limited access to users at the bucket level, or in bulk in another way, without creating GCP accounts for users?
You are correct, all these methods require a service account. After further investigation, there is no way to provide access without a GCP account.
At the bucket level, there is uniform bucket-level access, Identity and Access Management (IAM) and Access Control List (ACL). If you want to avoid creating GCP accounts for the users, then try Access Control List (ACL).
In this access control you can also determine who the readers, writers and owners will be. But this access control lets you grant access to anyone who has an external email address. This will save you the time of creating GCP accounts for the users; here are the scopes of who can grant access:
And here is what each scope covers:
Google account email address:
Every user who has a Google account must have a unique email address associated with that account. You can specify a scope by using any email address that is associated with a Google account, such as a gmail.com address.
Cloud Storage remembers email addresses as they are provided in ACLs until the entries are removed or replaced. If a user changes email addresses, you should update ACL entries to reflect these changes.
Google group email address:
Every Google group has a unique email address that is associated with the group. For example, the Cloud Storage Announce group has the following email address: gs-announce@googlegroups.com. You can find the email address that is associated with a Google group by clicking About on the homepage of every Google group.
Like Google account email addresses, Cloud Storage remembers group email addresses as they are provided in ACLs until the entries are removed. You do not need to worry about updating Google Group email addresses, because Google Group email addresses are permanent and unlikely to change.
Convenience values for projects:
Convenience values allow you to grant bulk access to your project's viewers, editors, and owners. Convenience values combine a project role and an associated project number. For example, in project 867489160491, editors are identified as editors-867489160491. You can find your project number on the homepage of the Google Cloud Console.
You should generally avoid using convenience values in production environments, because they require granting basic roles, a practice which is discouraged in production environments.
G Suite or Cloud Identity:
G Suite and Cloud Identity customers can associate their email accounts with an Internet domain name. When you do this, each email account takes the form USERNAME@YOUR_DOMAIN.com. You can specify a scope by using any Internet domain name that is associated with G Suite or Cloud Identity.
Special identifier for all Google account holders:
This special scope identifier represents anyone who is authenticated with a Google account. The special scope identifier for all Google account holders is allAuthenticatedUsers. Note that while this identifier is a User entity type, when using the Cloud Console it's labeled as a Public entity type.
Special identifier for all users:
This special scope identifier represents anyone who is on the Internet, with or without a Google account. The special scope identifier for all users is allUsers. Note that while this identifier is a User entity type, when using the Cloud Console it's labeled as a Public entity type.
You have full control of the access you want the users to have. You can learn about the access and what each does with the following links: Link 1, Link 2.
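The scope types listed above map onto the entity strings a bucket or object ACL actually carries. The following added example (not code from the answer or from Google's libraries) classifies each ACL entry by scope and flags the ones a reviewer should look at: the two public scopes and the project convenience values the answer says to avoid in production. The sample ACL is constructed; entity strings use the JSON API form, where a convenience value appears as project-editors-<number> rather than the bare editors-<number> shown above.

```python
import re
from typing import Dict, List

# Constructed sample ACL, in the shape the Cloud Storage JSON API returns for
# bucketAccessControls / objectAccessControls. All values are made up.
SAMPLE_ACL = [
    {"entity": "user-alice@gmail.com", "role": "OWNER"},
    {"entity": "group-gs-announce@googlegroups.com", "role": "READER"},
    {"entity": "domain-example.com", "role": "READER"},
    {"entity": "project-editors-867489160491", "role": "WRITER"},
    {"entity": "allAuthenticatedUsers", "role": "READER"},
    {"entity": "allUsers", "role": "READER"},
]

# One pattern per scope type from the answer. Entities that carry a numeric
# id instead of an email (user-<id>, group-<id>) deliberately fall through
# to "unknown" so they get a manual look rather than a silent pass.
SCOPE_PATTERNS = [
    ("google_account", re.compile(r"^user-[^@\s]+@[^@\s]+$")),
    ("google_group", re.compile(r"^group-[^@\s]+@[^@\s]+$")),
    ("domain", re.compile(r"^domain-[A-Za-z0-9.-]+$")),
    ("project_convenience", re.compile(r"^project-(owners|editors|viewers)-\d+$")),
    ("all_authenticated_users", re.compile(r"^allAuthenticatedUsers$")),
    ("all_users", re.compile(r"^allUsers$")),
]


def classify_entity(entity: str) -> str:
    """Map an ACL entity string to one of the scope types listed above."""
    for scope, pattern in SCOPE_PATTERNS:
        if pattern.match(entity):
            return scope
    return "unknown"


def audit_acl(acl: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per ACL entry that needs review, in ACL order."""
    findings = []
    for entry in acl:
        scope = classify_entity(entry["entity"])
        if scope in ("all_users", "all_authenticated_users"):
            issue = "public access"
        elif scope == "project_convenience":
            issue = "convenience value (requires basic roles)"
        elif scope == "unknown":
            issue = "unrecognized entity"
        else:
            continue
        findings.append({"entity": entry["entity"], "role": entry["role"],
                         "scope": scope, "issue": issue})
    return findings
```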
I have Google Identity with a domain example.com and have created a group, say my-admins@example.com. I can create users a-user@example.com and, say, another-user@example.com and add them to the group my-admins@example.com.
I have a Google Cloud organization example.com and have successfully added my-admins@example.com and assigned it the roles I want (e.g. Organization Admins).
It's possible for me to add Google accounts, e.g. googleaccount123@gmail.com, as principals to my organization and assign them roles, but I can't seem to add them to the my-admins@example.com group.
Are my Google Identity groups always scoped to users with the same domain? If so, how do I get to a place where I can manage a mixed group of example users and Google accounts?
I've realized the issue is that there is a group attribute allowing/denying adding members from outside of the organization.
The GCP Best Practices doc has this statement:
"We recommend collecting users with the same responsibilities into groups and assigning Cloud IAM roles to the groups rather than to individual users."
I assume this refers to Cloud Identity Groups, yes?
Where do I assign Cloud IAM roles to groups?
Thanks
You should be able to create a Google Group with the imported members in Cloud Identity. If you use a Google Group, that group must have an email address (normally <group-name>@<domain>). You can then use this email address in IAM to give access to all people in that group.
See this doc for more info.
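Granting the role to the group's email address, as the answer describes, means adding a group: principal to a binding in the resource's IAM policy. The following added example (not code from the answer or from Google's SDK) does that on a policy in the JSON shape that gcloud projects get-iam-policy prints, idempotently and without touching the etag, so the result can be written back with gcloud projects set-iam-policy. The sample policy and its etag are constructed.

```python
import copy
from typing import Any, Dict

# Constructed sample policy in the shape of
# `gcloud projects get-iam-policy PROJECT_ID --format=json`. Values are made up.
SAMPLE_POLICY: Dict[str, Any] = {
    "etag": "BwXyz123abc=",  # constructed; keep it so set-iam-policy detects races
    "version": 1,
    "bindings": [
        {"role": "roles/viewer", "members": ["user:a-user@example.com"]},
    ],
}


def group_member(group_email: str) -> str:
    """Build the IAM principal string for a Google Group (group:<email>)."""
    local, at, domain = group_email.partition("@")
    if not (local and at and domain) or " " in group_email:
        raise ValueError(f"not a group email address: {group_email!r}")
    return f"group:{group_email}"


def bind_group(policy: Dict[str, Any], role: str, group_email: str) -> Dict[str, Any]:
    """Return a copy of policy that grants role to the group.

    Reuses an existing unconditional binding for the role if there is one,
    otherwise appends a new binding. Calling it twice changes nothing.
    """
    new_policy = copy.deepcopy(policy)
    member = group_member(group_email)
    for binding in new_policy.setdefault("bindings", []):
        # Conditional bindings are left alone: adding a member there would
        # silently scope the grant to that condition.
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new_policy
    new_policy["bindings"].append({"role": role, "members": [member]})
    return new_policy
```

Write the returned policy to a file and apply it with gcloud projects set-iam-policy PROJECT_ID policy.json; the preserved etag makes the write fail if someone changed the policy in between.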
I am trying to set up access control using Google Groups instead, since our team is getting larger. I have created a group in the Google Groups admin and given that group access to our GCP project, but the members of the group don't see the GCP project in the list of available groups.
Am I missing something?
According to the doc: https://cloud.google.com/iam/docs/overview it should be possible to do exactly what I am doing.
Reference:
https://cloud.google.com/iam/docs/overview
We can create a Group in a Google account through the administrator account.