Our company uses different Google services (one of them being GCP). We are going to move our e-mail accounts to another mail supplier and we are wondering what the impact will be on the existing GCP services that certain users use. To make it clear, our @companyname.com mails are currently hosted by Google and they will be moved to another supplier.
Will the users (identified by their e-mail address) keep on working "seamlessly" with GCP even if we do not use Google's mail anymore?
Thanks in advance.
Posting this community wiki answer for better usability.
John Hanley wrote:
If you are using Google Workspace for email and for Google Cloud IAM, you will NOT be able to move those identities to another email platform without keeping the Workspace account. The authentication must be handled by a Google account (Gmail, Workspace, Identity Platform).
You can move your email (send/receive) to another platform. It is the authentication/authorization part that must stay with Google. You can have email for your domain hosted by another provider and still keep Google Workspace. Otherwise, you will need to create new Gmail or Identity Platform identities for Google Cloud IAM.
Related
Looking at this document (https://cloud.google.com/identity-platform/docs/concepts-manage-users) that talks about email verification, which is necessary for Google Cloud Identity Platform's automatic account linking and de-duplication features.
Under the heading "Untrusted providers" both Google and GitHub are listed.
How is it possible for someone to have a Google and/or GitHub account without verifying their email? I have explored various different ways to create Google accounts and/or to modify the email address of my Google account, but I have not been able to change my email address without confirming ownership of the email address.
Migrating on-premises services and applications to Google Cloud Platform, and during an extended transition we will be in a blended GCP, on-prem, third-party-service-provided platform. Looking to standardize on the GCP OAuth2 provider with the OpenIdentity provider as the single source of authentication and verification.
I have pored over the documentation provided by Google Identity Platform and I see Authorization as a Service, which appears to be based on Firebase and is close to what I need/want but not exactly.
The Open Identity provider has an SDK and can be integrated with Web, Server, and mobile device applications. Good!
What I am looking to confirm is that I can also use the OAuth2 SDK to authenticate a user with a token, and then use that token with the OpenIdentity APIs to control user access and features. I know this is entirely possible for the GCP native applications.
Presently it looks like using SAML to integrate with another OAuth2 platform within the Identity Product and then enabling the OpenIdentity provider will meet "most" of my needs. What would be missing would be standardizing on the Google Identity Platform before we migrate all our products and services onto GCP.
The burning question, can I use the OAuth2 implementation with services and apps not hosted on GCP?
The documentation seems to suggest to me yes and no simultaneously.
Any help appreciated at this point.
See Hanley's response above. I had read the documentation available for several identity related products for Google Cloud Platform.
My question made sense to me but it does not translate to those who actually understand the Identity Platform itself, or even just one (1) of the integration implementation methods. Reading through the developer docs I came upon a really important piece of perspective that answered nearly all of my questions.
In case it is helpful:
- Google Sign-in uses @gmail.com (or other) Google identities which applications or organizations can leverage
- One can configure, create, or import domain user identities using the Google Admin console
- These are both considered domain entities and one can configure single sign-on (OAuth, SAML, X.509, JWT, OIDC) for these by using providers, or by writing custom providers
- Either permits organizations and projects to utilize IAM and other Security-Identity features within GCP out of the box with minimal overhead
This covers about 90% of my initial use case and once I understood that domain user identities are either Google, or your own private domain identities created through the Admin Console through Group and User management, the remaining 10% was easy enough to solve.
I'm going to stop commenting here as this was key in understanding why things did not make sense, and why Mr. Hanley (thank you for your patience) was unable to answer my question at the beginning.
Hoping this helps someone else.
I want to create a user account for contacting developers using their own email addresses, not a new Gmail user in my account. Google Cloud Platform seems to let me create the users, but they never receive an email and hence can't complete the account creation.
As it happens, they are Google Docs users with their own Google accounts, but naturally they'd rather not have yet another email address. Is this even possible or does Google tie Google Cloud Platform into Google Docs? It seems a major limitation of Google Cloud Platform if they do.
Google Cloud Platform, G Suite (formerly "Google Docs") and all other Google services share an identity system. The identity system requires humans to have user accounts while software/machines have service accounts. One Google user account equals one user.
There are 2 flavors of (Google) user accounts: [your-name]@gmail.com and those created by an organization for its users, e.g. someone@acme.com. For example, Google uses Google identity internally and so Googlers have emails [their-name]@google.com.
When you create a Google Cloud Platform project, anyone with a Google account may be added to it, whether their Google account is something@gmail.com or an account created by their employer for them.
The only time your users will receive an email from you when you add them to a Google Cloud Platform project is if you make them project owners. This is because ownership requires acceptance of Google's Terms of Service. Other types of users will be added without receiving an email (from Google about it) but will be able to access your project's resources.
I suspect your users have been added correctly and you're ready to go!
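The answer above makes two points worth checking on a real project: only roles/owner members are the ones whose addition triggers the Terms of Service email, and any Google identity, consumer @gmail.com or employer-managed, can be bound to a project. The added example below (not from the original post) parses the JSON shape that `gcloud projects get-iam-policy` emits; the policy, member addresses and the organisation domain `acme.example` are constructed for the demonstration.

```python
import json

# Constructed sample in the shape of `gcloud projects get-iam-policy PROJECT --format=json`.
# All principals are invented for this example.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@acme.example", "user:bob.personal@gmail.com"]},
        {"role": "roles/editor",
         "members": ["user:carol@acme.example",
                     "serviceAccount:deploy@my-proj.iam.gserviceaccount.com"]},
        {"role": "roles/viewer",
         "members": ["group:auditors@acme.example", "user:dave@gmail.com",
                     "allAuthenticatedUsers"]},
    ]
})

ORG_DOMAIN = "acme.example"  # assumed: the organisation's managed Google domain


def parse_members(policy_json):
    """Yield (role, member_type, identity) for every member of every binding.

    IAM members look like 'user:x', 'group:x', 'serviceAccount:x', 'domain:x';
    the two special principals 'allUsers' / 'allAuthenticatedUsers' carry no ':'.
    """
    for binding in json.loads(policy_json).get("bindings", []):
        for member in binding.get("members", []):
            member_type, _, identity = member.partition(":")
            yield binding["role"], member_type, identity


def project_owners(policy_json):
    """Principals holding roles/owner: the only additions that trigger the ToS email."""
    return sorted(f"{t}:{i}" for r, t, i in parse_members(policy_json) if r == "roles/owner")


def unmanaged_human_members(policy_json, org_domain):
    """Human principals (user:/group:) whose address is not in the managed domain.

    These are consumer or foreign-domain Google identities the organisation cannot
    suspend or offboard from its own Admin console."""
    suffix = "@" + org_domain.lower()
    return sorted({(f"{t}:{i}", r) for r, t, i in parse_members(policy_json)
                   if t in ("user", "group") and not i.lower().endswith(suffix)})


def public_principals(policy_json):
    """Bindings granted to everyone (allUsers) or to any Google account (allAuthenticatedUsers)."""
    return sorted((t, r) for r, t, i in parse_members(policy_json)
                  if t in ("allUsers", "allAuthenticatedUsers"))
```

Running the three checks against a live policy export is a quick way to see who holds ownership and which bindings reach outside the organisation's managed accounts.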
The most simple is to share a directory with those off-domain email addresses. This is possible because Google Docs is backed by Google Drive as storage. Setting them up with IAM would only add complexity, which is not required (at least, unless you won't have to grant them access to GCP resources).
I created a Google Cloud instance for a client and handed over the details to them, but now they don't know the Google console email address. They know the IP because the app deployed there is still running. It may be time to pay soon and not knowing the console detail means they will not be able to pay.
Is there a way to get the details from the IP address of the console instance?
Without being able to login to the Google Cloud Console, you will have problems.
Note: I am listing contact Google Support as a last example because you do not have paid Google Support. Google Support only offers billing question support for free. Since you cannot sign into the Google Cloud Console, you cannot sign up to pay for support. However, losing your login might qualify as billing support since you need to pay for your services to keep them running.
Techniques:
If you have access to a computer that has logged into the Google Cloud Console, try. A list of Google Accounts will be displayed to choose from. No guarantee, but usually people do not delete old accounts from Google Accounts. Try each one to access the Google Console. If you / they have forgotten the password, go through the lost password process.
When you sign up for Google Cloud, emails are sent to the account email address. Have everyone do a search for Google Cloud. My welcome email came from CloudPlatform-noreply@google.com.
If you have created a Service Account, the JSON file will have the Project ID. This is globally unique and Google could look up the account holder and send that person an email. Contact Google Support in this case.
If you have a system that you set up the gcloud tools on for this project, run the command gcloud auth list. This will display the authenticated accounts. Usually one of them is a Google Accounts account that can log in to the Google Console.
Google Support can map the public IP address to an account. Contact Google Support in this case.
At my company we want to start hosting our applications on Google Cloud Platform, so I signed up, which asked me to create a Google Account, so I used my business email address pablo.fernandez@example.com to do so. But now it looks like this is an organization-less account. When I try to sign up for Cloud Identity, so that we can have an organization and other users in the GCP account, I get this error:
Does GCP require me to sign up with a temporary throwaway email so I can set it up correctly? At any point, how do I move forward from here?
Although Cloud Identity is a separate service from G Suite, most probably the same rules apply when managing users: https://support.google.com/a/answer/7044710?hl=en
Before you add users to your organization's Google domain, you should check if they have a personal Google Account with the same email address that you plan to use for their managed Google Account. Two accounts can’t share the same email address. If they do, you have 2 options:
Option 1: Invite your users to transfer or rename their existing account (using a tool in the Google Admin console).
Option 2: Require users to rename their existing account.
Learn more about conflicting accounts.
I believe it is because ultimately they are all "Google accounts"; it's just that G Suite and Cloud Identity accounts belong to an Organization.