I'm new to GCP and trying to set it up for our startup. We are not using GSuite or Cloud Identity. We have one Google account we have set up for billing. My question is around how many Google Accounts we should set up for GCP access for our team (not end users). Is it best practice to create one for each customer/application, or is it better to just create one master Google account?
We would be creating a project per application/environment.
Any advice or recommendations would be most appreciated.
If you own a domain name, it's free to create a Cloud Identity and thus an organisation. Each user in your team needs to have a Google identity (and it's better if it's centrally managed, in Cloud Identity for example). Think about people movement: new team members, resignations, creation of groups to simplify access management, ...
I am using a Google Cloud Project to automate the creation of some users inside of our organization. I have been using some APIs that are hosted on Google Cloud and have had no problem authenticating and using the APIs; however, I am not sure if I should be using a service account for this. I am currently using the Google Drive API, the Google Admin SDK (Directory API), the Sheets API, and the Docs API to create some accounts and manage an error log.
What I am asking is, should I be creating a service account to use the APIs, or is my own personal Google Workspace account okay for creating these? Is there a site/video/something that can guide me in the right direction if I do need to create a service account? I personally would rather have all of the automation using a service account for authentication, but the only videos and tutorials I found on using service accounts are trying to use resources pertaining to Cloud Computing and service accounts that are impersonating other service accounts.
Using a Service Account is the best course of action for security reasons when you are the one giving authorization and authentication to your organization.
It is identical to granting access to any other identity to allow a service account access to a resource. For instance, suppose you only want an application that runs on Compute Engine to be able to generate items in Cloud Storage.
As a result, instead of managing each and every one of your users, you may limit and manage service accounts, assign certain roles to specific users or groups, and keep track of them because several service accounts can be created in a project.
Since you use Google Workspace, I also advise you to read the shared documentation posted in the comments by @John Hanley.
I am unable to select the Google Cloud individual billing account when trying to enable billing on my Google Cloud account. I can't select that option, and I have an Individual profile set for Play developer.
I am not a citizen of an EU country (I saw on some threads that this could be the cause).
I need this account for development purposes (Google maps API to be more exact).
If you manage your Google Cloud resources using an Organization node, and you are a member of that Google Cloud Organization, then you must be a Billing Account Creator to create a new Cloud Billing account.
Specifically, if you are a Google Cloud user within an Organization, to perform this task, you must have the following permission.
billing.accounts.create
If you are not a member of a Google Cloud Organization but instead are managing your Google Cloud resources or Google Maps Platform APIs using projects, you do not need any specific role or permission to create a Cloud Billing account.
I am creating a service account in a project in GCP, but a friend told me not to do that, and instead to use a service account that already exists in another project.
So, the question is:
Can a service account created in a project in GCP be used to access resources of different projects, or is it only valid to access resources of the project where it was created?
Creating a service account is similar to adding a member to your project, but the service account belongs to your applications rather than an individual end user.
@dishant makwana is right, you can use a Service Account in any project, but you need to take into consideration some security factors.
Per my experience you should only grant the service account the minimum set of permissions required, even though you are only using your Service Account in a single project.
You can get more information in the following link: Granting minimum permissions to service accounts
Another good practice is to create service accounts for each service with only the permissions required for that service.
You could check this documentation with some best practices for Service Accounts.
Additionally, depending on your requirements you could consider creating short-lived credentials that allow you to assume the identity of a Google Cloud service account.
The most common use case for these credentials is to temporarily delegate access to Google Cloud resources across different projects, organizations, or accounts.
You can find more information in this link.
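As an added example (not code from this answer or from Google's tooling), the helper below stages a cross-project, least-privilege grant in the JSON form of a project IAM policy, the same document you round-trip with `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud projects set-iam-policy PROJECT policy.json`, and audits which service accounts from other projects already hold roles. The project IDs, service account names, sample policy and the refusal of basic roles are assumptions made for the illustration.

```python
import copy
import re

# Basic roles grant far more than one workload needs; never give them to a
# service account (assumption: the rule this helper enforces).
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# serviceAccount:NAME@PROJECT.iam.gserviceaccount.com; group 1 = home project
SA_MEMBER = re.compile(
    r"^serviceAccount:[a-z][-a-z0-9]{5,29}@([a-z][-a-z0-9]{4,28}[a-z0-9])"
    r"\.iam\.gserviceaccount\.com$"
)

# Constructed sample of what `gcloud projects get-iam-policy PROJECT
# --format=json` prints for a fictional project "app-prod-1234".
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:reader@app-prod-1234.iam.gserviceaccount.com"]},
]}

def home_project(member):
    """Project that owns a service-account member, or None if not an SA."""
    m = SA_MEMBER.match(member)
    return m.group(1) if m else None

def grant_service_account(policy, target_project, member, role):
    """Copy of `policy` with `member` added to `role`, following gcloud's
    add-iam-policy-binding merge rule, plus a flag saying whether the SA
    belongs to a different project (the case that deserves review)."""
    if home_project(member) is None:
        raise ValueError(f"not a service-account member: {member}")
    if role in BASIC_ROLES:
        raise ValueError(f"refusing basic role {role}; use a narrower role")
    new_policy = copy.deepcopy(policy)
    bindings = new_policy.setdefault("bindings", [])
    for b in bindings:
        if b["role"] == role and "condition" not in b:
            if member not in b["members"]:
                b["members"].append(member)
            break
    else:
        bindings.append({"role": role, "members": [member]})
    return new_policy, home_project(member) != target_project

def foreign_service_accounts(policy, project):
    """Audit: (role, member) pairs for SAs owned by some other project."""
    return sorted((b["role"], m) for b in policy.get("bindings", [])
                  for m in b["members"] if home_project(m) not in (None, project))
```

Write the returned policy back with `gcloud projects set-iam-policy`, and run `foreign_service_accounts` over each project's policy periodically so that a service account from another project never keeps access nobody remembers granting.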
I want to create a user account for contacting developers using their own email addresses, not a new Gmail user in my account. Google Cloud Platform seems to let me create the users, but they never receive an email and hence can't complete the account creation.
As it happens, they are Google Docs users with their own Google accounts, but naturally they'd rather not have yet another email address. Is this even possible or does Google tie Google Cloud Platform into Google Docs? It seems a major limitation of Google Cloud Platform if they do.
Google Cloud Platform, G Suite (formerly "Google Docs") and all other Google services share an identity system. The identity system requires humans to have user accounts, while software/machines have service accounts. One Google user account equals one user.
There are 2 flavors of (Google) user accounts: [your-name]@gmail.com and those created by an organization for its users, someone@acme.com. For example, Google uses Google identity internally, and so Googlers have emails [their-name]@google.com.
When you create a Google Cloud Platform project, anyone with a Google account may be added to it, whether their Google account is something@gmail.com or an account created by their employer for them.
The only time your users will receive an email from you when you add them to a Google Cloud Platform project is if you make them project owners. This is because ownership requires acceptance of Google's Terms of Service. Other types of users will be added without receiving an email (from Google about it) but will be able to access your project's resources.
I suspect your users have been added correctly and you're ready to go!
The most simple is to share a directory with those off-domain email addresses; this is possible because Google Docs is backed by Google Drive as storage.
Setting them up with IAM would only add complexity, which is not required (at least, unless you won't have to grant them access to GCP resources).
I'm new to Google Cloud so I'm hoping for some guidance around "organizations".
Can I move a project from one "organization" to another? I'm starting up some projects under my personal GSuite organization, but I'll have to move them to a more professional organization and billing in the future once they are set up.
Is that possible?
As mentioned in the migration docs, this is only possible by contacting support.
If your intention is to develop apps in one account, and then move them to another Google Account, there might be a couple of possibilities.
Use a free account which will put new Cloud Projects under "No organization"
Intentionally create new Cloud Projects under "No organization"
You can give another Google account ownership of your Cloud Project and transfer ownership without the need for Google Support if the original Cloud Project is under the "No organization" category.
Google Cloud Projects created in a free/consumer account are NOT in an organization. And therefore, if you want the G Suite account to get ownership of the Google Cloud Project from your free/consumer account, then you can do that without needing to get Google support involved.
To set up an organization, you need to go to: admin.google.com
https://admin.google.com/ac/accountchooser?continue=https://admin.google.com/
If you try to set up an organization in a free/consumer account, then you will get a message stating that it's for G Suite accounts only.
Your Cloud Projects in a free/consumer account will be put under the organization category of "No organization".