Add cloud identity to existing Google Cloud Projects - google-cloud-platform

I have 2 Google Cloud projects with GKE and various other services enabled and running.
None of those projects has an organization resource assigned. There are also many users and service accounts inside the projects that are used in production.
We use (example) adminaccount@example.com for those projects.
I would like to add Google Identity Free, so that I will be able to use Azure AD Users with SSO
So I created a new Google Identity account with the username identityadmin@example.com, which is not a member of my existing Gcloud projects.
The domain (example.com) has not been verified so far.
What will I have to do to get this running with my existing projects?
I read that first I would need an organization resource, which would be created after I verify the domain.
Is it safe to do that? Will I afterwards be able to link my existing projects to this new organization without downtime and loss of existing permissions?
I don't understand how a new organization could be recognized by my existing projects, because there is no link between them.
The goal of course is not to have any downtime.
Sure, I would purchase Google support, but that's only possible if you have an organization, which I don't have.
I'm really confused and troubled.
Looking forward to any suggestions.
Many thanks in advance!
Roland

Firstly, you need to create your new organization. Start by creating a Google Workspace environment (go to https://admin.google.com and create it). You can create the org with a Google Workspace free trial and then cancel your subscription, no worry, I'm paying nothing!
Secondly, with your new Google Workspace account, and your new user, go to https://console.cloud.google.com. Here, select your organization, and go to IAM. Here add as member the user account where your projects are created in the "No Organization" organisation, and grant it the role Organization Administrator.
Perfect. Now, go back to your user account (freshly granted) and go to resource manager. I use the project picker window to go there.
And eventually, migrate your project. Select one project from "No Organization", click on migrate, select the Organization, and validate. That's all. No downtime

Your Cloud Identity organization is created when you finish your signup and setup steps for your Cloud Identity service
To answer your questions:
What will I have to do to get this running with my existing projects?
The simple answer is Migrate projects and billing accounts and set permissions
This documentation explains how Grant access to billing accounts and Grant access to projects
Will I afterwards be able to link my existing projects to this new organization without downtime and loss of existing permissions?
Once a Google Cloud Organization resource has been created for your domain, you can move your existing projects into the organization.
There should be NO server downtime or impact as a result of migration.
Take into consideration that the link between projects and billing accounts is preserved, irrespective of the hierarchy.
To migrate a project you will need the following permissions: resourcemanager.projects.create on the destination organization, typically granted by the Project Creator role.
resourcemanager.projects.update and resourcemanager.projects.setIAMPolicy on the project you are migrating, typically granted by the Owner role.
You can get further information in the following link: Migrating projects with no organization
Additionally to contact support you could create a case using this link and it doesn’t matter if you don’t have an organization.
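As an added example (not code from any of the answers above), a Python pre-flight check that reads IAM policies in the shape the Resource Manager API returns and reports which of the permissions listed above a principal still lacks before moving a project; the role-to-permission table covers only the two roles named above, and the policies and principals are constructed sample data.

```python
# Added example, not from the answers above: pre-flight check of the permissions
# the answer lists for moving a "No organization" project into an organization.
# Policies mirror the Resource Manager API shape (bindings of role -> members);
# the role table, policies and principals are constructed sample data.
from typing import Dict, List, Set

# Only the permissions the answer names; the real roles carry many more.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/resourcemanager.projectCreator": {"resourcemanager.projects.create"},
    "roles/owner": {"resourcemanager.projects.update",
                    "resourcemanager.projects.setIamPolicy"},
}
DESTINATION_NEEDS = {"resourcemanager.projects.create"}  # on the destination org
PROJECT_NEEDS = {"resourcemanager.projects.update",  # on the project being moved
                 "resourcemanager.projects.setIamPolicy"}

def effective_permissions(policy: dict, principal: str) -> Set[str]:
    """Permissions a principal holds through unconditional bindings.
    Bindings carrying a 'condition' are skipped: a conditional grant may not
    hold at migration time, so it is not counted as guaranteed."""
    granted: Set[str] = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue
        if principal in binding.get("members", []):
            granted |= ROLE_PERMISSIONS.get(binding["role"], set())
    return granted

def missing_for_migration(org_policy: dict, project_policy: dict,
                          principal: str) -> List[str]:
    """Sorted list of required permissions the principal does not yet hold."""
    missing = DESTINATION_NEEDS - effective_permissions(org_policy, principal)
    missing |= PROJECT_NEEDS - effective_permissions(project_policy, principal)
    return sorted(missing)

# Constructed sample policies for a hypothetical organization and project.
ORG_POLICY = {"bindings": [
    {"role": "roles/resourcemanager.projectCreator",
     "members": ["user:adminaccount@example.com"]},
]}
PROJECT_POLICY = {"bindings": [
    {"role": "roles/owner", "members": ["user:adminaccount@example.com"]},
    # Time-limited ownership: present in the policy but not guaranteed.
    {"role": "roles/owner", "members": ["user:identityadmin@example.com"],
     "condition": {"title": "temporary", "expression":
                   "request.time < timestamp('2020-01-01T00:00:00Z')"}},
]}
if __name__ == "__main__":
    for who in ("user:adminaccount@example.com", "user:identityadmin@example.com"):
        print(who, "missing:", missing_for_migration(ORG_POLICY, PROJECT_POLICY, who))
```

Run it against the real policies exported for your organization and project; an empty list for the migrating account means the three listed permissions are in place, while the new Cloud Identity admin (not yet a member) is reported as lacking all of them.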

Related

Google Cloud - Can't find the owner of a project

We have some Google Cloud Projects which use Google Calendar APIs and Sheets.
Developers who created this projects have left and their accounts have been deleted. The credentials created by them still work but we can't access those projects in Google Cloud dashboard from any of our existing accounts.
I tried accessing like this: https://console.cloud.google.com/apis/credentials?project=project-name-goes-here
All of us get
You do not have sufficient permissions to view this page. You are missing the following required permissions:
Project
project-name-here
resourcemanager.projects.get
How can an admin reclaim these projects?
If the account that created these projects is deleted, will these projects still work?
We don't pay for support so we can't contact anyone from Google Cloud team.
Is there a way to find which Google account these projects belong to?
Can anyone from Google cloud team clarify?
Thanks
If your Project is under an Organization, the organization is still the owner. You would need to contact the Organization Owners and modify the Owners of the resource.
You can also create a support ticket to the GCP Account and Resource Recovery Request team

Projects under No Organization that cannot be accessed

In the cloud-resource-manager page, there are 2 projects listed under No organization, one of them curiously has the id you-can-see-this-project, the other looks like an automatically generated project with the prefix My Project xxx.
The issue is that there seems to be no way to access these 2 projects even though I can see them under my account. The IAM page shows that I do not have the permission resourcemanager.projects.getIamPolicy and every other page or action notes some missing permission.
Is there a way to shutdown/delete these projects or a way to remove myself from these projects?
Edit:
Seems like the 2 projects that are showing up in my account are the same as for other people that have the same issue.
They are
Update (20221114): Checked recently and both the rogue projects are gone with no action on our part. Probably it was finally cleaned-up?
Root cause
Your Google Cloud Account is subscribed to "google-appengine@googlegroups.com".
Solution
Unsubscribing from this group will remove these projects. See Google Groups Help for reference.
I got this feedback directly from the Google Cloud Support team and confirmed it working with my account. I did not consciously subscribe to that group; maybe this happens or happened automatically in the past. Also why these ghost projects are added remains a mystery to me, no idea what they should be used for. Here's hoping that Google will fix this in the future...
You will need to identify the Projects' members that have the Owner role; I think that there is not a specific IAM permission that permits Project deletion but that some identities must have the Owner role.
I suspect (!) you can't orphan Projects by removing the last Owner, so there must be at least one.
If you're unable to determine Ownership, Google Cloud Support can determine the Owners for you though I suspect Support won't be able to disclose this information to you but will need to contact the Owners directly about this.
Once you have created your Google Workspace or Cloud Identity account and associated it with a domain, your organization resource will be automatically created for you. The resource will be provisioned at different times depending on your account status:
If you are new to Google Cloud and have not created a project yet, the organization resource will be created for you when you log in to the Google Cloud console and accept the terms and conditions.
If you are an existing Google Cloud user, the organization resource will be created for you when you create a new project or billing account. Any projects you created previously will be listed under "No organization", and this is normal. The organization resource will appear and the new project you created will be linked to it automatically. You will need to move any projects you created under "No organization" into your new organization resource. For instructions on how to move your projects, see Migrating projects into an organization.
Users can only view and list projects they have access to via IAM roles. The Organization Administrator can view and list all projects in the organization.
The No organization option in the Organization drop-down lists the following projects:
Projects that do not belong to the Organization yet.
Projects the user has access to, but which are under an Organization to which the user does not have access.
Refer to this documentation for more information on creating and managing organizations.

Is it possible to add an organization to an existing GCP account?

I am not able to add an organization to an already existing GCP account. The account has two projects running. I created a different account in order to create an organization, because GCP would not let me add an organization in the same account. After creating the account I get the following message:
When you use only your personal account, the projects are attached to a virtual organization named "No Organisation".
If you have a domain name, you can create a Cloud Identity account and an admin user. Remove all licences from your user to pay nothing (even if you need to enroll for a free trial, do this and then remove the licences to pay nothing).
So, now you have a new user (with @domainName), but you don't have your old projects. No problem, go to the organisation level, in the IAM page, and grant your personal account the Organisation Admin role.
Go back to your personal account and you will be able to see your No Organization projects and your new organization with the same account. Now, you simply need to migrate the projects if you want to attach them to the new organization.
Note: it may be a lot of new stuff and steps, but I did it and it worked well. Let me know if you need more guidance!

Creating a new project in Google Cloud using python without service account credentials

I am aiming to do a pythonic automated Google Cloud project manager. Just testing a bunch of models of Tensorflow and stuff. Even when I can fully access training, deploying and testing models inside a project, I can't make any new projects since I am authenticated with a service account through:
google.oauth2.service_account.Credentials.from_service_account_file("thisisakey.json")
But as far as I understand, service accounts are project-bound so it's perfectly correct that creating a new project with it raises an error. In fact it does:
googleapiclient.discovery.build("cloudresourcemanager", "v1", cache_discovery=False)
Fails with:
Service accounts cannot create project without a parent.
So either creating/finding a "parent" for this project or log in a more "powerful" account could solve this. But I can't figure them out. Are there any other credential types to download and embed into python? Can I create a project from python? Everything I've checked about this is at least 2 years old and seems to be very outdated (back then projects were just not possible to create via APIs)
Update:
I've tried creating a project using the "parent" flag in the project's body, on the Organization of the corp I work for, and even when this service account has "Owner" and "Organization Administrator" roles the create request fails with:
Encountered 403 Forbidden with reason "forbidden"
User is not authorized.
So the problem persists.
You can assign privileges to Service Accounts to do just about anything in Google Cloud. You have hit one of just a few that you cannot.
The problem is that your project is not part of an Organization (you have no parent). Your solution is to either set up Organizations or create your projects via the Google Cloud Console. Note: I do not recommend creating projects via software. You also need to set up billing in order to do anything useful.
There are two types of credentials with Google Cloud: User Credentials and Service Account Credentials. You cannot embed User Account Credentials into an application. User Account Credentials are created interactively as part of a login / authentication process using OAuth 2.0.
There are other types of access to cloud services such as API Keys, but these do not apply to your issue.
Quickstart Using Organizations

Can you move a project from one Google Cloud Platform organization to another

I'm new to Google Cloud so I'm hoping for some guidance around "organizations".
Can I move a project from one "organization" to another? I'm starting up some projects under my personal GSuite organization, but I'll have to move them to a more professional organization and billing in the future once they are set up.
Is that possible?
As mentioned on the migration docs this is only possible by contacting support.
If your intention is to develop apps in one account, and then move them to another Google Account, there might be a couple of possibilities.
Use a free account which will put new Cloud Projects under "No organization"
Intentionally create new Cloud Projects under "No organization"
You can give another Google account ownership of your Cloud Project and transfer ownership without the need for Google Support if the original Cloud Project is under the "No organization" category.
Google Cloud Projects created in a free/consumer account are NOT in an organization. And therefore, if you want the G Suite account to get ownership of the Google Cloud Project from your free/consumer account, then you can do that without needing to get Google support involved.
To set up an organization, you need to go to: admin.google.com
https://admin.google.com/ac/accountchooser?continue=https://admin.google.com/
If you try to set up an organization in a free/consumer account, then you will get a message stating that it's for G Suite accounts only.
Your Cloud Projects in a free/consumer account will be put under the organization category of "No organization"