I want to build some service where one customer / company can provide a Google Cloud Storage bucket + Firestore DB and I want to perform some operations on the bucket files and Firestore (read/write), but I'm not sure what's the best way to get access to their resources.
[my gc project] -> [customer 1 gc project: bucket + firestore]
-> [customer 2 gc project: bucket + firestore]
-> [customer n gc project: bucket + firestore]
Solutions I can imagine:
Request access with OAuth, but then it's more like the user gives me the permissions and not the company
The customer creates a service account and gives me the "json"
I create a service account for each customer and he has to add it to his project; I don't know if that's possible and I think there is a limit of about 100 service accounts per customer
I create one service account and each customer has to add it to his projects
Some other requirements:
I need access to the customer project in a way that i can run scheduled jobs in background
I have to access the customer project with google cloud functions
What would be the best fit for me or am i missing something?
If the projects will be created by you on their behalf, I would suggest creating an organization. In an organization, projects are classified in folders, similar to a file system. Then you can add access control on specific elements, which applies to all the projects inside. https://cloud.google.com/iam/docs/resource-hierarchy-access-control
Otherwise, you will have to manually (or with a script) ask for a service account (second dot) or create one unique service account and add this unique service account to each customer project (third dot).
I have a problem when creating an organization in GCP. I have a secondary domain and want to use it to set up an organization in GCP, but I can't see how to do it. So, is it possible to create another organization or create a sub-organization?
There are no sub-organizations in the GCP resource hierarchy.
Yes, you can create another organization by creating a Google Workspace (formerly G-Suite) or Cloud Identity account and associate it with a domain.
As quoted from docs:
Once you have created your Google Workspace or Cloud Identity account and associated it with a domain, your organization resource will be automatically created for you. The resource will be provisioned at different times depending on your account status:
If you are new to Google Cloud and have not created a project yet, the organization resource will be created for you when you log in to the Google Cloud console and accept the terms and conditions.
If you are an existing Google Cloud user, the organization resource will be created for you when you create a new project or billing account. Any projects you created previously will be listed under "No organization", and this is normal. The organization resource will appear and the new project you created will be linked to it automatically.
You will need to move any projects you created under "No organization" into your new organization resource. For instructions on how to move your projects, see Migrating projects into an organization.
I have 2 Google Cloud projects with GKE and various other services enabled and running.
None of those projects has an organization resource assigned. There are also many Users and serviceaccounts inside the projects that are used in production.
We use (example) adminaccount@example.com for those projects.
I would like to add Google Identity Free, so that I will be able to use Azure AD users with SSO.
So I created a new Google Identity account with the username identityadmin@example.com, which is not a member of my existing Gcloud projects.
The domain (example.com) has not been verified so far.
What will I have to do to get this running with my existing projects?
I read that first I would need an organization resource, which would be created after I verify the domain.
Is it safe to do that? Will I afterwards be able to link my existing projects to this new organization without downtime and loss of existing permissions?
I don't understand how a new organization could be recognized by my existing projects, because there is no link between them.
The goal of course is not to have any downtime.
Sure, I would purchase Google support, but that's only possible if you have an organization, which I don't have.
I'm really confused and troubled.
Looking forward to any suggestions.
Many thanks in advance!
Roland
Firstly, you need to create your new organization. Start by creating a Google Workspace environment (go to https://admin.google.com and create it). You can create the org with a Google Workspace free trial and then cancel your subscription; no worry, I'm paying nothing!
Secondly, with your new Google Workspace account and your new user, go to https://console.cloud.google.com. Here, select your organization and go to IAM. Add as a member the user account under which your projects were created in the "No Organization" organisation, and grant it the role Organization Administrator.
Perfect. Now, go back to your user account (freshly granted) and go to Resource Manager. I use the project picker window to go there.
And eventually, migrate your project. Select one project from "No Organization", click on Migrate, select the organization, and validate. That's all. No downtime.
Your Cloud Identity organization is created when you finish your signup and setup steps for your Cloud Identity service.
To answer your questions:
What will I have to do to get this running with my existing projects?
The simple answer is: migrate projects and billing accounts and set permissions.
This documentation explains how to grant access to billing accounts and grant access to projects.
Will I afterwards be able to link my existing projects to this new organization without downtime and loss of existing permissions?
Once a Google Cloud Organization resource has been created for your domain, you can move your existing projects into the organization.
There should be NO server downtime or impact as a result of migration.
Take into consideration that the link between projects and billing accounts is preserved, irrespective of the hierarchy.
To migrate a project you will need the following permissions: resourcemanager.projects.create on the destination organization, typically granted by the Project Creator role;
resourcemanager.projects.update and resourcemanager.projects.setIAMPolicy on the project you are migrating, typically granted by the Owner role.
You can get further information in the following link: Migrating projects with no organization
Additionally, to contact support you can create a case using this link, and it doesn't matter if you don't have an organization.
I am currently hosting several cloud storage buckets with archived data for some of my clients.
For one client I would like to transfer the ownership and subsequent billing of multiple storage buckets to that client, but continue to administer them myself.
The buckets in question are already in their own (the client's name) project, but they are all hosted within my company domain.
How would I go about that transfer? Does my client need to create their own company domain and I then somehow transfer the project to them? Or do they get user access within my company domain and get a separate billing instance within my company domain?
It's all a bit confusing to me.
Buckets are owned by the Project ID. Objects within the bucket are owned by the IAM Member ID that created the objects.
Billing for buckets is controlled by the Project ID. If the customer already owns the project (which can be changed), all you need to do is change the billing account for the project.
You can continue to have access by granting your IAM Member ID access to the bucket and its objects.
Access to a bucket and its contents via a domain name is not a Cloud Storage issue. This is controlled via the HTTP(S) Load Balancer. You can domain transfer the domain to the customer via normal registrar transfer procedures. Ownership of the domain will not affect the load balancer. The project that owns the load balancer will, so you may need to recreate it to transfer billing responsibility.
To detach this project from your organization, you need to check that the project is in compliance with this document; after that it is necessary to file a case with support.
When the project is detached from an organization, the billing account for this project is deleted and your customer needs a billing account in order to attach it to the project that has the buckets.
A billing account is created when a GCP project is created and upgraded (non-free-trial project).
Complementing the answer from @JohnHanley, it is necessary to change the billing account in the customer project; this change must be performed by a user with these permissions:
Project Owner or Project Billing Manager on the project, AND Billing Account Administrator or Billing Account User for the target Cloud Billing Account.
You can find more information at this link.
Keep in mind that it is not possible to transfer a bucket from one project to another or from one domain to another; you must copy the contents of the existing bucket to a new bucket that belongs to your customer's project.
This action needs to be executed by a user that has access to read and write objects in both buckets (source & target).
While using the BigQuery Java client, I need to join Table A, present in project A / dataset A, with Table B, present in project B / dataset B.
I am able to run the query using the BigQuery console and get cross-project access to the tables by specifying the complete table ID, i.e. project.dataset.table.
Is it possible to add both projects A and B to the same service account, so that the client can be initialized with a single Google Service Account Configuration and query the tables from both the projects?
Thanks.
Yes, it is possible to add the same Service Account to different projects.
Once you have created your Service Account in one project, copy the e-mail. Navigate to Cloud IAM page, choosing your second project. Add the Service Account as a member with necessary BigQuery role to your second project.
I plan to run hundreds of websites within one Google Cloud Platform project (using GKE). Each of them will use two Google Cloud Storage buckets for storing its assets.
I planned to create one service for every website in order to grant access to only its own respective buckets. However, there's a limit of 100 service accounts per project, which apparently can't be raised.
How can I make sure that each website only has access to the buckets (or sub-paths in a bucket) which it is allowed to see?
We have a similar use-case and I believe I've found a solution for this problem. The key is that service accounts from other projects can be given access to buckets of your GCS-enabled project.
Basically you'll use two kinds of GCP projects:
One main project that holds all the data (GCS buckets) and whatever shared resources you have, like Compute Engine VMs or App Engine services
Multiple other projects that are only holding 100 service accounts each
The service accounts from the second type of "user pool" projects can be given access to the buckets of your data project with a fine granularity (1 service account -> 1 bucket). When the last user pool is close to the 100 limit, just create a new project and start adding new service accounts there.
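As an added example (not code from any of the posts above), a small Python audit for the "1 service account -> 1 bucket" model described in the last answer, which also covers the first question's setup of one service account granted across several projects: it reads bucket-level IAM policies, maps every service account to the buckets it can reach, and reports any account bound to a bucket outside its expected set, plus any public principal. The bucket names, pool project ids and account e-mails are constructed, and the policy dicts follow the JSON shape returned by a bucket get-iam-policy call.

```python
from collections import defaultdict

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample in the shape of `gcloud storage buckets get-iam-policy BUCKET --format=json`
# (bucket names, project ids and account e-mails are hypothetical).
SAMPLE_POLICIES = {
    "site-a-assets": {"bindings": [
        {"role": "roles/storage.objectAdmin",
         "members": ["serviceAccount:site-a@pool-01.iam.gserviceaccount.com"]}]},
    "site-a-uploads": {"bindings": [
        {"role": "roles/storage.objectAdmin",
         "members": ["serviceAccount:site-a@pool-01.iam.gserviceaccount.com"]}]},
    "site-b-assets": {"bindings": [
        {"role": "roles/storage.objectAdmin",
         "members": ["serviceAccount:site-b@pool-01.iam.gserviceaccount.com",
                     "serviceAccount:site-a@pool-01.iam.gserviceaccount.com"]},  # leaked across sites
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]}]},     # public read
}

# Expected mapping: which buckets each site's service account may touch.
ALLOWED = {
    "serviceAccount:site-a@pool-01.iam.gserviceaccount.com": {"site-a-assets", "site-a-uploads"},
    "serviceAccount:site-b@pool-01.iam.gserviceaccount.com": {"site-b-assets"},
}

def service_account_grants(policies):
    """Map each serviceAccount member to {bucket: set(roles)} across all bucket policies."""
    grants = defaultdict(lambda: defaultdict(set))
    for bucket, policy in policies.items():
        for binding in policy.get("bindings", []):
            for member in binding.get("members", []):
                if member.startswith("serviceAccount:"):
                    grants[member][bucket].add(binding["role"])
    return grants

def find_violations(policies, allowed):
    """Sorted (member, bucket, role) triples: accounts on buckets outside `allowed`, or public principals."""
    violations = []
    for member, buckets in service_account_grants(policies).items():
        for bucket, roles in buckets.items():
            if bucket not in allowed.get(member, set()):
                violations.extend((member, bucket, role) for role in sorted(roles))
    for bucket, policy in policies.items():
        for binding in policy.get("bindings", []):
            for member in binding.get("members", []):
                if member in PUBLIC_MEMBERS:
                    violations.append((member, bucket, binding["role"]))
    return sorted(violations)
```

Run `find_violations(SAMPLE_POLICIES, ALLOWED)` over the sample to see the cross-site grant and the public binding flagged; feed it real policies (one dict per bucket) to audit a data project.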