I want to change the email address behind the Google Cloud Platform project or, if that is not possible, I want to migrate the project to the new account. How can that be done?
Using Cloud IAM you can do this in 2 steps:
"Add" a new identity (email address) as an "owner" of the project
"Remove" the current identity from being an "owner" of the project.
Go to the console in your browser, navigate to your project you want to update, go to "IAM & admin", and perform the above steps.
I want to migrate my Google action project from one Google account to another.
However, I am not part of any organization hence the migration option on Google cloud for my project doesn't work.
Can anyone help me understand how we can migrate the Google action with no organization from one Google account to another Google account without any organization created on the Google Cloud console?
To migrate your GCP project, follow these steps:
Navigate to the Google Cloud console
Select the source account you want to migrate the project from
In the navigation menu select "IAM"
At the top, click "ADD"
Add the destination account using Permissions/Add Member/Is Owner
Accept the Invitation from destination account
If you want to remove ownership of the source account, on the destination account, go back to the IAM section and delete your account from the list.
Refer to granting access for information.
I have 2 Google Cloud projects with GKE and various other services enabled and running.
None of those projects has an organization resource assigned. There are also many users and service accounts inside the projects that are used in production.
We use (example) adminaccount@example.com for those projects.
I would like to add Google Identity Free, so that I will be able to use Azure AD users with SSO.
So I created a new Google Identity account with the username identityadmin@example.com, which is not a member of my existing Gcloud projects.
The domain (example.com) has not been verified so far.
What will I have to do to get this running with my existing projects?
I read that first I would need an organization resource, which would be created after I verify the domain.
Is it safe to do that? Will I afterwards be able to link my existing projects to this new organization without downtime and loss of existing permissions?
I don't understand how a new organization could be recognized by my existing projects, because there is no link between them.
The goal of course is not to have any downtime.
Sure, I would purchase Google support, but that's only possible if you have an organization, which I don't have.
I'm really confused and troubled.
Looking forward to any suggestions.
Many thanks in advance!
Roland
Firstly, you need to create your new organization. Start by creating a Google Workspace environment (go to https://admin.google.com and create it). You can create the org with a Google Workspace free trial and then cancel your subscription, no worry, I'm paying nothing!
Secondly, with your new Google Workspace account and your new user, go to https://console.cloud.google.com. Here, select your organization, and go to IAM. Here add as member the user account where your projects are created in the "No Organization" organisation, and grant it the role Organization Administrator.
Perfect. Now, go back to your user account (freshly granted) and go to the resource manager. I use the project picker window to go there.
And eventually, migrate your project. Select one project from "No Organization", click on migrate, select the Organization, and validate. That's all. No downtime.
Your Cloud Identity organization is created when you finish your signup and setup steps for your Cloud Identity service.
To answer your questions:
What will I have to do to get this running with my existing projects?
The simple answer is Migrate projects and billing accounts and set permissions
This documentation explains how to grant access to billing accounts and grant access to projects.
Will I afterwards be able to link my existing projects to this new organization without downtime and loss of existing permissions?
Once a Google Cloud Organization resource has been created for your domain, you can move your existing projects into the organization.
There should be NO server downtime or impact as a result of migration.
Take into consideration that the link between projects and billing accounts is preserved, irrespective of the hierarchy.
To migrate a project you will need the following permissions: resourcemanager.projects.create on the destination organization, typically granted by the Project Creator role.
resourcemanager.projects.update and resourcemanager.projects.setIAMPolicy on the project you are migrating, typically granted by the Owner role.
You can get further information in the following link: Migrating projects with no organization
Additionally, to contact support you could create a case using this link, and it doesn't matter if you don't have an organization.
I want to use Google Cloud Platform
I go to https://console.cloud.google.com/, then go to Identity and Organization.
It says "To view this page, select an organization."
I did not yet create an organization, so I am expecting a button "create new organization" to appear on this page, but there is only "select", and when I click on "select", nothing happens.
An organization seems to be required for many tasks (for example, creating a new project requires me to put it in an organization), but how can one create a new organization using Google Cloud Platform?
You need to have either a Gsuite or Cloud Identity account before you can create an Org. If you're on free trial then you don't need an Org to create a project.
I need a service account that can access multiple projects, but I have not been able to find a way to do this at all. It seems that a service account is always bound to a project.
Another option is to create a service account on the separate projects and then authenticate them using gcloud auth activate-service-account --key-file SOME_FILE.json, but the problem here is that it does not seem possible to automate the creation of service accounts.
So the question is then: Is it possible to create a cross-project service account or to automate the creation of service accounts? Even better would be if I could do both.
You should be able to add a service account to another project:
Create the first service account in project A in the Cloud Console. Activate it using gcloud auth activate-service-account.
In the Cloud Console, navigate to project B. Find the "IAM & admin" > "IAM" page. Click the "Add" button. In the "New members" field paste the name of the service account (it should look like a strange email address) and give it the appropriate role.
Run gcloud commands with --project set to project B. They should succeed (I just manually verified that this will work).
Automatic creation of service accounts is something that we're hesitant to do until we can work through all of the security ramifications.
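The two IAM edits discussed on this page, the owner swap from the first answer (add the new owner, then remove the old one) and the cross-project service account grant from Zachary Newman's answer, as an added example that is not code from any answer here. It works offline on the policy JSON that `gcloud projects get-iam-policy PROJECT --format=json` returns, so the change can be reviewed before `gcloud projects set-iam-policy`; the project ids and member addresses are constructed placeholders.

```python
# Added example (not code from any answer here): the two IAM edits discussed
# above, done offline on the JSON from `gcloud projects get-iam-policy PROJECT
# --format=json`, so it can be reviewed before `gcloud projects set-iam-policy`.
import copy

OWNER = "roles/owner"

def _find(policy, role):
    """Binding dict for role, or None if the role is not bound yet."""
    return next((b for b in policy.get("bindings", []) if b.get("role") == role), None)

def members(policy, role):
    b = _find(policy, role)
    return sorted(b["members"]) if b else []

def is_last_owner(policy, member):
    """True if removing member would leave the project with no owner."""
    return members(policy, OWNER) == [member]

def grant(policy, role, member):
    """Copy of policy with member added to role (idempotent). Same call for a
    user:... member and for serviceAccount:...@project-a.iam.gserviceaccount.com."""
    new = copy.deepcopy(policy)
    b = _find(new, role)
    if b is None:
        b = {"role": role, "members": []}
        new.setdefault("bindings", []).append(b)
    if member not in b["members"]:
        b["members"].append(member)
    return new

def revoke(policy, role, member):
    """Copy of policy with member removed from role. Refuses to drop the last
    owner, which would lock everyone out: add the new owner first."""
    if role == OWNER and is_last_owner(policy, member):
        raise ValueError(f"{member} is the last owner; grant another owner first")
    new = copy.deepcopy(policy)
    b = _find(new, role)
    if b and member in b["members"]:
        b["members"].remove(member)
        if not b["members"]:
            new["bindings"].remove(b)
    return new

def transfer_ownership(policy, old_owner, new_owner):
    """The first answer's two steps in the safe order: add, then remove."""
    return revoke(grant(policy, OWNER, new_owner), OWNER, old_owner)

# Constructed sample for project B, shaped like gcloud's output (keep the etag:
# set-iam-policy uses it to reject a policy that went stale while you edited).
POLICY_B = {"version": 1, "etag": "BwX-placeholder",
            "bindings": [{"role": OWNER, "members": ["user:adminaccount@example.com"]}]}
```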
I know it's a bit old, but if anyone is still looking for this: to add to @Zachary Newman's answer, to make things clear, after you created a service account in project A you should go to project B to "IAM" (not "Service Accounts"). There you will be able to add the email you just created with proper roles.
I have confirmed that custom token signing worked with @Zachary Newman's procedure.
My concrete procedure of how I created a custom token in a GAE app in project A which can be used to connect to Firestore of project B is as follows:
In the "IAM" page of project B, add the service account {project-a}@appspot.gserviceaccount.com, which is the GAE default service account of project A.
In the "IAM" page of project B, assign the "Service Account Token Creator" role to {project-a}@appspot.gserviceaccount.com.
Call the Firebase Admin SDK initializeApp method in a GAE app in project A, specifying firebase-adminsdk-xxxxx@{project-b}.iam.gserviceaccount.com, which is a service account with "Firebase Admin SDK Administrator Service Agent" in project B, as serviceAccountId and https://{project-b}.firebaseio.com as databaseURL, and then create a custom token.