Cannot view/create tenants in Google Identity Platform - google-cloud-platform

I've got a GCP project shared with me with the "project owner" access.
So, I can open and manage the "Identity Platform" users.
But I can't open the "Tenants" page (it's loading infinitely).
So, maybe it requires some additional roles, although I'm an owner of the project and I have the following roles assigned:
App Engine Admin
Cloud Build Editor
Cloud Scheduler Admin
Environment and Storage Object Administrator
Cloud Datastore Owner
Firebase Admin
Logging Admin
Google Cloud Managed Identities Admin
Admin of Tenancy Units
Storage Admin
Storage Object Admin
Storage Transfer Admin
Some people also suggest to open the page in incognito mode, but unfortunately it, not my case.
I also have noticed that "Tenants" currently in the BETA stage.
But I'm not sure if it's related somehow.
Thanks.
UPDATE:
Does it make sense to use Tenants in Google Identity Platform?

I'm owner of my project and the tenant work well. You should lack of some permissions (and it's very hard to find information. I'm in contact with the PM, I will try to know more)
About the relevance of tenant, all depends of your use cases. If you have user from different context/customer and you want to manage authentication in different manner according to this context.
If a customer don't pay, you can also deactivate a tenant, and you can disrupt the authentication (and thus the service) until the payment.
Your use case has to make sense, not the technical capabilities.
UPDATE
About permission, there is not yet predefined roles and you have to build a custom role for this. The list of permission are the same as for firebase

Related

Add cloud identity to existing Google Cloud Projects

I have 2 Google Cloud projects with GKE and various other services enabled and running.
None of those projects has an organization resource assigned. There are also many Users and serviceaccounts inside the projects that are used in production.
We use (example) adminaccount#example.com for those projects.
I would like to add Google Identity Free, so that I will be able to use Azure AD Users with SSO
So I created a new Google Identity Account with the username identityadmin#example.com which is not member of my existing Gcloud projects.
The domain (example.com) has not been verified so far.
What will I have to do to get this running with my existing projects?
I read that first I would need an organization resource, which would be created after I verify the domain.
Is it safe to do that? Will I afterwards be able to link my existing projects to this new organization without downtime and loss of existing permissions?
I don't understand how a new organization could be recognized by my existing projects, because there is no link between them.
The goal of course is not to have any downtime.
Sure, I would purchase Google support, but that's only possible If you have an organization, what I don't have.
I'm really confused and troubled.
Looking forward to any suggestions.
Many thanks in advance!
Roland
Firstly, you need to create your new organization. Start by creating a Google Workspace environment (go to https://admin.google.com and create it). You can create the org with a Google Workspace free trial and then cancel your subscription, no worry, I'm paying nothing!
Secondly, with your new Google Workspace account, and your new user, go to https://console.cloud.google.com. Here, select your organization, and go to IAM. Here add as member the user account where your project are created in the "No Organization" organisation, and grant it the role Organization Administrator
Perfect. Now, go back to your user account (freshly granted) and go to ressource manager. I use the project picker window to go there
And eventually, migrate your project. Select one project from "No Organization", click on migrate, select the Organization, and validate. That's all. No downtime
Your Cloud Identity organization is created when you finish your signup and setup steps for your Cloud Identity service
To answer your questions:
What will I have to do to get this running with my existing projects?
The simple answer is Migrate projects and billing accounts and set permissions
This documentation explains how Grant access to billing accounts and Grant access to projects
Will I afterwards be able to link my existing projects to this new organization without downtime and loss of existing permissions?
Once a Google Cloud Organization resource has been created for your domain, you can move your existing projects into the organization.
There should be NO server downtime or impact as a result of migration.
Take into consideration that the link between projects and billing accounts is preserved, irrespective of the hierarchy.
To migrate a project using you will need the following permissions: resourcemanager.projects.create on the destination organization, typically granted by the Project Creator role.
resourcemanager.projects.update and resourcemanager.projects.setIAMPolicy on the project you are migrating, typically granted by the Owner role.
You can get further information in the following link: Migrating projects with no organization
Additionally to contact support you could create a case using this link and it doesn’t matter if you don’t have an organization.

Grant users from CloudSQL instance IAM permissions to Cloud Storage objects

I have a question about GCP and this Django app I am making. I am using Google cloud storage to hold documents that I need to provide access permissions for to my users, but I can't think of how to link users from my app (being saved to CloudSQL-PostgresSQL) to my Google Cloud project.
This feels like it should be an easy case to handle, but i'm used to services like Cognito handling this for me.
Should I make a service account for every user?

Google Project with consent set to internal / Who is a "member of my organization" and how do I manage members?

Disclaimer: https://console.cloud.google.com/support/community leads here. Google's documentation is horrific so giving this a whirl on the off chance that I don't get downvoted to the depths of dev/null
Out of impending necessity I am migrating a private application that monitors our Gmail accts to OAuth 2, and as part of this process it was necessary to create an OAuth consent screen. Since this application will only be used internally it makes the most sense to choose "Internal" for Application Type - which is described as follows:
Only users with a Google Account in your organization can grant access to the scopes requested by this app.
The users on this Project consist of two "owners" — myself using my personal Gmail acct, and
another employee who is part of the company G Suite account.
My question is who qualifies as a "user in my organization"? Is this based on the project owners? Does my non-G-Suite account (which is an owner of the project) qualify? Does the inclusion of one member in a G Suite account automatically associated the other employee accounts? Is the anywhere to actually see these users or manage them directly?
I'd actually like to add another couple accounts to the mix but still keep the application private, but I'm confused about how Google determines which gmail accounts will be able to authorize the app.
UPDATE: To clarify, when I visit the consent page while logged in as a member of our G Suite on the same domain as the project owner, everything is fine. However, we have other members managed in the same G Suite account who are under a different domain and for these I get the message:
Error 403: org_internal
This client is restricted to users within its organization.
Furthermore, I am not even able to grant access using my own email which is the creator and owner of the application. I'd like to know how I can add myself and the other G Suite members to be able to grant access to the application without making it public. It was suggested below that I add them (or their domain) to Google Cloud IAM but I'm unclear about how to get this working. My own email does already exist in IAM with role of "owner" and apparently that doesn't satisfy the requirement.
In order for internal apps to be used for OAuth, the project must belong to the organization associated with the same GSuite customer as all the users.
non-GSuite accounts cannot be used by internal apps. There's more information about this here: https://support.google.com/cloud/answer/6158849#public-and-internal.
Who is a member of my organization?
Anyone that you have added to Google Cloud IAM for a project, folder or at the organization level. This can include Google Accounts (Gmail email addresses), G Suite and Google Identity. The last two use a domain name (example.com) and anyone with an identity in that domain (someone#example.com).
Google's goal is to tighten up security for Google Cloud Platform. In the past anyone with a Google Accounts email address could use your projects OAuth to request access. The level of access is controlled by OAuth Scopes. Today, granting that access results in a Consent Screen with an unverified application warning. To get beyond (remove) that warning often requires a security audit of your application with a cost estimated at $75,000 USD.
How do I manage members?
Through Google Cloud IAM. You can add and remove members; assign and remove IAM roles attached to member IDs. Through G Suite or Google Identity by adding or removing member accounts. Don't forget that members can be part of a Google Group and part of a Domain each of which are also an identity in Google Cloud Platform.
For GSuite Users:
Cloud IAM only deals with authorisation you would need to handle authentication elsewhere. By default GSuite integrates with CloudIAM as a default authentication provider.
For Non-GSuite Users:
You can use cloud identity free edition but users will have to manage separate set of credentials.
Single Sign On without GSuite
If you want Single Sign On Option you can also use Google Cloud Directory Sync to sync with your on-premise Active Directory or LDAP server for authentication. So users can keep their login details.
That's how authentication works on GCP. As for authorisation you have CloudIAM where you can manage access through Predefined Roles, Primitive Roles and Custom Roles.
Cloud IAM and Authorisation
Typically you assign access using google groups and resource hierarchy to make it easier for you to manage user access. But bear in mind that if you grant an access to something through a ascenstor folder in resource hierarchy then you can't deny access downstream. So you need to plan access hierarchy accordingly.
To answer your question who qualifies as a "user in my organization"?, everyone can login but by default they cannot access any projects, it's resources or apis unless they are given access to either individually or through a group.
Hope this clarifies things for you a little.

GSuite/Cloud Platform - Fixing or Resetting Permissions

I had created a Google Cloud Platform project and an associated service account for accessing the Directory API in the Admin SDK. After some experimentation I decided to remove that project and the service account and start from scratch. Around that same time I also changed the primary domain on our GSuite account.
I believe this combination has screwed up my permissions in the Google Cloud Platform. I'm the only SuperAdmin on our GSuite account, and yet it seems I'm unable to do many things (examples below). Any way to completely reset permissions or the Cloud Platform account entirely? There are no projects to lose at this point.
Examples:
When I try to create a new project, when choosing "location", the only option (the name of the organization, still using the old primary domain) tells me "You do not have permission to create projects in this location"
If I go to IAM & Admin > Settings and try to rename the organization, it says "You do not have the permission to rename this resource.
Required permission(s): All of resourcemanager.organizations.get and resourcemanager.organizations.update"
If I go to IAM & Admin > Roles a banner at the top says "You do not have sufficient permissions to view this page"
I contacted GSuite support, but since the problem itself was on the Cloud Platform side they couldn't really do much for me.
I'm still not sure what caused the permissions to get mangled, but creating another GSuite admin and using that one to repair permissions took care of it.

Creating a new project in Google Cloud using python without service account credentials

I am aiming to do a pythonic automated Google Cloud project manager. Just testing a bunch of models of Tensorflow and stuff. Even when I can fully access training, deploying and testing models inside a project, I can't mke any new projects since I am authenticated with a service account through:
google.oauth2.service_account.Credentials.from_service_account_file("thisisakey.json")
But as far as I understand, services account are project-binded so it's perfectly correct that creating a new project with it raises an error. In fact it does:
googleapiclient.discovery.build("cloudresourcemanager", "v1", cache_discovery=False)
Falis with:
Service accounts cannot create project without a parent.
So either creating/finding a "parent" for this project or log in a more "powerful" account could solve this. But I can't figure them out. Are there any other credential types to download and embed into python? Can I create a project from python? Everything I've checked about this is at least 2 years old and seems to be very outdated (back then projects were just not possible to create via APIs)
Update:
I've tried creating a project using the "parent" flag on the project's body, on the Organization made from the corp I work on. and even when this service account has "Owner" and "Organization Administrator" roles the create requests fails with:
Encountered 403 Forbidden with reason "forbidden"
User is not authorized.
So the problem persists.
You can assign privileges to Service Accounts to do just about anything in Google Cloud. You have hit one of just a few that you cannot.
The problem is that your project is not part of an Organization (you have no parent). Your solution is to either setup Organizations or create your projects via the Google Cloud Console. Note: I do not recommend creating projects via software. You also need to setup billing in order to do anything useful.
There are two types of credentials with Google Cloud: User Credentials and Service Account Credentials. You cannot embed User Account Credentials into an application. User Account Credentials are created interactively as part of a login / authentication process using OAuth 2.0.
There are other types of access to cloud services such as API Keys, but these do not apply to your issue.
Quickstart Using Organizations