How to grant access to user from other Domain - google-cloud-platform

We are doing some development that involves BigQuery. One of our consultants does not have an account and does not have an email in our domain. Is there a way of granting him access?
Cheers,
Cris

Google cloud only accept a google account as a valid account, be it a google group, a gsuite account or a service account.
The best use case would be to generate a service account, and let him use this account with the gcloud sdk using the GOOGLE_APPLICATION_CREDENTIALS env variable.
In the case he would not be able to use the service account or if the product is not really friendly in the gcloud cli (I don't know much about bigquery), you could create a personnal account in your organization for him to used, or you could authorized his personal gmail account (check if 2fa is activated... We never know)...

Related

How do I give a Gsuite group or user access to impersonate all Google service accounts

This is frustrating because impersonation of a service account is much less flexible than AWS.
I want users of a Gsuite group to be able to impersonate ALL service accounts in a specific google project or project folder
But I'm only seeing example where you assign the serviceAccountTokenCreator role directly to the specific service account.
This is a pain to manage. If I have X number of service accounts in my dev gcp project I want to be able to just say "users in group X can impersonate all service accounts in project Y". Is this at all possible? Or do I need to create a binding for EVERY service account with a list of groups/users that can impersonate it.
To allow a member to impersonate all service accounts created in a project, folder, or organization, grant the necessary role on the project, folder, or organization.
Reference: https://cloud.google.com/iam/docs/impersonating-service-accounts#impersonate-parent-level

Is service account impersonation in GCP the best way to handle developer credentials and permissions?

In GCP, service account impersonation is a way to create temporary IAM credentials to perform an action as developer (see here). This has been described as equivalent to assuming a role in AWS - see this other question.
My question is:
is this the recommended/canonical way of doing this in google cloud, namely grouping permissions around service accounts & allowing developers to inpersonate that service account ?
Or alternatively is it better to create custom roles and assign them directly to developers identities (and not indirectly via a service account)? But then of course you lose the advantage of short living credentials.
If the first option is valid, it would also mean that you would end up having as many service accounts as roles in AWS.
In general, you should grant IAM roles to groups, and then add developers to the appropriate groups.
For example, you may want to grant all developers "Editor" access to a project. To do this, grant group:ll-developers#yourcompany.com the Editor role to the project. Then, use LDAP or G Suite to ensure that all developers are a member of that group.
You can give developers the ability to actAs a service account, but then the audit logs and principal would be the service account, not the developer.

AWS assume-role equivalent in Google cloud (GCP)?

How to setup multi-account(project) in GCP, it is possible in AWS by using assume-role, anyone knows how to do it in Google Cloud (GCP)?
I tried to explore AWS equivalent in GCP, but not able to find any document.
As documented, AssumeRole in AWS returns a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to.
In AWS you can create one set of long-term credentials in one account. Then you can use temporary security credentials to access all the other accounts by assuming roles in those accounts.
The equivalent of the above in GCP would be creating short-lived credentials for service accounts to impersonate their identities (Documentation link).
Accordingly, in GCP you have the “caller” and the “limited-privilege service account” for whom the credential is created.
To implement this scenario, first, use handy documentation on Service Accounts and Cloud IAM Permission Roles in GCP, as each account is a Service Account with specific role permissions, in order to understand how accounts work in GCP.
The link I posted above, provides detailed information on the flows that allow a caller to create short-lived credentials for a service account and the supported credential types.
Additionally, this link can assist you in visualizing and understanding the resource hierarchy architecture in GCP and give you examples on how to structure your project according to your organization’s structure.
The basic answer is "Service Roles". Limited-time service roles are available.
For assigning permissions across projects (but still in the same organization), you can create a custom role.
For letting any user assume the role of a service account, use the Service Account user role.
For limited-time authorization tokens, you have OAuth 2.0 for server-to-server calls, particularly with JWT where available.

is there a way to use your current credentials to assume a service account instead of having to use the json key?

My personal account is an admin in my gcp project.
If I want to use one of the service accounts I have created (from my local laptop) I do this:
gcloud auth activate-service-account --key-file=some-service-account.json
But I wonder, if I already have my own admin account active, is there a way to just assume a service account without the key? Can GCP use my current creds to give me access to assume that service account?
If so this also makes me wonder if I can use service accounts applied to GCE instances the same way. So I can attach a service account to a GCE instance that gives it access to assume other service accounts.
I think what you're looking for is "impersonation". You need roles like iam.serviceAccountUser to do this. Refer to these docs and articles:
https://cloud.google.com/iam/docs/service-accounts#the_service_account_user_role
https://medium.com/google-cloud/using-serviceaccountactor-iam-role-for-account-impersonation-on-google-cloud-platform-a9e7118480ed
https://medium.com/google-cloud/impersonating-users-with-google-cloud-platform-service-accounts-ba762db09092

How do you signup for Cloud Identity for Google Cloud Platform when you already signed up for Google Cloud Platform?

At my company we want to start hosting our applications on Google Cloud Platform, so, I signed up, which asked me to create a Google Account, so, I used my business email address pablo.fernandez#example.com to do so. But now it looks like this is an organization-less account. When I try to sign up for Cloud Identity, so that we can have an organization and other users in the GCP account I get this error:
Does GCP require me to sign up with a temporary throway email so I can set it up correctly? At any point, how do I move forward from here?
Although Cloud identity is a separate service from G Suite, most probably the same rules apply when managing users: https://support.google.com/a/answer/7044710?hl=en
Before you add users to your organization's Google domain, you should check if they have a personal Google Account with the same email address that you plan to use for their managed Google Account. Two accounts can’t share the same email address. If they do, you have 2 options:
Option 1: Invite your users to transfer or rename their existing account (using a tool in the Google Admin console).
Option 2: Require users to rename their existing account.
Learn more about conflicting accounts.
I believe it is because ultimately they are all "google accounts" just that, G Suite and Cloud Identity accounts belong to an Organization.