Google Cloud Identity free user limit exceed - google-cloud-platform

I have a Google Cloud Identity Free with one domain. As far as I know it's possible to create 50 users in it. I synced approx. 30 users but I cannot create more. I've deleted some users but I still cannot create new ones. I've tried the sync from LDAP through the GCDS application and it said I've reached the user limit. I tried to upload a CSV file, and in the end to create a user on the admin interface. All of them were unsuccessful.
When I tried to create a user on the admin interface I got an error message saying I reached the ONE user limit.
Currently I have 4 users. All of them can use the services only (GCP).
I really need more users. Has anybody experienced the same or similar? The support only shows the help, which does not contain any relevant information about this problem.

Are you also synching groups?
Please reach out to our billing team to increase the limit to 100 via:
https://support.google.com/cloudidentity/answer/7295541 (see link to form)
or use the general contact form:
https://support.google.com/cloud/contact/cloud_platform_billing
~ Luc

Related

How to send parameters to "Open in Cloud Shell" URL?

I want to create a button that will open GCP cloud shell and run code that create some resources in the account.
I am trying to use the "Open in Cloud Shell" (https://cloud.google.com/shell/docs/open-in-cloud-shell) URL and adding my Git repo to the URL, but the problem is that my code should get different arguments in every run. Is there a way to send arguments with this URL? Or maybe there is another solution for running code with arguments in GCP Cloud Shell via URL?
This is NOT a direct answer to your original question however it might be useful for an overall answer. If we don't like this answer, simply let me know and we'll delete it.
From your clarification in the comments, what I now sense is that you want to create GCP resources that the user can work with. For example, a PubSub topic. We'll use that as an illustration. The first thing I want to do is disavow us of the notion that there is anything "special" about a resource and the identity that is used to create that resource other than that the identity must have authority to create it. For example, if user "john" creates a topic, that doesn't mean that the topic is "owned" by john. A GCP resource "just exists" after it is created. In order for a user to "use" a resource, it (the resource) must authorize the sets of users to work with it. This is where GCP IAM comes into play. Separate your goal into two parts.
1. Upon request, a new GCP topic is created
2. Once the GCP topic is created, you grant permissions on the topic to be worked with by named identities (users/groups)
Don't think "The user who creates the topic is immediately the one who can work with it".
For example, you may wish to grant your users the ability to subscribe to a topic but may not want those users to be able to "manipulate" topics such as creation/update/delete.
I am assuming that the solution you are working against is for end users rather than internal developers?
Off the top of my head, I'm tempted to suggest that you review the following very short video:
How to authenticate calls to your Google Cloud Run service
This is just a teaser but it does give us a clue. It alludes to the notion that a request from an authenticated (to Google) user can be received by a Cloud Run instance and Cloud Run can then know who the user is. With that in mind, in the code of your Cloud Run, you can then make a "yes/no" decision as to whether to proceed. If yes to proceed, then Cloud Run (which is indeed running as a single user and we won't change that) creates the topic and then assigns subscription (or publication or other) permissions to the topic on behalf of the identity that came in with the request.
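The two-step split described in this answer, as an added example that is not part of the original post: the service decides yes/no on the authenticated caller, then grants that caller only a consumer role on the new topic. The allowlist, the identities and the sample policy are constructed assumptions; the policy dict has the shape returned by a resource's getIamPolicy call and accepted by setIamPolicy.

```python
import copy

# Predefined Pub/Sub role that lets a member consume a topic
# without being able to update or delete it.
CONSUMER_ROLE = "roles/pubsub.subscriber"

# Hypothetical allowlist of identities permitted to request a topic.
ALLOWED_REQUESTERS = {"user:alice@example.com", "group:analysts@example.com"}


def grant(policy, member, role=CONSUMER_ROLE):
    """Return a copy of `policy` with `member` bound to `role`.

    The etag is carried over unchanged so that setIamPolicy rejects the
    write if someone else modified the policy in the meantime.
    """
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    binding = next((b for b in bindings if b["role"] == role), None)
    if binding is None:
        binding = {"role": role, "members": []}
        bindings.append(binding)
    if member not in binding["members"]:  # idempotent when a request is retried
        binding["members"].append(member)
    return updated


def roles_of(policy, member):
    """Roles bound to `member` directly on this resource."""
    return {b["role"] for b in policy.get("bindings", []) if member in b["members"]}


def handle_request(caller, topic_policy):
    """Yes/no decision first, then a least-privilege grant for the caller."""
    if caller not in ALLOWED_REQUESTERS:
        raise PermissionError(f"{caller} may not request topics")
    return grant(topic_policy, caller)


# Constructed sample: the service account that creates the topic (assumed name)
# and the empty resource-level policy of a topic it has just created.
CREATOR = "serviceAccount:topic-broker@example-project.iam.gserviceaccount.com"
FRESH_TOPIC_POLICY = {"etag": "BwXconstructed=", "bindings": []}
```
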

G Suite Directory User creation is failing with the error - "Invalid Input: primary_user_email"

Issue:
Intermittently new user creation is not working. It is failing with the error - Invalid Input: primary_user_email
Account creation is stopping for both the Admin UI and API also
Is issue Reproducible?
We have automation in place which hits the G suite directory API for user/group/role - creation/modification/deletion. So when we have frequent and parallel executions of this automation we are seeing this issue.
Please note that when we don't encounter an issue at user creation, the automation runs smoothly and all the scenarios covered in it execute properly.
Observations
We are not seeing this issue consistently
Mostly after a window of 24 hours, we are able to create a new user once again with Admin UI and API also
We are not reaching the API quotas which are available from the Google's end for 100 seconds and for 24 hours
With the API connection, we are having 2 options - Client credentials(with offline refresh token) and service account approach - both of them have the same inconsistent issue
Our feeling is that there might be some policies or limits for these APIs which are blocking the user creation. We have checked the docs available but didn't find any related info.
So we would like to know what is actually triggering the user creation blockade so we can work accordingly.
References
Directory API used for user creation: https://www.googleapis.com/admin/directory/v1/users
Google DOC we are following: https://developers.google.com/admin-sdk/directory/v1/guides/manage-users?refresh=1
Thank you !!
Seems that the issue you are encountering might be related to your G Suite account.
Therefore, the best solution in this situation is to contact G Suite Support here and choose the most convenient option for you.
Reference
Contact G Suite Support.
The action of creating and deleting users constantly in a short period of time will trigger an internal system flag at Google and the account will be prevented from these actions for a short time frame (approximately 24 hrs).
Basically this flag detects improper use of the API and, to protect the infrastructure, user creation is blocked even for valid email addresses.

Deploy multiple agents with dialogflow

I'm developing a Dialogflow agent for bookings. My problem is that I need to deploy the agent for multiple clients with their own calendars. Unfortunately on the Google Cloud Platform it is possible to have just one agent per project, but at the same time the number of projects is limited. How can I solve this? I may have 3 solutions but I'm open to suggestions.
1. Ask Google for more projects and associate each project with each of my clients. I will be able to manage the projects with a service account. But how much will it cost? May I request more than 1000 projects?
2. Create a new Google Cloud Platform account for every client and create a project for each account (like the Qwiklabs account in the Google courses). The problem is that I don't know how to scale this solution since I'd need to automate this process and I don't want to create an account manually each time.
3. Use the same GCP account and the same agent for multiple clients. This may require inserting a unique code when starting the chat to identify which calendar we are referring to. In this way though I won't be able to integrate the chat on the client's website or Facebook page unless I don't give the same credentials to everyone.
What do you think could be the best solution? Do you have any other ideas to solve this problem?
Thank you guys
In terms of the best solution, it would be best to create a project for each client. As for using Dialogflow products, each project can have at most one agent, so you need multiple projects if you need multiple agents either way.
Additionally, when it comes to the amount of projects you can have in GCP, the limit for the average user is 30 projects. However, you can always increase the amount of projects by requesting a higher limit. You can do so by referencing this document here.

Is there a way to get GCP service cost by access email ID?

I'm looking to get help on GCP billing. I know we can get cost info based on the service and project; however, is it possible to get info based on the access email ID? I'm planning to give access to my colleagues and I want to know how much each one's access costs and against which service.
Something like: Date, Email ID, Service, Cost
With respect to another project, how should we know which access cost us so much?
We are running ~30 sandbox projects internally, each allocated to a specific person that can test and run his/her stuff on GCP.
I strongly suggest you create isolated workspaces (projects) for your colleagues so they don't accidentally delete/update services of other people. You will get a separate billing report for each project as well.
I am also setting up a billing alert for all my colleagues so they get an early notification if they left something running on their testbench.
There are three ways I think you could do that kind of cost segregation; I will number them in order of complexity.
1.- Cloud Export Billing. For this one the best practice is to segregate your resources and users by "Labels". As administrator, you may ask the users to use them and assign them to any resource they create, e.g. if they create a new VM instance; then you will be able to filter the exported table by field and create the reports as you want. (Also, your GCP billing dashboard will show these "labels" segregations.)
2.- Use the Billing API to curl directly the information you need from it; you can use in the request the information you need, like SKU, User, Date and description.
3.- Usage Reports. This solution is more in GSuite scope, and I can't vouch that it will work as the documentation says, but you can take a look at it. There is an option to get "Usage reports"; these usage reports can be made from GSuite to any resource below, GCP included, if you already have an organization.
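The label-based report from option 1, as an added example that is not part of the original answers: it rolls billing-export rows up into the "Date, Email ID, Service, Cost" shape the question asks for. The `owner` label key, the e-mail-to-label convention and the sample rows are constructed assumptions; label values accept only lowercase letters, digits, underscores and dashes, so an address cannot be stored verbatim.

```python
import re
from collections import defaultdict

LABEL_KEY = "owner"  # assumed label key agreed with the team


def email_to_label(email):
    """Map an e-mail address to a valid label value (lossy, max 63 chars)."""
    return re.sub(r"[^a-z0-9_-]", "_", email.lower())[:63]


def cost_by_owner(rows):
    """Sum cost per (date, owner label, service) over billing-export rows."""
    totals = defaultdict(float)
    for row in rows:
        labels = {l["key"]: l["value"] for l in row.get("labels", [])}
        # Spend on resources nobody labelled gets its own bucket, so it is
        # visible in the report instead of silently dropped.
        owner = labels.get(LABEL_KEY, "UNLABELED")
        day = row["usage_start_time"][:10]
        totals[(day, owner, row["service"]["description"])] += row["cost"]
    return {key: round(cost, 2) for key, cost in sorted(totals.items())}


# Constructed rows in the shape of the billing export
# (usage_start_time, service.description, cost, labels[] of key/value).
JANE = email_to_label("Jane.Doe@example.com")
SAMPLE_ROWS = [
    {"usage_start_time": "2024-05-01T00:00:00Z", "cost": 1.25,
     "service": {"description": "Compute Engine"},
     "labels": [{"key": "owner", "value": JANE}]},
    {"usage_start_time": "2024-05-01T06:00:00Z", "cost": 0.75,
     "service": {"description": "Compute Engine"},
     "labels": [{"key": "owner", "value": JANE}]},
    {"usage_start_time": "2024-05-01T00:00:00Z", "cost": 0.5,
     "service": {"description": "Cloud Storage"}, "labels": []},
]
```
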

Sitecore User Manager extremely slow when using Active Directory Module

Does anyone else have performance issues when using Sitecore Active Directory module?
I configured it; we are using 26 different domains, but that is not an issue, it just makes it even slower I guess. But when I open the User Manager, it takes about 25 seconds to go to the next page in the User Manager.
I have about 8000 users in total.
On the other hand, when I go to the roles, I have about 12,000 roles coming from AD, and there is no performance issue whatsoever.
I tried disabling the profiles from AD, but that didn't make a noticeable difference. When I comment out 25 of the 26 domains in the config (leaving me with about 1000 AD users), there is a noticeable improvement in performance.
If I browse through the set, I can see that the cache created for the domain gets populated, but I don't see any performance improvement from that cache being filled. What is the cache used for? Just for batch updates?
What is the difference between the members, memberOf and User caches created?
Thanks!
Erwin
It has been a while, but going from memory this is what I recall:
The issue is that User Manager has to query AD for each page as you request it, whereas Role Manager gets all Roles and then pages through that cache. This is a limitation of the underlying .NET provider. The best advice I can give is to try to limit your query if possible.
Consider using the "CustomFilter" capabilities of the AD module as described in the Chapter 4.1 "Custom Filter" of the Active Directory module Administrator's Guide document on SDN: http://sdn.sitecore.net/Products/AD/Documentation.aspx