I cannot find out if recurring billing is enabled/disabled. I was told that this setting can be changed to disable authorize.net to accept recurring transactions.
Looking for the API to check this setting, or if it exists because I cannot find it.
I'm trying to pin pricing on a use case for Identity Platform and would appreciate if anyone can confirm how the pricing works.
The pricing documentation states:
Any account that has signed in within a given month is considered an active user. Inactive users are stored at no cost.
My reading of this is that I could create a user account programmatically (e.g. in a cloud function) and I would not be charged for that account, until and unless someone actually signs in to that account. (As opposed to the user being counted as active for the month in which the account is created, login or no.) Does anyone know if that reading is correct?
You should get verification from Google itself if your understanding of the charges is correct; open up a ticket with Google Cloud Billing here: https://cloud.google.com/support/billing
However, the documentation clearly describes how an active user is defined here.
Alternatively you can experiment yourself: create a test account, don't log in for over a month, and then check the billing.
According to this identity platform pricing model document:
Identity Platform charges per Monthly Active User (MAU) for most sign-in methods.
That is, any account that has signed in within a given month is considered an active user. Inactive users are stored at no cost.
Phone and multi-factor authentication users are charged per successful verification.
My company works with IoT devices, and we have a product where each device should have a service account.
This scenario is impossible for us right now because, following that doc (https://cloud.google.com/iam/docs/understanding-service-accounts) and studying more about it, we discovered GCP had a quota limit of 100 service accounts. This makes it impossible for us to work with 1 service account per device.
At this moment, is there another option in GCP besides service accounts?
Is there a way to increase the number of service accounts?
I would suggest to check this article that describes the authentication strategies you can use to work in GCP, in particular Google Cloud APIs.
If you have decided that you would rather have a service account for each of your IoT devices, instead of using another option such as the OAuth 2.0 client, then you can request a quota increase from the default limit of 100.
The quota increase request is subject to evaluation, so it's best to add a clear note on why you need more than 100 SAs.
Maybe authenticating as an end user could be a better option, as whenever you need to increase the number of devices you won't need to wait for any type of approval. However, it's not possible to know for sure if this option is best, as your application flow is not clear with the details you have added in the question so far. As mentioned before, you could take a look at the documentation and select the best option for your use case.
Say I have a business and multiple DBA (doing business as), on AWS I can create an org hierarchy of the business and DBAs. I can invite the DBA accounts into the business org and link them so the business org is the payer. This keeps the operations of DBA independent and isolated with the convenience of consolidated billing for the business. This can also make it easy to transfer ownership of the DBA if desired without affecting the operations.
I was looking to set up something similar on GCP but it seems like each org is tied to a domain and there is no way to invite one org into another to link and provide billing. Is this correct or are there ways to link and provide billing for one org on behalf of the other?
Say I have a business and multiple DBA (doing business as), on AWS I
can create an org hierarchy of the business and DBAs.
You can create a similar hierarchy on Google Cloud.
I can invite the DBA accounts into the business org and link them so
the business org is the payer.
You can accomplish this with Google Cloud but in a different way. You cannot make one organization a branch/child of another organization, but you can add its members (identities) to another organization. The key to this is the members are not actually part of the organization. Identities are independent and added and removed easily.
This keeps the operations of DBA independent and isolated with the
convenience of consolidated billing for the business.
Google Cloud supports one or more billing accounts. Billing accounts can be assigned to projects independently of organizations. I can make my billing account responsible for any Google project (oversimplification).
This can also make it easy to transfer ownership of the DBA if desired
without affecting the operations.
Google does not have this flexibility without effort. In Google Cloud, I would not merge projects into an organization unless this objective was permanent. Instead, I would add the members required to access that project to IAM.
Projects independent of an organization can still participate in another organization and vice versa. Google Cloud Identity and Access Management (IAM) is very flexible. If I want bob@example.com to have access to Project ABC, I can add his email address to IAM and grant roles. You can also add an entire domain of users *@example.com to Google IAM. There are many more options.
You can move projects around inside the organization, but you cannot move projects to a different organization yourself - this requires opening a support ticket with Google Cloud Support.
I was looking to set up something similar on GCP but it seems like each
org is tied to a domain
Google Cloud is not tied to a domain name, Google G Suite is. If you plan to also use G Suite for multiple DBA, I would have separate Google accounts and not combine G Suite with my resources in Google Cloud. Note: G Suite supports multiple domains; for a single organization linking G Suite and Google Cloud is fine.
I find Google Cloud's method of organizations, folders, projects and IAM more flexible than AWS.
AWS and Google have powerful IAM systems. I know both very well, each has its positives and drawbacks.
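The IAM grant described in the answer above, as an added example that is not part of the original answer: it adds a `user:` and a `domain:` member to a project policy document and then lists every member that sits outside a given domain. The policy, the etag, the `dba.example` domain and the two helper function names are constructed for illustration; the code works on the policy as plain data and calls no Google API.

```python
import copy

# Member-type prefixes used in Google Cloud IAM policy bindings.
MEMBER_PREFIXES = ("user:", "group:", "serviceAccount:", "domain:")


def grant(policy, role, member):
    """Return a copy of `policy` with `member` granted `role` (idempotent).

    Only unconditional bindings are reused, so an existing conditional
    grant is never widened by accident.
    """
    if not member.startswith(MEMBER_PREFIXES):
        raise ValueError(f"member needs a type prefix: {member!r}")
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        if binding.get("role") == role and "condition" not in binding:
            members = binding.setdefault("members", [])
            if member not in members:
                members.append(member)
            return updated
    bindings.append({"role": role, "members": [member]})
    return updated


def members_outside(policy, own_domain):
    """List (role, member) pairs whose identity is not in `own_domain`."""
    suffix = "@" + own_domain
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            kind, _, ident = member.partition(":")
            inside = ident == own_domain if kind == "domain" else ident.endswith(suffix)
            if not inside:
                found.append((binding["role"], member))
    return found


# Constructed sample policy for a hypothetical "Project ABC" (not real data).
SAMPLE_POLICY = {
    "version": 1,
    "etag": "CONSTRUCTED-ETAG",
    "bindings": [{"role": "roles/viewer", "members": ["user:alice@dba.example"]}],
}

if __name__ == "__main__":
    p = grant(SAMPLE_POLICY, "roles/viewer", "user:bob@example.com")
    p = grant(p, "roles/browser", "domain:example.com")
    print(members_outside(p, "dba.example"))
```

Running `members_outside` periodically against each project's policy gives a quick inventory of identities from other domains that hold roles, which matters when access is shared across organizations this way.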
While the answer from John tells what all might be possible, it didn't have details on how to do it. After a lot of searching online and experimenting I managed to do what I wanted. Below are the steps using the "business" and "dba" references in my question.
Create a payment profile with primary contact say billing@businessdomain
Make sure the account type is Business and not Individual. In my case, I somehow ended up with an Individual account. It is not allowed to change the account type once created. Don't know why, but this was my first hurdle.
With business account type, it is possible to invite other users.
I wasn't sure how to create a business account and if I could use the same email for the business account type. From within GCP, I went ahead and did the billing setup. Based on my login user which had the individual payment profile, it defaulted the payment profile but allowed me to create a new profile. I picked account type as Business but all other details were the same as what I had in the other personal account that got created. Luckily, it went ahead and created a business payment profile.
Once I had the business payment profile, I could go ahead and invite a user from my dba by specifying the email, say billing@dbadomain
That email got an invitation and upon accepting it, was linked to the same payment profile. This is the key! This essentially allows a payment profile associated with one domain (organization) to be used for the billing account of another domain (organization).
At this point, I went ahead and even closed the payment profile with Individual account type and it seemed to have worked. I didn't have any transactions so far and so it's like it never needed to exist. I wish it was possible to change the account type for such profiles.
With this setup, the dba organization and its operations are done isolated and if ever it needs to change ownership, it can add a different billing method and separate out from the business org completely.
I have a domain registered with Google Domains. I was trying to sign up for the Cloud Identity free version but somehow I ended up in a 14-day free trial of G-Suite premium. Even if I abandon that flow and restart with a different session, I end up in the G-Suite registration process. Is there a way to not sign up for G-Suite and only use the rest of the GCP?
I also wanted to sign up for Free version.
When I tried to do it via G Suite console (Billing-> New services) it only allowed me to sign up for the Premium.
When I tried using a link from GCP, it said that my domain is already in use by another Google service.
So, here is how I made it work:
I went back to G Suite -> Billing -> New service
Sign up for Cloud Identity Premium
Came back to the Billing page scroll down and clicked on "Cloud Identity Free"
Signed up for it
On the Billing page cancelled the subscription to the Premium
I followed this guide to sign-up for Cloud Identity free (today) and was not prompted for GSuite free trial nor when I went to the billing section, under my active subscriptions, I did not see a GSuite free trial sub.
Since you already verified your domain and did the sign up, you can go to admin console, then go to the billing section and look for the subscriptions that you're currently using which should be GSuite premium (trial) and Cloud Identity free. Remove GSuite subscription and just stick with Cloud Identity. If you're not able to view this Cloud Identity free subscription, then take a look at the following doc to understand how to "Upgrade or downgrade Cloud Identity".
Even though you sign up for Cloud Identity, it still uses the admin console which is considered "GSuite console"; here you can create/manage your users, groups etc. for your domain/organization (GCP).
It seems like I resolved my issue. As it's all trial-and-error I am not sure what worked and why. Just some observations if someone else runs into this situation.
I waited for more than 14 days, the trial period for G-Suite premium which the system somehow thought I needed to complete.
As part of signing up for Cloud Identity, it no longer redirected me. However, it didn't accept the email I wanted to use (which I already used for the GCP account) saying that it's a personal account.
So I ended up using another email with my domain and that allowed me to complete the Cloud Identity registration. As part of this I completed domain verification.
After this, there is an option to "Rename User" which includes changing the email. I used this to change the email back to the one I wanted and it got accepted without any issues!
After this I tried to log in and the system recognized that there is a personal and a business account and asked which one I wanted to sign in to. I used the business account and made sure everything was working.
I also noticed that the GCP account I originally had got under the organization (can be verified by looking for "this account is managed by ..." when you click on the profile).
At this point I went ahead and deleted the unnecessary personal account associated with my business email.
Everything seems to be working and as expected (except why a youtube redirect is needed when doing a sign-in for enterprise services?)
Looking at Cognito docs I can't seem to find any explanation of what the ARCHIVED status is for and whether it's something set by Cognito under certain circumstances, for example if user does not log into their account after a certain period of time or whether it's completely dependent on the developer to set! I need a better understanding of ARCHIVED so that I can leverage this status in my app.
The ARCHIVED state is currently not used by Amazon Cognito. It is just written as a placeholder in the documentation, and it may be used later in the future. For now, you can develop your Authentication Engine without worrying about the state.
AWS Premium Support would be able to confirm the same.