Google Admin, can't enable Gsuite applications for certain users - google-admin-sdk

I'd like to know if anyone else has experienced this issue before (and if so, how you solved it):
We've added 28 users to our Google admin panel, then we've enabled Gsuite applications for all of the users, and every one of those 28 accounts works fine. However, we've then added 2 more accounts (we've re-enabled Gsuite for everyone), but neither of those 2 users has access to Gsuite, even after 24 hours (as the admin panel advises to wait 24 hours after re-enabling Gsuite).

You may follow this documentation. Make sure that you have Enabled API access in the Admin console. You must be signed in as a super administrator for this task.
Also, another reason why some of your users don't have access to Gsuite is they are tagged as Suspended Users.
What happens to a suspended user’s account and data?
G Suite access—G Suite services, such as Google Drive files, Gmail, and so on are unavailable to the user.
Here are possible reasons:
Automatically suspended by the system for being at risk.
Temporarily restricted from some or all actions in their Gmail account for exceeding some account limits.
Automatically suspended from Gmail for potential spam abuse.
If this is the issue, you may check the documentation on how to fix it. However, you can’t restore an account that was suspended for abuse or for breaching the Google Terms of Service. See the page for your corresponding recovery options.
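One way to check the suspension angle from the Admin SDK side, as an added example that is not part of the original answer and not Google's own code: it takes the JSON pages that the Directory API `users.list` call returns (fields `primaryEmail`, `suspended`, `suspensionReason`, `archived`, `orgUnitPath`, `nextPageToken`) and lists every account that is suspended or archived, with the organizational unit it sits in. The two pages below are constructed samples with made-up users and reason strings; a real run would fetch them with an authorized Directory API client while signed in as a super administrator with API access enabled.

```python
"""Report accounts in a G Suite domain whose state blocks access.

Added example, not from the original thread. Input is the JSON of one or
more Admin SDK Directory API users.list pages; all names, OUs and
suspension reasons below are constructed.
"""
import json

# Constructed sample pages: the second page is what a client fetches after
# passing back the first page's nextPageToken.
SAMPLE_PAGES = [
    json.dumps({
        "kind": "admin#directory#users",
        "users": [
            {"primaryEmail": "alice@example.com", "suspended": False,
             "orgUnitPath": "/"},
            {"primaryEmail": "bob@example.com", "suspended": True,
             "suspensionReason": "ADMIN", "orgUnitPath": "/"},
        ],
        "nextPageToken": "page-2",
    }),
    json.dumps({
        "kind": "admin#directory#users",
        "users": [
            {"primaryEmail": "carol@example.com", "suspended": True,
             "suspensionReason": "ABUSE", "orgUnitPath": "/Contractors"},
            {"primaryEmail": "dave@example.com", "suspended": False,
             "archived": True, "orgUnitPath": "/"},
            {"primaryEmail": "erin@example.com", "suspended": False,
             "orgUnitPath": "/Contractors"},
        ],
    }),
]


def collect_users(pages):
    """Merge the `users` arrays of consecutive users.list pages."""
    users = []
    for page in pages:
        users.extend(json.loads(page).get("users", []))
    return users


def blocked_users(users):
    """Return (email, state, reason, orgUnitPath) for each user who cannot
    use G Suite services because the account is suspended or archived."""
    blocked = []
    for user in users:
        email = user.get("primaryEmail", "?")
        ou = user.get("orgUnitPath", "/")
        if user.get("suspended"):
            blocked.append((email, "suspended",
                            user.get("suspensionReason", "unspecified"), ou))
        elif user.get("archived"):
            blocked.append((email, "archived", "archived", ou))
    return blocked


def report(pages):
    """One human-readable line per blocked user."""
    return [f"{email}: {state} ({reason}) in OU {ou}"
            for email, state, reason, ou in blocked_users(collect_users(pages))]


if __name__ == "__main__":
    for line in report(SAMPLE_PAGES):
        print(line)
```

With a live client the same list can be narrowed server-side by passing `query="isSuspended=true"` to `users.list`. Printing the OU alongside the state is deliberate: services are switched on per organizational unit, so two new users placed in an OU where the service is off look, from their side, exactly like suspended ones.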

Related

Cloud Scheduler Page Access Issue - Shared project

The manager holds the account that provides billing to the said project; now I cannot go to the Cloud Scheduler page because my account does not have a billing setup, so my workaround is to manually input the link directly to the page like this
https://console.cloud.google.com/cloudscheduler?project={PROJECT_ID}
but now it no longer works and throws an error page. Supposedly I am able to access the "Cloud Scheduler" page regardless of whether the account I use has a billing setup, since the billing was already set up by another account on this shared project, right? Is anyone having the same issue as of this date? Any solution?
It seems the billing card that is being used is no longer valid or is having some issue.

Limiting the access to Google Cloud Platform Service Account to specific Gmail Accounts

I have recently made a program that listens to a PUB/SUB topic that is connected to a Gmail account. I have it all working fine. When a push notification arrives it will do different tasks based on the message content.
The problem is that I use a Service Account to connect to all the APIs on Google Cloud Platform that I need. The Service Account allows access to ALL of our Gmail accounts in our organization. I need to somehow limit the access to a specific Gmail account.
The closest I could find to this issue was this question Impersonating list of users with Google Service Account. However, the only solution presented there was to turn my project into a marketplace app which I do not want to do.
I have tried setting up an Organizational Unit and trying to limit the scope to that somehow, but there seems to be no way (that I can find) to do it. I did try speaking with Google Cloud Platform help but they didn't know the answer as it didn't quite fall under their area of expertise and referred me on to another help group, but I'm not eligible for them because I don't pay for support.
Edit: It doesn't actually appear that what I want to do is possible. I'll be going back to an OAuth2 method of authentication.
Understanding service accounts explains the possibilities:
Service accounts can be thought of as both a resource and as an identity.
When thinking of the service account as an identity, you can grant a role to a service account, allowing it to access a resource (such as a project).
When thinking of a service account as a resource, you can grant roles to other users to access or manage that service account.
Now try to fit that impracticable intent into there ...
If you need to limit the access of the service account to user-specific resources, this can only be done on the application level, not the system level, since a service account can impersonate just any user identity; e.g. in order not to mess up the ownership when uploading files on behalf of a user. If you want 1 user identity to access 1 user-specific resource, why even use a service account? And when using a service account, why not just impersonate the correct identity? This could even be hard-coded, if it's only 1 user identity. But nevertheless, it can only be done on the application level; it cannot be configured for the service account itself.
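What "application level" looks like for the Gmail Pub/Sub listener in the question, as an added example that is neither the questioner's program nor a Google library: it decodes a Gmail push notification delivered through a Pub/Sub push subscription (the message `data` is base64 JSON carrying `emailAddress` and `historyId`, per Google's Gmail push documentation), checks the mailbox against an allow-list, and only then builds the claim set that domain-wide delegation places in the signed JWT (`iss`, `sub`, `scope`, `aud`, `iat`, `exp`, where `sub` is the user being impersonated). Signing the JWT with the service account's RSA key and exchanging it for an access token are left to google-auth and are not shown. The service account address, mailbox names, project and subscription names are all constructed.

```python
"""Limit which mailbox a service account may impersonate, at the app level.

Added example, not from the original question. Nothing in IAM stops the
service account's key from asserting any `sub` in the domain, so the
allow-list below is the actual control. All identifiers are constructed.
"""
import base64
import json
import time

SERVICE_ACCOUNT = "gmail-listener@my-project.iam.gserviceaccount.com"
SCOPES = ("https://www.googleapis.com/auth/gmail.readonly",)
TOKEN_AUD = "https://oauth2.googleapis.com/token"

# The only mailbox this app is ever allowed to act on (constructed).
ALLOWED_MAILBOXES = frozenset({"notifications@example.com"})


class ImpersonationRefused(Exception):
    """Raised when a notification names a mailbox outside the allow-list."""


def parse_push(body_json):
    """Extract (emailAddress, historyId) from a Pub/Sub push request body."""
    body = json.loads(body_json)
    payload = json.loads(base64.b64decode(body["message"]["data"]))
    return payload["emailAddress"], str(payload["historyId"])


def is_allowed(mailbox):
    return mailbox in ALLOWED_MAILBOXES


def delegation_claims(subject, now=None):
    """JWT claim set for domain-wide delegation; refuses unlisted subjects."""
    if not is_allowed(subject):
        raise ImpersonationRefused(f"refusing to impersonate {subject}")
    iat = int(time.time() if now is None else now)
    return {
        "iss": SERVICE_ACCOUNT,
        "sub": subject,            # the user being impersonated
        "scope": " ".join(SCOPES),
        "aud": TOKEN_AUD,
        "iat": iat,
        "exp": iat + 3600,         # Google caps the assertion lifetime at 1 hour
    }


def handle_push(body_json, now=None):
    """Return what the app would act on, or None if the mailbox is refused."""
    mailbox, history_id = parse_push(body_json)
    try:
        claims = delegation_claims(mailbox, now)
    except ImpersonationRefused:
        return None
    return {"mailbox": mailbox, "historyId": history_id, "claims": claims}


def make_push(mailbox, history_id):
    """Build a constructed Pub/Sub push body shaped like a Gmail notification."""
    data = json.dumps({"emailAddress": mailbox, "historyId": history_id})
    return json.dumps({
        "message": {
            "data": base64.b64encode(data.encode()).decode(),
            "messageId": "1234567890",
        },
        "subscription": "projects/my-project/subscriptions/gmail-push",
    })


if __name__ == "__main__":
    print(handle_push(make_push("notifications@example.com", 9876), now=1000))
    print(handle_push(make_push("ceo@example.com", 9877), now=1000))
```

The important line is the `sub` claim: whatever address goes there is the user whose mailbox the access token will open, and the notification's `emailAddress` is attacker-influenced input only if someone can publish to your topic, so the check belongs before the credential is ever built, not after the first API call fails.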

Trying to sign up for cloud identity free is forcing to sign up for 14-day free trial of G-Suite premium

I have a domain registered with Google Domains. I was trying to sign up for the Cloud Identity free version but somehow I ended up in a 14-day free trial of G-Suite premium. Even if I abandon that flow and restart with a different session, I end up in the G-Suite registration process. Is there a way to not sign up for G-Suite and only use the rest of GCP?
I also wanted to sign up for Free version.
When I tried to do it via G Suite console (Billing-> New services) it only allowed me to sign up for the Premium.
When I tried using a link from GCP, it said that my domain is already in use by another Google service.
So, here is how I made it work:
I went back to G Suite -> Billing -> New service
Sign up for Cloud Identity Premium
Came back to the Billing page scroll down and clicked on "Cloud Identity Free"
Signed up for it
On the Billing page cancelled the subscription to the Premium
I followed this guide to sign up for Cloud Identity free (today) and was not prompted for a GSuite free trial, and when I went to the billing section, under my active subscriptions, I did not see a GSuite free trial subscription.
Since you already verified your domain and did the sign up, you can go to the admin console, then go to the billing section and look for the subscriptions that you're currently using, which should be GSuite premium (trial) and Cloud Identity free. Remove the GSuite subscription and just stick with Cloud Identity. If you're not able to view this Cloud Identity free subscription, then take a look at the following doc to understand how to "Upgrade or downgrade Cloud Identity".
Even though you sign up for Cloud Identity, it still uses the admin console, which is considered the "GSuite console"; here you can create/manage your users, groups etc. for your domain/organization (GCP).
It seems like I resolved my issue. As it's all trial-and-error I am not sure what worked and why. Just some observations if someone else runs into this situation.
I waited for more than 14 days, the trial period for G-Suite premium, which the system somehow thought I needed to complete.
As part of signing up for Cloud Identity, it no longer redirected me. However, it didn't accept the email I wanted to use (which I had already used for the GCP account), saying that it's a personal account.
So I ended up using another email with my domain and that allowed me to complete the Cloud Identity registration. As part of this I completed domain verification.
After this, there is an option to "Rename User" which includes changing the email. I used this to change the email back to the one I wanted and it got accepted without any issues!
After this I tried to log in and the system recognized that there is a personal and a business account and asked which one I wanted to sign in to. I used the business account and made sure everything was working.
I also noticed that the GCP account I originally had got placed under the organization (can be verified by looking for "this account is managed by ..." when you click on the profile).
At this point I went ahead and deleted the unnecessary personal account associated with my business email.
Everything seems to be working and as expected (except why a youtube redirect is needed when doing a sign-in for enterprise services?)

Google cloud platform authentication for users who do not have a google account?

I have a SaaS application with a bunch of users, and I want to provide the ability for my users to work with their data in google bigquery. The thing is, I want my users to be able to use any random application out there (like say, tableau or powerbi) using their standard built-in bigquery connectors. BigQuery connectors generally show the google login page to retrieve google credentials to call bigquery with...but my users are not google users, they don't have google credentials. So my question is: how can I sign my users into google using my application's sign-in credentials, from the google login page?
The options I know about are:
G-Suite - I provision a new google user account for each of my users on a custom domain, and setup my application as their identity provider (SAML or whatever). This is a good option, but at $6 per user per month it's extremely steep.
Gmail - I could provision each user their own gmail account, which would be free...but afaik I could not set my application to be their identity provider, so I'd have to provide them another password and manage rotating it etc...it would be hacky/fragile and sounds like a support nightmare.
BYO google account - Require the user to provide their own google account...they configure it in my app and I grant that account access to their data in bigquery. I personally like this option, but I'm told it is not acceptable from a business/product design/user experience POV (we can not require the user to manually go create an account in a different system to use a feature of our application)
Google identity platform - This almost seems like exactly what I want, except from what I can tell there's no way to actually create a real google identity that you can use to login on the real google login page - you can only create identities that can authenticate on your own custom login page...which won't work (cuz 3rd party app bigquery connectors will always display the real google login page)
GCP service accounts - Included for the sake of completeness, but these accounts also can not login via the standard google login page, so they also will not work.
From what I can tell G-suite is my only real option....but it's disproportionately pricey - I will be paying more for my users simply to be able to authenticate than I will be for all the GBs of bigquery data transfer/querying...which seems odd.
I'm hoping I'm missing an option, or misunderstanding something. Can someone shed some additional light on this for me?...or confirm that these are, indeed, the only google user account options available?
how can I sign my users into google using my application's sign-in credentials, from the google login page?
You cannot. Your users will need a Google Account or supported account such as G Suite or Identity Platform.
From what I can tell G-suite is my only real option....but it's disproportionately pricey - I will be paying more for my users simply to be able to authenticate than I will be for all the GBs of bigquery data transfer/querying...which seems odd.
Your assumption is incorrect. You can have G Suite + Identity Platform together. This means you only need to license users that need to receive email or Google apps, other users are free. This does mean that you need to create users in G Suite / Identity Platform.
BYO google account
I strongly recommend not using BYO Google accounts. You have no control over these accounts.
Gmail
This is the same thing (usually) as a BYO Google Account. Again, I strongly recommend not using Gmail accounts either.
My recommendation is to create a G Suite Account, make yourself the Super Admin and license yourself. This does require a domain name*. Then add Identity Platform and create all the users you need.
*I have not personally verified this but I am confident that you can create a subdomain from your top level domain for G Suite. Example accounts.example.com.

Google Analytics Reporting API service account issues

I've been trying to get data from GA using a service account; however, my issue is that it keeps saying:
Error: User does not have sufficient permissions for this profile.
I have enabled GA reporting API and given access to GA account using the email of the service account. In addition, it was granted "read and analyze" permissions on the account.
Tried this method on a personal account, and everything worked fine, however, when working on a client project, the issue comes back.
What could I be missing?
This was interesting to figure out.
I've used Account ID against one Google Analytics Account and that worked.
For the one I have been having an issue with, I needed to use the View ID.