
Google Cloud Account

gcloud SDK in the browser based shell

michael@cloudshell:~$ cd cloudshell_open/pbmm-on-gcp-onboarding/

gcloud SDK on a local OSX machine

michaelobrien@mbp7 opt % gcloud auth list
    Credentialed Accounts
michaelobrien@mbp7 opt % gcloud config set account ""
Updated property [core/account].
michaelobrien@mbp7 opt % gcloud auth login
Your browser has been opened to visit:
You are now logged in as [].
michaelobrien@mbp7 opt % gcloud projects list
PROJECT_ID          NAME                PROJECT_NUMBER
dope-dod-audit      DoPe-dod-audit      989029907531
dope-dod-dodev-dbx  DoPe-dod-dodev-dbx  902607893471
landingzone-stg     LandingZone-stg     403373923652
michaelobrien@mbp7 opt % gcloud config set project dope-dod-dodev-dbx

Google Cloud Onboarding

Onboarding Prerequisites

Google Cloud Onboarding Categories

There are two types of Google Cloud accounts (Workspace and Cloud Identity). Cloud Identity has 2 types of accounts (gmail and 3rd-party based, such as AWS Workmail). There are 3 types of DNS zone configurations (none, Google Domains, and 3rd party such as AWS Route53). Therefore there are 9 types of onboarding categories (3 x 3).

Onboarding Category 1: Workspace Email -  GCP Domain

This category is the common workspace and GCP organization domain hosted on Google Domains use case.

Onboarding Category 2: 3rd party Email -  GCP Domain

This category is where the client uses their own email system but has the organization domain with GCP

Onboarding Category 3: Gmail Email -  GCP Domain

This category is where the client uses a new gmail email with optional redirect records on a GCP hosted domain for their organization

Onboarding Category 5: 3rd party Email - 3rd party Domain

This category is common for organizations new to GCP or multicloud where both the email system and DNS hosting zone are 3rd party

Onboarding Category 6: Gmail Email - 3rd party Domain

This category is a variant of category 3 where there is a gmail account with optional redirect and the organization zone records are on a 3rd party DNS system

Onboarding Category 8: 3rd party Email - no Domain

This category is common for individual consumers where they do not have a gmail account or any domain.  This option will not have an organization top node in IAM

Onboarding Category 9: Gmail  Email - no Domain

This category is common for individual consumers who have a gmail account but no domain.  This option will not have an organization top node in IAM

Google Workspace Accounts

Google workspace accounts are ideal for organizations that exist inside the Google ecosystem and subscribe to the workspaces services list.

Open an incognito chrome window

Look for an open domain to match your business name

Navigate to creating a new workspace account

Google Cloud Identity

Google Cloud Identity accounts are ideal for cloud account organizations where the user identities are maintained outside of Google Cloud, for example in AWS Workmail or Azure Active Directory.


Create or gain access to the domain you wish to associate or federate users from.  For example

You will need access to the domain zone to add TXT records for domain validation under a subdomain like

Open Chrome Window with no Google Account

Google Cloud Identity account with 3rd party email and domain on the same organization

Google Cloud Identity Account with 3rd party email and domain registered on a different organization

For example is the domain but is the email


Google Cloud Identity Account with gmail and 3rd party Domain

Launch SignUpWithoutGmail - select gmail

Select gmail, register and launch a new browser - add new account - login

launch google cloud

do not select an org yet - as the domain under GCP registration does not have an email yet and is not registered with workspace.

You will not be able to run the organization checklist account as a gmail user -

Add Cloud Identity free in


add your gmail address and GCP domain

Add email capability

Select the email left tab on

Select email forwarding to your gmail account

Launch gmail to verify email - don't worry, it will launch domains in your current gmail account - verify that the verification worked in your other account that holds the domain registration

Check email forwarding on the DNS tab

wait about 30 sec for DNS record propagation and recheck the cloud identity wizard warning on missing email MX records

continue wizard regardless of warning - use your new email forward address

goto setup after creation

Launch admin

Since I have used this phone a couple of times - get past the unusual activity dialog

Identity account OK

select getting started

Verify domain - sign in option will not work on this browser - as I have it registered on another account - in this case select "Switch Verification Method" and select the 2nd TXT option.

add the TXT record

Click Verify back on the admin page

The org in this case will automatically create when you click the link below (no subdomain, as the TXT record is the first on the domain).  If there is already a root domain TXT record - you will need to use a subdomain like

org is setup as the TXT record is against the root domain on the separate GCP account

Launch SignUpWithoutGmail - select outside email

Fill in the form with an existing email address outside of Google

Launch from step 2 of the IAM | Cloud Identity & Organization | checklist


Finish and Login to new Google account

Navigate to GCP

If not on a federated account - activate the trial to setup billing or setup billing later

Navigate to IAM | Identity and Organization

select the checklist

If you see a warning - you do not have a cloud identity account yet

Your current account,, is not associated with an organization on Google Cloud. This checklist is designed for administrators who are trusted with complete control over a company’s Google Cloud resources. If you already have an administrator account for your organization, sign in with the account now. Or, ask your company administrator to start the checklist. In order to become a Google Cloud administrator, complete the initial task in the checklist, which will create a new administrator account.

Begin Setup button - I am a new customer

(you will end up with 2 users - one already hosted on your domain, the other on the google identity subdomain)

Phone numbers can be used a maximum of 3-5 times for verification.
The process is:

use an email that is on your target domain (the root domain not the subdomain) - use AWS Workmail for example

Use that user to create the google account above

Login to with this user and navigate to organization onboarding

hit the checklist - but goto create identity account

create a new user with the subdomain - this will be your super admin account

goto billing and activate your account - to keep credits

wait 24h for the additional 100 org credit

Domain Validation via Zone TXT record

Make sure to configure a subdomain - example

You have several options depending on whether the domain is on GCP, AWS or Azure for example.

Google Domains Zone TXT record

Select "manage" and DNS on your domain at
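The "add the TXT record, wait for propagation, click Verify" loop above (and the MX record recheck in the email forwarding section) is easier to get right with a small poll that checks the exact record name and value you configured before you go back to the admin console. The script below is an added example, not part of this page or of the pbmm-on-gcp-onboarding project. The lookup is passed in as a function so the sample runs offline against constructed dig-style output; for real use, supply a function that runs `dig +short TXT "$name"`. The `_gcp.example.com` name and the `EXAMPLE-TOKEN-placeholder` value are placeholders for your verification subdomain and the token the admin console gives you.

```shell
#!/bin/sh
# Added example (not from the page): poll a DNS TXT record until the expected
# value appears, so the console "Verify" click is only attempted once the
# record has actually propagated.

# Constructed sample of what `dig +short TXT <name>` prints after propagation
# (one quoted string per line). The token value is a placeholder.
SAMPLE_TXT_ANSWER='"v=spf1 include:amazonses.com ~all"
"google-site-verification=EXAMPLE-TOKEN-placeholder"'

# Lookup used by the offline sample; replace with a real resolver, e.g.
#   real_lookup() { dig +short TXT "$1"; }
sample_lookup() { printf '%s\n' "$SAMPLE_TXT_ANSWER"; }

# Lookup that models a record that has not propagated yet (answers nothing).
empty_lookup() { :; }

# txt_has_value NAME EXPECTED LOOKUP_FN
# Returns 0 when one of NAME's TXT records, quotes stripped, is exactly EXPECTED.
# Exact-line matching avoids accepting a record that merely contains the token.
txt_has_value() {
  name=$1; expected=$2; lookup=$3
  "$lookup" "$name" | tr -d '"' | grep -Fxq -- "$expected"
}

# wait_for_txt NAME EXPECTED LOOKUP_FN [ATTEMPTS] [SLEEP_SECS]
# Rechecks up to ATTEMPTS times, sleeping SLEEP_SECS between checks
# (defaults: 10 attempts, 30 s, matching the propagation wait used above).
# Returns 0 as soon as the record is seen, 1 if it never appears.
wait_for_txt() {
  name=$1; expected=$2; lookup=$3; attempts=${4:-10}; delay=${5:-30}
  i=0
  while [ "$i" -lt "$attempts" ]; do
    if txt_has_value "$name" "$expected" "$lookup"; then
      return 0
    fi
    i=$((i + 1))
    sleep "$delay"
  done
  return 1
}

# Offline usage with the constructed sample (placeholder subdomain and token):
# wait_for_txt _gcp.example.com "google-site-verification=EXAMPLE-TOKEN-placeholder" sample_lookup 3 0
```

The same poll serves the MX check from the email forwarding step by supplying a lookup that runs `dig +short MX` on the root domain and the expected mail host as the value.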

AWS Route53 Zone TXT record

Google Cloud Identity Federation with Azure Active Directory

Start with Google Cloud Directory Sync

IAM Additional Roles

action                      | role                        | pre state
change organization quotas  | serviceusage.quotas.update  | admin user is already in administrator group with roles

action: Quota Administrator to group
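The table's "pre state" column is the part worth automating: before granting the Quota Administrator role at the organization level, confirm whether the administrator group already carries it, so the binding is added once and not duplicated across runs. The script below is an added example, not from this page or the onboarding project. It checks a flattened IAM policy listing of the shape produced by `gcloud organizations get-iam-policy ORG_ID --flatten="bindings[].members" --format="value(bindings.role,bindings.members)"` (tab-separated role and member per line) and prints the `gcloud organizations add-iam-policy-binding` command only when the binding is missing. The policy lines, the `ORG_ID_PLACEHOLDER` organization id and the `@example.com` group names are constructed placeholders; `roles/servicemanagement.quotaAdmin` is the role id of the predefined "Quota Administrator" role, which carries `serviceusage.quotas.update`.

```shell
#!/bin/sh
# Added example (not from the page): idempotent pre-check before binding the
# Quota Administrator role to the admin group at the organization node.

tab=$(printf '\t')

# Constructed sample of a flattened org IAM policy (role<TAB>member per line),
# modelling the "admin group already has roles, but not quota admin" pre state.
SAMPLE_POLICY="$(printf 'roles/resourcemanager.organizationAdmin\tgroup:gcp-organization-admins@example.com\nroles/billing.admin\tgroup:gcp-billing-admins@example.com\n')"

# binding_present ROLE MEMBER POLICY_LINES
# Returns 0 when POLICY_LINES contains the exact ROLE/MEMBER pair.
binding_present() {
  role=$1; member=$2; policy=$3
  printf '%s\n' "$policy" | awk -F "$tab" -v r="$role" -v m="$member" \
    '$1 == r && $2 == m { found = 1 } END { exit found ? 0 : 1 }'
}

# ensure_quota_admin ORG_ID GROUP_EMAIL POLICY_LINES
# Prints the gcloud command to run when the binding is missing, otherwise a
# note that it is already bound. Nothing is executed here; the caller decides.
ensure_quota_admin() {
  org=$1; group=$2; policy=$3
  role=roles/servicemanagement.quotaAdmin
  member="group:$group"
  if binding_present "$role" "$member" "$policy"; then
    echo "already bound: $role -> $member"
  else
    echo "gcloud organizations add-iam-policy-binding $org --member=$member --role=$role"
  fi
}

# Usage with the constructed sample (organization id is a placeholder):
# ensure_quota_admin ORG_ID_PLACEHOLDER gcp-organization-admins@example.com "$SAMPLE_POLICY"
```

Binding the role to the group rather than to the individual super admin user keeps the quota-change permission attached to the group membership you already audit, which is what the table's last row describes.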

Google Cloud Developer Bootstrap

Authenticate and verify your cloud shell

gcloud auth list
gcloud components list | grep Name
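Both the local OSX session at the top of the page (where the account is cleared with `gcloud config set account ""`, re-authenticated, and then a project is selected from the listing) and this cloud shell check come down to the same question: am I the account I think I am, and is the project I am about to operate on visible to that account? The script below is an added example, not part of this page or the pbmm-on-gcp-onboarding project. It takes the active account, the expected account, the target project id and a `gcloud projects list` listing as strings, so it runs offline; in real use feed it `"$(gcloud config get-value account)"` and `"$(gcloud projects list)"`. The sample listing reuses the three projects shown on the page; `admin@example.com` is a placeholder account.

```shell
#!/bin/sh
# Added example (not from the page): pre-flight check run before onboarding
# commands so they cannot land in the wrong account or project.

# Sample listing in the column layout `gcloud projects list` prints,
# using the projects shown on the page.
SAMPLE_LISTING='PROJECT_ID          NAME                PROJECT_NUMBER
dope-dod-audit      DoPe-dod-audit      989029907531
dope-dod-dodev-dbx  DoPe-dod-dodev-dbx  902607893471
landingzone-stg     LandingZone-stg     403373923652'

# project_number PROJECT_ID LISTING
# Prints the project number for PROJECT_ID; exit 1 if it is not in LISTING.
# The header row is skipped and the id is matched exactly, not as a prefix.
project_number() {
  pid=$1; listing=$2
  printf '%s\n' "$listing" | awk -v p="$pid" \
    'NR > 1 && $1 == p { print $3; found = 1 } END { exit found ? 0 : 1 }'
}

# preflight ACTIVE_ACCOUNT EXPECTED_ACCOUNT PROJECT_ID LISTING
# 0: safe to proceed (prints "ok: <project> (<number>) as <account>")
# 2: no active account, or a different one than expected
# 3: the project is not visible to the active account
preflight() {
  active=$1; expected=$2; pid=$3; listing=$4
  if [ -z "$active" ] || [ "$active" != "$expected" ]; then
    echo "refusing: active account '$active' is not '$expected'" >&2
    return 2
  fi
  if ! num=$(project_number "$pid" "$listing"); then
    echo "refusing: project '$pid' is not visible to $active" >&2
    return 3
  fi
  echo "ok: $pid ($num) as $active"
}

# Usage (placeholder account; replace the literals with gcloud output):
# preflight "$(gcloud config get-value account)" admin@example.com dope-dod-dodev-dbx "$(gcloud projects list)" \
#   && gcloud config set project dope-dod-dodev-dbx
```

The empty-account case is deliberate: right after `gcloud config set account ""` or in a fresh cloud shell, `gcloud config get-value account` returns nothing, and that should stop the run rather than fall through to whatever credential gcloud picks next.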
