

Google Cloud Account


gcloud SDK in the browser-based shell

michael@cloudshell:~$ cd cloudshell_open/pbmm-on-gcp-onboarding/
michael@cloudshell:~/cloudshell_open/pbmm-on-gcp-onboarding$


gcloud SDK on a local OSX machine


michaelobrien@mbp7 opt % gcloud auth list
    Credentialed Accounts
ACTIVE  ACCOUNT
*       mich..labs.dev
michaelobrien@mbp7 opt % gcloud config set account "micha...erized.org"
Updated property [core/account].
michaelobrien@mbp7 opt % gcloud auth login
Your browser has been opened to visit:
    https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=32....RuPa19X_5zYc&code_challenge_method=S256
You are now logged in as [mich...org].
michaelobrien@mbp7 opt % gcloud projects list
PROJECT_ID          NAME                PROJECT_NUMBER
dope-dod-audit      DoPe-dod-audit      989029907531
dope-dod-dodev-dbx  DoPe-dod-dodev-dbx  902607893471
landingzone-stg     LandingZone-stg     403373923652
michaelobrien@mbp7 opt % gcloud config set project dope-dod-dodev-dbx


Google Cloud Onboarding

Onboarding Prerequisites


https://cloud.google.com/billing/docs/onboarding-checklist

https://cloud.google.com/docs/enterprise/setup-checklist

Google Cloud Onboarding Categories


There are two types of Google Cloud accounts: Workspace and Cloud Identity. Cloud Identity accounts in turn come in two types: Gmail-based and 3rd-party based (such as AWS Workmail). There are 3 types of DNS zone configurations: none, Google Domains, and 3rd party (such as AWS Route53). Therefore there are 9 onboarding categories (3 x 3).

Onboarding Category 1: Workspace Email -  GCP Domain

This category is the common workspace and GCP organization domain hosted on Google Domains use case.

Onboarding Category 2: 3rd party Email -  GCP Domain

This category is where the client uses their own email system but has the organization domain registered with GCP.

Onboarding Category 3: Gmail Email -  GCP Domain

This category is where the client uses a new gmail email with optional redirect records on a GCP hosted domain for their organization

Onboarding Category 5: 3rd party Email - 3rd party Domain

This category is common for organizations new to GCP or multicloud, where both the email system and the DNS hosting zone are 3rd party.

Onboarding Category 6: Gmail Email - 3rd party Domain

This category is a variant of category 3: there is a gmail account with an optional redirect, while the organization zone records are on a 3rd party DNS system.

Onboarding Category 8: 3rd party Email - no Domain

This category is common for individual consumers who do not have a gmail account or any domain.  This option will not have an organization top node in IAM.

Onboarding Category 9: Gmail  Email - no Domain

This category is common for individual consumers who have a gmail account but no domain.  This option will not have an organization top node in IAM.

Google Workspace Accounts

Google Workspace accounts are ideal for organizations that operate inside the Google ecosystem and subscribe to the Workspace services.

Open an incognito chrome window

Look for an open domain to match your business name


Navigate to creating a new workspace account https://workspace.google.com/business/signup/welcome


Google Cloud Identity

Google Cloud Identity accounts are ideal for cloud account organizations where the user identities are maintained outside of Google Cloud, for example in AWS Workmail or Azure Active Directory.

Planning

Create or gain access to the domain you wish to associate with the organization or federate users from.  For example packet.global.

You will need access to the domain zone to add TXT records for domain validation under a subdomain like gcp.packet.global.


Open Chrome Window with no Google Account


Google Cloud Identity account with 3rd party email and domain on the same organization


Google Cloud Identity Account with 3rd party email and domain registered on a different organization

For example, cloudlift.ca is the domain but obrienlabs.dev is the email.

launch

https://accounts.google.com/SignUpWithoutGmail

Google Cloud Identity Account with gmail and 3rd party Domain

Launch SignUpWithoutGmail - select gmail

https://accounts.google.com/SignUpWithoutGmail

Select gmail, register and launch a new browser - add new account - login

launch google cloud

https://console.cloud.google.com/

do not select an org yet, as the domain under GCP registration does not have an email yet and is not registered with Workspace.

You will not be able to run the organization checklist as a gmail user - https://console.cloud.google.com/cloud-setup/organization

Add Cloud Identity free in

https://cloud.google.com/identity/docs/set-up-cloud-identity-admin

follow

https://workspace.google.com/signup/gcpidentity/welcome#0

add your gmail address and GCP domain

Add email capability https://support.google.com/cloudidentity/answer/7667994

Select the email left tab on
https://domains.google.com/registrar/eventstream.dev/email?hl=en-US

Select email forwarding to your gmail account

Launch gmail to verify the email - don't worry, it will launch Domains in your current gmail account - then confirm that the verification succeeded in your other account, the one that holds the domain registration

Check email forwarding on the DNS tab



wait about 30 seconds for DNS record propagation and recheck the Cloud Identity wizard warning about missing email MX records



continue wizard regardless of warning - use your new email forward address

https://workspace.google.com/signup/gcpidentity/tos

goto setup after creation

Launch admin

Since I have used this phone a couple of times - get past the unusual activity dialog


Identity account OK

select getting started

https://admin.google.com/u/1/ac/signup/setup/v2/gettingstarted

Verify domain - the sign-in option will not work on this browser, as I have it registered on another account - in this case select "Switch Verification Method" and select the 2nd TXT option.

add the TXT record

Click Verify back on the admin page

The org in this case will be created automatically when you click the link below (no subdomain, as the TXT record is the first on the domain).  If there is already a root domain TXT record, you will need to use a subdomain like gcp.domain.com

the org is set up, as the TXT record is against the root domain on the separate GCP account

Launch SignUpWithoutGmail - select outside email

https://accounts.google.com/SignUpWithoutGmail

Fill in the form with an existing email address outside of Google

Launch from step 2 of the IAM | Cloud Identity & Organization | checklist https://console.cloud.google.com/cloud-setup/organization

to https://workspace.google.com/signup/gcpidentity/welcome

Finish and Login to new Google account

https://myaccount.google.com/?utm_source=sign_in_no_continue&pli=1&nlr=1

Navigate to GCP

https://console.cloud.google.com/

If not on a federated account - activate the trial to set up billing, or set up billing later

Navigate to IAM| Identity and Organization

https://console.cloud.google.com/iam-admin/cloudidentity/consumer?orgonly=true&supportedpurview=project,organizationId,folder

select the checklist

https://console.cloud.google.com/cloud-setup/overview?orgonly=true&supportedpurview=project,organizationId,folder

If you see the following warning, you do not have a Cloud Identity account yet:


Your current account, mich..services, is not associated with an organization on Google Cloud. This checklist is designed for administrators who are trusted with complete control over a company’s Google Cloud resources. If you already have an administrator account for your organization, sign in with the account now. Or, ask your company administrator to start the checklist. In order to become a Google Cloud administrator, complete the initial task in the checklist, which will create a new administrator account.

Begin Setup button - I am a new customer

(you will end up with 2 users - one already hosted on your domain, the other on the google identity subdomain)

Phone numbers can be used a maximum of 3-5 times for verification.
The process is:

use an email that is on your target domain (the root domain, not the subdomain) - AWS Workmail for example

Use that user to create the google account above

Login to cloud.google.com with this user and navigate to organization onboarding

open the checklist, but go to create identity account

create a new user on the subdomain - this will be your super admin account

go to billing and activate your account - to keep credits

wait 24h for the additional 100 org credit


Domain Validation via Zone TXT record

https://console.cloud.google.com/cloud-setup/organization?orgonly=true&supportedpurview=project,organizationId,folder

Make sure to configure a subdomain - example gcp.obrien.systems

You have several options depending on whether the domain is on GCP, AWS or Azure for example.

Google Domains Zone TXT record

Select "manage" and DNS on your domain at https://domains.google.com/registrar/eventstream.dev/dns



AWS Route53 Zone TXT record

https://console.aws.amazon.com/route53/v2/hostedzones#ListRecordSets/Z05779022O0W927A7QCEB
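The root-versus-subdomain decision from the checklist step above, together with the Route53 record it produces, as an added example that is not part of this page: the zone dump and the verification token are constructed placeholders, and the BIND-style zone layout and Route53 change-batch format are assumptions of the example.

```shell
#!/bin/sh
# Added example: decide where the Google verification TXT record can go
# (root domain if free, otherwise the gcp.<domain> subdomain the page uses),
# then emit the Route53 change batch for it.
# Assumption: the zone dump is in BIND "name TTL IN TYPE rdata" form.

# Constructed zone dump: the root already carries a TXT record (SPF), so the
# verification record must go on a subdomain.
SAMPLE_ZONE='example.org.      300 IN SOA   ns1.example.org. hostmaster.example.org. 1 7200 900 1209600 86400
example.org.      300 IN MX    10 inbound-smtp.us-east-1.amazonaws.com.
example.org.      300 IN TXT   "v=spf1 include:amazonses.com -all"
www.example.org.  300 IN A     203.0.113.10'

# Count TXT records at the zone root; prints the number. $1 = domain, stdin = zone dump.
root_txt_count() {
  awk -v name="$1." '$1 == name && $4 == "TXT" { n++ } END { print n + 0 }'
}

# Print the record name the verification TXT should be created on.
# $1 = domain, $2 = subdomain label, stdin = zone dump.
verification_name() {
  if [ "$(root_txt_count "$1")" -eq 0 ]; then
    printf '%s\n' "$1"
  else
    printf '%s.%s\n' "$2" "$1"
  fi
}

# Emit a Route53 change batch (UPSERT) for the verification TXT record.
# Route53 wants the TXT rdata quoted inside the JSON string, hence the \" pairs.
# $1 = record name, $2 = verification token (placeholder here).
route53_change_batch() {
  printf '{"Comment":"Google domain verification","Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s.","Type":"TXT","TTL":300,"ResourceRecords":[{"Value":"\\"google-site-verification=%s\\""}]}}]}\n' "$1" "$2"
}

# Stand-alone run: with the sample zone the root is taken, so the record
# lands on gcp.example.org.
name=$(printf '%s\n' "$SAMPLE_ZONE" | verification_name example.org gcp)
route53_change_batch "$name" "PLACEHOLDER_TOKEN"
# Apply with: aws route53 change-resource-record-sets --hosted-zone-id <ZONE_ID> --change-batch file://batch.json
```

After applying the batch, re-run the zone check before clicking Verify so the wizard does not fail on an unpropagated record.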

Google Cloud Identity Federation with Azure Active Directory

https://cloud.google.com/architecture/identity/federating-gcp-with-active-directory-introduction

Start with Google Cloud Directory Sync

IAM Additional Roles

action                        role                          pre state
change organization quotas    serviceusage.quotas.update    admin user is already in administrator group with roles

action: add Quota Administrator to the group

Google Cloud Developer Bootstrap

Authenticate and verify your cloud shell

gcloud auth list
gcloud components list | grep Name
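A gate to put in front of the bootstrap commands above, added here as an example and not part of this page: it refuses to continue unless the active gcloud account and configured project are the expected ones, so onboarding never runs against the wrong organization. The sample auth-list text and the admin address are constructed; `landingzone-stg` is the project id from the listing at the top of the page.

```shell
#!/bin/sh
# Added example: verify the gcloud context before running the bootstrap.
# Assumption: EXPECTED account/project values are placeholders for your own
# super admin account and landing-zone project.

# Constructed sample of `gcloud auth list` output, in the layout the
# transcript at the top of the page shows.
SAMPLE_AUTH_LIST='    Credentialed Accounts
ACTIVE  ACCOUNT
        personal@gmail.com
*       admin@gcp.example.org'

# Print the account marked ACTIVE (the row whose first field is "*") from
# gcloud auth list text on stdin; prints nothing if no account is active.
active_account() {
  awk '$1 == "*" { print $2; exit }'
}

# Return 0 when the active account and project match expectations, 1 otherwise.
# $1 = expected account, $2 = expected project,
# $3 = gcloud auth list text, $4 = configured project.
check_context() {
  actual=$(printf '%s\n' "$3" | active_account)
  if [ "$actual" != "$1" ]; then
    echo "refusing to continue: active account is '$actual', expected '$1'" >&2
    return 1
  fi
  if [ "$4" != "$2" ]; then
    echo "refusing to continue: project is '$4', expected '$2'" >&2
    return 1
  fi
  return 0
}

# Live usage (commented out so this sample runs offline); the filter/format
# flags are the cleaner way to get the active account directly from gcloud:
#   check_context "$EXPECTED_ACCOUNT" "$EXPECTED_PROJECT" \
#     "$(gcloud auth list 2>/dev/null)" "$(gcloud config get-value project 2>/dev/null)" \
#     && gcloud components list | grep Name
#   gcloud auth list --filter=status:ACTIVE --format='value(account)'

# Stand-alone run against the constructed sample: succeeds.
check_context admin@gcp.example.org landingzone-stg "$SAMPLE_AUTH_LIST" landingzone-stg
```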