Google Cloud Account
gcloud SDK in the browser based shell
```
michael@cloudshell:~$ cd cloudshell_open/pbmm-on-gcp-onboarding/
michael@cloudshell:~/cloudshell_open/pbmm-on-gcp-onboarding$
```
gcloud SDK on a local OSX machine
```
michaelobrien@mbp7 opt % gcloud auth list
Credentialed Accounts
ACTIVE  ACCOUNT
*       mich..labs.dev
michaelobrien@mbp7 opt % gcloud config set account "micha...erized.org"
Updated property [core/account].
michaelobrien@mbp7 opt % gcloud auth login
Your browser has been opened to visit:
    https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=32....RuPa19X_5zYc&code_challenge_method=S256
You are now logged in as [mich...org].
michaelobrien@mbp7 opt % gcloud projects list
PROJECT_ID          NAME                PROJECT_NUMBER
dope-dod-audit      DoPe-dod-audit      989029907531
dope-dod-dodev-dbx  DoPe-dod-dodev-dbx  902607893471
landingzone-stg     LandingZone-stg     403373923652
michaelobrien@mbp7 opt % gcloud config set project dope-dod-dodev-dbx
```
Google Cloud Onboarding
Onboarding Prerequisites
https://cloud.google.com/billing/docs/onboarding-checklist
https://cloud.google.com/docs/enterprise/setup-checklist
Google Cloud Onboarding Categories
There are two types of Google Cloud accounts: Workspace and Cloud Identity. Cloud Identity has 2 types of accounts: Gmail based and 3rd party based (such as AWS WorkMail). There are 3 types of DNS zone configurations: none, Google Domains, and 3rd party (such as AWS Route53). Therefore there are 9 onboarding categories (3 x 3).
Onboarding Category 1: Workspace Email - GCP Domain
This category is the common use case: Workspace email with the GCP organization domain hosted on Google Domains.
Onboarding Category 2: 3rd party Email - GCP Domain
This category is where the client uses their own email system but has the organization domain registered with GCP.
Onboarding Category 3: Gmail Email - GCP Domain
This category is where the client uses a new gmail email with optional redirect records on a GCP hosted domain for their organization
Onboarding Category 5: 3rd party Email - 3rd party Domain
This category is common for organizations new to GCP or multicloud where both the email system and DNS hosting zone are 3rd party
Onboarding Category 6: Gmail Email - 3rd party Domain
This category is a variant of category 3: a Gmail account with optional redirect, where the organization zone records are on a 3rd party DNS system.
Onboarding Category 8: 3rd party Email - no Domain
This category is common for individual consumers where they do not have a gmail account or any domain. This option will not have an organization top node in IAM
Onboarding Category 9: Gmail Email - no Domain
This category is common for individual consumers who have a Gmail account but no domain. This option will not have an organization top node in IAM.
Google Workspace Accounts
Google Workspace accounts are ideal for organizations that exist inside the Google ecosystem and subscribe to the Workspace services.
Open an incognito chrome window
Look for an open domain to match your business name
Navigate to creating a new workspace account https://workspace.google.com/business/signup/welcome
Google Cloud Identity
Google Cloud Identity accounts are ideal for cloud account organizations where the user identities are maintained outside of Google Cloud, for example in AWS WorkMail or Azure Active Directory.
Planning
Create or gain access to the domain whose users you wish to associate or federate, for example packet.global.
You will need access to the domain zone to add TXT records for domain validation under a subdomain like gcp.packet.global.
Open Chrome Window with no Google Account
Google Cloud Identity account with 3rd party email and domain on the same organization
Google Cloud Identity Account with 3rd party email and domain registered on a different organization
For example cloudlift.ca is the domain but obrienlabs.dev is the email
launch
https://accounts.google.com/SignUpWithoutGmail
Google Cloud Identity Account with gmail and 3rd party Domain
Launch SignUpWithoutGmail - select gmail
https://accounts.google.com/SignUpWithoutGmail
Select gmail, register and launch a new browser - add new account - login
launch google cloud
https://console.cloud.google.com/
do not select an org yet - as the domain under GCP registration does not have an email yet and is not registered with workspace.
You will not be able to run the organization checklist account as a gmail user - https://console.cloud.google.com/cloud-setup/organization
Add Cloud Identity free in
https://cloud.google.com/identity/docs/set-up-cloud-identity-admin
follow
https://workspace.google.com/signup/gcpidentity/welcome#0
add your gmail address and GCP domain
Add email capability https://support.google.com/cloudidentity/answer/7667994
Select the email left tab on
https://domains.google.com/registrar/eventstream.dev/email?hl=en-US
Select email forwarding to your gmail account
Launch Gmail to verify the email. Don't worry that it launches Google Domains in your current Gmail account; verify in your other account (the one that holds the domain registration) that the verification worked.
Check email forwarding on the DNS tab
Wait about 30 seconds for DNS record propagation and recheck the Cloud Identity wizard warning about missing email MX records.
continue wizard regardless of warning - use your new email forward address
https://workspace.google.com/signup/gcpidentity/tos
goto setup after creation
Launch admin
Since I have used this phone a couple of times, get past the unusual activity dialog.
Identity account OK
select getting started
https://admin.google.com/u/1/ac/signup/setup/v2/gettingstarted
Verify domain - sign in option will not work on this browser - as I have it registered on another account - in this case select "Switch Verification Method" and select the 2nd TXT option.
add the TXT record
Click Verify back on the admin page
The org in this case will be created automatically when you click the link below (no subdomain, as the TXT record is the first on the domain). If there is already a root domain TXT record, you will need to use a subdomain like gcp.domain.com.
The org is set up, as the TXT record is against the root domain on the separate GCP account.
Launch SignUpWithoutGmail - select outside email
https://accounts.google.com/SignUpWithoutGmail
Fill in the form with an existing email address outside of Google
Launch from step 2 of the IAM | Cloud Identity & Organization | checklist https://console.cloud.google.com/cloud-setup/organization
to https://workspace.google.com/signup/gcpidentity/welcome
Finish and Login to new Google account
https://myaccount.google.com/?utm_source=sign_in_no_continue&pli=1&nlr=1
Navigate to GCP
https://console.cloud.google.com/
If not on a federated account - activate the trial to setup billing or setup billing later
Navigate to IAM| Identity and Organization
select the checklist
If you see a warning - you do not have a cloud identity account yet
Your current account, mich..services, is not associated with an organization on Google Cloud. This checklist is designed for administrators who are trusted with complete control over a company’s Google Cloud resources. If you already have an administrator account for your organization, sign in with the account now. Or, ask your company administrator to start the checklist. In order to become a Google Cloud administrator, complete the initial task in the checklist, which will create a new administrator account.
Begin Setup button - I am a new customer
(you will end up with 2 users - one already hosted on your domain, the other on the google identity subdomain)
Phone numbers can be used a maximum of 3-5 times for verification
The process is
use an email that is on your target domain (the root domain, not the subdomain), for example on AWS WorkMail
Use that user to create the google account above
Login to cloud.google.com with this user and navigate to organization onboarding
hit the checklist - but goto create identity account
create a new user with the subdomain - this will be your super admin account
goto billing and activate your account - to keep credits
wait 24h for the additional 100 org credit
Domain Validation via Zone TXT record
Make sure to configure a subdomain - example gcp.obrien.systems
You have several options depending on whether the domain is on GCP, AWS or Azure for example.
Google Domains Zone TXT record
Select "manage" and DNS on your domain at https://domains.google.com/registrar/eventstream.dev/dns
AWS Route53 Zone TXT record
https://console.aws.amazon.com/route53/v2/hostedzones#ListRecordSets/Z05779022O0W927A7QCEB
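The TXT validation step above depends on the record being visible on public resolvers before you click Verify, and the identity wizard separately warns when the domain has no MX records. The following is an added example (not from the onboarding page) that polls for the verification TXT on the gcp.<domain> subdomain and checks the MX lookup; it assumes `dig` is installed, and the domain name and `google-site-verification=...` token value are placeholders.

```shell
# Added example, not part of the onboarding page. Resolver is Google Public DNS so
# the check reflects what Google's verification is likely to see, not a local cache.
RESOLVER="${RESOLVER:-8.8.8.8}"

# $1 = expected TXT value; stdin = TXT records, one per line, as `dig +short TXT` prints them.
# Returns 0 when one record equals the token, 1 otherwise.
has_verification_token() {
  token="$1"
  while IFS= read -r rr; do
    rr="${rr%\"}"; rr="${rr#\"}"     # dig wraps TXT data in double quotes
    [ "$rr" = "$token" ] && return 0
  done
  return 1
}

# $1 = DNS name. Returns 0 when at least one MX record is published (wizard warns otherwise).
has_mx() {
  [ -n "$(dig +short MX "$1" "@$RESOLVER" 2>/dev/null)" ]
}

# Poll until the token is visible. $1 = name, $2 = token, $3 = attempts, $4 = seconds between tries.
# Defaults follow the page's guidance of rechecking after roughly 30 seconds.
wait_for_txt() {
  name="$1"; token="$2"; attempts="${3:-10}"; delay="${4:-30}"
  i=1
  while [ "$i" -le "$attempts" ]; do
    if dig +short TXT "$name" "@$RESOLVER" 2>/dev/null | has_verification_token "$token"; then
      echo "ok: $name publishes $token"
      return 0
    fi
    echo "attempt $i/$attempts: token not visible yet on $name; sleeping ${delay}s"
    sleep "$delay"
    i=$((i + 1))
  done
  echo "gave up: $name never published $token"
  return 1
}

# Usage with placeholder values:
#   wait_for_txt gcp.example.com 'google-site-verification=TOKEN'
#   has_mx example.com || echo 'no MX yet: the wizard will warn, continue with the forward address'
```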
Google Cloud Identity Federation with Azure Active Directory
https://cloud.google.com/architecture/identity/federating-gcp-with-active-directory-introduction
Start with Google Cloud Directory Sync
IAM Additional Roles
action | role | pre state
---|---|---
change organization quotas | serviceusage.quotas.update | admin user is already in the administrator group; assign the Quota Administrator role to the group
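The table puts the Quota Administrator role on the administrator group rather than on an individual. This added example (not from the onboarding page) reads the organization's IAM bindings with gcloud and reports when the group lacks the role or a `user:` principal holds it directly; it assumes `roles/servicemanagement.quotaAdmin` is the role that carries `serviceusage.quotas.update`, and the organization id and group address are placeholders.

```shell
# Added example, not part of the onboarding page.
# Role assumed to carry serviceusage.quotas.update (check with: gcloud iam roles describe "$QUOTA_ROLE").
QUOTA_ROLE="roles/servicemanagement.quotaAdmin"

# $1 = organization id. Emits one "role,member" line per binding member.
# Needs an authenticated gcloud that can read the org policy.
fetch_bindings() {
  gcloud organizations get-iam-policy "$1" \
    --flatten='bindings[].members' \
    --format='csv[no-heading](bindings.role,bindings.members)'
}

# $1 = admin group address; stdin = "role,member" lines as fetch_bindings prints them.
# Returns 0 when the group holds QUOTA_ROLE and no user: principal holds it directly;
# otherwise prints each finding and returns 1.
check_quota_role() {
  group="$1"
  group_ok=1
  status=0
  while IFS=, read -r role member; do
    [ "$role" = "$QUOTA_ROLE" ] || continue
    if [ "$member" = "group:$group" ]; then
      group_ok=0
    fi
    case "$member" in
      user:*)
        echo "finding: $member holds $QUOTA_ROLE directly; move it to group:$group"
        status=1 ;;
    esac
  done
  if [ "$group_ok" -ne 0 ]; then
    echo "finding: group:$group does not hold $QUOTA_ROLE"
    status=1
  fi
  return "$status"
}

# Usage with placeholder values:
#   fetch_bindings ORG_ID | check_quota_role gcp-admins@example.com
```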
Google Cloud Developer Bootstrap
Authenticate and verify your cloud shell
```
gcloud auth list
gcloud components list | grep Name
```