Support access to Google Cloud
DoiT provides complete transparency when accessing your Google Cloud environment.
- Technical support access: Use a gcloud command to establish the permissions required to provide technical support as outlined in your contract.
  Note: We access your Google Cloud environment solely to provide technical support as outlined in your contract. We do not access your environment for any other purpose and never have access to resources beyond the scope of an active inquiry.
- Ava access: Grant Ava read-only access to your Google Cloud organizations and projects. This provides a secure way to generate contextualized and granular insights for specific areas of your Google Cloud environment, enabling Ava to provide more tailored, precise, and relevant answers without exposing data from your entire Google Cloud environment.
Grant technical support access
When creating a new expert inquiry with DoiT, you will be prompted to grant DoiT access to the Google Cloud project that you specified in your inquiry.
- We only access your Google Cloud environment to provide technical support per our contractual obligations. We never access your Google Cloud environment for any other reason.
- Support engineers do not have write access to your Google Cloud environment. The only exception: if you use Google Cloud Direct Support, we can raise Google Cloud support requests on your behalf.
Grant access
Access is typically granted with a gcloud command. The access is view-only, limited, and available only to the support engineers handling your inquiry. The requested role is Viewer (roles/viewer).
gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="group:ticket-$TICKET_ID@cre.doit-intl.com" \
    --role=roles/viewer --condition=None
For example, to add an IAM policy binding for the group assigned to the expert inquiry #1234 on a Google Cloud project example-project-id, run:
gcloud projects add-iam-policy-binding example-project-id \
    --member="group:ticket-1234@cre.doit-intl.com" \
    --role=roles/viewer --condition=None
In some cases, your issue may not be limited to one project and we may request access to your entire organization. In these cases, we usually request the following roles:
- Viewer (roles/viewer)
- Browser (roles/browser)
- Security Reviewer (roles/iam.securityReviewer)
- BigQuery Resource Viewer (roles/bigquery.resourceViewer)
However, the engineer may decide to request additional or different roles depending on the nature of the issue. These permissions are never granted automatically; you retain full control over which roles are granted.
DoiT workspace customer ID
If you use a Google Cloud organization policy to restrict identities by domain, make sure to allow cre.doit-intl.com using the DoiT Google Workspace customer ID C04eumws5.
Revoke access
Support access is automatically revoked for security reasons when the expert inquiry is resolved. The next time you create an expert inquiry, you will need to grant our support engineers access again.
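To confirm on your side which support groups still hold bindings on a project, the following added example (not DoiT's or Google's own tooling) audits an IAM policy exported with `gcloud projects get-iam-policy PROJECT_ID --format=json`. The function name, finding labels, the embedded sample policy, and ticket number 1001 are constructed for illustration; you supply the set of inquiry numbers you know to be open.

```python
import json
import re

# Read-only roles this page lists for project- or organization-level support access.
DOCUMENTED_ROLES = {
    "roles/viewer",
    "roles/browser",
    "roles/iam.securityReviewer",
    "roles/bigquery.resourceViewer",
}
SUPPORT_DOMAIN = "@cre.doit-intl.com"
TICKET_GROUP = re.compile(r"^group:ticket-(\d+)@cre\.doit-intl\.com$")

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/viewer",
   "members": ["group:ticket-1234@cre.doit-intl.com", "user:alice@example.com"]},
  {"role": "roles/viewer", "members": ["group:ticket-1001@cre.doit-intl.com"]},
  {"role": "roles/editor", "members": ["group:ticket-1234@cre.doit-intl.com"]}
], "version": 1}
""")


def audit_support_bindings(policy, open_tickets):
    """Return (finding, role, member) tuples for members in the support domain.

    open_tickets: set of inquiry numbers (strings) that you know are still open.
    """
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            lowered = member.lower()
            if SUPPORT_DOMAIN not in lowered:
                continue  # not a DoiT support principal
            match = TICKET_GROUP.match(lowered)
            if match is None:
                findings.append(("unexpected-principal", role, member))
            elif match.group(1) not in open_tickets:
                findings.append(("stale-ticket-group", role, member))
            elif role not in DOCUMENTED_ROLES:
                findings.append(("undocumented-role", role, member))
    return findings


if __name__ == "__main__":
    for finding in audit_support_bindings(SAMPLE_POLICY, open_tickets={"1234"}):
        print(*finding, sep="\t")
```

An `undocumented-role` finding is a prompt to review, not necessarily an error, since an engineer may request roles beyond the four listed above.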
Grant Ava access
If you have a Cloud Intelligence Essentials plan, Ava can investigate inquiries and provide more tailored, precise, and relevant answers, without exposing data from your entire cloud environment. You can grant Ava access to individual organizations or projects, as needed, providing a secure way to generate contextualized and granular insights into your Google Cloud environment.
- Sign in to the DoiT console, select Integrate from the top navigation bar, and then select Google Cloud.
- Select the kebab menu (⋮) at the rightmost end of the Google Cloud organization or project that you want to grant Ava access to, and select Edit. The Edit project window is displayed.
- From Available features, check the box next to Ava read-only. You can expand Ava read-only to see a list of the read-only permissions Ava requires to analyze your Google Cloud resources.
- Select Generate gcloud commands. The generated gcloud commands you need to run are displayed in the DoiT console.
- In Find your Organization ID, copy the provided code block.
- Select Open Google Cloud Shell.
- Paste the code and run the command. This retrieves a list of your Google Cloud organizations and their IDs.
- Go back to the DoiT console.
- In Update Custom Role, copy the code block provided.
- Go back to Google Cloud Shell. Paste the code, replacing ORGANIZATION ID with the organization ID of the organization for which you are adding the required permissions, and run the command.
- Go back to the DoiT console and select Done.
- Repeat these steps for the Google Cloud organizations and projects that you want to grant Ava access to.