Connect your Google Cloud Organization
Overview
To offer the full capabilities of the DoiT Platform, we request permissions to access the Google API, obtain information for monitoring or alerts, and help you act on recommendations if applicable.
- Your DoiT account must have the Manage Settings permission.
- Your Google Cloud account must have the Organization Role Administrator role to create and attach custom roles to service accounts under the organization.
Service account authentication
Google Cloud supports using service accounts as identities for workloads. Starting June 2023, the preferred way to authenticate the service account for DoiT console workloads changes to service account impersonation, which mitigates the security risks associated with service account keys.
Service account impersonation involves two principals:
- The privilege-bearing service account that has the required permissions to access the target resource.
- The caller that needs to access the target resource but lacks permissions of its own.
Configure identities for DoiT workloads
When connecting the DoiT console to your organization, you need to perform the following tasks to configure the identities for DoiT workloads:
- Create a service account with the permissions to access the relevant resources of your organization.
- Grant the DoiT-owned service account [email protected] (the caller) permission to impersonate the privilege-bearing service account.
Create a service account
To create a service account:
- Sign in to the DoiT console, select the gear icon from the top navigation bar, and then select Google Cloud.
- Under Features, in the Service account dropdown, select Connect a new organization.
- Select the features you want to enable on your account. You can expand features to review the required permissions.
- Select Connect a new organization. You'll see the gcloud commands you need to run in the DoiT console.
  If you want to use a custom name for your service account, replace doit-cmp in the Create service account command with a custom name. Bear in mind that if you edit the service account name, you need to replace it in all subsequent commands of the procedure.
  Edit a service account name: To change the name of a service account after its creation, you need to remove the service account and create a new one with the updated name.
- Start a Google Cloud Shell session (e.g., Launch the Cloud Shell Editor) and select a suitable Google Cloud project to create your service account.
  Select a suitable Google Cloud project:
  - The project must belong to your organization.
  - The project must be connected to a Google Cloud Billing account (see Verify the billing status of your projects).
  - You intend to keep the project for the long term and make it accessible only to trusted people.
- Run the commands provided in the DoiT console sequentially to perform the following tasks:
  - Create a new service account in the current project.
  - Enable the Service Usage API in the current project.
  - Create a custom role with the permissions required by your chosen features.
  - Add a policy binding with the custom role for the new service account.
  Note: Permissions are granted at the organization level. See Security and data access policy for more information.
- Sign in to the Google Cloud console, go to the Roles page and verify that you have created a doit_cmp_role linked to the DoiT Service Account in your organization.
Allow service account impersonation
After creating the privilege-bearing service account of your organization, you need to grant the DoiT caller service account the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) to allow it to impersonate the former.
If you use a GCP organization policy to restrict identities by domain, make sure to whitelist the DoiT caller service account [email protected] using its Organization Resource ID C03rw2ty2 before proceeding.
Run the following command, replacing $YOUR_SA with the e-mail address of the service account you created:
gcloud iam service-accounts add-iam-policy-binding $YOUR_SA --member=serviceAccount:[email protected] --role=roles/iam.serviceAccountTokenCreator
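The steps above (create the service account, enable the Service Usage API, create and bind the custom role, allow the domain-restricted-sharing exception, grant Token Creator) as one dry-run-capable script. This is an added example, not DoiT's own tooling or the commands the console generates for you: the project ID, organization ID, your own customer ID, the DoiT caller address and the permission list are placeholders to replace with the values the DoiT console shows (the permission list is an assumed illustrative subset; C03rw2ty2 and the role/account names come from this page). The organization policy constraint used is constraints/iam.allowedPolicyMemberDomains.

```shell
#!/bin/sh
# Added example (not DoiT's code): DoiT onboarding steps as a small script.
# With DRY_RUN=1 (the default) every gcloud command is printed instead of run,
# so you can review the exact commands before executing them.
set -eu

DOIT_PROJECT_ID="${DOIT_PROJECT_ID:-my-project-placeholder}"   # placeholder: project that owns the SA
DOIT_ORG_ID="${DOIT_ORG_ID:-123456789012}"                      # placeholder: your organization ID
DOIT_SA_NAME="${DOIT_SA_NAME:-doit-cmp}"                        # service account name from the page
DOIT_ROLE_ID="${DOIT_ROLE_ID:-doit_cmp_role}"                   # custom role ID from the page
DOIT_CALLER="${DOIT_CALLER:-doit-caller@example.iam.gserviceaccount.com}"  # placeholder: use the console's address
DOIT_CUSTOMER_ID="${DOIT_CUSTOMER_ID:-C03rw2ty2}"               # DoiT organization resource ID from the page
OWN_CUSTOMER_ID="${OWN_CUSTOMER_ID:-C0placeholder}"             # placeholder: your own customer ID
PERMISSIONS="${PERMISSIONS:-resourcemanager.projects.get,serviceusage.services.list}"  # assumed subset
DRY_RUN="${DRY_RUN:-1}"

# Full e-mail address of the privilege-bearing service account.
sa_email() { printf '%s@%s.iam.gserviceaccount.com\n' "$DOIT_SA_NAME" "$DOIT_PROJECT_ID"; }

# Print the command (dry run) or execute it.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Step 1: create the privilege-bearing service account in the chosen project.
create_service_account() {
  run gcloud iam service-accounts create "$DOIT_SA_NAME" \
    --project="$DOIT_PROJECT_ID" --display-name="DoiT console"
}

# Step 2: enable the Service Usage API in the same project.
enable_service_usage_api() {
  run gcloud services enable serviceusage.googleapis.com --project="$DOIT_PROJECT_ID"
}

# Step 3: create the organization-level custom role holding only the chosen permissions.
create_custom_role() {
  run gcloud iam roles create "$DOIT_ROLE_ID" --organization="$DOIT_ORG_ID" \
    --title="DoiT CMP role" --permissions="$PERMISSIONS" --stage=GA
}

# Step 4: bind the custom role to the service account at the organization level.
bind_custom_role() {
  run gcloud organizations add-iam-policy-binding "$DOIT_ORG_ID" \
    --member="serviceAccount:$(sa_email)" \
    --role="organizations/$DOIT_ORG_ID/roles/$DOIT_ROLE_ID"
}

# Domain-restricted sharing: allow your own customer ID and DoiT's, otherwise the
# Token Creator binding for the DoiT caller is rejected by the constraint.
write_allowed_domains_policy() {
  cat > "$1" <<EOF
constraint: constraints/iam.allowedPolicyMemberDomains
listPolicy:
  allowedValues:
  - $OWN_CUSTOMER_ID
  - $DOIT_CUSTOMER_ID
EOF
  run gcloud resource-manager org-policies set-policy "$1" --organization="$DOIT_ORG_ID"
}

# Step 5: the DoiT caller may only mint tokens for this one service account;
# it receives no permissions on your resources itself.
allow_impersonation() {
  run gcloud iam service-accounts add-iam-policy-binding "$(sa_email)" \
    --member="serviceAccount:$DOIT_CALLER" \
    --role=roles/iam.serviceAccountTokenCreator
}

# Verification: who may impersonate the account, and what the custom role grants.
verify() {
  run gcloud iam service-accounts get-iam-policy "$(sa_email)" --format=json
  run gcloud iam roles describe "$DOIT_ROLE_ID" --organization="$DOIT_ORG_ID"
}

main() {
  create_service_account
  enable_service_usage_api
  create_custom_role
  bind_custom_role
  allow_impersonation
  verify
}

main
```

Run it once with the defaults to see the commands, then with DRY_RUN=0 and your real values to execute them. Call write_allowed_domains_policy only if your organization enforces domain-restricted sharing, and keep the Token Creator binding on the service account resource itself (as in the page's command) rather than at the organization level, so the DoiT caller can impersonate this account and nothing else.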
Update role
To add or remove features on the service account:
- Select the gear icon from the top navigation bar, and then select Google Cloud.
- Select your service account.
- Modify the selection of features as needed.
- Select Update role.
You'll be asked to run gcloud commands to update your service account's role.
Add multiple service accounts
If you have multiple Google Cloud organizations, you can create a service account for each organization to regulate which organization gets access to which features.
BigQuery Lens doesn't support multiple service accounts at the moment. See Set up BigQuery Lens.
Remove service accounts
In case you need to remove a service account from the DoiT console and then create a new one, be aware that:
- Removing a service account from the DoiT console also removes the related datasets and sinks created by BigQuery Lens.
- Once the BigQuery Lens permissions are granted to the new service account, we'll re-create the sink and trigger a historical jobs backfill, which may lead to increased costs during your service account setup.