
Connect your Google Cloud Organization

Overview

To offer the full capabilities of the DoiT Platform, we request permissions to access the Google API and obtain information for monitoring or alerts, and help you act on recommendations if applicable.

Required permissions
  • Your DoiT account must have the Manage Settings permission.

  • Your Google Cloud account must have the Organization Role Administrator role to create and attach custom roles to service accounts under the organization.

Service account authentication

Google Cloud supports using service accounts as identities for workloads. Starting June 2023, the preferred way to authenticate the service account for DoiT console workloads changes to service account impersonation, which mitigates the security risks associated with service account keys.

Service account impersonation involves two principals:

  • The privilege-bearing service account that has the required permissions to access the target resource.

  • The caller that needs to access the target resource but lacks permissions.

Configure identities for DoiT workloads

When connecting DoiT console to your organization, you need to perform the following tasks to configure the identities for DoiT workloads:

  1. Create a service account with the permissions to access the relevant resources of your organization.

  2. Grant the DoiT-owned service account [email protected] (the caller) permissions to impersonate the privilege-bearing service account.

Create a service account

To create a service account:

  1. Log in to the DoiT console, select the gear icon from the top navigation bar, and then select Google Cloud.

  2. Under Features, in the Service account dropdown, select Connect a new organization.

    Google Cloud settings screen

  3. Select the features you want to enable on your account. You can expand features to review the required permissions.

  4. Select Connect a new organization. You'll see the gcloud commands you need to run in the DoiT console.

    If you want to use a custom name for your service account, replace doit-cmp with the custom name in the Create service account command.

    Create service account

    Edit a service account name

    To change the name of a service account after its creation, you need to remove the service account and create a new one with the updated name.

  5. Start a Google Cloud Shell session (e.g., Launch the Cloud Shell Editor) and select a suitable Google Cloud project to create your service account.

    Select a suitable Google Cloud project
    • The project must belong to your organization.

    • The project must be connected to a Google Cloud Billing account (see Verify the billing status of your projects).

    • The project should be one you intend to keep for the long term and make accessible only to trusted people.

  6. Run the commands sequentially to perform the following tasks:

    Note

    Permissions are granted on the organization level. See Security and data access policy for more information.

  7. Log in to the Google Cloud console, go to the Roles page and verify that you have created a doit_cmp_role linked to the DoiT Service Account in your organization.

Allow service account impersonation

After creating the privilege-bearing service account of your organization, you need to grant the DoiT caller service account the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) on that service account so that it can impersonate it.

Note

If you use a Google Cloud organization policy to restrict identities by domain, make sure to allowlist the DoiT caller service account [email protected] using its Organization Resource ID C03rw2ty2 before proceeding.

Run the following command, replacing $YOUR_SA with the email address of your privilege-bearing service account:

gcloud iam service-accounts add-iam-policy-binding $YOUR_SA --member=serviceAccount:[email protected] --role=roles/iam.serviceAccountTokenCreator
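After running the binding command (and the domain-restriction note above), a practitioner typically verifies two things: that the DoiT caller is the only principal able to mint tokens for the privilege-bearing service account, and that the domain-restricted-sharing constraint actually allows DoiT's organization. The following checker is an added example, not DoiT's or Google's code; it assumes the JSON shapes returned by gcloud iam service-accounts get-iam-policy --format=json and gcloud resource-manager org-policies describe --format=json, and the caller address and sample policies are constructed placeholders.

```python
import json

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
DOMAIN_CONSTRAINT = "constraints/iam.allowedPolicyMemberDomains"
DOIT_ORG_ID = "C03rw2ty2"  # DoiT Organization Resource ID quoted on the page
# Placeholder: the real caller address is shown in the DoiT console.
DOIT_CALLER_SA = "doit-caller-placeholder@example.iam.gserviceaccount.com"

# Constructed sample of `gcloud iam service-accounts get-iam-policy $YOUR_SA --format=json`
SAMPLE_SA_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["serviceAccount:doit-caller-placeholder@example.iam.gserviceaccount.com",
                 "user:contractor@example.com"]}
  ],
  "etag": "BwXyZ=", "version": 1}""")

# Constructed sample of an org policy restricting members to one customer ID
SAMPLE_ORG_POLICY = json.loads("""{
  "constraint": "constraints/iam.allowedPolicyMemberDomains",
  "listPolicy": {"allowedValues": ["C01example"]}}""")


def token_creators(policy: dict) -> set:
    """Every member that may mint tokens for (impersonate) this service account."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == TOKEN_CREATOR:
            members.update(binding.get("members", []))
    return members


def check_impersonation_binding(policy: dict, caller_sa: str = DOIT_CALLER_SA) -> dict:
    """Confirm the DoiT caller is bound, and flag any other impersonators (least privilege)."""
    expected = f"serviceAccount:{caller_sa}"
    creators = token_creators(policy)
    return {"doit_can_impersonate": expected in creators,
            "unexpected_impersonators": sorted(creators - {expected})}


def doit_org_allowed(org_policy: dict) -> bool:
    """True if the domain-restriction policy permits DoiT's organization (or is not set)."""
    if org_policy.get("constraint") != DOMAIN_CONSTRAINT or "listPolicy" not in org_policy:
        return True  # constraint not enforced at this resource
    list_policy = org_policy["listPolicy"]
    if list_policy.get("allValues") == "ALLOW":
        return True
    return DOIT_ORG_ID in list_policy.get("allowedValues", [])
```

On the samples, the binding check reports that DoiT can impersonate but also surfaces user:contractor@example.com as an extra token creator to review, and the org-policy check fails until C03rw2ty2 is added to allowedValues.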

Update role

To add or remove features on the service account:

  1. Select the gear icon from the top navigation bar, and then select Google Cloud.

  2. Select your service account.

  3. Modify the selection of features as needed.

  4. Select Update role.

    You'll be asked to run gcloud commands to update your service account's role.

Info

For BigQuery Lens Advanced, you also need to enable Google Cloud Resource Manager API in the project where you create your service account.

Add multiple service accounts

If you have multiple Google Cloud organizations, you can create a service account for each organization to regulate which organization gets access to which features.

Remove service accounts

In case you need to remove a service account from the DoiT console and then create a new one, be aware that:

  • Removing a service account from the DoiT console also removes the related datasets and sinks created by BigQuery Lens.

  • Once the BigQuery Lens permissions are granted to the new service account, we'll re-create the sink and trigger a backfill of historical jobs, which may lead to increased costs during your service account setup.

Service accounts with account keys

If you have service accounts that use account keys (for example, because you use BigQuery Lens), we strongly recommend keeping the account keys and also allowing service account impersonation, to avoid potential connection issues.

Rotate service account keys

If you use BigQuery Lens, or for other reasons cannot switch to service account impersonation yet, rotating the service account key requires you to remove the service account from the DoiT console, create a new one, and then upload the new key JSON file.

Caution

Make sure you understand the consequences of removing service accounts from the DoiT console before proceeding.