Connect Google Cloud Organization or Project
To offer the full capabilities of the DoiT platform, DoiT requests permissions to call the Google Cloud APIs, retrieve the information used for monitoring and alerts, and, where applicable, help you act on recommendations.
Required permissions
To connect with the DoiT console:
- Your DoiT account must have the Manage Settings permission.
- Most DoiT features require permissions at the organization level. To connect a Google Cloud Organization, you must have been granted the Organization Role Administrator (roles/iam.organizationRoleAdmin) IAM role on the organization. You need this role to create custom roles and attach them to service accounts under the organization.
- A small set of feature and core functionality permissions can be granted at the project level. Project-level access applies when you want to connect projects that are not part of an already connected organization. To connect a project, you must have been granted the Role Administrator (roles/iam.roleAdmin) IAM role on the project. You need this role to create custom roles and attach them to service accounts under the project.
Service account authentication
Google Cloud supports using service accounts as identities for workloads. Starting June 2023, the preferred way to authenticate the service account for DoiT console workloads changes to service account impersonation, which mitigates the security risks associated with service account keys.
Service account impersonation involves two principals:
- The privilege-bearing service account that has the required permissions to access the target resource.
- The caller that needs to access the target resource but lacks permissions.
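The grant that ties the two principals together is the Service Account Token Creator role, bound on the privilege-bearing service account itself rather than on the project, so only that account can be impersonated by the caller. The script below is an added example, not DoiT's or Google's own code; it assumes gcloud is installed and authenticated, and every project, account and principal name it uses is a placeholder. It also includes the check a defender wants after switching to impersonation: that the impersonated account carries no user-managed keys, since those keys are the risk impersonation is meant to remove.

```shell
#!/bin/sh
# Added example (not DoiT's or Google's code): set up and verify service
# account impersonation between a caller and a privilege-bearing account.
# Assumes gcloud is installed and authenticated; all names are placeholders.

# Build a service account e-mail from its project id and short name.
sa_email() { echo "$2@$1.iam.gserviceaccount.com"; }

# Build the IAM member string for a principal of the given type.
iam_member() {
  case "$1" in
    user|group|serviceAccount) echo "$1:$2" ;;
    *) echo "unsupported principal type: $1" >&2; return 1 ;;
  esac
}

# Allow CALLER to mint tokens for TARGET_SA. The binding is placed on the
# target service account's own policy, not on the project, so the caller
# gains impersonation rights over this one account only.
grant_impersonation() {
  target_sa="$1"; caller="$2"
  gcloud iam service-accounts add-iam-policy-binding "$target_sa" \
    --member="$caller" \
    --role="roles/iam.serviceAccountTokenCreator"
}

# Obtain a short-lived access token as TARGET_SA. No key file is involved;
# the caller's own credentials are exchanged for the token.
impersonated_token() {
  gcloud auth print-access-token --impersonate-service-account="$1"
}

# Defender check: an account accessed by impersonation should have no
# user-managed keys. Prints any it finds to stderr and returns 1 if present.
assert_no_user_keys() {
  keys=$(gcloud iam service-accounts keys list --iam-account="$1" \
           --managed-by=user --format="value(name)")
  if [ -n "$keys" ]; then
    echo "user-managed keys present on $1:" >&2
    echo "$keys" >&2
    return 1
  fi
}

# Usage (placeholder names):
#   target=$(sa_email my-project-id doit-console)
#   caller=$(iam_member serviceAccount "$(sa_email my-project-id connector)")
#   grant_impersonation "$target" "$caller"
#   assert_no_user_keys "$target" && echo "no user-managed keys on $target"
#   impersonated_token "$target" >/dev/null && echo "impersonation works"
```

Tokens obtained this way are short-lived, and every impersonation is recorded in Cloud Audit Logs against both the caller and the target account, which gives a cleaner trail than a long-lived key shared between them.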