Skip to main content

Connect your Google Cloud Organization

To offer the full capabilities of the DoiT Platform, we request permissions to access the Google API and obtain information for monitoring or alerts, and help you act on recommendations if applicable.

Required permissions

  • Your DoiT account must have the Manage Settings permission.

  • You have been granted the Organization Role Administrator (roles/iam.organizationRoleAdmin) IAM role on your Google Cloud organization. You need this role to create and attach custom roles to service accounts under the organization.

Service account authentication

Google Cloud supports using service accounts as identities for workloads. Starting June 2023, the preferred way to authenticate the service account for DoiT console workloads changes to service account impersonation, which mitigates the security risks associated with service account keys.

Service account impersonation involves two principals:

  • The privilege-bearing service account that has the required permissions to access the target resource.

  • The caller that needs to access the target resource but lacks permissions.

Configure identities for DoiT workloads

When connecting DoiT console to your organization, you need to perform the following tasks to configure the identities for DoiT workloads:

  1. Create a service account with the permissions to access the relevant resources of your organization.

  2. Grant the DoiT-owned service account [email protected] (the caller) permissions to impersonate the privilege-bearing service account.

Create a service account

To create a service account:

  1. Sign in to the DoiT console, select the gear icon () from the top navigation bar, and then select Google Cloud.

  2. Under Features, in the Service account dropdown, select Connect a new organization.

    Google Cloud settings screen

  3. Select the features you want to enable on your account. You can expand features to review the required permissions.

  4. Select Connect a new organization. You'll see the gcloud commands you need to run in the DoiT console.

    If you want to use a custom name for your service account, in the Create service account command, replace doit-cmp by a custom name. Bear in mind that if you edit the service account name, you need to replace it in all subsequent commands of the procedure.

    Create service account

    Edit a service account name

    To change the name of a service account after its creation, you need to remove the service account and create a new one with the updated name.

  5. Start a Google Cloud Shell session (e.g., Launch the Cloud Shell Editor) and select a suitable Google Cloud project to create your service account.

    Select a suitable Google Cloud project
    • The project must belong to your organization.

    • The project must be connected to a Google Cloud Billing account (see Verify the billing status of your projects).

    • You intend to keep the project for the long term and make it accessible only to trusted people.

  6. Run the commands provided in the DoiT console sequentially to perform the following tasks:

    Note

    Permissions are granted on the organization level. See Security and data access policy for more information.

  7. Sign in to the Google Cloud console, go to the Roles page and verify that you have created a doit_cmp_role linked to the DoiT Service Account in your organization.

Allow service account impersonation

After creating the privilege-bearing service account of your organization, you need to grant the DoiT caller service account the Service Account Token Creator role roles/iam.serviceAccountTokenCreator to allow it to impersonate the former.

Note

If you use GCP organization policy to restrict identities by domain, make sure to whitelist the DoiT caller service account [email protected] using its Organization Resource ID C03rw2ty2 before proceeding.

Run the following command:


gcloud iam service-accounts add-iam-policy-binding $YOUR_SA --member=serviceAccount:[email protected] --role=roles/iam.serviceAccountTokenCreator

Update role

To add or remove features on the service account:

  1. Select the gear icon () from the top navigation bar, and then select Google Cloud.

  2. Select your service account.

  3. Modify the selection of features as needed.

  4. Select Update role.

    You'll be asked to run gcloud commands to update your service account's role.

Add multiple service accounts

If you have multiple Google Cloud organizations, you can create a service account for each organization to regulate which organization gets access to which features.

Note

BigQuery Lens doesn't support multiple service accounts at the moment. See Set up BigQuery Lens.

Remove service accounts

In case you need to remove a service account from the DoiT console and then create a new one, be aware that:

  • Removing a service account from the DoiT console also removes the related datasets and sinks created by BigQuery Lens.

  • Once the BigQuery Lens permissions are granted to the new service account, we'll re-create the sink and trigger historical jobs backfill, which may lead to increased costs during your service account setup.