Skip to main content

Connect Google Cloud Organization or Project

To offer the full capabilities of the DoiT platform, we request permissions to access the Google API and obtain information for monitoring or alerts, and help you act on recommendations if applicable.

Required permissions

To connect with the DoiT console:

  • Your DoiT account must have the Manage Settings permission.

  • Most of the DoiT features require permissions at the organization level. To connect a Google Cloud Organization, you must have been granted the Organization Role Administrator (roles/iam.organizationRoleAdmin) IAM role on the organization. You need this role to create and attach custom roles to service accounts under the organization.

  • A small set of feature and core functionality permissions can be granted at the project level. Project-level access applies when you want to connect projects that are not part of an already connected organization. To connect a project, you must have been granted the Role Administrator (roles/iam.RoleAdmin) IAM role on the project. You need this role to create and attach custom roles to service accounts under the project.

Service account authentication

Google Cloud supports using service accounts as identities for workloads. Starting June 2023, the preferred way to authenticate the service account for DoiT console workloads changes to service account impersonation, which mitigates the security risks associated with service account keys.

Service account impersonation involves two principals:

  • The privilege-bearing service account that has the required permissions to access the target resource.

  • The caller that needs to access the target resource but lacks permissions.

Configure identities for DoiT workloads

When connecting the DoiT console, you mainly need to perform two tasks to configure the identities for DoiT workloads:

  1. Create a service account with the permissions to access the relevant resources of your organization or project.

  2. Grant the DoiT-owned service account [email protected] (the caller) permissions to impersonate the privilege-bearing service account.

Below are the detailed configuration steps.

Connect an organization

To connect a Google Cloud organization:

  1. Sign in to the DoiT console, select the gear icon () from the top navigation bar, and then select Google Cloud.

  2. Select Connect a new organization.

    Google Cloud settings empty

  3. Select the features you want to enable for the organization. You can expand features to review the required permissions.

    Google Cloud settings new organization

  4. Select Generate gcloud commands. The generated gcloud commands you need to run will be displayed in the DoiT console.

    Create service account

  5. Launch a Google Cloud Shell session (see Launch Cloud Shell).

  6. Select a Google Cloud project that meets the following conditions:

    • The project belongs to your organization.

    • The project is connected to a Google Cloud Billing account (see Verify the billing status of your projects).

    • You intend to keep the project for the long term and restrict its access only to trusted people.

  7. Run the commands provided in the DoiT console sequentially:

    1. Create a new service account in the current project.

      • If you want a custom name for the service account, replace doit-cmp with the desired name in the Create service account command and all the relevant subsequent commands.

      • To change the name of a service account after its creation, remove the service account and create a new one with the updated name.

    2. Enable service usage API and resource manager API in the current project.

    3. Get your Google IAM organization ID and then create a custom role with the permissions required by your chosen features.

    4. Add a policy binding with the custom role for the new service account under the organization. Permissions are granted at the organization level. See Security and data access policy for more information.

    5. Grant the DoiT caller service account the Service Account Token Creator role roles/iam.serviceAccountTokenCreator to allow it to impersonate the former.

      Note

      If you use GCP organization policy to restrict identities by domain, make sure to whitelist the DoiT caller service account [email protected] using its Organization Resource ID C03rw2ty2 before proceeding.

  8. Sign in to the Google Cloud console, go to the Roles page and verify that you have created a doit_cmp_role linked to the DoiT Service Account in your organization.

Connect a project

Feature availability

Only limited features work with permissions at the project level. To enable other features, connect an organization instead.

To connect an project:

  1. Sign in to the DoiT console, select the gear icon () from the top navigation bar, and then select Google Cloud.

  2. Select Connect a new project.

  3. Select the features you want to enable for your project. You can expand features to review the required permissions.

    Google Cloud settings new project

  4. Select Generate gcloud commands. The generated gcloud commands you need to run will be displayed in the DoiT console.

    Create service account

  5. Launch a Google Cloud Shell session (see Launch Cloud Shell) and select the project you want to connect.

  6. Run the commands provided in the DoiT console sequentially:

    1. Get your Google IAM Project ID and create a new service account in the project.

      • If you want a custom name for the service account, replace doit-cmp with the desired name in the Create service account command and all the relevant subsequent commands.

      • To change the name of a service account after its creation, remove the service account and create a new one with the updated name.

    2. Enable service usage API and resource manager API in the project.

    3. Create a custom role with the permissions required by your chosen features.

    4. Add a policy binding with the custom role for the new service account. Permissions are granted at the project level. See Security and data access policy for more information.

    5. Grant the DoiT caller service account the Service Account Token Creator role roles/iam.serviceAccountTokenCreator to allow it to impersonate the former.

      Note

      If you use GCP organization policy to restrict identities by domain, make sure to whitelist the DoiT caller service account [email protected] using its Organization Resource ID C03rw2ty2 before proceeding.

  7. Sign in to the Google Cloud console, go to the Roles page and verify that you have created a doit_cmp_role linked to the DoiT Service Account in your project.

Update role

To add or remove features on an organization or project:

  1. Select the gear icon () from the top navigation bar, and then select Google Cloud.

  2. Select the three-dot menu next to the organization or project you want to update, and then select Edit.

  3. Modify the selection of features as needed.

  4. Select Update role.

    You'll be asked to run gcloud commands to update your service account's role.

Add multiple organizations or projects

If you have multiple Google Cloud organizations or projects, connect each separately to regulate which organization or project has access to specific features.

Note that BigQuery Lens doesn't support multiple service accounts at the moment. See Set up BigQuery Lens.

Remove service accounts

In case you need to remove a service account under a connected organization from the DoiT console and then create a new one, be aware that:

  • Removing a service account from the DoiT console also removes the related datasets and sinks created by BigQuery Lens.

  • Once the BigQuery Lens permissions are granted to the new service account, we'll re-create the sink and trigger historical jobs backfill, which may lead to increased costs during your service account setup.

Last updated on