Support access to Google Cloud
DoiT provides complete transparency when accessing your Google Cloud environment.
When you open a technical support request with DoiT International, we may occasionally need to access your Cloud environment to help you effectively. This document describes how to grant access and how access control works.
We access your Google Cloud environment solely to provide technical support as outlined in our contract. We do not access your environment for any other purpose and never have access to resources beyond the scope of an active support request.
Key points
- We only access your Google Cloud environment to provide technical support per our contractual obligations. We never access your Google Cloud environment for any other reason.
- Support engineers do not have write access to your Google Cloud environment. The only exception is that, if you use Google Cloud Direct Support, we can raise Google Cloud support requests on your behalf.
Grant access
When creating a new service request with DoiT, you will be prompted to grant DoiT access to the Google Cloud project that you specified in your request.
A typical access grant is implemented with a gcloud command. The access is view-only and limited to the support engineers handling your request. The requested role is the Viewer role.
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member="group:[email protected]" \
--role=roles/viewer --condition=None
For example, to add an IAM policy binding for the group assigned to service request #1234 on the Google Cloud project example-project-id, run:
gcloud projects add-iam-policy-binding example-project-id \
--member="group:[email protected]" \
--role=roles/viewer --condition=None
In some cases, your issue may not be limited to one project and we may request access to your entire organization. In these cases, we usually request the following roles:
- Viewer (roles/viewer)
- Browser (roles/browser)
- Security Reviewer (roles/iam.securityReviewer)
- BigQuery Resource Viewer (roles/bigquery.resourceViewer)
However, the engineer may decide to request additional or different roles depending on the nature of the issue. These permissions are never granted automatically; you retain full control over which roles are granted.
DoiT workspace customer ID
If you use GCP organization policy to restrict identities by domain, make sure to whitelist cre.doit-intl.com using the DoiT Google Workspace customer ID C04eumws5.
Revoke access
Support access is automatically revoked for security reasons when the support request is resolved. The next time you create a support request, you will need to grant our support engineers access again.
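To check what a support grant currently holds on a project, the following added example (not DoiT's own tooling) reads the JSON produced by `gcloud projects get-iam-policy PROJECT_ID --format=json` and lists every binding whose member is in cre.doit-intl.com, marking roles outside the four named on this page for review. It assumes support groups live in that domain; the sample policy and its group name are constructed placeholders.

```python
import json

# Roles this page names for support access (project and organization level).
EXPECTED_ROLES = {
    "roles/viewer",
    "roles/browser",
    "roles/iam.securityReviewer",
    "roles/bigquery.resourceViewer",
}
# Assumption: support groups live in the domain the page says to whitelist.
SUPPORT_DOMAIN = "cre.doit-intl.com"


def audit_support_bindings(policy, domain=SUPPORT_DOMAIN):
    """Return (member, role, status, condition_title) per binding member in `domain`."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        condition = binding.get("condition", {}).get("title")
        for member in binding.get("members", []):
            # Members look like "group:name@domain"; deleted principals look
            # like "deleted:group:name@domain?uid=123".
            address = member.split("?", 1)[0].rsplit(":", 1)[-1].lower()
            if not (address.endswith("@" + domain) or address == domain):
                continue
            status = "expected" if role in EXPECTED_ROLES else "review"
            findings.append((member, role, status, condition))
    return findings


# Constructed sample policy; the group name is a placeholder, not a real DoiT group.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/viewer",
     "members": ["group:ticket-placeholder@cre.doit-intl.com", "user:alice@example.com"]},
    {"role": "roles/editor",
     "members": ["group:ticket-placeholder@cre.doit-intl.com"]},
    {"role": "roles/owner", "members": ["user:admin@example.com"]}
  ],
  "version": 1
}
""")

if __name__ == "__main__":
    for member, role, status, condition in audit_support_bindings(SAMPLE_POLICY):
        print(f"{status:8} {role:32} {member} condition={condition}")
```

Running the same check after a request is resolved shows whether any binding for the support domain is still present in the policy.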