Moved to pbmm-on-gcp-onboarding
There are two primary checklists to work through when onboarding to Google Cloud:
https://cloud.google.com/billing/docs/onboarding-checklist
https://cloud.google.com/docs/enterprise/setup-checklist
# Google Cloud Onboarding Categories
There are two types of Google Cloud accounts: Workspace and Cloud Identity. Cloud Identity accounts come in two flavours depending on where the mailbox lives: a Gmail address, or a 3rd-party email system (such as AWS WorkMail). There are three DNS zone configurations: none, Google Domains, or a 3rd-party DNS host (such as AWS Route53). Counting Workspace, Cloud Identity with Gmail and Cloud Identity with 3rd-party email as three account types, that gives 3 x 3 = 9 onboarding categories.
Workspace accounts can also contain Cloud Identity accounts.
This category is the common use case: a Workspace account and a GCP organization domain hosted on Google Domains.
This category is where the client uses their own email system but hosts the organization domain with GCP.
This Cloud Identity category is where the client uses a new Gmail address with optional redirect records on a GCP-hosted domain for their organization. Here the Gmail address is a formality; you could use your own 3rd-party email instead.
We will be using a domain owned by another Google account as the organization domain for the new account (at this point Google Domains is the DNS zone).
Start with an incognito Chrome window and go to https://accounts.google.com/SignUpWithoutGmail
create your new cloud identity account
select new gmail
fill in the account details
verify MFA
gmail account created
Check account
Start a new chrome profile for the initial gmail account
Sign in
Select account
Choose gmail account
Goto console.cloud.google.com
We won't be using this account, but let's verify we don't have an organization yet.
Goto IAM
Check Identity & Organization
Verify no organization rights yet
Scroll down to add a new cloud identity account
Select I am a new customer
Start the cloud identity wizard
fill in your org
use the gmail account as base - or your own email
Here the domain name is important. Usually you will not verify or use the base domain; create a subdomain like gcp.* instead. Here business name = domain.
See the same subdomain (from the business name). Notice the warning on email redirection; we will set this up in the domain owner account.
Switch windows to the account owning the domain and select Email on the left. There is no email forwarding record yet.
Fill in the email forwarding to your Gmail address, using the super admin address you will create later in Cloud Identity.
View the change. We will test propagation (usually less than 1 min): click "send test email".
This opens Gmail; click verify. Don't worry that this Gmail account is not the one owning the domain; the test email will still be sent.
You can ignore the domains check; it is not the right Chrome account.
Send your own test email to verify the redirect, from the new super admin address to your email.
Check the email was forwarded to gmail
Go back to the cloud identity wizard and click next to get to the new super admin account setup
accept the new account
verify account
Click the setup button
Sign in to your cloud identity super admin account
Accept MFA
Cloud identity account created
Here we setup the organization and domain verify - click verify
Check "Switch verification method": there are two methods, and we will use a TXT record. You can email or copy this code manually.
select TXT
Copy the TXT verification text
In the account owning the domain (after switching windows, or after sending the record to IT), go back to your DNS zone records (Google Domains or AWS Route53).
Add a custom record: put the "gcp" subdomain in the host name, select type TXT, and paste the verification string in the data field.
Add record page - scroll down
Select "Verify domain" and wait for DNS propagation (usually under 1 min).
Notice the domain record being checked; we will check ourselves with dig.
Run a dig TXT query on the subdomain and confirm the google-site-verification string is in the answer.
Cloud identity screen will change to "verified"
log into your new cloud identity super admin account using console.cloud.google.com
The organization is auto-created the first time you enter IAM.
Try selecting a project - better to create a new chrome profile to see the org
Create new chrome profile for the user (to get away from the gmail bootstrap account)
Sign in
Select profile
Goto admin.google.com to verify SA user and subdomain
Login to console.cloud.google.com - goto IAM - select a project - notice the organization dropdown
Select the new organization
View IAM super admin has the organization administrator role
This category is common for organizations new to GCP or multicloud where both the email system and DNS hosting zone are 3rd party
Usually copy/paste or email
- Using the original super admin/owner, create another Cloud Identity account with an email address on the organization domain, with an optional email forward to their work mailbox. Grant rights such as Owner or Folder Admin to this second (and subsequent) user; when they log in to console.cloud.google.com they will already have access to the organization (no domain validation required).
goto the admin page at admin.google.com
Add the new user - using an existing super admin user
send login instructions - with temp password
Start with an incognito Chrome window
launch accounts.google.com
Login to new user
new account splash
auto change password
view new account
select profile picture on top right - add (to get a new chrome profile for the user)
login again
accept profile
Navigate to the cloud at console.cloud.google.com
Accept the license
View that you are already on the existing organization (no DNS verify required)
Attempt to create a project - switch to the org
Select the organization. It is normal not to have a higher role yet; we will set one with the super admin user.
verify you don't have rights yet to the organization
check the onboarding checklist to verify
Yes, you don't have the rights yet
Switch tabs to the other super admin user - goto IAM to verify roles
Add the new user to the Owner role for now. In practice prefer narrower roles such as Folder Creator and Organization Administrator: a roles/owner binding at the organization level is inherited by every folder and project beneath it.
Verify the user 2 role change
back at user 2 navigate to IAM | cloud identity | verify your new rights
Notice you now have rights to the organization - good to go
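The console clicks above can be scripted and, more usefully, verified. The following is an added example (not from the original page or the pbmm-on-gcp-onboarding repository) that grants the narrower org-level roles instead of Owner and then checks, from a flattened `gcloud organizations get-iam-policy` dump, which roles a member still lacks and whether it holds roles/owner at the org. The organization ID, the member addresses and the SAMPLE_BINDINGS policy dump are placeholders constructed for the example.

```shell
#!/usr/bin/env bash
# Added example; ORG_ID and the member addresses are placeholders, not values from the page.
set -eu

# Narrow org-level roles to grant instead of roles/owner
# (the page's "Folder creator" and "Organization Administrator").
ORG_ROLES="roles/resourcemanager.folderCreator roles/resourcemanager.organizationAdmin"
TAB=$(printf '\t')

# Grant each role in ORG_ROLES to a member at the organization level.
# Usage: grant_org_roles 123456789012 user:user2@gcp.example.com
grant_org_roles() { # org_id member
  local role
  for role in $ORG_ROLES; do
    gcloud organizations add-iam-policy-binding "$1" \
      --member="$2" --role="$role" --condition=None
  done
}

# Flatten the org policy into "role<TAB>member" lines, one per binding member.
list_org_bindings() { # org_id
  gcloud organizations get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --format="value(bindings.role,bindings.members)"
}

# Print the roles from ORG_ROLES that the member does not yet hold
# (empty output means every expected role is bound).
missing_roles() { # bindings member
  local role missing=""
  for role in $ORG_ROLES; do
    if ! printf '%s\n' "$1" | grep -qxF "${role}${TAB}$2"; then
      missing="${missing} ${role}"
    fi
  done
  printf '%s' "${missing# }"
}

# Exit 0 if the member holds roles/owner at the organization level,
# i.e. the temporary grant the page suggests, which should be removed later.
has_org_owner() { # bindings member
  printf '%s\n' "$1" | grep -qxF "roles/owner${TAB}$2"
}

# Constructed sample of list_org_bindings output, used for offline checking.
SAMPLE_BINDINGS=$(printf 'roles/resourcemanager.organizationAdmin\tuser:admin@gcp.example.com\nroles/resourcemanager.folderCreator\tuser:admin@gcp.example.com\nroles/resourcemanager.folderCreator\tuser:user2@gcp.example.com\nroles/owner\tuser:user2@gcp.example.com\n')

# Live use after granting, with a real ORG_ID:
#   bindings=$(list_org_bindings "$ORG_ID")
#   missing_roles "$bindings" user:user2@gcp.example.com
#   has_org_owner "$bindings" user:user2@gcp.example.com && echo "still Owner at org level"
```

The `--condition=None` flag avoids the interactive prompt gcloud otherwise shows for policies with conditional bindings; the flattened `value(...)` format prints one tab-separated role/member pair per line, which is what the two check functions parse.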
This category is a variant of category 3: a Gmail account with optional redirect, where the organization zone records are on a 3rd-party DNS system.
This category is common for individual consumers who have neither a Gmail account nor a domain. This option will not have an organization top node in IAM.
This category is common for individual consumers who have a Gmail account but no domain. This option will not have an organization top node in IAM.
Google Cloud Identity accounts are ideal for organizations where user identities are maintained outside Google Cloud, for example in AWS WorkMail or Azure Active Directory.
Create or gain access to the domain you wish to associate or federate users from. For example packet.global.
You will need access to the domain zone to add TXT records for domain validation under a subdomain like gcp.packet.global
Open Chrome Window with no Google Account
Onboarding to Google Cloud using a cloud identity account and a 3rd party managed domain - AWS Route53
.. continuing from "open chrome window" above
Launch SignUpWithoutGmail - select gmail
https://accounts.google.com/SignUpWithoutGmail
Select gmail, register and launch a new browser - add new account - login
Create your Google Account (gmail)
launch google cloud
https://console.cloud.google.com/
Do not select an org yet: the domain under GCP registration does not have an email address yet and is not registered with Workspace.
You will not be able to run the organization checklist as a Gmail user: https://console.cloud.google.com/cloud-setup/organization
Add Cloud Identity free in
https://cloud.google.com/identity/docs/set-up-cloud-identity-admin
follow
https://workspace.google.com/signup/gcpidentity/welcome#0
add your gmail address and GCP domain
Add email capability https://support.google.com/cloudidentity/answer/7667994
Select the email left tab on https://domains.google.com/registrar/eventstream.dev/email?hl=en-US
Select email forwarding to your gmail account
Launch gmail to verify email - don't worry it will launch domains in your current gmail account - verify that the verify worked in your other account that holds the domain registration
Check email forwarding on the DNS tab
Wait about 30 seconds for DNS record propagation, then recheck the Cloud Identity wizard warning about missing email MX records.
continue wizard regardless of warning - use your new email forward address
https://workspace.google.com/signup/gcpidentity/tos
goto setup after creation
Launch admin
Since I have used this phone a couple times - get past the unusual activity dialog
Identity account OK
select getting started
https://admin.google.com/u/1/ac/signup/setup/v2/gettingstarted
Verify domain: the sign-in option will not work in this browser, because the domain is registered on another account. Instead select "Switch Verification Method" and choose the second option, TXT.
add the TXT record
Click Verify back on the admin page
The org in this case will be created automatically when you click the link below. No subdomain is used here because the root domain is not already verified by another Google account. A zone can hold more than one TXT record, so an existing root TXT record (an SPF record, for example) does not by itself force a subdomain; the reason to use one such as gcp.domain.com is that a domain can be the primary domain of only one Workspace or Cloud Identity account, and the subdomain leaves the root domain with its existing owner.
org is setup as the TXT record is against the root domain on the separate GCP account
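Both TXT verification walkthroughs on this page (the Google Domains/Route53 steps in the first category and the Route53 steps just above) end with the same two actions: publish the google-site-verification TXT record and confirm with dig that it has propagated before clicking Verify. The following is an added example, not code from the page or the pbmm-on-gcp-onboarding repository, that builds the Route53 change batch for the record, applies it with the AWS CLI, and polls dig for the expected token. The hosted zone ID, the FQDN gcp.example.com, the token EXAMPLE_TOKEN_abc123 and the SAMPLE_DIG_OUTPUT lines are all constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example; zone ID, domain and token below are placeholders, not values from the page.
set -eu

# Build the Route53 change batch that upserts the google-site-verification TXT record.
# Route53 requires the TXT value itself to be wrapped in double quotes inside the JSON string.
# Usage: route53_txt_change_batch gcp.example.com EXAMPLE_TOKEN_abc123
route53_txt_change_batch() { # fqdn token
  cat <<EOF
{"Comment":"Cloud Identity domain verification","Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"$1.","Type":"TXT","TTL":60,"ResourceRecords":[{"Value":"\"google-site-verification=$2\""}]}}]}
EOF
}

# Apply the change batch to a hosted zone (needs AWS credentials with route53:ChangeResourceRecordSets).
apply_route53_txt() { # zone_id fqdn token
  aws route53 change-resource-record-sets \
    --hosted-zone-id "$1" \
    --change-batch "$(route53_txt_change_batch "$2" "$3")"
}

# Pure check: does `dig +short TXT` output contain the expected token?
# dig prints each TXT string quoted, so the match is on the whole quoted line.
txt_has_token() { # dig_output token
  printf '%s\n' "$1" | grep -qxF "\"google-site-verification=$2\""
}

# Poll until the record is visible, then it is safe to click "Verify domain".
# Google checks with its own resolvers, so a cached negative answer on your side
# is not a verification failure; a visible record here is a good-enough signal.
wait_for_txt() { # fqdn token [attempts]
  local fqdn="$1" token="$2" tries="${3:-12}" i out
  for i in $(seq 1 "$tries"); do
    out=$(dig +short TXT "$fqdn" || true)
    if txt_has_token "$out" "$token"; then
      echo "verified: $fqdn carries the token"
      return 0
    fi
    sleep 5
  done
  echo "token not visible on $fqdn after $tries attempts" >&2
  return 1
}

# Constructed sample of `dig +short TXT gcp.example.com` output for offline checking:
# one unrelated SPF record plus the verification record.
SAMPLE_DIG_OUTPUT=$(printf '"v=spf1 -all"\n"google-site-verification=EXAMPLE_TOKEN_abc123"\n')

# Live use:
#   apply_route53_txt Z0123456789EXAMPLE gcp.example.com EXAMPLE_TOKEN_abc123
#   wait_for_txt gcp.example.com EXAMPLE_TOKEN_abc123
```

The same `wait_for_txt` check works when the zone is on Google Domains: only the record-creation step differs, and the point is to confirm the answer from DNS before letting the Cloud Identity wizard query it.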
https://accounts.google.com/SignUpWithoutGmail
Fill in the form with an existing email address outside of Google
Launch from step 2 of the IAM | Cloud Identity & Organization | checklist https://console.cloud.google.com/cloud-setup/organization