Cloud Identity Beta Overview

Mike Kahn
Google Cloud - Community
4 min read · Aug 31, 2017

Cloud Identity is identity as a service (IDaaS) for Google Cloud Platform. If you are already familiar with GCP IAM, Cloud Identity adds extended organizational user management features for organizations using GCP resources. Think Active Directory or G Suite without Gmail, Drive or Apps: just the user services and admin controls, at no additional cost to GCP projects. Most interesting to me, Cloud Identity allows organizations to migrate outlier GCP billing accounts and projects that were set up by individuals or teams into an owned organizational domain to meet corporate security or compliance requirements.

Getting Started

With your active GCP account, after you sign up for Cloud Identity in IAM and admin -> Identity you will have to verify your domain ownership. If you have set up Analytics or AdWords it's the same process: upload an HTML file to the root of the domain's web server or add a meta tag in the index page.

Migrate an Individual Account's Project

As I mentioned, my favorite thing about Cloud Identity is that it allows you to migrate personal GCP projects and billing accounts into an organization. So say you have a few teams in your organization using their own credit cards and their own email accounts for GCP projects. Now you can corral and organize those accounts under one domain.

In order to move a project from a non-domain (personal) GCP account, you need the main admin account (destination) to be added as an Owner in the source GCP account. In my case my admin account is admin@mikekahn.net and my source is my personal Gmail GCP account with the project mike-kahn-sandbox.

Adding the organizational admin account to the individual project

After the main admin account is added to the source project in the individual's account, the main admin can view the project. The next step is to migrate that project to the domain. Go to the project view, select the project and click Migrate.

Now you can see my personal GCP sandbox project in the newly created organization.

Personal GCP project migrated to the newly created organization

Note this only changes the project's ownership and hierarchy. In the case above, billing would not be moved to my domain account, only the project. The next step would be to migrate existing billing accounts to the domain.

❗️To complete the migration, don't forget to remove the source project user ID, probably the individual's personal email account, from the migrated project's IAM. This ensures that the project is fully moved over to the new organization.
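
A way to verify that last step, added here as an example and not part of the original post: given the JSON that `gcloud projects get-iam-policy PROJECT --format=json` emits, it lists every human principal outside the organization's domain that still holds a role, and in particular any that still hold Owner. The sample policy is constructed; the domain and project name are the ones from this post, the other principals are made up.

```python
import json

# Constructed sample in the shape `gcloud projects get-iam-policy <project> --format=json`
# returns. Domain and project name are from the post; the other principals are made up.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:admin@mikekahn.net", "user:mike.personal@gmail.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:build@mike-kahn-sandbox.iam.gserviceaccount.com",
                     "group:devs@mikekahn.net"]},
        {"role": "roles/viewer",
         "members": ["user:contractor@example.org", "allAuthenticatedUsers"]},
    ],
    "etag": "BwXyz123",
    "version": 1,
})

ORG_DOMAIN = "mikekahn.net"


def outside_principals(policy_json, org_domain):
    """Return (role, member) pairs for principals the organization does not control.

    Service accounts are skipped: they are project-scoped, not personal identities.
    Users and groups outside org_domain are reported, as are the public principals
    allUsers / allAuthenticatedUsers, since both grant access to outside identities.
    """
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            kind, _, ident = member.partition(":")
            if kind == "serviceAccount":
                continue
            if kind in ("user", "group"):
                if ident.lower().rsplit("@", 1)[-1] != org_domain.lower():
                    findings.append((binding["role"], member))
            elif member in ("allUsers", "allAuthenticatedUsers"):
                findings.append((binding["role"], member))
    return findings


def stale_owners(policy_json, org_domain):
    """The post-migration check: outside-domain principals still holding roles/owner."""
    return [m for role, m in outside_principals(policy_json, org_domain) if role == "roles/owner"]


if __name__ == "__main__":
    for role, member in outside_principals(SAMPLE_POLICY, ORG_DOMAIN):
        print(f"{role:14} {member}")
```

On a real project, feed it the output of `gcloud projects get-iam-policy mike-kahn-sandbox --format=json` instead of the constructed sample.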

You have a few options here when migrating projects to the organization. If you wish, you can keep billing in the individual's account and only migrate the project and take ownership of it. This scenario could apply if the individual is expensing resources for their team on their corporate card but corporate security still requires ownership of the cloud project.

Read more: Migrating Existing Projects into the Organization

Another Layer of User Administration

If your organization is using another main identity management platform such as LDAP or AD, you can still use Cloud Identity today to help organize multiple GCP projects in your company or try out G Suite with your team. You can also use Google Cloud Directory Sync (GCDS) to keep Cloud Identity consistent with your AD or LDAP server. More info on GCDS here.

Google Admin with Cloud Identity is like G Suite without the apps. If you decide you want to start using Docs, Drive, and other G Suite services, you can easily add them within Google Admin for the company and domain you just created. G Suite Basic starts around $6 per user account.

As of writing this article, Cloud Identity is a free subscription that can be cancelled at any time.

Cloud Identity is an excellent new feature of GCP to help organize multiple individuals' or teams' GCP projects and cloud platform users in your organization. Cloud Identity can help your organization comply with corporate security or compliance policies for cloud users and resources. If you have an existing identity management system such as AD or LDAP set up in your organization, you can still use Cloud Identity and synchronize the two if you wish.

More details:
Google Cloud Platform Identity and Access Management
What is Cloud Identity
Compare Cloud Identity features
