Onboarding GCP Projects to CloudLabs
Overview
We will learn how to set up and onboard GCP accounts to the CloudLabs AI platform.
Pre-requisites:
- A valid domain, e.g. cloudlabsgcporg01.com
- A valid Google account to log in to the Console and set up an Organization
Getting Started
Setting up a Google Account
A Google account can be set up by visiting the Google Account Sign-in Page.
For detailed steps on setting up a Google account, follow Creating a Google Account.
Purchasing a domain
The domain purchase and set-up can be carried out through different Cloud Providers. Refer to the links below to set up a custom domain in the various clouds:
Creating a custom domain in GCP
Creating a custom domain in AWS
Creating a custom domain in Azure
In case of any issues in purchasing or registering a domain, please reach out to the CloudLabs Team; we will be happy to assist.
Once the domain is purchased, we will proceed with the next steps of setting up a GCP organization.
Setting up an Organization in GCP
To begin with the setup of the Organization, navigate to Google Cloud Platform
Login to the Google Cloud Platform Console with the valid Google account.
On the left side of the page, open IAM (Identity & Access Management)(1), then locate & click on Identity & Organization(2).
Select Go to Checklist(1) & click on Begin The setup(2)
Select I am a new customer & click on Sign up for Cloud Identity
It will take you to a new page to fill in your Business details. Provide the required details (Business name(1), Number of Employees(2), Region(3)) and then click on Next(4)
Provide the contact details. First Name(1), Last Name(2), Current Email Address(3), Business Phone Number(4), and then click on Next(5)
Provide the details of the valid domain.
Confirm the domain & click Next.
Create an admin user(1) and password(2), then click on Agree and Continue(3). Save these credentials, as this username & password will be used to access the new Organization.
Verify the Cloud Identity account creation & click on Continue to setup
After clicking on Continue to setup, you will be redirected to the newly set-up GCP organization, where you need to click on Protect.
Here you will find the instructions to navigate to the Domain Host; scroll down & click on Go to Step2.
In this step you will receive the TXT record details, which you need to add to the newly purchased domain. Once the record is added, navigate back to the record verification tab & click on Protect Domain.
Once the above step is initiated, domain verification may take up to 5 minutes. Once the domain is verified, you will see a green check on the screen stating that your Domain is Verified. After verification, click on Continue.
You will be redirected to the Google Admin Console, where you can add users (this is optional), but it is important to verify that the admin user is present in the console.
Now use the credentials that were set up in Step-9 to log in to the GCP console, navigate to the left side of the page, locate IAM >> Identity & Organization, and continue with the next steps.
Set up Users & Groups. Adding groups helps you manage users at scale, and defining users helps you grant granular access to specific Google Cloud resources and prevent access to other resources.
Select default users & groups & continue:
Next you will be asked to set up access for the users. Here you must grant administrative access on all services to the admin user, while providing restricted, fine-grained access to the other users created in Step-15.
Once the Admin user has been granted all administrative access, click on Mark Task As Completed
Organization setup is done. Next we will learn about enabling a billing account & creating projects in GCP.
Sign in to the Manage billing accounts page in the Google Cloud console.
Click Create account.
Enter the Name of the Cloud Billing account.
Depending on your configuration, you will also need to select one of the following:
- Organization: If prompted, select an Organization from the drop-down menu.
- Country: Select the country corresponding to your billing mailing address.
- Currency
- Business the billing account will pay for.
Note: The selected country determines payment options and currency. This choice is permanent.
Click Continue.
Choose the Google payments profile that will be associated with this Cloud Billing account. A payments profile is shared and used across all Google products (such as Google Workspace, Google Cloud, Google Fi, and more). You can choose an existing Google payments profile, or create a new payments profile. If you choose to create one, follow the instructions on the screen to set up your Google payments profile.
Selecting Account Type
If you are creating a new Google payments profile, when setting your Account type, be aware that this setting is permanent and may be used for tax (such as value-added tax (VAT)) and identity verification.
If this is for a business, organization, partnership, or educational institution, or if you want more than one person to have access to the profile, select Business. Otherwise, select Individual.
If you are choosing an existing Google payments profile to be associated with this Cloud Billing account, select a Business profile for Cloud account.
Specify the payment method (debit card or credit card) that will be used for billing purposes, then click on Submit and Enable Billing.
Now you can see the newly created billing account under Billing >> Manage account.
Creating Projects in GCP
A project organizes all your Google Cloud resources. This project forms the basis for creating, enabling, and using all Google Cloud services, including managing APIs, enabling billing, adding & removing collaborators, and managing permissions. We will learn more about different ways to create a GCP project.
Creating Projects using GCP Console
Log in to the GCP Console & Navigate to the Project Selector Tab (1) & click on New Project (2).
Fill in the required details including the Billing Account Details & click on Create.
Creating Projects using Cloud Shell
To create projects through Cloud Shell, you need to activate Cloud Shell from the top right corner of the GCP console.
Once Cloud Shell opens, modify the following commands as per the actual naming & details and run them.
gcloud projects create PROJECT_ID --organization=ORGANIZATION_ID
gcloud projects create PROJECT_ID --folder=FOLDER_ID
gcloud billing projects link my-project --billing-account 0X0X0X-0X0X0X-0X0X0X
Run the first command when you wish to create a project directly under an organization. Run the second command when you wish to create a project under a folder. The third command associates your newly created project with the billing account.
Note: You can create projects in bulk by creating a shell script file with the above commands for all the projects, saving it in the editor then directly running it in the terminal.
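The bulk approach from the note above, as an added example (not a CloudLabs or Google script): it reads project IDs from a list, rejects IDs that break GCP's project ID rules before anything is sent to gcloud, and only prints the commands unless DRY_RUN=0 is set. The function names, the DRY_RUN, PARENT_FLAG and BILLING_ACCOUNT variables, and the sample project names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: bulk project creation with ID validation and a dry-run default.
LC_ALL=C; export LC_ALL                               # byte-exact [a-z] ranges
: "${PARENT_FLAG:=--organization=ORGANIZATION_ID}"    # or --folder=FOLDER_ID
: "${BILLING_ACCOUNT:=0X0X0X-0X0X0X-0X0X0X}"          # placeholder from this page
: "${DRY_RUN:=1}"                                     # 1 = print only, 0 = execute

# GCP project IDs: 6-30 characters, lowercase letters, digits and hyphens,
# starting with a letter and not ending with a hyphen.
valid_project_id() {
  [ "${#1}" -ge 6 ] && [ "${#1}" -le 30 ] || return 1
  case $1 in
    [!a-z]*|*-|*[!a-z0-9-]*) return 1 ;;
  esac
  return 0
}

# Print the command in dry-run mode; otherwise run it as an argument vector
# (no eval), with stdin detached so gcloud cannot consume the ID list.
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@" </dev/null; fi
}

# Link billing only if the project was actually created.
create_project() {
  run gcloud projects create "$1" "$PARENT_FLAG" &&
    run gcloud billing projects link "$1" --billing-account "$BILLING_ACCOUNT"
}

# Read project IDs from stdin, one per line; blank lines and '#' comments are
# ignored. Returns non-zero if any ID was rejected or any gcloud call failed.
bulk_create() {
  failed=0
  while IFS= read -r id; do
    case $id in ''|'#'*) continue ;; esac
    valid_project_id "$id" || { echo "skip: invalid ID '$id'" >&2; failed=1; continue; }
    create_project "$id" || { echo "failed: $id" >&2; failed=1; }
  done
  return "$failed"
}

# Constructed sample list; the second entry is deliberately invalid.
bulk_create <<'EOF' || echo "some entries were skipped or failed" >&2
cloudlabs-lab-001
CloudLabs_Lab_2
cloudlabs-lab-003
EOF
```

Review the dry-run output first, then rerun with DRY_RUN=0 and the real PARENT_FLAG and BILLING_ACCOUNT values exported.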
Onboarding GCP Organization to CloudLabs
Select the Subscriptions tab from the right-hand menu and then click on + ADD button to add subscription group for GCP accounts.
Create a subscription group by filling in the following details:
- Group Name: Test-GCP-xxx
- Description: Provide the Description of the Subscription group.
- Cloud Platform: Choose Google Cloud Platform from the drop-down.
- Subscription Type: Choose the Subscription type as Dedicated Subscription.
- Cloud Provider Billing Type: Choose Google Cloud Platform(GCP) from the drop-down.
- Labs Rate Card: Choose GCP from the drop-down.
- Then, Click on the Submit Button.
Click on the settings Icon to the right of the Subscription group name you just created.
Click on + ADD ACCOUNT to add subscription to the subscription group.
Here we are required to add the Project Name, Organization Id, Organization Domain Name, Billing Account Id, Admin User Name, Service Account Key, App Secret Expiry Date, and App Secret Key Identifier. Once these details are provided, click on SUBMIT. You can repeat the steps (1) to (5) if you have more subscriptions to onboard.
Note: If you need to onboard the subscriptions in BULK, you can share these details with us, and we'll be happy to assist you with the backend onboarding.
Steps to Create a Billing Report in GCP
Login to GCP Console
In the Search bar, search for Billing and Navigate to the billing dashboard.
Select appropriate billing account.
Locate & select Billing Export (left panel)(1), choose the admin project, select the Dataset Id(2) option, click on “Create new datasetId(3)” & then click on Ok(4).
Enter the DatasetId: cloudlabsds, then click on “Create Dataset”.
Click on “Save”.
Confirm the details provided related to Dataset.
Please create an Excel file with the details below and send it over to CloudLabs so we can start generating reports.
- OrganisationId: [root account Id]
- AccessKey: [access key of database user]
- SecretKey: [secret key of database user]
- DatasetId: [Dataset Id of Project]
Navigate to the Admin Project.
Once the reports are generated, you can search for BigQuery in the search bar and click on BigQuery.
In the BigQuery dashboard, locate your admin project(1), expand Dataset(2), then find & click on the Table(3) where your cost details are exported and saved.
You can query your Dataset and fetch the required details. Click on Query and select the option In new tab.
Enter the SQL Query based on your requirements and then click on Run to get the details.
Important Customizations in the Admin Console
Google Cloud Platform has a very strict monitoring process for unusual activity and account compromise, so Google specifies a set of rules that send alerts to its alert center when any such activity is encountered. Since we provide GCP sandbox environments to users, many users are created and deleted every day, which Google also detects as suspicious activity. To avoid such issues, we need to disable a few of the alerts in the Admin console. We will learn more about disabling these alerts in the upcoming steps.
Enabling/Disabling alert rules
Log in to the GCP Admin Console
Navigate to the left side of the page, then locate & click on Rules.
Here we need to disable alerts for some rules as given below:
- User suspended due to suspicious activity.
- Suspicious login.
- User suspended.
- User's Admin privilege revoked.
- User suspended(by admin).
- User granted Admin privilege.
- User deleted.
- TLS failure.
- Suspended user made active.
- Smarthost failure.
- Rate limited recipient.
- New user added.
- Mobile settings changed.
- Exchange journaling failure.
- Email settings changed.
- Drive settings changed.
- Calendar settings changed.
- Apps outage alert.
Note: The above-mentioned rules have been listed based on our requirements for hosting GCP sandbox environments. You can update these rules according to your own requirements.
As an example, here we will disable one alert rule, i.e. User suspended due to suspicious activity. Select this rule and click on Edit Rule.
Click on Next: View Conditions.
Click on Next: Add Actions.
Here you will find two options:
- Send to alert center: Selecting this option will send out alerts to the Google alert center & Google might block the Organization due to suspicious activity detected in the Organization.
- Send email notifications: Selecting this option will send out e-mail notifications to all super administrators or other recipients added in this rule.
We can enable or disable these options as per the requirements, but it is advisable to always disable the Send to alert center option.
Disabling 2-step authentication
Navigate to the left side of the page & locate Security(1), find Authentication(2), click & open 2-step verification(3).
Uncheck the Allow users to turn on 2-step Verification(1) & click on Save(2).
Troubleshooting Log in issues
In GCP, even if we have disabled 2-step verification, users might sometimes face a login challenge. To troubleshoot this issue, follow the steps given below.
Navigate to the user facing issues with log in.
Here under Recovery Information you can find a recovery e-mail id which can be used to log in to the GCP console.
Alternatively, under 2-step verification you will find an option called Login challenge; select this option & disable it. This allows the user to bypass the authentication for 10 minutes, so the user can log in without any issues.
The GCP Admin console is one stop for managing all your Google Workspace services. You can add or remove users, manage billing, set-up mobile devices & much more. To get more familiar with the GCP Admin console follow this link About GCP Admin Console