Access Backup and DR Service with workforce identity federation

This page describes how to configure user access for Backup and DR Service with workforce identity federation. Contact Google Cloud Customer Care to enable Backup and DR Service with workforce identity federation.

Workforce identity federation lets you use an external identity provider (IdP) to authenticate and authorize a workforce—a group of users, such as employees, partners, and contractors—using IAM, so that the users can access Google Cloud services.

If workforce identity federation is configured in your project, users in your workforce can access the following:

Set up access to Backup and DR Service with workforce identity federation

This section describes how to configure access for workforce identity federation users to Backup and DR Service.

Configure your identity provider

Use the Configure workforce identity federation guide to configure workforce identity federation for your identity provider.

Grant IAM roles to workforce identity federation users

In Identity and Access Management (IAM), grant IAM roles to sets of workforce identity federation users, so that they can access Backup and DR Service and the management console to protect workloads:

Backup and DR Service handles workforce identity federation users the same way as Google Account users, except that a principal identifier is used instead of an email address.

Access the Backup and DR Service page in the Google Cloud console

The Google Cloud workforce identity federation console provides access to the Backup and DR Service page.

From the Backup and DR Service page in the Google Cloud workforce identity federation console, you can deploy the management console and backup/recovery appliances, and view Backup and DR Service logs. You can also access the management console to back up resources.

Access the management console

Workforce identity federation users access the management console through a different URL than Google-managed users, as follows:

  • The URL for workforce identity federation users is

    https://bmc-PROJECT_NUMBER-GENERATED_ID-dot-REGION.backupdr.byoid.googleusercontent.com/
    
  • The URL for Google managed user accounts is

    https://bmc-PROJECT_NUMBER-GENERATED_ID-dot-REGION.backupdr.googleusercontent.com/
    

Only users that are authenticated with external identities can access the URL for external identities. If a user visits the URL for external identities while not logged in, they are first redirected to the authentication portal where they specify their workforce pool provider name. Then they are redirected to their identity provider to sign in, and finally they are redirected to the management console.

Workforce identity federation users cannot directly access the management console using the URL shared by Google-managed users. To access the management console as a workforce identity federation user, manually update the link to the URL for workforce identity federation users.
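
The manual link update described above can be scripted. The following is an added example, not code from Google or from this page: it rewrites a Google-managed management console link to the workforce identity federation form and rejects any host that does not match the two URL shapes shown above. The function name and the character sets allowed for GENERATED_ID and REGION are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Host shapes taken from the two URLs on this page. The character classes for
# GENERATED_ID and REGION are assumptions; the page does not specify them.
_LABEL = r"bmc-\d+-[a-z0-9]+-dot-[a-z0-9-]+"
_MANAGED = re.compile(_LABEL + r"\.backupdr\.googleusercontent\.com")
_BYOID = re.compile(_LABEL + r"\.backupdr\.byoid\.googleusercontent\.com")
_SUFFIX = "googleusercontent.com"


def to_workforce_url(url: str) -> str:
    """Return the workforce identity federation form of a console URL.

    Hypothetical helper. Raises ValueError for anything that is not an
    https management console link, so a look-alike host is never rewritten
    and handed to a user as if it were trusted.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        raise ValueError("management console URLs are https only")
    if parts.username or parts.password or parts.port:
        raise ValueError("unexpected userinfo or port in URL")
    if _BYOID.fullmatch(host):
        new_host = host  # already the workforce form; leave unchanged
    elif _MANAGED.fullmatch(host):
        # Insert the "byoid" label in front of googleusercontent.com.
        new_host = host[: -len(_SUFFIX)] + "byoid." + _SUFFIX
    else:
        raise ValueError(f"not a management console host: {host!r}")
    # Path, query and fragment are preserved so deep links keep working.
    return urlunsplit(
        ("https", new_host, parts.path or "/", parts.query, parts.fragment)
    )


if __name__ == "__main__":
    # Constructed sample link; project number, ID and region are made up.
    sample = ("https://bmc-123456789012-abc123-dot-us-central1"
              ".backupdr.googleusercontent.com/")
    print(to_workforce_url(sample))
```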