Set up Cloud Identity as a Google Cloud administrator

This page describes how to set up Cloud Identity as a Google Cloud administrator. When you create a new Google Cloud organization, setting up Cloud Identity is one of the first steps to complete.

Before you begin

Instructions for Google Cloud administrators

If you are a Google Cloud administrator, follow the instructions below to sign up for Cloud Identity Free or Cloud Identity Premium. For details on the differences between the two editions, see Compare Cloud Identity features and editions.

Requirements

  • Cloud Identity Free - To get started you need your company's domain name, plus the username and password for your domain registrar's website (you need them to add the DNS record that proves you own the domain).
  • Cloud Identity Premium - To get started you need your company's domain name, or you can purchase one during signup.

Sign up for Cloud Identity Free

  1. Go to the signup page:
    https://workspace.google.com/gcpidentity/signup?sku=identitybasic
  2. Follow the guided instructions.

For more information about the next steps, see Create your Cloud Identity account and first admin user.

Sign up for Cloud Identity Premium

If you are a Google Workspace customer

  1. Sign in to the Google Admin console.

    Sign in with your administrator account (an account that does not end in "@gmail.com").

  2. In the Admin console, go to Menu, then Billing, then Get more services.
  3. Click Cloud Identity.
  4. Next to Cloud Identity Premium, click Start free trial.
  5. Follow the guided instructions.

If you are not a Google Workspace customer

  1. Go to the signup page:
    https://workspace.google.com/gcpidentity/signup?sku=identitypremium
  2. Follow the guided instructions.

Create your first user

To create your Cloud Identity account and first admin user with the setup wizard, follow these steps:

  1. In the About you section, enter your first and last name in the Name field.
  2. In the Current email address you use for work field, enter your email address.
    This address is used as the secondary (recovery) address and must be different from the address you will use for the Cloud Identity admin account created in the steps below. Because it can be used to recover the super admin account, the mailbox behind it should itself be protected with 2-Step Verification.
  3. In the About your business section, enter your company name in the Business or organization name field.
  4. In the Country/Region field, select the appropriate country or region from the drop-down list.
  5. Click Next to set up your domain.
  6. In the Your Cloud Identity domain name window, add the domain you have already purchased for your company. To prove that you own the domain, you need to create a specific CNAME record or upload an HTML file.
  7. In the Create your Cloud Identity account window, enter a username and password. This account is your Cloud Identity admin account and must be different from the email address you entered in step 2 above. As a best practice, we recommend a username of the form admin@example.com.

For more details and instructions on verifying your domain, see Verify your domain for Cloud Identity.

Congratulations! You have enabled Cloud Identity and created your first user.

Complete the setup

After you create your Cloud Identity account and verify your domain, you're returned to the Google Cloud console. Before you continue, you need to accept the Cloud Identity Agreement on behalf of your organization. You're then directed to the Identity page.

You now have a fully functioning Cloud Identity account. You also have the option to complete a few more setup steps in the console, as described below.

Note: Later, you may want to return to the Google Admin console to add more users and create groups. For instructions, see Manage users.

About your Cloud Identity organization

Your Cloud Identity organization is created after you finish the signup and setup steps for your Cloud Identity service. It maps the Cloud Identity account from the Admin console to a Google Cloud organization resource, which groups all of your projects for billing and management purposes. For example, with the organization resource you can apply an organization policy (the domain restricted sharing constraint, iam.allowedPolicyMemberDomains) so that IAM grants on your projects can only go to identities in your Cloud Identity domain.

As the first super admin to access the Google Cloud console, you are granted the Organization Administrator role (roles/resourcemanager.organizationAdmin) on the organization resource, which lets you manage the organization settings and assign policies at the highest level.

Migrate projects and billing accounts and set permissions

Important:

  • Complete the first two sections below (granting access to billing accounts and to projects) while signed in to your non-administrator Google Cloud account. This is typically a personal Gmail account.
  • Complete the remaining four sections (accepting invitations, removing access, migrating projects, and setting permissions) while signed in to your Cloud Identity administrator account.

To migrate content from a previous account, follow these steps:

Grant access to billing accounts

Use the steps below to migrate projects and billing accounts from accounts outside your Cloud Identity organization into your new Cloud Identity organization. We recommend opening this page in a separate tab to use as a reference while completing the steps.

  1. Sign in to the Google Cloud account that owns the existing billing account you want to connect.
  2. Grant your Cloud Identity organization admin access to this billing account:
    1. In the left navigation, open Billing.
    2. Navigate to the billing account you want to connect.
    3. Add the organization admin account from your Cloud Identity domain as a Billing Account Administrator.

Grant access to projects

You can grant access to projects one at a time, or via the bulk permissions UI. Step 1 below walks through the one-at-a-time method, while step 2 walks through the bulk method.

  1. Grant your organization admin Owner access to projects.
    Navigate to the IAM & Admin page for the projects you want to migrate, and add your organization admin's account as Owner.
  2. Set Bulk permissions (optional).
    Navigate to the IAM & Admin section and click Manage Resources or All projects from the left navigation. From the Manage Resources view, select all the projects you want to migrate and use the IAM panel to add your new account as Owner to these projects.

Sign in to your Cloud Identity account, and accept the project invitations

Sign in to your Cloud Identity account and check your email.

For the projects you're migrating, you must accept the project invitation sent via email to your new account. You must click the link in each email for each project that you're migrating.

Go to Google Cloud, sign in with your Cloud Identity account, and remove access

  1. Remove access to the billing account.
    Navigate to the billing account you connected from your old account and remove access for any user accounts that are not within your company's domain, including your @gmail.com account. Do this only after you have confirmed that your Cloud Identity administrator account can open the billing account; otherwise you lose access to it.
  2. Remove access to projects.
    1. Navigate to the IAM & Admin page, and click Manage Resources.
    2. From the Manage Resources page, select No organization from the dropdown next to the filter control.
    3. The projects from your old account are displayed with a yellow warning icon. Select these projects and use the IAM panel to remove access for any accounts that are not within your company's domain, including your @gmail.com account.
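The console steps above are a manual review of each project's IAM policy. The same check can be automated from the policy JSON, which also lets you confirm that an in-domain Owner remains before anything is removed. The following is an added example written for this page (editor's code, not Google's). It reads the JSON that `gcloud projects get-iam-policy PROJECT --format=json` returns (a billing account policy from `gcloud beta billing accounts get-iam-policy` has the same shape), flags every principal outside the company domain, and prints the matching `remove-iam-policy-binding` commands. The embedded policy is constructed, `example.com` stands in for your Cloud Identity domain, and `my-proj` is a placeholder project ID.

```python
"""Audit an IAM policy for principals outside the company domain and emit the
removal commands for the "remove access" step.

Added example (editor's code, not Google's). Input is the JSON that
`gcloud projects get-iam-policy PROJECT --format=json` returns; a billing
account policy (`gcloud beta billing accounts get-iam-policy`) has the same
shape. The policy below is constructed, and example.com is a placeholder
for the Cloud Identity domain.
"""
import json
from dataclasses import dataclass
from typing import List, Optional

COMPANY_DOMAIN = "example.com"  # assumption: your Cloud Identity domain

# Constructed sample policy, same shape as the gcloud/REST output.
SAMPLE_POLICY = json.dumps({
    "version": 1,
    "etag": "BwXyz123",
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:admin@example.com", "user:founder@gmail.com"]},
        {"role": "roles/editor",
         "members": ["group:devs@example.com",
                     "group:contractors@partner.test",
                     "serviceAccount:ci@my-proj.iam.gserviceaccount.com"]},
        {"role": "roles/viewer",
         "members": ["allAuthenticatedUsers",
                     "deleted:user:ex@example.com?uid=123"]},
    ],
})


@dataclass(frozen=True)
class Finding:
    role: str
    member: str
    reason: str


def classify(member: str, domain: str) -> Optional[str]:
    """Return why a member should be removed, or None if it may stay."""
    if member in ("allUsers", "allAuthenticatedUsers"):
        return "public principal"
    kind, _, ident = member.partition(":")
    if kind == "deleted":
        return "deleted principal (stale binding)"
    if kind == "serviceAccount":
        return None  # owned by a project, not by a user domain; review separately
    if kind == "domain":
        return None if ident.lower() == domain.lower() else f"foreign domain {ident}"
    if kind in ("user", "group"):
        _, _, member_domain = ident.rpartition("@")
        if member_domain.lower() == domain.lower():
            return None
        return f"{kind} outside {domain}"
    return f"unrecognized principal type {kind!r}"


def find_foreign_members(policy_json: str, domain: str = COMPANY_DOMAIN) -> List[Finding]:
    """Every (role, member) pair in the policy that fails classify()."""
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            reason = classify(member, domain)
            if reason is not None:
                findings.append(Finding(binding["role"], member, reason))
    return findings


def remaining_owners(policy_json: str, domain: str = COMPANY_DOMAIN) -> List[str]:
    """Owners that stay after removal; empty means the cleanup would lock you out."""
    policy = json.loads(policy_json)
    return [m for b in policy.get("bindings", []) if b["role"] == "roles/owner"
            for m in b.get("members", []) if classify(m, domain) is None]


_REMOVE = {
    "project": "gcloud projects remove-iam-policy-binding {res}",
    # assumption: billing commands are under the beta group; check `gcloud billing --help`
    "billing-account": "gcloud beta billing accounts remove-iam-policy-binding {res}",
}


def removal_commands(resource: str, findings: List[Finding], kind: str = "project") -> List[str]:
    """One gcloud command per finding; print and review before running."""
    base = _REMOVE[kind].format(res=resource)
    return [f"{base} --member='{f.member}' --role='{f.role}'" for f in findings]


if __name__ == "__main__":
    hits = find_foreign_members(SAMPLE_POLICY)
    for h in hits:
        print(f"{h.role:<14} {h.member:<50} {h.reason}")
    if not remaining_owners(SAMPLE_POLICY):
        raise SystemExit("refusing: no in-domain owner would remain")
    print("\n".join(removal_commands("my-proj", hits)))
```

Service accounts are deliberately left alone: their identifier ends in `.iam.gserviceaccount.com`, not in your domain, so a naive "not @example.com" filter would strip your CI and workload identities. Public principals (`allUsers`, `allAuthenticatedUsers`) and `deleted:` entries are always flagged, since neither belongs on a project you are bringing under the organization.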

Migrate projects

  1. Navigate to the IAM & Admin section, and click Manage Resources.
  2. From the Manage Resources page, click No organization from the dropdown list next to the filter control. The projects from your old account are displayed with a yellow warning icon.
  3. Select these projects from your old account, and click Migrate from the top bar, or click the icon for each project.

After the migration is finished, your projects will be moved to your company's organization. You must switch the No organization drop-down to your company's organization to view the projects.
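The "No organization" filter in the console has a command-line equivalent: in the JSON from `gcloud projects list --format=json`, a project with no organization has no `parent` field at all. The following is an added example (editor's code, not Google's) that selects those projects, skips ones already pending deletion, and prints the `gcloud projects move` command for each one. The project list is constructed, and the organization ID `123456789012` is a placeholder for your own.

```python
"""List the projects that sit under "No organization" and emit the gcloud
commands that move them into the new Cloud Identity organization.

Added example (editor's code, not Google's). Input is the JSON that
`gcloud projects list --format=json` returns for the signed-in account; the
list below is constructed and the organization ID is a placeholder.
"""
import json
from typing import Dict, List

NEW_ORG_ID = "123456789012"  # assumption: placeholder organization ID

# Constructed sample in the shape of `gcloud projects list --format=json`.
SAMPLE_PROJECT_LIST = json.dumps([
    {"projectId": "startup-prod", "name": "Prod", "projectNumber": "1",
     "lifecycleState": "ACTIVE"},                                  # no parent
    {"projectId": "startup-dev", "name": "Dev", "projectNumber": "2",
     "lifecycleState": "ACTIVE",
     "parent": {"type": "organization", "id": NEW_ORG_ID}},       # already moved
    {"projectId": "old-sandbox", "name": "Sandbox", "projectNumber": "3",
     "lifecycleState": "DELETE_REQUESTED"},                        # pending deletion
    {"projectId": "legacy-tool", "name": "Tool", "projectNumber": "4",
     "lifecycleState": "ACTIVE",
     "parent": {"type": "organization", "id": "999999999999"}},   # another org
])


def unparented_projects(list_json: str) -> List[Dict]:
    """ACTIVE projects with no parent, i.e. the console's "No organization" view."""
    return [p for p in json.loads(list_json)
            if p.get("lifecycleState") == "ACTIVE" and "parent" not in p]


def projects_in_other_org(list_json: str, org_id: str = NEW_ORG_ID) -> List[Dict]:
    """Projects already parented under a different organization.

    These are not shown under "No organization" and need a cross-organization
    move agreed with that organization's admins, so they are reported separately.
    """
    return [p for p in json.loads(list_json)
            if p.get("parent", {}).get("type") == "organization"
            and p["parent"]["id"] != org_id]


def move_commands(projects: List[Dict], org_id: str = NEW_ORG_ID) -> List[str]:
    """One `gcloud projects move` command per project; review before running."""
    return [f"gcloud projects move {p['projectId']} --organization={org_id}"
            for p in projects]


if __name__ == "__main__":
    todo = unparented_projects(SAMPLE_PROJECT_LIST)
    print("\n".join(move_commands(todo)))
    for p in projects_in_other_org(SAMPLE_PROJECT_LIST):
        print(f"# skipped {p['projectId']}: already under org {p['parent']['id']}")
```

Run the generated commands from the Cloud Identity administrator account. That account needs permission on both sides of the move (the Project Mover role on each project and the Project Creator role on the destination organization); if a move is refused, revisit the "Grant access to projects" section above before retrying.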

Set permissions

  1. Navigate to the IAM & Admin section and select your organization from the dropdown in the top bar. Roles granted at this level are inherited by every folder and project under the organization, so grant them sparingly.
  2. From the IAM page, add your admin users and grant them the appropriate roles.

For more details, see also Configuring permissions on Google Cloud.


Next steps