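Set up Cloud Identity as a Google Cloud administrator

This page describes how to set up Cloud Identity and become a Google Cloud administrator who can manage users and resources. Setting up Cloud Identity is the first step when you create a Google Cloud resource hierarchy.

Before you begin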

Instructions for Google Cloud admins

If you're a Google Cloud administrator, use the instructions below to sign up for either Cloud Identity Free or Cloud Identity Premium. For details about the differences between these services, see Compare Cloud Identity features & editions.

Requirements

  • Cloud Identity Free—You need your company's domain name and the admin username and password to your domain registrar to get started.
  • Cloud Identity Premium—You need your company's domain name to get started, or you need to purchase a domain during sign-up.

Sign up for Cloud Identity Free

  1. Go to the following sign-up page:
    https://workspace.google.com/gcpidentity/signup?sku=identitybasic
  2. Follow the guided instructions.

For details about your next steps, see Create your Cloud Identity account and first admin user.

Sign up for Cloud Identity Premium

If you're a Google Workspace customer

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Billing and then Get more services.
  3. Click Cloud Identity.
  4. Next to Cloud Identity Premium, click Start Free Trial.
  5. Follow the guided instructions.

If you're not a Google Workspace customer

  1. Go to the following sign-up page:
    https://workspace.google.com/gcpidentity/signup?sku=identitypremium
  2. Follow the guided instructions.

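Create your Cloud Identity account and first admin user

To create your Cloud Identity account and first admin user with the setup wizard:

  1. In the About you section, enter your name in the Name field.
  2. In the Current email address you use at work field, enter your email address.
    This email address becomes your recovery address, so it must be different from the email address you create for your Cloud Identity administrator account in the steps below.
  3. In the About your business section, enter your company name in the Business or organization name field.
  4. In the Country/Region field, select the appropriate country or region from the drop-down list.
  5. Click Continue to set up your domain.
  6. You can later use the Your Cloud Identity domain window to add the domain that you purchased for your company. You must create a specific CNAME record or upload an HTML file to verify your ownership.
  7. In the Create your Cloud Identity account window, enter a username and password. This account is your Cloud Identity administrator account; do not use the email address you entered in step 2 above. We recommend entering the username in the following format: admin@example.com

For more details and instructions on verifying your domain, see Verify your Cloud Identity domain.

Congratulations! You have successfully enabled Cloud Identity and created your first user.

Complete setup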

After you create your Cloud Identity account and verify your domain, you're returned to the Google Cloud console. Before you continue, you'll need to accept the Cloud Identity Agreement on behalf of your organization. You're then directed to the Identity page.
 
You now have a fully functioning Cloud Identity account. But you'll also have the option to complete a few more setup steps in the console as described below.
 
Note: Later, you may want to return to the Google Admin console to add more users and create groups. For instructions, see Manage users.

About your Cloud Identity organization

Your Cloud Identity organization is created after you finish your signup and setup steps for your Cloud Identity service. This maps a Cloud Identity account from the Admin console to Google Cloud, and is used to group all of your projects for billing and management purposes. For example, using your Cloud Identity organization you can restrict project access only to Cloud Identity users.
 
As the first super admin to access the Google Cloud console, you'll be assigned the role of Org Owner, and you'll be able to manage the organization settings and assign policies at the highest level. 

Migrate projects and billing accounts and set permissions

Important: 

  • Complete steps 1–2 below from your non-administrator Google Cloud account. This account is typically a personal Gmail account.
  • Complete steps 3–6 from your Cloud Identity administrator account.

To migrate content from a previous account, follow these steps:

Grant access to billing accounts

Use the steps below to migrate projects and billing accounts from accounts outside of your Cloud Identity organization to your new Cloud Identity organization. We recommend opening this page in a separate tab to use as reference while completing the steps.

  1. Sign in to the Google Cloud account that has the existing billing account you want to connect to.
  2. Grant your organization admin from Cloud Identity access to this billing account.
    1. Go to the left nav and open Billing.
    2. Navigate to the billing account you want to connect to.
    3. Add the Organization admin of your Cloud Identity as a Billing administrator.

Grant access to projects

You can grant access to projects one at a time, or via the bulk permissions UI. Step 1 below walks through the one-at-a-time method, while step 2 walks through the bulk method.

  1. Grant your organization admin Owner access to projects.
    Navigate to the IAM & Admin page for the projects you want to migrate, and add your organization admin's account as Owner.
  2. Set Bulk permissions (optional).
    Navigate to the IAM & Admin section and click Manage Resources or All projects from the left navigation. From the Manage Resources view, select all the projects you want to migrate and use the IAM panel to add your new account as Owner to these projects.

Sign in to your Cloud Identity account, and accept the project invitations

Sign in to your Cloud Identity account and check your email.

For the projects you're migrating, you must accept the project invitation sent via email to your new account. You must click the link in each email for each project that you're migrating.

Go to Google Cloud, sign in with your Cloud Identity account, and remove access

  1. Remove access to the billing account.
    Navigate to the billing account you connected from your old account, and remove access for any user accounts that are not within your company's domain, including your @gmail.com account.
  2. Remove access to projects.
    1. Navigate to the IAM & Admin page, and click Manage Resources.
    2. From the Manage Resources page, select No organization from the dropdown next to the filter control.
    3. The projects from your old account are displayed with a yellow warning icon. Select these projects and use the IAM panel to remove access for any accounts that are not within your company's domain, including your @gmail.com account.
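
The removal steps above can be checked from an exported IAM policy. The following is an added example, not part of the original page: it lists role bindings whose members fall outside the company domain, so you can confirm nothing was missed. The sample policy, the addresses, and the example.com domain are constructed; the JSON shape is the one printed by gcloud projects get-iam-policy PROJECT_ID --format=json. Flagging allUsers and allAuthenticatedUsers goes slightly beyond the step as written.

```python
import json

# Constructed sample policy in the shape printed by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:admin@example.com", "user:personal.account@gmail.com"]},
    {"role": "roles/editor",
     "members": ["group:devs@example.com",
                 "serviceAccount:build@sample-project.iam.gserviceaccount.com",
                 "deleted:user:old.contractor@partner.test?uid=123456789"]},
    {"role": "roles/viewer",
     "members": ["allAuthenticatedUsers", "domain:example.com"]}
  ]
}
""")

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

def external_members(policy, company_domain):
    """Return sorted (role, member) pairs that are outside company_domain."""
    company_domain = company_domain.lower()
    findings = set()
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.add((role, member))  # not tied to any domain
                continue
            # Stale bindings look like "deleted:user:a@b?uid=1"; normalise them.
            ident = member[len("deleted:"):] if member.startswith("deleted:") else member
            kind, _, value = ident.split("?", 1)[0].partition(":")
            if kind in ("user", "group"):
                domain = value.rpartition("@")[2].lower()
            elif kind == "domain":
                domain = value.lower()
            else:
                continue  # service accounts are not user accounts; skipped here
            # Assumption: exact match only, subdomains count as external.
            if domain != company_domain:
                findings.add((role, member))
    return sorted(findings)

if __name__ == "__main__":
    for role, member in external_members(SAMPLE_POLICY, "example.com"):
        print(f"{role}\t{member}")
```

An empty result for every migrated project means only accounts in your company's domain still hold roles on it.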

Migrate projects

  1. Navigate to the IAM & Admin section, and click Manage Resources.
  2. From the Manage Resources page, click No organization from the dropdown list next to the filter control. The projects from your old account are displayed with a yellow warning icon.
  3. Select these projects from your old account, and click Migrate from the top bar, or click the icon for each project.

After the migration is finished, your projects will be moved to your company's organization. You must switch the No organization drop-down to your company's organization to view the projects.

Set permissions

  1. Navigate to the IAM & Admin section, and select your organization from the top bar dropdown. This will allow you to set IAM permissions that will affect all projects under your organization.
  2. From the IAM page, add your Admin users and grant them the appropriate roles.

For more details, see also Configuring permissions on Google Cloud.
 

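Enable your Cloud Billing account

Free trial users: After you set up Cloud Identity, check your billing status to confirm that you still have free trial credits. After the free trial ends, you can activate a full, paid Cloud Billing account to continue using Google Cloud resources that require a Cloud Billing account. To learn more about the free trial, see "Free Google Cloud features and trial offers".

Next steps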