この記事では、Google Cloud 管理者として Cloud Identity を設定する方法について説明します。Cloud Identity の設定は、新しい Google Cloud 組織を作成するときに行う最初のステップの 1 つです。
Before you sign up for Cloud Identity as a Google Cloud Platform (GCP) administrator, you'll need the following:
- A GCP project you own and want to migrate to Cloud Identity
- A GCP billing account
- Your company's domain name
Sign up for the free edition of Cloud Identity
To sign up for the free edition of Cloud Identity:
- Sign in to the GCP Console.
- From the Products & services menu, go to IAM & Admin > Identity & Organization.
- In the Identity window, click Sign up.
For details about your next steps, see Create your Cloud Identity account and first admin user.
Sign up for Cloud Identity Premium Edition
To sign up for Cloud Identity Premium:
- Using your administrator account, sign in to the Google Admin console at admin.google.com.
- From the Admin console Home page, go to Billing.
- Under Enable Products, locate Cloud Identity Premium and click Find out more to get started with your sign-up steps.
To create your Cloud Identity account and first admin user using the Setup Wizard:
- In the About you section, enter your first and last name in the Name field.
- In the Current email address you use for work field, enter the email you used to create your prototype project.
This email address will be used as a recovery address. It must be different from the address you create below that you'll use as your admin account for Cloud Identity.
- In the About your business section, enter your company name in the Business or organization name field.
- In the Country/Region field, choose the appropriate country or region from the pulldown list.
- Click Next to set up your domain.
- In the Your Cloud Identity Domain window you'll add the domain you've already purchased for your company. You'll need to verify that you own it by creating a specific CNAME record or uploading an html file.
- In the Create your Cloud Identity account window, enter a username and password. This account is your Cloud Identity administrator account and must be different from the email address you entered in step 2 above. As a best practice, we recommend that you enter a username with the following format: firstname.lastname@example.org.
For more details and instructions about verifying your domain, see Verify your domain for Cloud Identity.
これで、Cloud Identity を有効にして最初のユーザーを作成できました。
After you create your Cloud Identity account and verify your domain, you're returned to the GCP Console. Before you continue, you'll need to accept the Cloud Identity Agreement on behalf of your organization. You're then directed to the Identity page.
You now have a fully functioning Cloud Identity account. But you'll also have the option to complete a few more setup steps in the Cloud Platform Console as described below.
Note: Later, you may want to return to the Google Admin console to add more users and create groups, which will be accessed by Google Cloud Platform through the Cloud Identity service. For instructions, see Manage users.
About your Cloud Identity organization
Your Cloud Identity organization is created when you finish your signup and setup steps for your Cloud Identity service. This maps a Cloud Identity account from the Admin Console to Google Cloud Platform, and is used to group all of your projects for billing and management purposes. For example, using your Cloud Identity organization you can restrict project access only to Cloud Identity users.
As the first super admin to access the Google Cloud Platform Console, you'll be assigned the role of Org Owner, and you'll be able to manage the organization settings and assign policies at the highest level.
Migrate projects and billing accounts and set permissions
- Complete steps 1–3 below from your non-administrator Google Cloud Platform account. This account is typically a personal Gmail account.
- Complete steps 4–6 from your Cloud Identity administrator account.
To migrate content from a previous account, follow these steps:
- Grant access to billing accounts.
- Grant access to projects.
- Log in to your Cloud Identity account, and accept the project invitations.
- Go to GCP, log in with your Cloud Identity account, and remove access.
- Migrate projects.
- Set permissions.
1. Grant access to billing accounts
Use the steps below to migrate projects and billing accounts from accounts outside of your Cloud Identity organization to your new Cloud Identity organization. We recommend opening this page in a separate tab to use as reference while completing the steps.
- Log in to the Google Cloud Platform account that has the existing billing account you want to connect to.
- Grant your organization admin from Cloud Identity access to this billing account.
- Go to the left nav and open Billing.
- Navigate to the billing account you want to connect to.
- Add the Organization Admin of your Cloud Identity as a Billing Administrator.
For example: Add your organization admin's Cloud Identity account here (ex: JoeAdmin@acme.com).
2. Grant access to projects
You can grant access to projects one at a time, or via the bulk permissions UI. Step 1 below walks through the one-at-a-time method, while step 2 walks through the bulk method.
- Grant your organization admin Owner access to projects.
Navigate to the IAM & Admin page for the projects you want to migrate, and add your organization admin's account as Owner.
- Set Bulk permissions (optional).
Navigate to the IAM & Admin section and click Manage Resources or All projects from the left navigation. From the Manage Resources view, select all the projects you want to migrate and use the IAM panel to add your new account as Owner to these projects.
3. Log in to your Cloud Identity account, and accept the project invitations
Log in to your Cloud Identity account and check your email.
For the projects you're migrating, you must accept the project invitation sent via email to your new account. You must click the link in each email for each project that you're migrating.
4. Go to GCP, log in with your Cloud Identity account, and remove access
- Remove access to the billing account.
Navigate to the billing account you connected from your old account, and remove access for any user accounts that are not within your company's domain, including your @gmail.com account.
- Remove access to projects.
- Navigate to the IAM & Admin page, and click Manage Resources.
- From the Manage Resources page, select No organization from the dropdown next to the filter control.
- The projects from your old account are displayed with a yellow warning icon. Select these projects and use the IAM panel to remove access for any accounts that are not within your company's domain, including your @gmail.com account.
5. Migrate projects
- Navigate to the IAM & Admin section, and click Manage Resources.
- From the Manage Resources page, click No organization from the dropdown list next to the filter control. The projects from your old account are displayed with a yellow warning icon.
- Select these projects from your old account, and click Migrate from the top bar, or click the icon for each project.
After the migration is finished, your projects will be moved to your company's organization. You must switch the No organization drop-down to your company's organization to view the projects.
6. Set permissions
- Navigate to the IAM & Admin section, and select your organization from the top bar dropdown. This will allow you to set IAM permissions that will affect all projects under your organization.
- From the IAM page, add your Admin users and grant them the appropriate roles. Examples are Organization Admin, Billing Admin, and App Engine Admin.
For more details, see also Configuring permissions on Google Cloud Platform.