Cyberworld-builders / gcp-iac

Managing Google Cloud Resources through Infrastructure as Code

GCP - Adding a System Root User for Terraform Agent Bootstrapping #13

Open jaylong255 opened 2 months ago

jaylong255 commented 2 months ago

Adding a user to your Google Cloud Organization involves a few steps, and it's important to ensure you have the necessary permissions to do so. Here's a general guide on how to add a user:

  1. Sign in to Google Cloud Console: Ensure you're logged into the Google Cloud Console with an account that has the appropriate permissions (typically an Organization Administrator or a user with IAM permissions).

  2. Navigate to IAM & Admin:
    • Go to the Navigation menu in the top left.
    • Select IAM & Admin.
    • Click on Manage Resources.
  3. Select Your Organization:
    • In the resource picker, choose your organization from the list. If you don't see it, you might need to switch to the correct Google Cloud project or ensure you're in the right domain.
  4. Add a Member:
    • Click on the + ADD button.
    • In the "New principals" field, enter the email address of the user you want to add. If the user doesn't have a Google account, they'll need to set one up.
  5. Select Role:
    • Choose the role you want to assign to this user. Roles can range from basic like roles/viewer, roles/editor, to more specific roles like roles/compute.admin. You can also create custom roles if needed.
  6. Set Conditions (Optional):
    • You can set conditions for when this role applies, such as time-based conditions or attribute-based access control.
  7. Review and Add:
    • Review the details. Ensure the email is correct and the role fits the user's needs.
    • Click SAVE or ADD to finalize adding the user.
  8. Verification:
    • The new user should receive an email notification about their access to Google Cloud. They might need to accept terms or verify their account before they can start using services.

Important Considerations:

If you encounter any issues or need more specific guidance, you might want to refer to the Google Cloud documentation or contact Google Cloud Support. If this process has changed recently or if there are new features, you might want to check the latest Google Cloud documentation or ask if you need me to look up more current information.

jaylong255 commented 2 months ago

Add a Group

Route Emails for the Group to a Good Mailbox

jaylong255 commented 2 months ago

Add a User

jaylong255 commented 2 months ago

Authenticate with gcloud as the new user

gcloud auth login

You will probably need to update your password.

jaylong255 commented 2 months ago

Create the System Root Folder

gcloud resource-manager folders create \
    --display-name="MyName System Root" \
    --organization="ORG_ID"

jaylong255 commented 2 months ago

Grant Your User Folder Create Permissions

The new user has essentially no permissions. I gave it basic "browser" just because you have to grant principals something. This is intentional since what I'm trying to do here is document all of the necessary permissions for the system root setup instructions for bootstrapping a tf agent that is sandboxed in its own folder.

You will need to be authenticated as a user with the permissions to escalate permissions.

gcloud organizations add-iam-policy-binding ORG_ID \
--member=user:GCP_USER_EMAIL \
--role=roles/resourcemanager.folderCreator

jaylong255 commented 2 months ago

As a privileged user, grant the new user project create permissions

gcloud organizations add-iam-policy-binding ORG_ID \
     --member=user:GCP_USER_EMAIL \
     --role=roles/resourcemanager.projectCreator

Create the System Root Project

For a new user, you probably need to log into the GCP console to accept the terms of service.

gcloud projects create myname-system-root \
--name="MyName System Root" \
--organization=ORG_ID \
--set-as-default

jaylong255 commented 2 months ago

Create the System Root Service Account

Now that your user has Project and Folder Creator at the Organization level, you should be able to perform these with no problems.

gcloud iam service-accounts create myname-system-root  \
--display-name="MyName System Root" \
--project=myname-system-root

jaylong255 commented 2 months ago

Generate an IAM key JSON

gcloud iam service-accounts keys create myname-system-root-key.json \
    --iam-account=myname-system-root@myname-system-root.iam.gserviceaccount.com \
    --project=myname-system-root

jaylong255 commented 2 months ago

Enable Cloud Billing API for the System Root Project

gcloud services enable cloudbilling.googleapis.com --project=myname-system-root

jaylong255 commented 2 months ago

Grant the new user the ability to grant organization admin to the system root service account

gcloud organizations add-iam-policy-binding ORG_ID \
     --member=user:GCP_USER_EMAIL \
     --role=roles/resourcemanager.organizationAdmin

Grant Folder Admin to your System Root Service Account

gcloud organizations add-iam-policy-binding ORG_ID \
    --member="serviceAccount:myname-system-root@myname-system-root.iam.gserviceaccount.com" \
    --role="roles/resourcemanager.folderAdmin"

jaylong255 commented 2 months ago

Grant the new user permission to access billing accounts

gcloud beta billing accounts add-iam-policy-binding BILLING_ACCOUNT_ID \
    --member=user:gcp-tnclient-system-root@cyberworldbuilders.com \
    --role=roles/billing.user

Grant the new user permission to set IAM Policy

gcloud beta billing accounts add-iam-policy-binding BILLING_ACCOUNT_ID \
    --member=user:gcp-tnclient-system-root@cyberworldbuilders.com \
    --role=roles/iam.securityAdmin

Grant roles/billing.user to your System Root Service Account

gcloud beta billing accounts add-iam-policy-binding BILLING_ACCOUNT_ID \
    --member="serviceAccount:SERVICE_ACCOUNT_EMAIL" \
    --role="roles/billing.user"

jaylong255 commented 2 months ago

Grant roles/resourcemanager.projectCreator to your System Root Service Account

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
    --member="serviceAccount:SERVICE_ACCOUNT_EMAIL" \
    --role="roles/resourcemanager.projectCreator"
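
Added example, not code from the gcp-iac repo: a small audit of the organization IAM policy once the grants above are in place, run here against a constructed policy document in the shape `gcloud organizations get-iam-policy ORG_ID --format=json` returns. It checks that the system root service account holds exactly the two organization-level roles granted above (folderAdmin and projectCreator) and lists any human user still holding organizationAdmin, which this example treats as a bootstrap-only role (an assumption, not something the thread states).

```python
import json

# Constructed sample in the shape of `gcloud organizations get-iam-policy ORG_ID --format=json`,
# reflecting the bindings granted in this thread (GCP_USER_EMAIL is the thread's placeholder).
SYSTEM_ROOT_SA = "serviceAccount:myname-system-root@myname-system-root.iam.gserviceaccount.com"
SAMPLE_ORG_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/resourcemanager.folderCreator",
     "members": ["user:GCP_USER_EMAIL"]},
    {"role": "roles/resourcemanager.projectCreator",
     "members": ["user:GCP_USER_EMAIL",
                 "serviceAccount:myname-system-root@myname-system-root.iam.gserviceaccount.com"]},
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["user:GCP_USER_EMAIL"]},
    {"role": "roles/resourcemanager.folderAdmin",
     "members": ["serviceAccount:myname-system-root@myname-system-root.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXconstructed",
  "version": 1
}
""")

# Roles the thread grants the service account at the organization level.
EXPECTED_SA_ROLES = {"roles/resourcemanager.folderAdmin", "roles/resourcemanager.projectCreator"}
# Assumption for this audit: organizationAdmin on a human user is only needed during bootstrap.
BOOTSTRAP_ONLY_ROLES = {"roles/resourcemanager.organizationAdmin"}


def roles_by_member(policy):
    """Invert the bindings list into {member: set(roles)}."""
    out = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(binding["role"])
    return out


def audit_bootstrap_policy(policy, sa=SYSTEM_ROOT_SA):
    """Return (missing_sa_roles, extra_sa_roles, users_holding_bootstrap_roles)."""
    by_member = roles_by_member(policy)
    sa_roles = by_member.get(sa, set())
    missing = sorted(EXPECTED_SA_ROLES - sa_roles)   # grants from the thread not yet applied
    extra = sorted(sa_roles - EXPECTED_SA_ROLES)     # anything beyond the documented set
    lingering = sorted((m, r) for m, roles in by_member.items()
                       if m.startswith("user:") for r in roles & BOOTSTRAP_ONLY_ROLES)
    return missing, extra, lingering
```

Point `json.load()` at the output of the real `gcloud organizations get-iam-policy` call in place of the constructed sample to audit a live organization.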

jaylong255 commented 2 months ago

Create a KMS Key for Storage Folder Encryption

Enable the Cloud KMS API for the System Root Project

gcloud services enable cloudkms.googleapis.com --project myname-system-root

Make sure billing is enabled for the System Root Project

gcloud beta billing projects link myname-system-root --billing-account=BILLING_ACCOUNT_ID

Create a KMS Key Ring

gcloud kms keyrings create my-keyring \
  --location us-central1 \
  --project myname-system-root

Create a KMS Key

gcloud kms keys create my-key \
  --keyring my-keyring \
  --location us-central1 \
  --project myname-system-root \
  --purpose encryption