Cloud Identity procedures for 3rd party email integration for the 3 options (Workspace, IdP identity federation or custom MX records) - fix: add email alias forwarding on the domain

[fmichaelobrien]

See also #270 Requirements

• email integration with Cloud Identity to be able to send/receive emails to users with a secondary email
• For example: a billing quota request is sent out for a sub organization - one where all the accounts are Cloud Identity. In this case you can substitute the email for a backed account like another parent org that is using a workspace account to receive replies https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/docs/google-cloud-onboarding.md#quota-increase
• Another example is alert triggers to a free cloud identity account - the emails need to reach a backing email system on a 3rd party provider like Workspace, AAD, Workmail

Workarounds

• select 1+ accounts on the org as workspace accounts and set the default user creation flag to free cloud identity for the rest. If you select workspace as your super admin account - there will be 100 free cloud identity accounts to use (up from the default 50)

Options

• add forwarding email alias from this org to external org - directly on the domain hosting the email system (dual enable workspace api for other emails if enabled)
• secondary email in admin (not an option for all use cases)
• Workspace account for 1 or more cloud identity accounts (in the organization in question or a parent org owning the workspace account)
• Full IdP Identity Federation to Microsoft AAD or AWS Workmail
• custom MX records on the subdomain zone

Discussion for workspace we get 4 MX records on the domain - those match, for non-workspace the emails may match depending on whether the 3rd party AAD or AWS Workmail are on the same domain as the GCP org

Notes

• https://cloud.google.com/architecture/landing-zones/decide-how-to-onboard-identities#option_2_use_federation_with_an_external_identity_provider
• https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/docs/google-cloud-onboarding.md

References

225

182

[obriensystems]

Procedure test: developer account has minimal permissions but has access to a project and gcs bucket\ developer account has no workspace account - just cloud identity set a notification in a new alerting policy in cloud monitoring on any GCS api call above the 0 baseline

use case is identity user without workspace is set as the notification on a bucket alert policy - email is forwarded to an external email system - in this case AWS workspace where the forwarding mail comes from a GCP domain tied to the policy org

Fix 1 - email forwarding directly on the organization domain hosting workspace or another IdP - user is without a real email address without the alias

Set alias - enable dual workspace/forwarding apis

configure notifications

upload

and

event in

3rd party email received for devel@ol.dev (cloud identity user on org) with email forwarding on the domain

Fix 2 - alternate email on a different unrelated domain : essentially put any email into the notifications channel https://console.cloud.google.com/monitoring/alerting/notification Add that channel to the Alerting policy on the bucket

Then enable email forwarding on the domain you will be using to send the email alias (here lz.ca - forwards to ol.cloud)

Don't change your workspace settings on your main domain if enabled (or enable both workspace and forwarding on the domain)

sending to 2 emails - this one is a workspace enabled account

{
  "displayName": "any-gcs-bucket-event",
  "documentation": {
    "content": "event on gcs bucket",
    "mimeType": "text/markdown"
  },
  "userLabels": {},
  "conditions": [
    {
      "displayName": "GCS Bucket - Request count",
      "conditionThreshold": {
        "filter": "resource.type = \"gcs_bucket\" AND metric.type = \"storage.googleapis.com/api/request_count\"",
        "aggregations": [
          {
            "alignmentPeriod": "120s",
            "crossSeriesReducer": "REDUCE_NONE",
            "perSeriesAligner": "ALIGN_MEAN"
          }
        ],
        "comparison": "COMPARISON_GT",
        "duration": "0s",
        "trigger": {
          "count": 1
        },
        "thresholdValue": 0
      }
    }
  ],
  "alertStrategy": {
    "autoClose": "604800s"
  },
  "combiner": "OR",
  "enabled": true,
  "notificationChannels": [
    "projects/anthos-ol/notificationChannels/278200572621676368"
  ]
}