taers232c / GAMADV-XTD3

Command line tool to manage Google Workspace

Change the default name of gcp project and Oauth consent screen app name at creation. #272

Closed chromestrong closed 2 years ago

chromestrong commented 2 years ago

Today, the "GAM Project Creation" app will create a GCP project generically named "GAM Project" and set the app name in the Oauth consent screen to "GAM".

For easy identification and sanity reasons it is requested that this be changed so that the name of the GCP project be updated to the actual Project ID of the GCP Project directly after its creation (since it needs to be created first) and the app name in the Oauth consent screen be updated from "GAM" to the actual Project ID.

This will help administrators and users quickly identify these authorizations and projects when looking at their authorized apps, API Controls, and DWD authorizations.

Please do the needful.

taers232c commented 2 years ago

See: https://github.com/taers232c/GAMADV-XTD3/wiki/Authorization#create-a-new-project-for-gam-authorization

Under Advanced, use the appname and projectname arguments.

Ross


NoSubstitute commented 2 years ago

@taers232c - I'm assuming this is something Google changed in the project creation process? Because before (not long ago) one had to fill in two names on the create credentials page. Both the internal name and the external name. Nowadays it only asks for the internal name, which isn't visible to anyone, outside of the actual project page.

chromestrong commented 2 years ago

@taers232c I understand that this can be changed by the admin, but I am requesting that the default behavior be changed since so many admins across hundreds of enterprise projects don't do this by default. It makes the API Controls and DWD Controls in the Admin Console a mess.

NoSubstitute commented 2 years ago

@chromestrong - the Client ID is as searchable in Resource Manager as the Project ID, so it doesn't help anyone, as displaying the Project ID in DwD is just as "anonymous" to the viewer.

For large organisations it is much better to implement a policy that "everyone using GAM in our organisation, must provide a relevant appname on the command line when creating their project", since the option is right there, made for exactly that situation, instead of pushing a global change onto all other users, who do not need it, and aren't helped by it.

Pushing the ProjectID there for everyone doesn't help anyone, any more than already having the ClientID does.

To make the information in DwD really obvious a real appname, with relevant info, must be set. ProjectID isn't it.

jay-eleven commented 2 years ago

I agree with @NoSubstitute. GAM allows providing custom values to suit specific needs in case defaults don't work so a global change is (very) debatable. 😅

chromestrong commented 2 years ago

The project ID is a better default than just "GAM" or "GAM Project". You guys don't seem to be understanding this from an admin perspective: in the API controls and DWD controls on Google Workspace (not GCP) it says whatever you set the Project Name to and the Oauth App Name to. This requires an Admin to waste time by going down the rabbit hole to determine what belongs to whom; Google Workspace admins may not have full access to GCP, and policy is reactive and requires tooling to be 100%. If you guys update the code so that it changes the default, then Google Workspace and Security Admins get 5-10 minutes back for every one of these they would have to look up.

taers232c commented 2 years ago

Your original request asked that the default values for the project name and app name be the project id. How does that help determine what belongs to whom? Your last comment mentioned client ID as the default. How many gam projects do you have, and why are the workspace admins needing to look them up?

chromestrong commented 2 years ago

I meant to say project ID. That clearly identifies the GCP project connected to this instead of having to hunt and pick through several GAM projects. This is a security and accountability concern. Internally, and with 3 of the last 4 customers I have worked with, I have had this issue despite having a written policy to have the gam owners update these fields. 1 has decided not to allow it since manual intervention is required to resolve it on either side.

NoSubstitute commented 2 years ago

You are missing the point. Having the ProjectID in DwD isn't giving you any more information than you already have.

The ClientID is unique, and if you really need to act on the ProjectID, in any way, even if only to know who created it, you need to go into Resource Management in GCP, where you need proper access rights to do anything at all. As superadmin you can give yourself proper access, and then it doesn't matter whether you have the ProjectID or the ClientID, because both are searchable.

The randomly created ProjectID tells you absolutely nothing about who created it or what the "app" does, unless it is truly named after who and what, which is exactly what the option appname is for when creating the project.

Global changes should benefit everyone, and this request doesn't, especially not since there are already options to do what you want for those that need it.

NoSubstitute commented 2 years ago

It is also possible to fix after the fact, in Resource Manager, or by telling the users themselves to fix their appnames in GCP, Oauth Consent Screen.

taers232c commented 2 years ago

I don't want to change the default behavior but I could do the following. Make gam.cfg variables:

- project_name_template - Default: GAM Project
- project_appname_template - Default: GAM
- project_saname_template - Default: empty
- project_displaysaname_template - Default: empty

Gam would replace #projectid# in the templates with the project ID. E.g.:

project_name_template = "#projectid#"
project_appname_template = "GAM #projectid#"
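The naming rules proposed in this comment, as an added example that is not GAMADV-XTD3's own code: a gam.cfg-style [DEFAULT] section is parsed, #projectid# is substituted into the template values, and the simpler use_projectid_as_name switch proposed in the next comment is honoured as well. The precedence between the switch and the templates, the helper names, and the sample configs are assumptions made here; the project ID itself is never altered, which is why a selector on the gam-project- prefix keeps working.

```python
"""Resolve GCP project name and OAuth consent-screen app name from gam.cfg options.

Added example; not GAM's own implementation. Assumed precedence: if
use_projectid_as_name is True the project ID is used for both names,
otherwise the templates are used with #projectid# substituted.
"""
import configparser

PLACEHOLDER = "#projectid#"
GAM_ID_PREFIX = "gam-project-"          # project IDs GAM generates start with this

# Constructed sample configs for this example (not real gam.cfg files)
CFG_DEFAULTS = "[DEFAULT]\n"
CFG_TEMPLATE = (
    "[DEFAULT]\n"
    "project_name_template = #projectid#\n"
    "project_appname_template = GAM #projectid#\n"
)
CFG_SWITCH = (
    "[DEFAULT]\n"
    "use_projectid_as_name = True\n"
    "project_appname_template = ignored #projectid#\n"   # overridden by the switch (assumed)
)


def resolve_names(cfg_text: str, project_id: str) -> dict:
    """Return the project ID plus the display names the thread's options would produce."""
    # interpolation=None so '%' or '#' in values are taken literally
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    d = cp["DEFAULT"]
    if d.getboolean("use_projectid_as_name", fallback=False):
        name, appname = project_id, project_id
    else:
        name = d.get("project_name_template", "GAM Project").replace(PLACEHOLDER, project_id)
        appname = d.get("project_appname_template", "GAM").replace(PLACEHOLDER, project_id)
    # The ID is returned unchanged: only the cosmetic names are affected.
    return {"project_id": project_id, "project_name": name, "appname": appname}


def is_gam_created(project_id: str) -> bool:
    """Mirror the 'gam' project selector: match on the project ID prefix, not the name."""
    return project_id.startswith(GAM_ID_PREFIX)


if __name__ == "__main__":
    for cfg in (CFG_DEFAULTS, CFG_TEMPLATE, CFG_SWITCH):
        print(resolve_names(cfg, "gam-project-abc-xyz-123"))
```

The names are only labels shown in the Admin Console; as the thread points out, the client ID remains the value that actually identifies the authorization.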

taers232c commented 2 years ago

Simpler solution: use_projectid_as_name = True/False

chromestrong commented 2 years ago

It's a start. I am trying to avoid this from happening going forward (see image).

taers232c commented 2 years ago

I've made the change, will be released later this afternoon.

taers232c commented 2 years ago

See: https://github.com/taers232c/GAMADV-XTD3/wiki/GamUpdates

taers232c commented 2 years ago

Jay,

The project ID will still be gam-project-abc-xyz-123, the project name changed from GAM Project to gam-project-abc-xyz-123, and the app name changed from GAM to gam-project-abc-xyz-123.

Ross

On Jun 1, 2022, at 7:07 AM, Jay @.***> wrote:

I may be wrong, but I think this change will make commands that use gam as a project selector unreliable:

::= current | gam | | (filter ) | (select | | )

gam - Projects accessible by the administrator that were created by Gam, i.e., their project ID begins with gam-project- ⬅⬅⬅⬅⬅⬅⬅⬅ Source

Maybe a small note can be added to documentation that clarifies that changing the default use_projectid_as_name = False in gam.cfg to use_projectid_as_name = True might provide unreliable results. Ross, let me know if I can help.

NoSubstitute commented 1 year ago

By blurring the bit that's relevant, you just made my point. The name isn't relevant. The client_id is.

It's also the only true way to identify external apps, and services, by their client_id.

Things can be named anything, but the client_id is the real identity.