CeCinsRD

Reputation: 11

Add cloud identity to existing Google Cloud Projects

I have 2 Google Cloud projects with GKE and various other services enabled and running. None of those projects has an organization resource assigned. There are also many users and service accounts inside the projects that are used in production. We use (for example) [email protected] for those projects. I would like to add Google Identity Free, so that I will be able to use Azure AD users with SSO.

So I created a new Google Identity account with the username [email protected], which is not a member of my existing Gcloud projects. The domain (example.com) has not been verified so far.

What will I have to do to get this running with my existing projects? I read that first I would need an organization resource, which would be created after I verify the domain. Is it safe to do that? Will I afterwards be able to link my existing projects to this new organization without downtime and loss of existing permissions?

I don't understand how a new organization could be recognized by my existing projects, because there is no link between them.

The goal of course is not to have any downtime.

Sure, I would purchase Google support, but that's only possible if you have an organization, which I don't have. I'm really confused and troubled.

Looking forward to any suggestions. Many thanks in advance! Roland

Upvotes: 1

Views: 1411

Answers (2)

Jose Luis Delgadillo

Reputation: 2448

Your Cloud Identity organization is created when you finish the signup and setup steps for your Cloud Identity service.

To answer your questions:

What will I have to do to get this running with my existing projects?

The simple answer is: Migrate projects and billing accounts and set permissions. This documentation explains how to Grant access to billing accounts and Grant access to projects.

Will I afterwards be able to link my existing projects to this new organization without downtime and loss of existing permissions?

Once a Google Cloud Organization resource has been created for your domain, you can move your existing projects into the organization. There should be NO server downtime or impact as a result of migration.

Take into consideration that the link between projects and billing accounts is preserved, irrespective of the hierarchy.

To migrate a project you will need the following permissions:

resourcemanager.projects.create on the destination organization, typically granted by the Project Creator role.

resourcemanager.projects.update and resourcemanager.projects.setIAMPolicy on the project you are migrating, typically granted by the Owner role.

You can get further information in the following link: Migrating projects with no organization


Additionally, to contact support you can create a case using this link; it doesn't matter if you don't have an organization.

Upvotes: 0

guillaume blaquiere

Reputation: 75715

Firstly, you need to create your new organization. Start by creating a Google Workspace environment (go to https://admin.google.com and create it). You can create the org with a Google Workspace free trial and then cancel your subscription, no worry, I'm paying nothing!

Secondly, with your new Google Workspace account and your new user, go to https://console.cloud.google.com. Here, select your organization and go to IAM. Add as a member the user account under which your projects were created in the "No Organization" organization, and grant it the role Organization Administrator.


Perfect. Now go back to your user account (freshly granted) and go to Resource Manager. I use the project picker window to get there.


And eventually, migrate your project. Select one project from "No Organization", click on Migrate, select the Organization, and validate. That's all. No downtime.


Upvotes: 1
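A scripted pre-flight check for the migration both answers describe, added here as an example; it is not code from the question, the answers, or Google. It assumes the JSON shape produced by `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud organizations get-iam-policy ORG_ID --format=json`, a role-to-permission table deliberately restricted to the two roles the first answer names (Project Creator and Owner), and constructed sample policies with made-up example.com identities. It checks that the identity doing the move holds the listed permissions on both the destination organization and the project, ignores conditional bindings since they may not apply at move time, and diffs a before/after snapshot of the project's IAM bindings so the "no loss of existing permissions" claim can be verified rather than assumed. The `gcloud` commands in `migration_plan` are standard CLI commands.

```python
"""Pre-flight check for moving a "No organization" project into a new
Cloud Identity / Workspace organization. Added example, not from the page."""
import json

# Role -> permission table limited to what the first answer lists.
# Assumption: this is a deliberate subset of the real roles. Any role not in
# the table contributes nothing, which is conservative: it can only produce
# a false "missing" result, never a false "ready".
ROLE_PERMISSIONS = {
    "roles/resourcemanager.projectCreator": {"resourcemanager.projects.create"},
    "roles/owner": {"resourcemanager.projects.update",
                    "resourcemanager.projects.setIamPolicy"},
}
REQUIRED_ON_ORG = {"resourcemanager.projects.create"}
REQUIRED_ON_PROJECT = {"resourcemanager.projects.update",
                       "resourcemanager.projects.setIamPolicy"}


def granted_permissions(policy, member):
    """Permissions `member` holds through unconditional bindings in `policy`."""
    perms = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:   # conditional grant: may not hold at move time
            continue
        if member in binding.get("members", []):
            perms |= ROLE_PERMISSIONS.get(binding["role"], set())
    return perms


def preflight(org_policy, project_policy, member):
    """Permissions still missing, per resource, before the move can be run."""
    return {
        "organization": sorted(REQUIRED_ON_ORG - granted_permissions(org_policy, member)),
        "project": sorted(REQUIRED_ON_PROJECT - granted_permissions(project_policy, member)),
    }


def with_binding(policy, role, member):
    """Return a copy of `policy` with an unconditional (role, member) binding added."""
    bindings = [dict(b) for b in policy.get("bindings", [])]
    bindings.append({"role": role, "members": [member]})
    return {"bindings": bindings}


def binding_set(policy):
    """Flatten a policy into (role, member) pairs so two snapshots can be compared."""
    return {(b["role"], m) for b in policy.get("bindings", []) for m in b.get("members", [])}


def lost_bindings(before, after):
    """(role, member) pairs present before the move but missing afterwards."""
    return sorted(binding_set(before) - binding_set(after))


def migration_plan(project_id, org_id):
    """gcloud commands: snapshot IAM, move, verify the new parent, re-snapshot, check billing."""
    return [
        f"gcloud projects get-iam-policy {project_id} --format=json > before.json",
        f"gcloud projects move {project_id} --organization={org_id}",
        f"gcloud projects describe {project_id} --format='value(parent.id)'",
        f"gcloud projects get-iam-policy {project_id} --format=json > after.json",
        f"gcloud beta billing projects describe {project_id}",
    ]


# Constructed sample policies (not real gcloud output). The mover is the old
# account that owns the project; it has just been made Organization
# Administrator as the second answer describes, but nothing more.
MEMBER = "user:roland@example.com"
ORG_POLICY = {"bindings": [
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": [MEMBER, "user:admin@example.com"]},
    # A conditional Project Creator grant: deliberately not counted.
    {"role": "roles/resourcemanager.projectCreator", "members": [MEMBER],
     "condition": {"title": "expires", "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
]}
PROJECT_POLICY = {"bindings": [
    {"role": "roles/owner", "members": [MEMBER]},
    {"role": "roles/editor", "members": ["serviceAccount:deploy@my-proj.iam.gserviceaccount.com"]},
]}
ORG_POLICY_FIXED = with_binding(ORG_POLICY, "roles/resourcemanager.projectCreator", MEMBER)

if __name__ == "__main__":
    print(json.dumps(preflight(ORG_POLICY, PROJECT_POLICY, MEMBER)))
    print(json.dumps(preflight(ORG_POLICY_FIXED, PROJECT_POLICY, MEMBER)))
    print("\n".join(migration_plan("my-proj", "123456789012")))
```

The first `preflight` call reports `resourcemanager.projects.create` missing on the organization: Organization Administrator was granted, but the only Project Creator binding is conditional and is not trusted. After `with_binding` adds an unconditional Project Creator grant the check is clean. Run `migration_plan`'s commands in order; if `lost_bindings(before.json, after.json)` is empty and `parent.id` shows the organization ID, the move preserved the project's IAM policy and the billing link, which is the outcome both answers promise.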
