How to Add Superuser Account in Google Cloud Platform

google-cloud-platform

We need a backup superuser account. Docs say how to add an organizational admin, but that has less permissions and I am already running into permission issues. How to add a super user account? I have been on with google support for 3 hours and they have their heads…well..somewhere.

Best Answer

In my opinion, you can achieve your goal by granting Super Admin role to at least one extra account. This role is pre-built and keep in mind that:

After you assign the Super Admin role to a user, it can take up to 24 hours for the calendar privileges to be available.

If you use G Suite you can follow this guide to grant a Super Admin role.

In addition, have a look at the Creating and Managing Organizations:

Each G Suite or Cloud Identity account is associated with exactly one Organization. An Organization is associated with exactly one domain, which is set when the Organization resource is created.

When the Organization resource is created, we communicate its availability to the G Suite or Cloud Identity super admins. These super admin accounts should be used carefully because they have a lot of control over your organization and all the resources underneath it. For this reason, we do not recommend using G Suite or Cloud Identity super admin accounts for the day-to-day management of your organization. For more information about using G Suite or Cloud Identity super admin accounts in Google Cloud, see Super Administrator Account Best Practices.

EDIT Please update your question with details about your permission issues with Organizational admin, but check the documentation first:

The Organization admin, once assigned, can assign IAM roles to other users. The responsibilities of the Organization admin role are:

Defining IAM policies

Determining the structure of the Resource Hierarchy

Delegating responsibility over critical components such as Networking, Billing, Resource Hierarchy through IAM roles

Following the principle of least privilege, this role does not include the permission to perform other actions, such as creating folders.

Check Cloud Identity and Access Management (IAM) documentation and IAM best practice guides to find more details.

Related Solutions

Sql-server – Google Cloud with SQL Server Express – add database permissions

Using Developers Console, you can check the sa username's password in two different places :

under Compute Engine > VM instances, click on your deployed ASP.NET instance and look for c2d-property-saPassword value under Custom metadata.
under Deployment Manager > Deployments , click on your deployment. In right pane look for SQL Server Express Administrator and Initial SQL Express Administrator password values.

Using PowerShell command line from inside of your deployed ASP.NET Windows instance, you can run this one-line command to get the sa initial password:

Invoke-RestMethod http://metadata.google.internal/computeMetadata/v1/instance/attributes/c2d-property-saPassword -Headers @{"Metadata-Flavor"="Google"}

How to modify the existing access scope of a Google Cloud Platform service account

I believe eventually you will be able to do this using IAM permissions. At the moment I do not see the options to add Cloud DNS roles in the IAM Console. In order to authorize requests to Cloud DNS you must use one of the scopes describe in this article.

i.e.

https://www.googleapis.com/auth/ndev.clouddns.readwrite
https://cloud.google.com/dns/api/authorization

If you are using the default service account, the scope has to be defined during the VM creation in the scope flag.

i.e.

gcloud compute --project "Myproject" instances create "instance-8" --zone "us-central1-f" --machine-type "n1-standard-1" --network "default" --maintenance-policy "MIGRATE" --scopes default="https://www.googleapis.com/auth/devstorage.full_control","https://www.googleapis.com/auth/ndev.clouddns.readwrite" --image "/debian-cloud/debian-8-jessie-v20161020" --boot-disk-size "10" --boot-disk-type "pd-standard" --boot-disk-device-name "instance-8"

If you associated the VM to a non-default service account during its creation, you can add Editor or Owner permissions to that account in the IAM Console. Nevertheless this might provide a wider scope that the one you are looking for.

Best Answer

Related Solutions

Sql-server – Google Cloud with SQL Server Express – add database permissions

How to modify the existing access scope of a Google Cloud Platform service account

Related Topic