Google Cloud Setup Guide

Overview

First things first: you'll need to install cloudtamer.io in your Google Cloud environment before you can complete the steps in this setup guide. We also assume you've completed at least steps 1, 2, and 3 in Google's onboarding checklist.

Once you have successfully completed the installation, you'll need to complete a few more steps to pull your Google Cloud information into cloudtamer.io.

The steps in the post-installation setup process are:

  1. Create a Google Cloud project for the service account. (You'll want the service account to be located in its own Google Cloud project.) Note: Google Cloud projects are different from cloudtamer.io projects, and are equivalent to cloudtamer.io accounts.
  2. Create a service account and service account key within Google Cloud.
  3. Assign org-wide permissions.
  4. Create a billing account within Google Cloud and attach it to the service account.
  5. Set up billing data export to BigQuery.
  6. Enable the APIs for the services required for cloudtamer.io management.
  7. Add the service account to cloudtamer.io.
  8. Add the billing account to cloudtamer.io as a billing source.
  9. Add Google Cloud projects to cloudtamer.io as accounts.

This setup guide will give step-by-step instructions to complete the process and get you up and running with Google Cloud and cloudtamer.io.

Create a Project for the Service Account

In the next few sections, you will create a service account and upload its information to cloudtamer.io. Before you do that, you must create a dedicated Google Cloud project to house the service account. If you've already created a Google Cloud project for the cloudtamer.io deployment, you can add the service account to that project and skip to the "Create a Service Account and Service Account Key (SAK)" section below.

If you wish to build out your resource hierarchy before creating this project, you can follow steps 5 and 6 in Google's onboarding checklist before you create the project, but this is not required.

  1. Log into your G Suite account and navigate to console.cloud.google.com.
  2. On the top blue ribbon, a drop-down menu will say Select a project. Click this menu to open the project selection screen.
  3. On the project selection screen, click New Project on the top right.
  4. Enter a Project name and select the Organization and Location (parent organization or folder) from the drop-down menu. Set and take note of the Project ID that is shown below the Project Name field as you'll need the ID later.
  5. Click Create.

Enable the APIs for the Resource Manager and Cloud Billing

  1. Log into your G Suite account and navigate to console.cloud.google.com.
  2. Select the project you created for your service account from the drop-down menu on the top blue ribbon.
  3. In the left navigation menu, click APIs & Services.
  4. Click Enable APIs and Services at the top of the screen.
  5. Search for Cloud Resource Manager API. Click on this value in the result set.
  6. Click Enable.
  7. Click the back arrow to return to the API library.
  8. Search for Cloud Billing API. Click on this value in the result set.
  9. Click Enable.
  10. Click the back arrow to return to the API library.
  11. Search for Identity and Access Management (IAM) API. Click on this value in the result set.
  12. Click Enable.

Create a Service Account and Service Account Key (SAK)

Next, you will create a service account within Google Cloud that represents your Google Cloud organization. A service account is a special type of Google account intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs. You can read more about service accounts in Google's service account documentation.

To create the service account:

  1. Log into your G Suite account and navigate to console.cloud.google.com.
  2. Select the project you just created in the previous section from the drop-down menu on the top blue ribbon.
  3. In the left navigation menu, click IAM & Admin > Service Accounts.
  4. Click on the card for the project you created.
  5. Click Create Service Account below the top ribbon.
  6. Enter a Service Account Name, an optional Description, and click Create.
  7. Skip the Grant the service account access to project section by clicking Continue.
  8. Optional: grant other users access to this service account if you'd like other users to access the account. You can add a user's Google email address, Google Groups email address, Service account address, or G Suite domain to either text entry field. Users added to the Service Account Users Role field will be users, and users added to the Service Account Admins Role field will be administrators. For more information, see the Google documentation on Managing Service Account Impersonation.
  9. Click Done. If you already have your billing account(s) set up, you should be prompted to choose one to link to the project during this process. If you only have one billing account set up, it will be selected automatically. If you haven't set up a billing account yet or need to change it later, we'll show you how to do that below.
  10. Copy the email of the service account you just created because you'll need it in the next section when assigning org-wide permissions.
  11. From this page, create a SAK JSON file for this service account by doing the following:
    • Click the ellipsis menu icon under Actions on the right of the service account, and select Create Key.
    • With the Key Type set to JSON, click Create. This will download the SAK JSON file to your computer.
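
Before the SAK file is uploaded, it can be checked locally: that it really is a service account key (not, for example, an OAuth client file), that it belongs to the dedicated project, and that the file holding the private key is readable only by its owner. The following is an added example, not cloudtamer.io code; the project ID, email and key values are constructed placeholders, and the email suffix check assumes a user-created service account.

```python
import json
import os
import stat
import tempfile

REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")


def check_sak_file(path, expected_project_id):
    """Return a list of problems found in a downloaded SAK JSON file."""
    problems = []
    # The file holds a long-lived private key: only its owner should read it.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {mode:04o} exposes the key to group/other")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except ValueError as exc:
        return problems + [f"not valid JSON: {exc}"]
    key = key if isinstance(key, dict) else {}  # non-object JSON: all fields missing
    missing = [f for f in REQUIRED_FIELDS if not key.get(f)]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        problems.append("type is not 'service_account'")
    if key.get("project_id") != expected_project_id:
        problems.append("project_id is not the dedicated project")
    suffix = f"@{expected_project_id}.iam.gserviceaccount.com"
    if not str(key.get("client_email", "")).endswith(suffix):
        problems.append("client_email is not in the dedicated project")
    return problems


# Constructed sample key file; every value is a placeholder, not a real key.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "ct-svc-project",
    "private_key_id": "0000placeholder",
    "private_key": "PLACEHOLDER-NOT-A-REAL-KEY",
    "client_email": "cloudtamer-sa@ct-svc-project.iam.gserviceaccount.com",
}


def write_sample(mode):  # demo helper: writes SAMPLE_KEY with the given file mode
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(SAMPLE_KEY, fh)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    print(check_sak_file(write_sample(0o644), "ct-svc-project"))
```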

Assign Org-Wide Permissions

In addition to the roles you just assigned to the project housing the service account, you'll need to assign the service account permissions at the organization level. Here's how to do that:

  1. Log into your G Suite account and navigate to console.cloud.google.com.
  2. Select your organization from the drop-down menu on the top blue ribbon (NOT your project).
  3. In the left navigation menu, click IAM & Admin > IAM.
  4. Click Add.
  5. Type in the email of the service account.
  6. To grant the service account access to all current and future cloudtamer.io features, we recommend:
    • In the next Role drop-down menu, select Billing > Billing Account Viewer.
      • This permission gives cloudtamer.io access to read the billing account information. This must be done at the organization level.
    • Click Add Another Role.
    • In the Role drop-down menu, select Basic > Owner.
      • If you use Google Cloud folders, you can alternatively set this role on the folders you want cloudtamer.io to manage instead.
  7. To grant the minimal permissions instead (which will require modifying the permissions when cloudtamer.io adds Google Cloud capabilities), you can do the following:
    • In the Role drop-down menu, select Billing > Billing Account Viewer.
      • This permission gives cloudtamer.io access to read the billing account information. This must be done at the organization level.
    • Click Add Another Role.
    • In the next Role drop-down menu, select Resource Manager > Project IAM Admin.
      • This permission gives cloudtamer.io access to manage permissions on Google Cloud projects. If you use Google Cloud folders, you can alternatively set this role on the folders you want cloudtamer.io to manage instead.
    • Click Add Another Role.
    • In the next Role drop-down menu, select Roles > Organization Role Administrator.
      • This permission gives cloudtamer.io access to manage Google Cloud IAM roles for an organization. If you use Google Cloud folders, you can alternatively set this role on the folders you want cloudtamer.io to manage instead with the role Resource Manager > Folder IAM Admin.
    • Click Add Another Role.
    • In the next Role drop-down menu, select Resource Manager > Folder Viewer.
      • This permission gives cloudtamer.io access to view Google folders. If you use Google Cloud folders, you can alternatively set this role on the folders you want cloudtamer.io to manage instead.
  8. Click Save.
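
After saving, the organization's IAM policy can be checked against the two options above (Owner plus Billing Account Viewer, or the four minimal roles). The following is an added example, not cloudtamer.io code: it reads a policy in the JSON shape printed by `gcloud organizations get-iam-policy ORG_ID --format=json` and reports roles that are missing or that the guide does not ask for. The service account email and the sample policy are constructed.

```python
# Role IDs behind the console role names used in this guide.
BILLING_VIEWER = "roles/billing.viewer"        # Billing > Billing Account Viewer
OWNER = "roles/owner"                          # Basic > Owner
MINIMAL_ROLES = {
    BILLING_VIEWER,
    "roles/resourcemanager.projectIamAdmin",   # Resource Manager > Project IAM Admin
    "roles/iam.organizationRoleAdmin",         # Roles > Organization Role Administrator
    "roles/resourcemanager.folderViewer",      # Resource Manager > Folder Viewer
}


def audit_org_policy(policy, sa_email):
    """Compare one service account's org-level roles with the guide's two options."""
    member = f"serviceAccount:{sa_email}"
    granted = {b["role"] for b in policy.get("bindings", [])
               if member in b.get("members", [])}
    if OWNER in granted:
        profile, expected = "recommended", {BILLING_VIEWER, OWNER}
    else:
        profile, expected = "minimal", MINIMAL_ROLES
    return {
        "profile": profile,
        "missing": sorted(expected - granted),     # may be set on folders instead
        "unexpected": sorted(granted - expected),  # roles the guide does not ask for
    }


# Constructed sample: the account has three of the four minimal roles plus a
# stray Editor binding left over from an earlier change.
SA_EMAIL = "cloudtamer-sa@ct-svc-project.iam.gserviceaccount.com"
SA_MEMBER = "serviceAccount:" + SA_EMAIL
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/billing.viewer",
         "members": ["user:admin@example.com", SA_MEMBER]},
        {"role": "roles/resourcemanager.projectIamAdmin", "members": [SA_MEMBER]},
        {"role": "roles/iam.organizationRoleAdmin", "members": [SA_MEMBER]},
        {"role": "roles/editor", "members": [SA_MEMBER]},
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
    ],
    "etag": "constructed",
    "version": 1,
}

if __name__ == "__main__":
    print(audit_org_policy(SAMPLE_POLICY, SA_EMAIL))
```

A role reported as missing here may have been granted on folders instead, as the steps above allow; run the same check against each folder's policy in that case.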

Assign BigQuery Permissions (Only Special Cases)

If the BigQuery financial export is not present in one of the Google Cloud projects under the organization or folders you specified above, you'll need to assign the service account permissions at the project level where BigQuery is located. Here's how to do that:

  1. Log into your G Suite account and navigate to console.cloud.google.com.
  2. Select your project containing BigQuery from the drop-down menu on the top blue ribbon.
  3. In the left navigation menu, click IAM & Admin > IAM.
  4. Click Add.
  5. Type in the email of the service account.
  6. To grant the service account access to all current and future cloudtamer.io features, we recommend:
    • In the next Role drop-down menu, select BigQuery > BigQuery User.
    • Click Add Another Role.
    • In the next Role drop-down menu, select BigQuery > BigQuery Data Viewer.
  7. Click Save.

Create a Billing Account and Attach it to the Service Account

Now, you will create a billing account in Google Cloud. You'll need to have the Billing Account Creator role for your organization in order to create it.

If you already had your billing account(s) set up when you created your project, you should have been prompted to choose one to link to the project when you created it. If you only had one billing account set up, that account should have been automatically linked to your project. In either case, if you don't need to set up a new billing account, you can proceed to the "Set Up Billing Data Export to BigQuery" section below.

To add a new billing account or change the linked billing account:

  1. Log into your G Suite account and navigate to console.cloud.google.com.
  2. Select the project you created for your service account from the drop-down menu on the top blue ribbon.
  3. In the left navigation menu, click Billing.
    • If the project is not linked to a billing account and a billing account already exists, click Link a Billing Account, select the new billing account, and click Set Account. You can skip the remainder of the steps.
    • If the project is already linked to a billing account or you want to create a new one, proceed to the next step.
  4. Click Manage Billing Accounts.
  5. Click Add Billing Account.
  6. Select your organization from the drop-down menu, enter an account name, and select your country. Click Continue.
  7. Enter your account information. Please note that your selections here may be used for tax and identity verification. For more information, see Google's Create, Modify, or Close Your Billing Account article.
  8. Click Submit and Enable Billing. By default, the person who creates the billing account is a Billing Account Administrator for the billing account.
  9. From the home screen, in the left navigation menu, click Billing.
  10. Select your organization from the drop-down menu and click the My Projects tab.
  11. Click the ellipsis menu icon under Actions on the right of the service account and select Change Billing. Choose the new billing account from the list.
  12. Click Set Account.

Set Up Billing Data Export to BigQuery

You'll need to create a BigQuery dataset and enable the export of data to BigQuery to send Google Cloud information to cloudtamer.io. To do this, follow the steps below:

  1. Log into your G Suite account and navigate to console.cloud.google.com.
  2. Select the project you created for your service account from the drop-down menu on the top blue ribbon.
  3. In the left navigation menu, scroll to the Big Data section and click BigQuery.
  4. Click the name of your project in the left navigation menu. (This may be a variation of your project name with a unique identifier on it.)
  5. On the right side of the screen, click Create Dataset.
  6. Enter a Dataset ID.
  7. Select a Data location, which specifies the region where your data is stored.
  8. Set the Default table expiration to Never.
  9. Set the Encryption option to Google-managed key.
  10. Click Create dataset.
  11. In the left navigation menu, click Billing.
  12. Click Go To Linked Billing Account.
  13. In the billing navigation menu on the left, select Billing export.
  14. On the BigQuery export tab, click Edit settings.
  15. From the Project list, select your project.
  16. From the Billing export dataset list, select the dataset you created in steps 1-10 above. Note: the BigQuery API is required to export data to BigQuery. If the project you selected doesn't have the BigQuery API enabled, you will be prompted to enable it. Click Enable BigQuery API and the API will be enabled for you.
  17. Click Save.

Enable OAuth to Support GCP Federation for Users

  1. Log into your G Suite account and navigate to console.cloud.google.com.
  2. Select the project you created for your service account from the drop-down menu on the top blue ribbon.
  3. In the left navigation menu, click APIs & Services.
  4. Click OAuth consent screen.
  5. Select Internal and click Create.
  6. On the app registration screen, add the following required fields:
    1. App name
    2. User support email
    3. Developer contact information email
  7. Click Save and Continue until you are done with the form.

Generate OAuth Access Keys to Support GCP Federation for Users

  1. Log into your G Suite account and navigate to console.cloud.google.com.
  2. Select the project you created for your service account from the drop-down menu on the top blue ribbon.
  3. In the left navigation menu, click APIs & Services.
  4. Click Credentials.
  5. Click OAuth client ID.
  6. From the Application type drop-down, select: Web application.
  7. Add an application name.
  8. In the Authorized Redirect URIs section, click Add URI and enter: https://cloudtamer.example.com/api/v3/account/link-google-callback. Change "cloudtamer.example.com" to the URL of your cloudtamer.io instance.
  9. Click Create.
  10. Store the client ID and client secret for use in the cloudtamer.io application.

Add the Service Account to cloudtamer.io

  1. Log in to cloudtamer.io.
  2. In the left navigation menu, click Accounts > Google Cloud Service Accounts.
  3. Click Add New on the top right.
  4. Enter a Name and Description for the service account.
  5. Enter an OAuth Client ID and OAuth Client Secret (from the last section) to allow federation into a GCP subscription for users.
  6. Upload the Google Cloud SAK by clicking Upload and selecting the JSON file you saved in an earlier step.
  7. Click Create Google Cloud Service Account.

Add the Billing Account to cloudtamer.io as a Billing Source

  1. Log in to cloudtamer.io.
  2. In the left navigation menu, click Accounts > Billing Sources.
  3. Click Add New on the top right.
  4. For Account Type, select Google Cloud.
  5. Enter a Billing Source Name.
  6. Choose a Billing Start Date. This is the earliest month cloudtamer.io will try to fetch financial data for the billing source.
  7. Select the Service Account from the drop-down menu that will be used to access the billing data.
  8. Leave the Input Type drop-down set to Auto-fill so the form will query information from the Google API as you fill in the remainder of the form.
  9. In the Google Cloud Billing Account drop-down, select the Google Cloud billing account that this billing source will represent.
    • If using the manual input method, enter the Google Cloud Billing Account ID for the Google Cloud billing account you want to add. You can find it in the Google Cloud console by selecting the project name from the drop-down in the blue ribbon, clicking Billing in the left navigation menu, clicking Go to Linked Billing Account, and looking in the box that says Billing Account on the right. The billing account ID is the ID listed after the billing account name.
  10. In the Big Data Billing Export Project ID drop-down, select the Google Cloud Project where the Billing Account selected above is exporting financial data to BigQuery.
    • If using the manual input method, enter the Big Data Billing Export Project ID. You can find it in the Google Cloud console by clicking the drop-down in the blue ribbon. The project ID is displayed in the ID column next to the name of the project housing your service account. (This may be a variation of your project name with a unique identifier on it.)
  11. In the Big Query Billing Export Dataset ID drop-down, select the BigQuery dataset ID where the Billing Account selected above is exporting its financial data.
    • If the table where the Billing Account is exporting data does not have the usual name (gcp_billing_export_v1_{BILLING ACCOUNT NUMBER}), you should override the default table name by checking the Override the Default Table Name checkbox.
    • If using the manual input method, enter the Big Data Billing Export Dataset Name. You can find it in the Google Cloud console by selecting the project name from the drop-down in the blue ribbon, clicking BigQuery in the left navigation menu under Big Data. The name of your project will display in the left navigation menu (this may be a variation of your project name with a unique identifier on it), and the dataset name will display below.
  12. Click Create Billing Source.

Add Other Google Cloud Projects to cloudtamer.io as Accounts

Finally, you can start adding your Google Cloud projects to cloudtamer.io as accounts. Your service account is already connected, so there's no need to add the project that houses the service account.

To add your Google Cloud projects to cloudtamer.io as accounts, follow the steps in the "Add Your Google Cloud Project/Account(s) to a cloudtamer.io Project" section of the Add an Account article.
