Pre-Onboarding for GCP Organization Accounts (Read/Read-Write)

Introduction

Before onboarding a GCP billing project with Read or Read-Write permissions into the platform, there are some pre-onboarding steps that need to be followed.

These begin with retrieving the Organization ID and service account email address. After that, users must access the Cloud Shell Terminal in GCP, navigate to the appropriate directory, and run a few scripts – as explained in the steps provided below.

After the successful execution of these scripts, users can proceed with onboarding the GCP Organization account into the platform. 

📘

NOTE:

Before going ahead with the organization onboarding process, ensure that you complete the billing account onboarding prerequisites. Refer to this guide for more details: https://docs.corestack.io/docs/onboarding-a-gcp-billing-account-with-terraform

Pre-Onboarding Steps

Perform the following pre-onboarding steps:

Retrieve the Organization ID

First, users will need to get the organization ID from the hierarchy.

In GCP, the organization ID is listed under the ID column beside the organization you want to onboard.

After you get the organization ID, we suggest copy/pasting the details into a notepad so it's easier to use it when prompted in the platform.

Retrieve the Service Account Email

Perform the following steps to retrieve the service account email:

  1. Navigate to the billing project.

  2. To get the service account that you had created to onboard the billing project into the platform, navigate to IAM > Principal column.

    Again, we suggest pasting the service account email into a notepad so that you can easily access this information when prompted.

Run Scripts in the GCP Cloud Shell Terminal - Change Directory

On the Cloud Shell Terminal screen in GCP, switch the directory using the below command(s):

For Read-Only Permissions:

  • cd Onboarding_Templates/GCP/Assesment-module-org/core

For Read-Write Permissions:

  • cd Onboarding_Templates/GCP/Assesment+gov-module-org/core

Run Scripts in the GCP Cloud Shell Terminal - Add IDs and Execute Script

Next, on the Cloud Shell Editor screen, run this command: sh run.sh

A message is displayed asking if you have the Organization-Level Security Admin Role and Service Usage Admin permissions that are required to successfully run the script.

In the command prompt, type yes or no.

  • If you type no, the script will exit without executing.
  • If you type yes, then you will get prompts to enter the Organization ID and service account email.

Enter the Organization ID and service account email from the notepad where you had pasted these details earlier.

A message is displayed asking if you have assigned the predefined role needed to successfully run the script.

  • In the command prompt, type yes.
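The run.sh prompts above rely on a typed yes and on values pasted from a notepad. The following preflight check is an added example, not part of the vendor's scripts: it validates the pasted values and confirms the two roles are bound to your account on the organization before you answer yes. The role IDs are the standard GCP IDs assumed to match the role names in the prompt, and all function names are hypothetical.

```shell
# Added example, not part of the Onboarding_Templates scripts.
# Assumption: the prompt's "Security Admin" and "Service Usage Admin" map to these IDs.
REQUIRED_ROLES="roles/iam.securityAdmin roles/serviceusage.serviceUsageAdmin"

# Organization IDs are digits only; rejects pasted prefixes and stray whitespace.
valid_org_id() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# User-managed service account: 6-30 char name @ <project>.iam.gserviceaccount.com
valid_sa_email() {
  printf '%s\n' "$1" | grep -Eq \
    '^[a-z][a-z0-9-]{4,28}[a-z0-9]@[a-z0-9.-]+\.iam\.gserviceaccount\.com$'
}

# Reads role IDs on stdin (one per line); prints each required role that is absent.
missing_roles() {
  held=$(cat)
  for role in $REQUIRED_ROLES; do
    printf '%s\n' "$held" | grep -Fxq "$role" || printf '%s\n' "$role"
  done
}

# Roles bound directly to a member on the organization.
# Roles inherited through group membership do not appear in this output.
org_roles_for() {  # $1 = organization ID, $2 = member, e.g. user:alice@example.com
  gcloud organizations get-iam-policy "$1" \
    --flatten='bindings[].members' \
    --filter="bindings.members:$2" \
    --format='value(bindings.role)'
}

# Run in Cloud Shell before `sh run.sh`: preflight <org-id> <service-account-email>
preflight() {
  valid_org_id "$1"   || { echo "Organization ID must be digits only" >&2; return 1; }
  valid_sa_email "$2" || { echo "Not a service account email: $2" >&2; return 1; }
  me="user:$(gcloud config get-value account 2>/dev/null)"
  gaps=$(org_roles_for "$1" "$me" | missing_roles)
  [ -z "$gaps" ] || { echo "Not bound directly on organization: $gaps" >&2; return 1; }
  echo "Preflight passed for organization $1"
}
```

A non-empty result from the role check means the role is not bound directly to your account; if access comes through a group, confirm it with your organization administrator.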

Run Scripts in the GCP Cloud Shell Terminal - Final Steps

After the script execution is successful, run the following commands:

cd ..
cd GCP_Proj_Org_API_Enabler/
sh run.sh

Enter the Organization ID when prompted.

After the successful execution of the script, you can proceed with GCP account onboarding in the platform.