GCP service account permissions

Give Netography's GCP service account permission to be added as a principal to the Pub/Sub subscription


📘

The following steps are a prerequisite for adding Netography as a principal to the Pub/Sub subscription.

Before you can add Netography as a principal, you must first grant Netography's GCP identifier the initial permission GCP requires to certify Netography is an entity that can be granted access to any of your resources.

These steps do NOT grant Netography any permissions or access to any resources in your organization.

The following steps only enable you to grant Netography select and specific access to individual resources in the future after these steps have been completed.

🚧

Organization Policy Administrator is needed to complete these steps.

Updating an organization policy requires the Organization Policy Administrator role roles/orgpolicy.policyAdmin

📘

Organizational policy requirement needed to complete these steps

iam.disableServiceAccountKeyCreationneeds to be set to Not enforced at the organization or project level

  1. Go to the project picker, click the All tab, and select your Organization, instead of your project.

  1. Go to the Organization Policies page
  1. Click Filter above the policies table, type Domain restricted sharing.
  1. You should see 1 policy with ID constraints/iam.allowedPolicyMemberDomains. Click on for the actions menu then Edit Policy.
  1. Choose Override parent's policy and select Replace for Policy enforcement.

  1. Add a new rule (or add a value to an existing rule) for the policy with Policy values set to Custom and Policy type set to Allow.
  2. Add value C04ddcbu8for Netography.

You're done!