Integrating your Google identity provider
substrate create-admin-account -quality <quality> will ask for several inputs, which this page will help you provide from your Google identity provider.
These steps must be completed by a Google Super Admin. Be mindful, too, of which Google account you're using if you're signed into more than one in the same browser profile. Google has a habit of switching accounts when you least expect it.
Create a custom schema for assigning IAM roles to Google users
Visit https://admin.google.com/ac/customschema in a browser (or visit https://admin.google.com, click Users, click More, and click Manage custom attributes)
Click ADD CUSTOM ATTRIBUTE
Enter “AWS” for Category
Under Custom fields, enter “RoleName” for Name, select “Text” for Info type, select “Visible to user and admin” for Visibility, select “Single Value” for No. of values
Click ADD
Create and configure an OAuth OIDC client
Visit https://console.developers.google.com/ in a browser
Click CREATE PROJECT
Name the project and, optionally, put it in an organization (but don't worry if you can't put it in an organization, because everything still works without one)
Click CREATE
Click OAuth consent screen
Select “Internal”
Click CREATE
Enter an Application name
Enter your Intranet DNS domain name in Authorized domains
Click SAVE AND CONTINUE
Click Credentials in the left column
Click CREATE CREDENTIALS and then OAuth client ID in the expanded menu
Select “Web application” for Application type
Enter a Name, if desired
Click ADD URI in the Authorized redirect URIs section
Enter “https://intranet-dns-domain-name/login” (substituting your just-purchased or just-transferred Intranet DNS domain name)
Click CREATE
Use the credentials to respond to substrate create-admin-account's prompts
Visit https://console.cloud.google.com/apis/library/admin.googleapis.com in a browser
Confirm the project you created a moment ago is selected (its name will be listed next to “Google Cloud Platform” in the header)
Click ENABLE
Authorize users to use AWS
Visit https://admin.google.com/ac/users in a browser (or visit https://admin.google.com and click Users)
For every user authorized to use AWS:
Click the user's name
Click User information
In the AWS section, click Add RoleName and enter the name (not the ARN) of the IAM role they should assume in your admin account (“Administrator” for yourself as you're getting started; for other users, if the role is not “Administrator” or “Auditor”, make sure you've followed adding non-Administrator roles for humans first)
Click SAVE
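Once RoleName is populated for your users, it is worth periodically checking who holds which role, since that attribute is what decides AWS access. The following added example (not part of Substrate or this page) audits a Directory API users.list response fetched with projection=full and customFieldMask=AWS; the user records and the ALLOWED_ROLE_NAMES set are constructed assumptions, so extend the set with any non-Administrator human roles you created.

```python
import json
from collections import defaultdict

# Assumption for this example: only these role names should appear in the
# AWS.RoleName attribute. Add any non-Administrator human roles you created.
ALLOWED_ROLE_NAMES = {"Administrator", "Auditor"}

# Constructed sample shaped like the Directory API users.list response
# (projection=full, customFieldMask=AWS). These are not real accounts.
SAMPLE_USERS_JSON = """
{
  "users": [
    {"primaryEmail": "alice@example.com",
     "customSchemas": {"AWS": {"RoleName": "Administrator"}}},
    {"primaryEmail": "bob@example.com",
     "customSchemas": {"AWS": {"RoleName": "Auditor"}}},
    {"primaryEmail": "carol@example.com",
     "customSchemas": {"AWS": {"RoleName": "arn:aws:iam::123456789012:role/Administrator"}}},
    {"primaryEmail": "dave@example.com"}
  ]
}
"""

def role_name_for(user):
    """Return the AWS.RoleName custom attribute, or None if the user has none."""
    return user.get("customSchemas", {}).get("AWS", {}).get("RoleName")

def audit_role_names(users_json, allowed=ALLOWED_ROLE_NAMES):
    """Group users by the AWS access their RoleName grants.

    Result keys: one per valid role name (e.g. "Administrator", review it),
    "unauthorized" for users with no RoleName (no AWS access via Substrate),
    and "unknown_role" for values that are not a bare allowed role name
    (an ARN pasted instead of the name, a typo, or a role you never created).
    """
    report = defaultdict(list)
    for user in json.loads(users_json)["users"]:
        email = user["primaryEmail"]
        role = role_name_for(user)
        if role is None:
            report["unauthorized"].append(email)
        elif role not in allowed:
            report["unknown_role"].append((email, role))
        else:
            report[role].append(email)
    return dict(report)

if __name__ == "__main__":
    print(json.dumps(audit_role_names(SAMPLE_USERS_JSON), indent=2))
```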
With your identity provider integrated, jump to deleting unnecessary root access keys.