Configuration With Google Cloud Platform
1. Overview
This document provides comprehensive, step-by-step instructions for configuring a new Google Cloud project and enabling the required APIs via the Google Cloud Console. These APIs are essential prerequisites for integrating Google Cloud services into your environment.
The following APIs must be enabled on your project:
1. Cloud Identity API (IAM API)
Manages identity and access control for Google Cloud resources.
2. Cloud Resource Manager API
Creates, reads, and updates metadata for Google Cloud Platform resource containers.
3. Cloud Asset API
Manages the history and inventory of Google Cloud resources.
4. Service Usage API
Enables and lists services that consumers want to use on Google Cloud Platform.
5. Recommender API
Provides usage recommendations and insights for Google Cloud resources.
6. Admin SDK API
Manages Google Workspace account resources and audit usage.
2. Prerequisites
Before proceeding with the configuration steps outlined in this document, ensure that the following prerequisites have been satisfied:
A valid Google account with access to the Google Cloud Console.
Sufficient permissions to create projects and enable APIs within the target Google Cloud organization.
Billing enabled on the target organization or project.
3. Creating a New Google Cloud Project
A dedicated Google Cloud project must be created to host the required APIs and associated resources. Follow the steps below to create a new project within your organization.
Step 3.1: Access the Project Selector

Navigate to the Google Cloud Console at console.cloud.google.com. In the top navigation bar, locate the project selector button — displayed as the name of the currently active project or organization (e.g., labs.forestall.io). Click this button to open the resource selection modal.
Step 3.2: Initiate New Project Creation

In the resource selection modal, click the "New project" button located in the upper-right corner. This action will redirect you to the New Project creation form.
Step 3.3: Configure the New Project
Complete the New Project form as follows:
Project name
Enter a descriptive name for the project (e.g., Test Project). Note that the Project ID is automatically generated and cannot be modified after creation.
Organization
Select the appropriate organization from the dropdown menu (e.g., labs.forestall.io). This association cannot be changed after the project is created.
Parent resource
Select the organization or folder under which this project will reside. This defines the hierarchy for access control and billing.
Once all fields have been completed, click the "Create" button to provision the new project.

Step 3.4: Select the Newly Created Project

After the project has been provisioned, return to the project selector in the navigation bar and select the newly created project from the list. Verify that the project name displayed in the top navigation bar reflects your selection before proceeding.
4. Enabling Required APIs
All required APIs must be individually enabled for the newly created project. To access the API Library, perform the following:

Click the hamburger menu icon (☰) in the top-left corner to open the navigation sidebar.
In the sidebar, navigate to APIs & Services and select "Enabled APIs & services".

On the APIs & Services overview page, click "+ Enable APIs and services" in the top toolbar to open the API Library.

4.1 Enable Cloud Identity API (IAM API)
The Cloud Identity API, accessed via the Identity and Access Management (IAM) API, manages identity and access control for Google Cloud resources, including the creation of service accounts and the management of access policies.
Option A — Command Line (Recommended):
Execute the following command in your terminal to enable this API programmatically:
Option B — Google Cloud Console (Manual):
a. Navigate to API Library
In the APIs & Services section, click "+ Enable APIs and services" to open the API Library.
b. Search for the API
Enter Cloud Identity in the search box and select the Identity and Access Management (IAM) API result.
c. Enable the API
On the Product details page, click the "Enable" button to activate the API for your project.
4.2 Enable Cloud Resource Manager API
The Cloud Resource Manager API enables programmatic management of Google Cloud Platform resource containers, including the creation, reading, and updating of project and folder metadata.

a. Navigate to API Library
In the APIs & Services section, click "+ Enable APIs and services" to open the API Library.
b. Search for the API
Enter cloudresourcemanager.googleapis.com in the search box and select the Cloud Resource Manager API result.
c. Enable the API
On the Product details page, click the "Enable" button to activate the API for your project.

4.3 Enable Cloud Asset API
The Cloud Asset API provides functionality for managing the history and inventory of Google Cloud resources, enabling asset export, search, and change tracking across your project.

a. Navigate to API Library
In the APIs & Services section, click "+ Enable APIs and services" to open the API Library.
b. Search for the API
Enter cloud asset api in the search box and select the Cloud Asset API result.
c. Enable the API
On the Product details page, click the "Enable" button to activate the API for your project.

4.4 Enable Service Usage API
The Service Usage API enables and lists services that consumers wish to use on Google Cloud Platform.

Note: This API may already be enabled by default on newly created projects. If the Product details page displays "API Enabled" with a green checkmark alongside a "Manage" button, the API is already active and no further action is required.

a. Navigate to API Library
In the APIs & Services section, click "+ Enable APIs and services" to open the API Library.
b. Search for the API
Enter service usage api in the search box and select the Service Usage API result.
c. Verify or Enable
If the API is not yet enabled, click the "Enable" button. If it already shows "API Enabled", no action is required.
4.5 Enable Recommender API
The Recommender API provides intelligent usage recommendations and insights for Google Cloud resources, helping optimize cost, security, and performance.

a. Navigate to API Library
In the APIs & Services section, click "+ Enable APIs and services" to open the API Library.
b. Search for the API
Enter recommender api in the search box and select the Recommender API result (not the GKE Recommender API).
c. Enable the API
On the Product details page, click the "Enable" button to activate the API for your project.

4.6 Enable Admin SDK API
The Admin SDK API enables programmatic management of Google Workspace account resources and audit usage, facilitating integration with directory services, reporting, and administrative controls.

a. Navigate to API Library
In the APIs & Services section, click "+ Enable APIs and services" to open the API Library.
b. Search for the API
Enter Admin api in the search box and select the Admin SDK API result.
c. Enable the API
On the Product details page, click the "Enable" button to activate the API for your project.

5. Creating a Service Account and Assigning Organization-Level Roles
A service account must be created within the project and subsequently granted the required IAM roles at the organization level. This enables the service account to access and operate on resources across the organization hierarchy.
Step 5.1: Navigate to Service Accounts

In the Google Cloud Console, open the navigation sidebar by clicking the hamburger menu icon (☰) in the top-left corner. Navigate to IAM & Admin and select Service Accounts from the submenu. The Service Accounts page for the current project will be displayed.
Step 5.2: Create a New Service Account
On the Service Accounts page, click "+ Create service account" in the top toolbar. The Create service account panel will open on the right side of the screen.
Complete the form fields as follows:
Service account name
Enter a descriptive display name (e.g., Test Service Account).
Service account ID
This field is auto-populated based on the name (e.g., test-service-account). It forms part of the service account's email address and cannot be changed after creation.
Service account description
Optionally, provide a brief description of the service account's intended purpose.

Note: Upon completion of this step, the service account's full email address will be generated in the format:
<service-account-id>@<project-id>.iam.gserviceaccount.com
This address is used to identify the service account when granting access to resources.
Click "Create and continue" to proceed. The Permissions and Principals with access steps are optional and may be skipped at this stage. Click "Done" to finalize the service account creation.
Step 5.3: Navigate to the Organization Level

The required roles must be assigned at the organization level, not at the project level. To switch context to the organization:
Click the project selector button in the top navigation bar.
In the resource selection modal, locate and select the organization entry (e.g., labs.forestall.io, Type: Organization).
Note: Ensure the organization entry is selected — not the project. Organization-level IAM changes apply to all projects and resources within that organization.
Step 5.4: Grant Access to the Service Account at the Organization Level

With the organization selected, navigate to IAM & Admin > IAM and click "+ Grant access" to open the Grant access panel.
In the "New principals" field, enter the full email address of the service account created in Step 5.2:
Step 5.5: Assign Organization-Level Roles
The following roles must be assigned to the service account at the organization level. Click "+ Add another role" for each role and use the search box to locate it by name.

Browser (roles/browser)
Provides read access to browse GCP resources.
Cloud Asset Viewer (roles/cloudasset.viewer)
Grants read-only access to Cloud Asset metadata.
Folder Viewer (roles/resourcemanager.folderViewer)
Grants access to view a folder and all of its child resources.
IAM Recommender Viewer (roles/recommender.iamViewer)
Provides viewer access to IAM recommendations.
Organization Role Viewer (roles/iam.organizationRoleViewer)
Grants read access to all custom roles in the organization and the projects below it.
Organization Viewer (roles/resourcemanager.organizationViewer)
Grants read-only access to view an organization.
Security Reviewer (roles/iam.securityReviewer)
Provides permissions to retrieve any IAM policy.
Service Usage Viewer (roles/serviceusage.serviceUsageViewer)
Grants the ability to inspect service states and operations for a consumer project.
Once all eight roles have been added, click "Save" to apply the role assignments to the service account.
Note: All roles listed above are read-only in nature. They grant the service account visibility into organizational resources and configurations without permitting any write or administrative operations.
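To confirm that the saved bindings give the service account exactly the eight read-only roles above and nothing more, here is an added Python check (not part of this guide or of Google's tooling). It reads the organization's IAM policy in the JSON shape produced by gcloud organizations get-iam-policy ORG_ID --format=json; the policy document, the service account address and the project ID below are constructed placeholders.

```python
import json

# The eight organization-level roles this guide assigns to the service account.
REQUIRED_ROLES = {
    "roles/browser",
    "roles/cloudasset.viewer",
    "roles/resourcemanager.folderViewer",
    "roles/recommender.iamViewer",
    "roles/iam.organizationRoleViewer",
    "roles/resourcemanager.organizationViewer",
    "roles/iam.securityReviewer",
    "roles/serviceusage.serviceUsageViewer",
}

# Placeholder address in the <service-account-id>@<project-id>.iam.gserviceaccount.com format.
SA_EMAIL = "test-service-account@test-project.iam.gserviceaccount.com"

# Constructed sample in the shape of `gcloud organizations get-iam-policy ORG_ID --format=json`.
# The service account holds all eight required roles plus roles/editor, which is not
# read-only and should be flagged by the check.
SAMPLE_POLICY = json.dumps({
    "version": 1,
    "bindings": [{"role": r, "members": [f"serviceAccount:{SA_EMAIL}"]} for r in sorted(REQUIRED_ROLES)]
    + [{"role": "roles/editor",
        "members": ["user:admin@example.com", f"serviceAccount:{SA_EMAIL}"]}],
})


def roles_for_member(policy_json, member):
    """Return every role bound to `member` (a full principal string such as
    'serviceAccount:<email>'). Conditional bindings count as granted: a condition
    narrows when the role applies, not whether it was assigned."""
    policy = json.loads(policy_json)
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def check_bindings(policy_json, sa_email, required=REQUIRED_ROLES):
    """Compare the service account's roles with the required set.
    Returns (missing, unexpected): missing roles break the integration,
    unexpected roles widen the read-only footprint this guide intends."""
    granted = roles_for_member(policy_json, f"serviceAccount:{sa_email}")
    return required - granted, granted - required


if __name__ == "__main__":
    missing, unexpected = check_bindings(SAMPLE_POLICY, SA_EMAIL)
    print("missing:", sorted(missing) or "none")
    print("unexpected:", sorted(unexpected) or "none")
```

Run it against the real export by replacing SAMPLE_POLICY with the file contents; any role in the "unexpected" set should be removed before the key in Section 6 is issued.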
6. Creating a Service Account Key
A private key must be generated for the service account to enable authentication from external systems or applications. Follow the steps below to create and download the key.
Step 6.1 — Access the Service Account Actions Menu

Return to IAM & Admin > Service Accounts and ensure the correct project is selected in the navigation bar. Locate the service account created in Step 5.2 in the list. Click the three-dot menu (⋮) in the Actions column of that row to expand the context menu. Select "Manage keys" from the options presented.
Step 6.2 — Open the Keys Tab

The service account detail page will open on the Keys tab. This tab displays all existing keys associated with the service account, along with their type, status, creation date, and expiration date. If no keys have been created previously, the list will show "No rows to display".
Security Warning: Service account keys can pose a security risk if compromised. Google recommends using Workload Identity Federation where possible as a more secure alternative to downloadable keys. Additionally, Google automatically disables service account keys detected in public repositories.
Step 6.3 — Initiate Key Creation
Click the "Add key" dropdown button and select "Create new key" from the menu.

Step 6.4 — Select Key Type and Create
A modal dialog titled "Create private key for <Service Account Name>" will appear. Select the key type as follows:
JSON (Recommended)
Standard key format containing all credentials in a single file.
P12
Legacy format for backward compatibility with code using the P12 format. Use only if required by the target system.

Select JSON and click "Create". The private key file will be automatically downloaded to your computer.
Step 6.5 — Store the Key Securely

Upon successful key creation, a confirmation dialog will appear stating "Private key saved to your computer". The downloaded file will be named in the format:
⚠️ Important: This JSON file contains credentials that allow full access to your cloud resources under the service account's permissions. Store this file in a secure location. It cannot be recovered if lost — if the key is lost or compromised, it must be deleted and a new key must be generated.
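As an added example (not from this guide), a Python check to run on the downloaded key file before it is filed away: it confirms the fields a Google JSON key carries, that client_email follows the address format from Step 5.2 and belongs to the key's project_id, and that the file is not readable by other users. The key it writes is a constructed sample with placeholder values, not a real credential.

```python
import json
import os
import re
import stat
import tempfile

# <service-account-id>@<project-id>.iam.gserviceaccount.com: both IDs are 6 to 30 lowercase
# letters, digits and hyphens starting with a letter; a project ID cannot end in a hyphen.
EMAIL_RE = re.compile(r"^[a-z][a-z0-9-]{5,29}@[a-z][a-z0-9-]{4,28}[a-z0-9]\.iam\.gserviceaccount\.com$")
REQUIRED_FIELDS = {"type", "project_id", "private_key_id", "private_key", "client_email", "token_uri"}

# Constructed sample key: placeholder IDs and a placeholder private key, not a real credential.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "test-project",
    "private_key_id": "0" * 40,
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
    "client_email": "test-service-account@test-project.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
}

def write_sample_key(mode=0o600):
    """Write the constructed key to a temporary file with the given mode; returns the path."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w") as f:
        json.dump(SAMPLE_KEY, f)
    os.chmod(path, mode)
    return path

def inspect_key_file(path):
    """Return a list of findings; an empty list means the key file passed every check."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {oct(mode)} is readable by group or others; expected 0600")
    with open(path) as f:
        key = json.load(f)
    missing = REQUIRED_FIELDS - set(key)
    if missing:
        findings.append("missing fields: " + ", ".join(sorted(missing)))
    if key.get("type") != "service_account":
        findings.append(f"type is {key.get('type')!r}, expected 'service_account'")
    email = key.get("client_email", "")
    if not EMAIL_RE.match(email):
        findings.append(f"client_email {email!r} is not a service account address")
    elif not email.endswith(f"@{key.get('project_id')}.iam.gserviceaccount.com"):
        findings.append("client_email does not belong to project_id")
    if not key.get("private_key", "").startswith("-----BEGIN PRIVATE KEY-----"):
        findings.append("private_key is not a PEM private key block")
    return findings
```

Point inspect_key_file at the real download; a non-empty result means the file should be fixed (or the key deleted and reissued) before it is used anywhere.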
To complete the security handshake between Google Cloud and Google Workspace, ensure you have completed the Domain-Wide Delegation steps at the link below: