Integrating your Google identity provider
substrate setup
will ask for several inputs, which this page will help you provide from your Google identity provider.
These steps must be completed by a Google Super Admin. Be mindful, too, of which Google account you’re using if you’re signed into more than one in the same browser profile. Google has a habit of switching accounts when you least expect it.
Create a custom schema for assigning IAM roles to Google users
- Visit https://admin.google.com/ac/customschema in a browser (or visit https://admin.google.com, click Users, click More, and click Manage custom attributes)
- Click ADD CUSTOM ATTRIBUTE
- Enter “AWS” for Category
- Under Custom fields, enter “RoleName” for Name, select “Text” for Info type, select “Visible to user and admin” for Visibility, select “Single Value” for No. of values
- Click ADD
Create and configure an OAuth OIDC client
- Visit https://console.developers.google.com/ in a browser
- Click CREATE PROJECT
- Name the project and, optionally, put it in an organization (but don’t worry if you can’t put it in an organization, because everything still works without one)
- Click CREATE
- Click SELECT PROJECT in the status overlay that appears in the top right corner
- Click OAuth consent screen
- Select “Internal”
- Click CREATE
- Enter an Application name
- Select a User support email
- Enter your Intranet DNS domain name in Authorized domains
- In Developer contact information, enter one or more Email addresses
- Click SAVE AND CONTINUE
- Click ADD OR REMOVE SCOPES
- Select “…/auth/userinfo.email”, “…/auth/userinfo.profile”, and “openid”
- Enter “https://www.googleapis.com/auth/admin.directory.user.readonly” in the text input under Manually add scopes
- Click ADD TO TABLE
- Click UPDATE
- Click SAVE AND CONTINUE
- Click Credentials in the left column
- Click CREATE CREDENTIALS and then OAuth client ID in the expanded menu
- Select “Web application” for Application type
- Enter a Name, if desired
- Click ADD URI in the Authorized redirect URIs section
- Enter “https://intranet-dns-domain-name/login” (substituting your just-purchased or just-transferred Intranet DNS domain name)
- Click CREATE
- Use the credentials to respond to
substrate setup
’s prompts - Click OK
- Visit https://console.cloud.google.com/apis/library/admin.googleapis.com in a browser
- Confirm the project you created a moment ago is selected (its name will be listed next to “Google Cloud Platform” in the header)
- Click ENABLE
Authorize users to use AWS
- Visit https://admin.google.com/ac/users in a browser (or visit https://admin.google.com and click Users)
- For every user authorized to use AWS:
- Click the user’s name
- Click User information
- In the AWS section, click Add RoleName and enter the name (not the ARN) of the IAM role they should assume in your Substrate account (“Administrator” for yourself as you’re getting started; if for others it’s not “Administrator” or “Auditor”, ensure you’ve followed adding non-Administrator roles for humans first)
- Click SAVE
With your identity provider integrated, jump to finishing up in your management account.