Source & Binary

Integrating your Google identity provider

substrate create-admin-account -quality quality will ask for several inputs, which this page will help you provide from your Google identity provider.

These steps must be completed by a Google Super Admin. Be mindful, too, of which Google account you’re using if you’re signed into more than one in the same browser profile. Google has a habit of switching accounts when you least expect it.

Create a custom schema for assigning IAM roles to Google users

  1. Visit in a browser (or visit, click Users, click More, and click Manage custom attributes)
  3. Enter “AWS” for Category
  4. Under Custom fields, enter “RoleName” for Name, select “Text” for Info type, select “Visible to user and admin” for Visibility, select “Single Value” for No. of values
  5. Click ADD

Create and configure an OAuth OIDC client

  1. Visit in a browser
  3. Name the project and, optionally, put it in an organization (but don’t worry if you can’t put it in an organization, because everything still works without one)
  4. Click CREATE
  5. Click OAuth consent screen
  6. Select “Internal”
  7. Click CREATE
  8. Enter “Intranet” for Application name
  9. Enter your Intranet DNS domain name in Authorized domains
  11. Click Credentials in the left column
  12. Click CREATE CREDENTIALS and then OAuth client ID in the expanded menu
  13. Select “Web application” for Application type
  14. Enter a Name, if desired
  15. Click ADD URI in the Authorized redirect URIs section
  16. Enter “” (substituting your Intranet DNS domain name)
  17. Click CREATE
  18. Use the credentials to respond to substrate create-admin-account’s prompts
  19. Visit in a browser
  20. Confirm the project you created a moment ago is selected (its name will be listed next to “Google Cloud Platform” in the header)
  21. Click ENABLE

Authorize users to use AWS

  1. Visit in a browser (or visit and click Users)
  2. For every user authorized to use AWS:
    1. Click the user’s name
    2. Click User information
    3. In the AWS section, click Add RoleName and paste the name (not the ARN) of the IAM role they should assume in your admin account (“Administrator” for yourself as you’re getting started; if for others it’s not “Administrator” or “Auditor”, ensure you’ve followed adding non-Administrator roles for humans first)
    4. Click SAVE


Integrating your identity provider to control access to AWS

Deleting unnecessary root access keys