This is the first of two articles in a series that aims to get you started with the Google Cloud Platform console (this article) and, if you're interested, with deploying and controlling resources via the Pulumi infrastructure-as-code framework (the second article). In the second article you will also configure the Google Cloud SDK and its CLI tools to add another useful interface to your cloud resources.
In other words, in this Google Cloud Platform tutorial we'll start totally from scratch and get to a ready configuration for deploying applications to Google Cloud Platform (GCP) using the Pulumi infrastructure-as-code framework, as well as the GCP console or CLI if you need to (though I'm sure you'll love using Pulumi as much as you can!).
If you prefer watching to reading, here's the companion YouTube video for this first part of the tutorial.
Step 1: create a GCP account
First of all, let's create a Google Cloud Platform account.
Visit cloud.google.com and click on Get Started for Free, then confirm your phone contact and follow the instructions to create either a personal or business account. Currently Google is offering a free credit of $300 that can be used within a 3-month time frame. Although it will ask for your credit card to confirm your identity, there is currently no automated billing at the end of the trial, so you won't be charged unless you manually upgrade to a paid plan.
You will also be required to confirm your billing identity by uploading a photo of your credit card and one of an ID document of the cardholder.
After this, your account will be in "Verification in progress" status, which should last just a few minutes.
Step 2: configure a Cloud Identity Organization
We have just signed up to GCP using our regular, "personal" Gmail account. Now we need to go through a checklist of activities that includes:
- creating an organization profile on Google Cloud (Cloud Identity), which is usually linked to an organization's domain that you'll need to prove you own;
- creating the main "root" admin account for your new organization;
- linking and confirming ownership of an organization domain;
- creating, as a security best practice, a second user account;
- elevating this second user to an admin role for all your organization's projects, while keeping it distinct from the "root" admin account.
We will not go over all 10 steps of the checklist, as only the first 4 are required for a simple "get started" scenario.
Now head over to console.cloud.google.com, under the "IAM & Admin" section and click on "Identity & Organization". Then click on "Go to the Checklist" and next on "Begin the setup".
Step 2.1: creating a Cloud Identity (i.e. a GCP Organization)
Click on Sign up for Cloud Identity, click on Next and start answering questions about your Organization. It will ask you to associate your organization's domain name, while the verification of ownership will occur later.
Next, you will be asked for your personal information, an Organization email address (on the Organization domain you've just specified) and a secondary email address for account recovery: this creates your first "root" admin account for the Google Identity (i.e. Organization), which you will use for GCP. It is advisable not to use your main email address here, such as firstname.lastname@example.org, as you're better off keeping that address for the second, "non-root" user later on. This is the root admin account, so use an email like "email@example.com" or "firstname.lastname@example.org", or something similar. After finishing this step you will receive a confirmation: "Your Cloud Identity account has been created".
Now click on "Go To Setup" and log in with your newly created account, accept the T&C and you're now in the Google Admin console (the admin console for your Google Identity).
Step 2.2: Confirming domain ownership
Now you need to confirm ownership of the domain name. Just click on Verify: Google should detect your domain registrar and give you instructions for verification, which involves adding a DNS "TXT" record containing a string provided by Google.
To do this, log in to your domain registrar, go to your domain's DNS settings and add a new record. The subdomain (host) field should be left blank, and you need to paste the string provided by Google in the "answer" field. Save the record.
Now go back to the Google page and click on "Verify my domain"; if it doesn't work, just try again in a few minutes, as there might be some delay for your DNS record to become effective.
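An added example, not part of the original tutorial: a small Python check that the TXT record from this step is visible at the domain apex before you click "Verify my domain". It assumes the `dig` tool is installed and that Google's string has the usual `google-site-verification=` form; the token and the sample output are constructed.

```python
import shlex
import subprocess

PREFIX = "google-site-verification="  # assumed form of the string Google provides

# Constructed sample of `dig +short TXT example.com` output (the token is made up).
SAMPLE = (
    '"v=spf1 include:_spf.example.net ~all"\n'
    '"google-site-verification=" "CONSTRUCTED-TOKEN-0001"\n'
)
EXPECTED = "google-site-verification=CONSTRUCTED-TOKEN-0001"


def parse_txt_answers(dig_short_output):
    """Turn `dig +short TXT` output into one string per TXT record."""
    records = []
    for line in dig_short_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        # A long TXT value comes back as several quoted chunks on one line.
        records.append("".join(shlex.split(line)))
    return records


def verification_status(dig_short_output, expected_value):
    """Classify the apex TXT records against the string Google supplied."""
    records = parse_txt_answers(dig_short_output)
    if expected_value in records:
        return "present"
    if any(r.startswith(PREFIX) for r in records):
        return "mismatch"  # a verification record exists, but with another token
    return "missing"  # not propagated yet, or created under a subdomain


def query_txt(domain, resolver=None):
    """Fetch TXT records with dig; pass a resolver IP to bypass a stale cache."""
    cmd = ["dig", "+short", "TXT", domain]
    if resolver:
        cmd.insert(1, "@" + resolver)
    done = subprocess.run(cmd, capture_output=True, text=True, timeout=10, check=True)
    return done.stdout


if __name__ == "__main__":
    print(verification_status(SAMPLE, EXPECTED))
```

For a live check, pass `query_txt("yourdomain.example")` as the first argument; a "missing" result that persists usually means the record was saved with a non-blank host field.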
Step 2.3: creating a second user
Now Google will suggest that you start creating new users right away but, as suggested in the GCP checklist, for now we'll skip this step by clicking on "Set up GCP Cloud Console now".
You will be led to the "Identity & Organization" page on GCP. Now just check you are logged in as your Organization account (and NOT the Gmail account you had used at the beginning) and click "Go to the checklist".
Now click on Continue to Step 2. Then click on "Go to Google Admin Console", which shows your organization's user list; for now it includes only your current user.
Click on "Add new user": this will be the user you use on a daily basis to administer your account, so we assume you will be creating it for yourself. Just insert your email address (always with the organization's domain) and name: you will be provided with a default password, which you should note down.
Step 2.4: create basic administration groups
Now come back to the GCP checklist page and click on "Continue" to proceed to substep 2 ("Create Google Groups"). Here GCP suggests assigning existing users to some user groups: each group is meant to be assigned some administration privileges, which are in turn granted to all the users in that group. If your organization is a single person, or at least fairly "small", you don't need to customize the standard user groups: we will just add the second user you created in the previous step to each group, assuming this user will be eligible for all the corresponding privileges.
So scroll down to the section "Add users to groups" and, for each group, click on Add members and add the second user by its email address. At the end of the process, each group should have 2 members. Now click on "Mark task as completed" and next on "Continue to administrative access".
Step 2.5: set up basic administrative access policies
In this third step of the checklist you grant the administrator(s) of your organization some basic administrative privileges. As Google now suggests, copy your admin account group (it should look like email@example.com), click on "Grant access" and paste this group name to assign admin privileges to it and to all of its (2) members.
Click Next and do the same for the billing user group to assign billing administration privileges.
Click on "Mark task as completed" and "Continue to billing".
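An added example, not part of the original tutorial: once the grants above are in place, the organization's IAM policy can be exported (for instance with `gcloud organizations get-iam-policy ORG_ID --format=json`, using the CLI set up in the second article) and checked so that roles are held through the groups rather than by individual accounts. The group names, user addresses and policy below are constructed.

```python
import json

# Constructed sample shaped like an organization IAM policy export.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["group:org-admins@example.com", "user:root-admin@example.com"]},
    {"role": "roles/billing.admin",
     "members": ["group:billing-admins@example.com", "user:jane@example.com"]},
    {"role": "roles/viewer",
     "members": ["group:contractors@example.com"]}
  ],
  "etag": "CONSTRUCTED",
  "version": 1
}
""")

# Hypothetical names for the admin and billing groups from the checklist.
EXPECTED_GROUPS = {"org-admins@example.com", "billing-admins@example.com"}
ROOT_ADMIN = "root-admin@example.com"  # hypothetical "root" account address


def audit_org_policy(policy, root_admin, expected_groups):
    """Return (finding, role, member) tuples for bindings that need review."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            kind, _, ident = member.partition(":")
            ident = ident.lower()
            if kind == "user" and ident == root_admin.lower():
                # The root account should not hold day-to-day roles directly.
                findings.append(("root-direct", role, member))
            elif kind == "user":
                # Role granted to a person instead of through a group.
                findings.append(("user-direct", role, member))
            elif kind == "group" and ident not in expected_groups:
                findings.append(("unexpected-group", role, member))
            elif kind in ("allUsers", "allAuthenticatedUsers"):
                findings.append(("public", role, member))
    return findings


if __name__ == "__main__":
    for finding in audit_org_policy(SAMPLE_POLICY, ROOT_ADMIN, EXPECTED_GROUPS):
        print(*finding)
```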
Step 2.6: set up a billing account
Here we need to set up a billing account, even though it should not be needed until the trial period has expired. So, unless you already have a Google billing account you can link to your GCP organization, select "Create an online billing account" and click on Create billing account. Now you just need to answer some questions about the organization and insert your billing address and credit card information.
After that, come back to the checklist page and click on "Mark task as completed".
The remaining steps
We won't go over the remaining steps: they can be considered more advanced and shouldn't be needed if you're a single person or a small or micro business. That said, feel free to go over them in more detail: they involve structuring a GCP resource hierarchy (a sort of folder-like resource structuring system), more advanced privileges for multi-user organizations, a virtual private networking configuration, setup for resource logging and, optionally, purchasing a Google business support plan. If you want to skip these like me, either ignore the steps or mark each of them as completed.
Now you can log out from your "root account" and sign in with your newly created "non-root" user account: you will first use the password provided by Google while creating the user, and you'll then be asked to change it once you sign in. If you click on "Select a project" in the top bar you will now see your fully configured organization with its default project.
Projects are a way for GCP to let you fully isolate resources you use for different... projects!
That's it for this part on getting a ready-to-use Google Cloud Platform account for deployment via the console UI and/or CLI.
Now, if you're interested, take a look at the second part on using the Pulumi IaC framework with your brand new GCP account: we will also configure the Google Cloud SDK and CLI tools as an additional way to manage your cloud resources.