Google Cloud Setup Guide
This guide gives step-by-step instructions for connecting Google Cloud to Kion.
1. Create a Google Cloud project for the service account.
In the following sections, you create a service account and upload its information to Kion. Before you do that, you must create a dedicated Google Cloud project to house the service account. If you've already created a Google Cloud project for the Kion deployment, you can add the service account to that project and skip to the "Create a Service Account and Service Account Key (SAK)" section below.
If you wish to build out your resource hierarchy before creating this project, you can follow steps 5 and 6 in Google's onboarding checklist before you create the project, but this is not required.
The service account must be located in its own Google Cloud project.
Google Cloud projects are different from Kion projects. Google Cloud projects are equivalent to Kion accounts.
To create a project for the service account:
- Log into your G Suite account and navigate to console.cloud.google.com.
- On the top blue ribbon, a dropdown menu will say Select a project. Click this menu to open the project selection screen.
- On the project selection screen, click New Project on the top right.
- Enter a Project name.
- Select the Organization and Location (parent organization or folder) from the dropdown menu.
- Set and take note of the Project ID that is shown below the Project Name field. You will need this ID later.
- Click Create.
2. Enable the APIs for the resource manager and cloud billing.
- Log into your G Suite account and navigate to console.cloud.google.com.
- Select the project you created for your service account from the dropdown menu on the top blue ribbon.
- In the left navigation menu, click APIs & Services.
- Click Enable APIs and Services at the top of the screen.
- Search for and select Cloud Resource Manager API.
- Click Enable.
- Click the back arrow until you have reached the APIs & Services page.
- Search for and select Cloud Billing API.
- Select Enable APIs and Services.
- Click the back arrow to return to the API Library.
- Search for and select Identity and Access Management (IAM) API.
- Click Enable.
3. Create a service account and service account key within Google Cloud.
Next, create a service account within Google Cloud that represents your Google Cloud organization. A service account is a special type of Google account intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs. You can read more about service accounts in Google's service account documentation.
To create the service account:
- Log into your G Suite account and navigate to console.cloud.google.com.
- Select the project you just created in the previous section from the dropdown menu on the top blue ribbon.
- In the left navigation menu, click IAM & Admin > Service Accounts.
- If prompted, select the card for the project you created.
- Click Create Service Account below the top ribbon.
- Enter a Service Account Name and an optional Description.
- Click Create and Continue.
- Skip the Grant the service account access to project section by clicking Continue.
- Optional: You can grant other users access to this service account. You can add a user's Google email address, Google Groups email address, Service account address, or G Suite domain to either text entry field. Users added to the Service Account Users Role field will become users. Users added to the Service Account Admins Role field will become administrators. For more information, see the Google documentation on Managing Service Account Impersonation.
- Click Done.
- If you already have your billing account(s) set up, you should be prompted to choose one to link to the project during this process. If you only have one billing account set up, it will be selected automatically. If you haven't set up a billing account yet or need to change it later, we go over the process in the Create a billing account within Google Cloud and attach it to the service account section below.
- Copy the email of the service account you just created. You will need it in the next section when assigning org-wide permissions.
To create a service account key:
- In the list of service accounts for your project, click the ellipsis menu icon under Actions on the right of the service account, and select Manage Keys.
- Select Add Key > Create New Key.
- Set the Key Type to JSON.
- Click Create. The SAK JSON file downloads to your computer. Save this file to a safe location.
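A check for the downloaded key file, as an added example that is not part of Kion's documentation: it confirms the file is a JSON service account key for the project ID noted in step 1 and that only its owner can access it. The function names, project ID and key contents are constructed for illustration; the field names are those of a Google Cloud service account key file.

```python
import json, os, stat, tempfile

REQUIRED = {"type", "project_id", "private_key_id", "private_key", "client_email"}

def check_sak(path, expected_project_id):
    """Return a list of findings for a downloaded service account key file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {mode:04o} lets group/other access the key; use 0600")
    try:
        with open(path) as fh:
            key = json.load(fh)
    except ValueError:
        key = None
    if not isinstance(key, dict):
        return findings + ["not a JSON object; was Key Type set to JSON?"]
    missing = REQUIRED - key.keys()
    if missing:
        findings.append("missing fields: " + ", ".join(sorted(missing)))
    if key.get("type") != "service_account":
        findings.append(f"type is {key.get('type')!r}, expected 'service_account'")
    if key.get("project_id") != expected_project_id:
        findings.append("project_id does not match the dedicated service account project")
    # User-created service accounts have emails of the form NAME@PROJECT_ID.iam.gserviceaccount.com
    suffix = f"@{expected_project_id}.iam.gserviceaccount.com"
    if not str(key.get("client_email", "")).endswith(suffix):
        findings.append("client_email is not a service account in the expected project")
    return findings

def demo():
    # Constructed key contents: placeholders only, not real key material.
    key = {"type": "service_account", "project_id": "kion-sa-project",
           "private_key_id": "CONSTRUCTED", "private_key": "CONSTRUCTED-NOT-A-KEY",
           "client_email": "kion-sa@kion-sa-project.iam.gserviceaccount.com"}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sak.json")
        with open(path, "w") as fh:
            json.dump(key, fh)
        os.chmod(path, 0o644)                    # as a browser download might leave it
        before = check_sak(path, "kion-sa-project")
        os.chmod(path, 0o600)                    # owner-only
        after = check_sak(path, "kion-sa-project")
        wrong = check_sak(path, "some-other-project")
    return before, after, wrong

if __name__ == "__main__":
    for label, result in zip(("0644", "0600", "wrong project"), demo()):
        print(label, result)
```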
4. Assign org-wide permissions to your service account.
In addition to the roles you just assigned to the project housing the service account, you need to assign the service account permissions at the organization level.
There are two approaches you can take when granting permissions. You can grant the service account high-level permissions, which ensures the necessary permissions are in place for all current and future Kion features, or you can grant minimal permissions, which may require permission modifications when new features are released.
Follow one of the following guides to grant permissions to your service account.
To grant the service account standard permissions (recommended):
- Log into your G Suite account and navigate to console.cloud.google.com.
- Select your organization from the dropdown menu on the top blue ribbon (NOT your project).
- In the left navigation menu, click IAM & Admin > IAM.
- Click Add.
- Type in the email of the service account.
- To grant the service account access to all current and future Kion features, we recommend adding the following roles:
  - Billing > Billing Account Viewer. This permission gives Kion access to read the billing account information. This must be done at the organization level.
  - Basic > Owner. If you use Google Cloud folders, you can alternatively set this role on the folders you want Kion to manage.
- Click Save.
To grant the service account minimal permissions:
- Log into your G Suite account and navigate to console.cloud.google.com.
- Select your organization from the dropdown menu on the top blue ribbon (NOT your project).
- In the left navigation menu, click IAM & Admin > IAM.
- Click Add.
- Type in the email of the service account.
- To grant the minimal permissions (which will require modifying permissions when Kion adds Google Cloud capabilities), add the following roles:
  - Billing > Billing Account Viewer. This permission gives Kion access to read the billing account information. This must be done at the organization level.
  - Resource Manager > Project IAM Admin. This permission gives Kion access to manage permissions on Google Cloud projects. If you use Google Cloud folders, you can alternatively set this role on the folders you want Kion to manage.
  - Roles > Organization Role Administrator. This permission gives Kion access to manage Google Cloud IAM roles for an organization. If you use Google Cloud folders, you can alternatively set this role on the folders you want Kion to manage along with the role Resource Manager > Folder IAM Admin.
  - Resource Manager > Folder Viewer. This permission gives Kion access to view Google folders. If you use Google Cloud folders, you can alternatively set this role on the folders you want Kion to manage instead.
- Click Save.
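One way to verify the result of this step, as an added example that is not part of Kion's documentation: the script compares a service account's organization-level bindings with the role set chosen above and reports missing, unexpected and conditional grants. The role IDs are the identifiers behind the display names listed above; the policy (the shape returned by `gcloud organizations get-iam-policy ORG_ID --format=json`), the service account email and the `roles/editor` entry are constructed sample data.

```python
# Role IDs for the console display names used in this section.
STANDARD_ROLES = {"roles/billing.viewer", "roles/owner"}
MINIMAL_ROLES = {
    "roles/billing.viewer",                   # Billing Account Viewer
    "roles/resourcemanager.projectIamAdmin",  # Project IAM Admin
    "roles/iam.organizationRoleAdmin",        # Organization Role Administrator
    "roles/resourcemanager.folderViewer",     # Folder Viewer
}

# Constructed sample data (assumptions): service account email and org policy.
SA_EMAIL = "kion-sa@kion-sa-project.iam.gserviceaccount.com"
_SA = "serviceAccount:" + SA_EMAIL
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/billing.viewer", "members": [_SA]},
    {"role": "roles/resourcemanager.projectIamAdmin", "members": [_SA]},
    {"role": "roles/resourcemanager.folderViewer", "members": [_SA]},
    {"role": "roles/editor", "members": [_SA]},            # drift: not in either role set
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
]}

def roles_for(policy, sa_email):
    """Split the roles bound to the service account into plain and conditional grants."""
    member = "serviceAccount:" + sa_email
    granted, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            (conditional if "condition" in binding else granted).add(binding["role"])
    return granted, conditional

def audit(policy, sa_email, expected):
    """Compare unconditional grants with the expected role set.

    A role granted only under an IAM condition is reported as missing and
    listed under 'conditional', since the grant may not apply everywhere.
    """
    granted, conditional = roles_for(policy, sa_email)
    return {
        "missing": sorted(expected - granted),
        "unexpected": sorted(granted - expected),
        "conditional": sorted(conditional),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY, SA_EMAIL, MINIMAL_ROLES))
```

If the roles were assigned on folders instead of the organization, as the step allows, run the same comparison against each folder's policy.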
5. Assign BigQuery permissions.
If the BigQuery financial export is not present in one of the Google Cloud projects under the organization or folders you specified above, assign the service account permissions at the project level where BigQuery is located.
To assign BigQuery permissions:
- Log into your G Suite account and navigate to console.cloud.google.com.
- Select your project containing BigQuery from the dropdown menu on the top blue ribbon.
- In the left navigation menu, click IAM & Admin > IAM.
- Click Add.
- Enter the email of the service account.
- Add the following roles:
  - BigQuery > BigQuery User
  - BigQuery > BigQuery Data Viewer
- Click Save.
6. Create a billing account within Google Cloud and attach it to the service account.
If you have an existing billing account, you can link that account instead of creating a new one. After step 3, select Link a Billing Account and follow the prompts.
An account with the Billing Account Creator role for your organization is required to complete this step.
To add a billing account and attach it to the service account:
- Log into your G Suite account and navigate to console.cloud.google.com. For this process, you must log in as a user with the Billing Account Creator role.
- Select the project you created for your service account from the dropdown menu on the top blue ribbon.
- In the left navigation menu, click Billing.
- Click Manage Billing Accounts.
- Click Add Billing Account.
- Select your organization from the dropdown menu.
- Enter an account name.
- Select your country.
- Click Continue.
- Enter your account information. Please note that your selections here may be used for tax and identity verification. For more information, see Google's Create, Modify, or Close Your Billing Account article.
- Click Submit and Enable Billing. By default, the person who creates the billing account is made a Billing Account Administrator for the billing account.
- From the home screen, in the left navigation menu, click Billing.
- Select your organization from the dropdown menu and click the My Projects tab.
- Click the ellipsis menu icon under Actions on the right of the service account and select Change Billing.
- Choose the new billing account from the list.
- Click Set Account.
7. Set up billing data export to BigQuery.
Create a BigQuery dataset and enable the export of data to BigQuery to send Google Cloud information to Kion.
To set up billing data export to BigQuery:
- Log into your G Suite account and navigate to console.cloud.google.com.
- Select the project you created for your service account from the dropdown menu on the top blue ribbon.
- In the left navigation menu, scroll to the Big Data section and click BigQuery.
- In the Explorer menu, select your project.
- Click the ellipsis menu next to the project ID, and select Create Dataset.
- Enter a Dataset ID. For example, kionbillingdata.
- Select a multiple region location identifier as the Data location. Do not select an individual region.
- Click Create dataset.
- In the left navigation menu, click Billing.
- Click Go to Linked Billing Account.
- In the billing navigation menu on the left, select Billing export.
- Under the Standard usage cost section, click Edit settings.
- Select your project.
- Select the dataset you created.
The BigQuery API is required to export data to BigQuery. If the project you selected doesn't have the BigQuery API enabled, you will be prompted to enable it. Click Enable BigQuery API to enable the API.
- Click Save.
- Under the Detailed usage cost section, click Edit settings.
- Select your project.
- Select the dataset you created.
- Click Save.
8. Enable the APIs for the services required for Kion management.
To enable OAuth to support GCP federation for users:
- Log into your G Suite account and navigate to console.cloud.google.com.
- Select the project you created for your service account from the dropdown menu on the top blue ribbon.
- In the left navigation menu, click APIs & Services.
- Click OAuth consent screen.
- Select Internal and click Create.
- On the app registration screen, enter the app name, user support email, and developer contact information email.
- Click Save and Continue.
To generate OAuth access keys to support GCP federation for users:
- Log into your G Suite account and navigate to console.cloud.google.com.
- Select the project you created for your service account from the dropdown menu on the top blue ribbon.
- In the left navigation menu, click APIs & Services.
- Select Credentials.
- Select Create Credentials > OAuth client ID.
- From the Application type dropdown, select Web application.
- Enter an application name.
- In the Authorized Redirect URIs section, click Add URI and enter: https://kion.example.com/api/v3/account/link-google-callback
  - Change "kion.example.com" to the URL of your Kion instance.
- Click Create.
- Store the client ID and client secret for use in the Kion application.
9. Add the service account to Kion.
- Log in to Kion.
- In the left navigation menu, click Accounts > Google Cloud Service Accounts.
- Click Add New on the top right.
- Enter a Name and Description for the service account.
- Select Enable IAM Federation.
- Enter the OAuth Client ID and OAuth Client Secret you created above. This allows federation into GCP subscriptions for users.
- Upload the Google Cloud service access key by clicking Upload and selecting the JSON file you saved in section 3.
- Click Create Google Cloud Service Account.
10. Add the billing account to Kion as a billing source.
- Log in to Kion.
- In the left navigation menu, click Accounts > Billing Sources.
- Click Add New on the top right.
- For Account Type, select Google Cloud.
- Enter a Billing Source Name.
- Choose a Billing Start Date. This is the earliest month Kion will try to fetch financial data for the billing source.
- Select the Service Account that will be used to access the billing data.
- Leave the Input Type dropdown set to Auto-fill. This allows the form to query information from the Google API as you fill in the remainder of the form.
- In the Google Cloud Billing Account dropdown, select the Google Cloud billing account that this billing source will represent.
- If you are using the manual input method, enter the Google Cloud Billing Account ID for the Google Cloud billing account you want to add. You can find it in the Google Cloud console by selecting the project name from the dropdown in the blue ribbon, clicking Billing in the left navigation menu, clicking Go to Linked Billing Account, and looking in the box that says Billing Account on the right. The billing account ID is the ID listed after the billing account name.
- In the Big Data Billing Export Project ID dropdown, select the Google Cloud project where the billing account selected above is exporting financial data to BigQuery.
- If using the manual input method, enter the Big Data Billing Export Project ID. You can find it in the Google Cloud console by clicking the dropdown in the blue ribbon. The project ID is displayed in the ID column next to the name of the project housing your service account. This may be a variation of your project name with a unique identifier on it.
- In the Big Query Billing Export Dataset ID dropdown, select the BigQuery dataset ID where the billing account selected above is exporting its financial data.
- If the table where the billing account is exporting data does not use the default name (usually gcp_billing_export_v1_{BILLING ACCOUNT NUMBER}), override the default table name by checking the Override the Default Table Name checkbox.
- If using the manual input method, enter the Big Data Billing Export Dataset Name. You can find it in the Google Cloud console by selecting the project name from the dropdown in the blue ribbon, clicking BigQuery in the left navigation menu under Big Data. The name of your project will display in the left navigation menu, and the dataset name will display below.
- Click Test Billing Source. If you receive an error message, verify your credentials and permissions.
- Click Create Billing Source.
11. Add Google Cloud projects to Kion as accounts.
Add your Google Cloud projects to Kion as accounts. Google Cloud projects are different from Kion projects. Google Cloud projects are equivalent to Kion accounts.
Your service account is already connected, so there's no need to add the project that houses the service account.
To add your Google Cloud projects to Kion as accounts, see Add an Account.