How to Set Up Google Cloud Platform (GCP) Without G Suite for Non-Gmail User Management


When managing GCP resources without G Suite/Google Workspace, administrators frequently encounter two critical limitations:

1. Error: "Email addresses must be associated with an active Google Account"
2. Projects appearing as "No organization" in the GCP console

Google Cloud requires each user to have either:

  • A @gmail.com account
  • A Google account associated with their email (via Cloud Identity Free)
  • A Google Workspace account

1. Create Cloud Identity Free Tier

Navigate to the Google Admin console and select "Start with Cloud Identity Free":

# Sample gcloud command to verify domain ownership
# (opens a browser-based verification flow; the command has no --method flag)
gcloud domains verify example.com \
  --project YOUR_PROJECT_ID

2. Verify Your Domain

Add these DNS records (example for Cloudflare):

# TXT record for domain verification
google-site-verification=XXXXXXXXXXXXXXXXXXXXXXXXXXXXX

# MX records for user management
1 ASPMX.L.GOOGLE.COM
5 ALT1.ASPMX.L.GOOGLE.COM
5 ALT2.ASPMX.L.GOOGLE.COM
10 ALT3.ASPMX.L.GOOGLE.COM
10 ALT4.ASPMX.L.GOOGLE.COM

3. Create Organizational Structure

After verification, set up your organization in GCP:

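# The organization resource is created automatically once the domain is verified;
# this command grants the Organization Administrator role on it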
gcloud organizations add-iam-policy-binding \
  ORGANIZATION_ID \
  --member=user:admin@example.com \
  --role=roles/resourcemanager.organizationAdmin

For each team member requiring access:

  1. Have them create a Google account with their work email
  2. Add them via IAM with appropriate roles:
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=user:teammember@example.com \
  --role=roles/viewer

Error: "Domain not eligible"

This typically means someone previously attempted to register the domain. Contact Google Support with:

  • Domain registrar records
  • Proof of ownership
  • Business verification documents

Project Appears as "No Organization"

Migrate existing projects to your organization:

gcloud beta projects move PROJECT_ID \
  --organization=ORGANIZATION_ID

For programmatic access without individual users:

# Create service account
gcloud iam service-accounts create my-sa \
  --display-name="My Service Account"

# Generate key (a long-lived credential: store key.json securely and rotate it)
gcloud iam service-accounts keys create key.json \
  --iam-account=my-sa@PROJECT_ID.iam.gserviceaccount.com

# Grant permissions (roles/editor is a broad basic role; prefer a narrower predefined role)
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=serviceAccount:my-sa@PROJECT_ID.iam.gserviceaccount.com \
  --role=roles/editor

Remember to regularly audit service account permissions using:

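# The analysis needs at least one selector (identity, resource, or roles/permissions)
gcloud asset analyze-iam-policy --organization=ORGANIZATION_ID \
  --identity=serviceAccount:my-sa@PROJECT_ID.iam.gserviceaccount.com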
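
A complementary offline check for the audit step above, as an added example that is not part of the original article: it scans the JSON printed by `gcloud projects get-iam-policy PROJECT_ID --format=json` for the kinds of bindings this guide creates that deserve review. The policy below is constructed sample data, and `audit_policy` and the finding names are hypothetical.

```python
import json

# Constructed sample in the shape printed by:
#   gcloud projects get-iam-policy PROJECT_ID --format=json
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/editor",
   "members": ["serviceAccount:my-sa@PROJECT_ID.iam.gserviceaccount.com"]},
  {"role": "roles/viewer",
   "members": ["user:teammember@example.com", "user:contractor@gmail.com"]},
  {"role": "roles/container.admin",
   "members": ["group:developers@example.com"]}
]}
""")

BROAD_BASIC_ROLES = {"roles/owner", "roles/editor"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def audit_policy(policy, org_domain):
    """Return (finding, member, role) tuples for bindings worth reviewing."""
    org_domain = org_domain.lower()
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            kind, _, ident = member.partition(":")
            domain = ident.rpartition("@")[2].lower()
            if member in PUBLIC_MEMBERS:
                # Anyone on the internet / any Google account.
                findings.append(("public-access", member, role))
            elif kind == "serviceAccount" and role in BROAD_BASIC_ROLES:
                # Basic roles span nearly every service in the project.
                findings.append(("broad-role-on-service-account", member, role))
            elif kind in ("user", "group") and domain != org_domain:
                # Identity outside the verified Cloud Identity domain.
                findings.append(("external-identity", member, role))
            elif kind == "user":
                # In-domain user bound directly instead of through a group.
                findings.append(("direct-user-grant", member, role))
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY, "example.com"):
        print(*finding, sep="\t")
```

Pass the verified Cloud Identity domain as `org_domain`; group bindings from that domain produce no finding.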

When working with Google Cloud Platform (GCP) without G Suite (now Google Workspace), you'll encounter two major roadblocks:

  • Unable to invite non-Gmail/non-G Suite users to your projects
  • Projects appearing as "No organization" in the GCP console

Google requires all GCP users to have either:

  1. A standard Google Account (Gmail)
  2. A Cloud Identity account (free alternative to G Suite)
  3. A Google Workspace account (formerly G Suite)

For enterprise scenarios, Cloud Identity is the recommended solution when you don't need email services.

Here's how to properly set up GCP for a non-G Suite organization:

1. Create a Cloud Identity Account

Navigate to Cloud Identity setup and follow these steps:

# Using gcloud CLI (after initial setup)
gcloud organizations list
gcloud organizations add-iam-policy-binding [ORGANIZATION_ID] \
  --member=user:admin@yourdomain.com \
  --role=roles/resourcemanager.organizationAdmin

2. Verify Your Domain

Google requires domain verification before you can create an organization:

  • Add TXT records to your DNS
  • Wait for propagation (typically 24-48 hours)

3. Set Up Organization Structure

Once verified, create your organizational hierarchy:

# Create folders under your organization
gcloud resource-manager folders create \
  --display-name="Engineering" \
  --organization=[ORGANIZATION_ID]
  
gcloud resource-manager folders create \
  --display-name="Finance" \
  --organization=[ORGANIZATION_ID]

After setting up Cloud Identity, you can invite users with their corporate emails:

Using Cloud Console

  1. Navigate to IAM & Admin → IAM
  2. Click "Add"
  3. Enter user emails (must be from your verified domain)
  4. Assign appropriate roles (e.g., roles/viewer, roles/editor)

Using gcloud CLI

# Add IAM policy binding for new users
gcloud projects add-iam-policy-binding [PROJECT_ID] \
  --member=user:newuser@yourdomain.com \
  --role=roles/container.admin

Error: "Email addresses must be associated with a Google Account"

Solution: The user must first create a Google Account with their corporate email:

  1. Visit Google Account creation
  2. Select "Use my current email address instead"
  3. Complete verification

  • Always use Cloud Identity Free edition unless you need email services
  • Establish proper IAM roles and permissions early
  • Implement organization policies for security constraints
  • Use groups for easier permission management

# Example: Creating and managing groups
# The group email is a positional argument; arbitrary labels such as team=dev are not accepted
gcloud identity groups create developers@yourdomain.com \
  --organization=[ORGANIZATION_ID] \
  --display-name="Developers"

gcloud identity groups memberships add \
  --group-email=developers@yourdomain.com \
  --member-email=user1@yourdomain.com