Manage identity and access

By default, Google Distributed Cloud Sandbox (GDC Sandbox) comes with a pre-configured, fake OIDC identity provider and a user email to test your workflow lifecycles. For details on identity providers, see Connect to an identity provider.

For all tasks you test in GDC Sandbox, use the default user email, fop-platform-admin@example.com. With this user email, you can sign in to the GDC console, assign yourself roles and permissions, and manage your projects.

Access the admin cluster

When testing GDC console and gdcloud CLI operations, you use a Kubernetes cluster to run your workloads, such as deploying a virtual machine or assigning yourself a required role. For details on Google Distributed Cloud air-gapped clusters, see Cluster architecture.

GDC Sandbox provides you with an admin cluster called org-1-admin. To begin using the admin cluster, export the kubeconfig file of the cluster and get the credentials:

export KUBECONFIG=org-1-admin-kubeconfig
./gdcloud clusters get-credentials org-1-admin

While testing a task on a service, replace all instances of ADMIN_KUBECONFIG with your environment variable, KUBECONFIG.

Certain operations require you to use a user cluster. To create a user cluster, see Deploy user clusters.

Roles and permissions

For each operation you test on a service, you must have the required roles and permissions. For a list of all available required roles, see Role definitions.

You can grant the necessary roles to yourself using the default user email GDC Sandbox provides you. Before granting yourself a role to test a service, you must have the Project IAM Admin (project-iam-admin) role. To grant yourself a role, review the GDC console and gdcloud CLI instructions in Set up role bindings. Replace all instances of USER_EMAIL with fop-platform-admin@example.com.

To see a list of all roles you've assigned to yourself, do the following:

  1. In the Console menu bar, click org-1 > Select project.
  2. Click your preferred project.
  3. On the Projects page, you see a list of all roles assigned to the default user email.