feat: add stronger guidance around the use of gcloudadmin accounts

As noted in #244, we had engineers using the gcloudadmin accounts as day-to-day accounts. Add stronger guidance to the guidebook around this topic. Closes #244

feat: add stronger guidance around the use of gcloudadmin accounts
7fa59545 · Dr Rich Wareham · ae935b40 · 7fa59545 · 7fa59545 · 7fa59545
Commit 7fa59545 authored 1 year ago by Dr Rich Wareham
--- a/docs/explanations/gcloudadmin-accounts.md
+++ b/docs/explanations/gcloudadmin-accounts.md
+# Google Cloud admin accounts
+
+As noted in the [checklist for products](../howtos/check-product-configuration.md), development team
+members who need to administer, deploy or examine Google Cloud resources need to be listed in our
+[team data
+file](https://gitlab.developers.cam.ac.uk/uis/devops/infra/terraform/team-data/-/blob/master/team_data.json)
+and given a Google account of the form `{crsid}@gcloudadmin.g.apps.cam.ac.uk`.
+
+This document contains specific guidance for team members about this account. We use the term
+"Google Cloud admin" account in this document to refer to these accounts.
+
+## Expectations on you as a developer
+
+Your Google Cloud admin account is powerful. It is expected that you:
+
+* Ensure that the account is configured with multi-factor authentication.
+* Use a strong password.
+* Limit the number of places you sign in with the account.
+* Do not leave long-lived browser sessions signed in to the account.
+* Only use the account in the browser to access the [Google Cloud
+  console](https://console.cloud.google.com/).
+* Use the account when authenticating to the `gcloud` SDK tool.
+
+## Do's and don'ts
+
+DO NOT:
+
+* Use the Google Cloud admin account as the default Google session.
+* Use the Google Cloud admin account to sign in to Chrome.
+* Enable any additional Google Services for the Google Cloud admin account via the [Google Workspace
+  preferences
+  app](https://preferences.g.apps.cam.ac.uk/) *except* for the Google Cloud service.
+* Use the Google Cloud admin account to configure a Google developer profile.
+* Use the Google Cloud admin account to "sign-in with Google".
+
+DO:
+
+* Use the Google Cloud admin account within a private browsing tab when feasible.
+* Use your `{crsid}@cam.ac.uk` account for day-to-day browsing.
+* Consider using 1password's passkey support or hardware passkeys such as Touch ID to
+  sign in to the account. The use of passkeys is [documented on Google's support
+  site](https://support.google.com/accounts/answer/13548313).
+
+## More information
+
+* [How to create a Google Cloud admin account](../howtos/create-gcloudadmin-account.md).
--- a/docs/howtos/create-gcloudadmin-account.md
+++ b/docs/howtos/create-gcloudadmin-account.md
@@ -11,6 +11,9 @@ non-existent.
 Instead we prefer team members to have a dedicated "gcloudadmin" account used for manipulating
 resources in the Google Cloud console and for deploying services.

+An explanation of the use of these accounts and expectations on developer's who have them is covered
+in a [dedicated explainer guide](../explanations/gcloudadmin-accounts.md).
+
 This page describes the process to create a "gcloudadmin" account.

 ## Create an issue

--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -52,6 +52,7 @@ nav:
          - tutorials/automating-gitlab-releases.md
      - "Explanations":
          - explanations/index.md
+          - explanations/gcloudadmin-accounts.md
          - explanations/service-infrastructure.md
          - explanations/identifiers.md
          - explanations/webapp-boilerplate.md