Integrating your Google identity provider

substrate create-admin-account -quality <quality> will ask for several inputs, which this page will help you provide from your Google identity provider.
These steps must be completed by a Google Super Admin. Be mindful, too, of which Google account you're using if you're signed into more than one in the same browser profile. Google has a habit of switching accounts when you least expect it.

Create a custom schema for assigning IAM roles to Google users

  1. 1.
    Visit in a browser (or visit, click Users, click More, and click Manage custom attributes)
  2. 2.
  3. 3.
    Enter “AWS” for Category
  4. 4.
    Under Custom fields, enter “RoleName” for Name, select “Text” for Info type, select “Visible to user and admin” for Visibility, select “Single Value” for No. of values
  5. 5.
    Click ADD

Create and configure an OAuth OIDC client

  1. 2.
  2. 3.
    Name the project and, optionally, put it in an organization (but don't worry if you can't put it in an organization, because everything still works without one)
  3. 4.
    Click CREATE
  4. 5.
    Click OAuth consent screen
  5. 6.
    Select “Internal”
  6. 7.
    Click CREATE
  7. 8.
    Enter an Application name
  8. 9.
    Enter your Intranet DNS domain name in Authorized domains
  9. 10.
  10. 11.
    Click Credentials in the left column
  11. 12.
    Click CREATE CREDENTIALS and then OAuth client ID in the expanded menu
  12. 13.
    Select “Web application” for Application type
  13. 14.
    Enter a Name, if desired
  14. 15.
    Click ADD URI in the Authorized redirect URIs section
  15. 16.
    Enter “https://intranet-dns-domain-name/login” (substituting your just-purchased or just-transferred Intranet DNS domain name)
  16. 17.
    Click CREATE
  17. 18.
    Use the credentials to respond to substrate create-admin-account's prompts
  18. 20.
    Confirm the project you created a moment ago is selected (its name will be listed next to “Google Cloud Platform” in the header)
  19. 21.
    Click ENABLE

Authorize users to use AWS

  1. 1.
    Visit in a browser (or visit and click Users)
  2. 2.
    For every user authorized to use AWS:
    1. 1.
      Click the user's name
    2. 2.
      Click User information
    3. 3.
      In the AWS section, click Add RoleName and enter the name (not the ARN) of the IAM role they should assume in your admin account (“Administrator” for yourself as you're getting started; if for others it's not “Administrator” or “Auditor”, ensure you've followed adding non-Administrator roles for humans first)
    4. 4.
      Click SAVE
With your identity provider integrated, jump to deleting unnecessary root access keys.