diff --git a/docs/img/access-controls/saml-idp/gcp-workforce/generate-command.png b/docs/img/access-controls/saml-idp/gcp-workforce/generate-command.png new file mode 100644 index 0000000000000..4521de5d16f10 Binary files /dev/null and b/docs/img/access-controls/saml-idp/gcp-workforce/generate-command.png differ diff --git a/docs/img/access-controls/saml-idp/gcp-workforce/generate-script.png b/docs/img/access-controls/saml-idp/gcp-workforce/generate-script.png deleted file mode 100644 index 00ef8baf2a5fe..0000000000000 Binary files a/docs/img/access-controls/saml-idp/gcp-workforce/generate-script.png and /dev/null differ diff --git a/docs/pages/access-controls/idps/saml-gcp-workforce-identity-federation.mdx b/docs/pages/access-controls/idps/saml-gcp-workforce-identity-federation.mdx index d60297bb46d42..c3d7e6d440d82 100644 --- a/docs/pages/access-controls/idps/saml-gcp-workforce-identity-federation.mdx +++ b/docs/pages/access-controls/idps/saml-gcp-workforce-identity-federation.mdx @@ -27,6 +27,8 @@ SAML IdP, so users can sign in into GCP web console by authenticating with Telep Reference](./saml-reference.mdx) before proceeding. - User with permission to create service provider resource. The preset `editor` role has this permission. - Access to GCP IAM API, with permission to create workforce identity pool, pool provider and an IAM policy. +At a minimum, both the "IAM Workforce Pool Admin" and "Organization Viewer" [GCP roles](https://cloud.google.com/iam/docs/configuring-workforce-identity-federation#required-roles) +are required (assigned at the GCP organization level) to configure GCP Workforce Identity Federation. Teleport Web UI offers both the guided and manual configuration flow for GCP Workforce Identity 
@@ -47,15 +49,15 @@ Now follow the steps listed below. ## Step 1/3. Configure workforce pool As a first step, provide the following information to the script generator. -![Test the IdP](../../../img/access-controls/saml-idp/gcp-workforce/generate-script.png) +![Test the IdP](../../../img/access-controls/saml-idp/gcp-workforce/generate-command.png) - **Organization ID:** Organization ID of GCP account. The ID is required to create a workforce pool. -- **Pool Name:** Name of the workforce pool to be created. Name should follow [GCP resource naming +- **Workforce pool name:** Name of the workforce pool to be created. Name should follow [GCP resource naming convention](https://cloud.google.com/compute/docs/naming-resources#resource-name-format). -- **Pool Provider Name:** Name of the workforce pool provider to be created. Pool provider name -will also be used as SAML service provider name in the next step. Name should follow +- **App name - Workforce pool provider name:** SAML app name. The name +will also be used as a workforce pool provider name in the GCP. Name should follow [GCP resource naming convention](https://cloud.google.com/compute/docs/naming-resources#resource-name-format). -Click on **Generate Script** button. Teleport Web UI will now show you a copyable bash script. +Click on the **Generate Command** button. The Teleport Web UI will now show you a copyable bash script. Open GCP [Cloud Shell](https://shell.cloud.google.com/?show=terminal) and inside the Cloud Shell terminal, paste the bash script you copied above.
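Review bot: In the first hunk (`@@ -27,6 +27,8 @@`), the two added lines are not indented or separated from the preceding `- Access to GCP IAM API ...` bullet, so in MDX they render as a lazy continuation of that list item rather than as a standalone paragraph; either indent them under the bullet deliberately or put a blank line before "At a minimum". Since "IAM Workforce Pool Admin" and "Organization Viewer" are granted at the organization level, it would also help the reader to give the role IDs alongside the display names (`roles/iam.workforcePoolAdmin`, `roles/resourcemanager.organizationViewer`) and to say that they are needed only by the person running the setup, so that these org-wide grants are scoped to that operator and reviewed afterwards rather than left on a shared account.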
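Review bot: In the second hunk (`@@ -47,15 +49,15 @@`), the image alt text is still `Test the IdP` although the new screenshot is the command generator form (`generate-command.png`); update it to something like `Configure workforce pool` so the alt text matches the image. Terminology is also inconsistent after the rename: the button is now **Generate Command**, but the same paragraph continues to say "a copyable bash script" and "paste the bash script you copied above", so pick one term (command or script) and use it throughout. Minor: "in the GCP" should read "in GCP". Finally, because the flow has the user paste generated content into Cloud Shell, a short sentence asking them to read the generated command and confirm the organization ID and pool names before running it would be a useful safeguard in this step.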