Google Search Console access
Google search console access is extremely limited compared to access to other services. This is due to the limitations of the service.
When a user, other than the root user, is created, they have to be individually granted access to each sub-domain and project on a case by case basis. This is done via single permission grants in google search console. As such, access to the search console is restricted to those who need it, and is not given out freely.
There are two potential credentials/ways to access the Google Search console.
- Work for Wikimedia, and be granted access to the google search console admin user/password.
- We don't like doing this, as it then gives whoever has access all the same rights as everyone else, with a single shared user.
- Work for Wikimedia or be a volunteer/contractor/hired to do the work, and get their own user.
- This will be limited to a small sub-set of the hundreds of subdomains.
To gain access to this console in either form, the following steps must be taken.
- File a task in Phabricator under the #SRE-access-requests project.
- User must have a valid NDA on file with WMF legal. Not a phabricator NDA electronically signed, but a full NDA with our legal department.
- WMF staff automatically sign this as part of their hiring process, all non-staff must have the NDA confirmed before access.
- User must have a valid reason for accessing the google search console.
- Please document what you'll be doing, and why.
- User should have an end date in mind, or setup an expiry time to check access, typically within a year of access (or less.)
- All user requests for non staff must have the sponsorship of a WMF staff person.
SRE Notes / HowTo
- Please note the admin password for google search console is in the pwstore.
- There is no scripted check for expiry at this time. Add user to the maint-announce calendar for their expiry until we have a better system.
Adding Users to Domains
This is a tedious process. Once you login to the google search console you will see a list of every single sub-domain for every single language and project in both HTTP and HTTPS.
- Login to google search console using the admin account in pwstore. This might require a verification via email
- Select the domain you wish to manage from the search/drop down in the top left of the page
- Select settings from the menu, then User and Permissions
- Determine if the user will need Restricted or Full access to the Domain.
- Click add user, and then enter the user's email address and click add user. Permission should be 'Restricted'.
- User has now been added to that project/subdomain. Repeat as needed for other projects/subdomains.
IMPORTANT NOTE FOR NON-WMF ADDITIONS: These all have expiration dates. An entry should be added to the maint-announce calendar, set to email out to the root list and the person who approved the access to the search console for the entry to alert them of expiry. Then whoever is on clinic duty for that week needs to login and remove the user from each of the domains.
Removing Users from Domains
- Login to google search console. The Home page is the listing off the hundreds of domains we have in the search console.
- Click on Manage Domain, Add or Manage Users for the single domain you want to edit. This pulls up a sub-page.
- Click the user in question in the list presented on page, this highlights the user.
- Click the delete user button on the highlighted line.