google-cloud-platform

Google Cloud Resource Hierarchy


I have a couple of resource hierarchy questions related to GCP:

  1. Can a user with a Google Workspace account by default be associated with an organisation resource, or is it only provisioned for them when they create a project resource?
  2. The initial IAM policy for a newly created organization resource grants the Project Creator and Billing Account Creator roles to the entire Google Workspace domain. This means users will be able to continue creating project resources and billing accounts as they did before the organization resource existed. What benefit does this feature have? Is it because, if a user creates a project resource, an organisation resource is automatically created along with it, but the IAM rules are kept such that they do not interfere with the user's activity? Also, does creation of an organisation resource incur some additional cost?
  3. If a user is not associated with a domain and they create a project resource, which by default also creates an organisation resource, then does that organisation resource have any domain, and what will the lifecycle of the project resource look like? Does every organisation resource have a domain?
  4. Is it necessary for Google Workspace to be associated with an organisation resource?

I have these questions


Solution

  • There are a lot of questions; let me try to help you as much as I can.

    To create a Google Cloud organization, you must have a Workspace organisation. Then the Workspace admin can create the Google Cloud root organisation, and this user is also the Google Cloud admin (with the Billing Account Admin and Project Admin roles included).

    Then this super admin can create accounts in Workspace (simple users) and create resources in Google Cloud (like folders or projects). When you create a project, you must associate it with a billing account to allow paid resource usage.

    To grant access to Workspace (or non-Workspace) users, the super admin can grant permissions to them at the org, folder or project level.

    A user who does not belong to the organisation but who has the Project Creator role inside the organisation can create a project inside the organisation hierarchy. It's only a matter of permissions, not domain related.

    If you activate some organisation policies on Google Cloud, like Domain Restricted Sharing, you discard the possibility of granting access to your org resources to users who do not belong to the authorized domain (i.e. at least your Workspace domain).

    Finally, hierarchical/structural resources like folders, projects and accounts (service accounts) are free. When you use services with storage, compute and memory, you have to pay for them.
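A worked illustration of two points in that answer (granting a role at the org, folder or project level, and Domain Restricted Sharing rejecting members outside the authorized domain), as an added example that is not part of the original answer. It audits a constructed IAM policy, which starts with the domain-wide Project Creator and Billing Account Creator grants mentioned in the question, for members that the allowlist would reject, and it builds the matching `gcloud ... add-iam-policy-binding` command only for members that pass. The organisation domain `example.com`, org ID `123456789012` and project `proj-1` are assumptions. The real constraint, `constraints/iam.allowedPolicyMemberDomains`, is keyed by Workspace customer ID rather than by domain name, so matching on the e-mail domain here is an offline approximation of that check, not Google's implementation of it.

```python
"""Offline audit of a Resource Manager IAM policy against a domain allowlist.

Added example; not from the original answer. Assumed values (not on the page):
organisation domain example.com, org ID 123456789012, org-owned project proj-1.
Matching on e-mail domain approximates constraints/iam.allowedPolicyMemberDomains,
which Google actually keys by Workspace customer ID.
"""
import json

ORG_ID = "123456789012"            # assumption
ALLOWED_DOMAINS = {"example.com"}  # assumption: the org's Workspace domain
ORG_PROJECTS = {"proj-1"}          # assumption: projects inside the org

# Constructed sample policy: the two domain-wide grants a new organisation
# resource starts with, plus bindings an admin added later.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/resourcemanager.projectCreator",
     "members": ["domain:example.com"]},
    {"role": "roles/billing.creator",
     "members": ["domain:example.com"]},
    {"role": "roles/resourcemanager.folderAdmin",
     "members": ["user:alice@example.com", "user:bob@gmail.com"]},
    {"role": "roles/viewer",
     "members": ["group:auditors@partner.example",
                 "serviceAccount:ci@proj-1.iam.gserviceaccount.com",
                 "allUsers"]}
  ]
}
""")

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
SA_SUFFIX = ".iam.gserviceaccount.com"


def member_allowed(member, allowed_domains=ALLOWED_DOMAINS, org_projects=ORG_PROJECTS):
    """True if `member` could be granted a role under the domain allowlist.

    user:/group:/domain: members must belong to an allowed domain; service
    accounts must belong to a project inside the organisation; public members
    and unrecognised member kinds are rejected.
    """
    if member in PUBLIC_MEMBERS:
        return False
    kind, _, value = member.partition(":")
    if kind == "domain":
        return value in allowed_domains
    if kind in ("user", "group") and "@" in value:
        return value.rsplit("@", 1)[1] in allowed_domains
    if kind == "serviceAccount":
        _, _, host = value.partition("@")
        return host.endswith(SA_SUFFIX) and host[: -len(SA_SUFFIX)] in org_projects
    return False


def violating_bindings(policy, **kw):
    """Return (role, member) pairs that the domain allowlist would reject."""
    return [(b["role"], m)
            for b in policy.get("bindings", [])
            for m in b.get("members", [])
            if not member_allowed(m, **kw)]


# Grant commands at the three levels of the hierarchy the answer mentions.
LEVEL_COMMANDS = {
    "organization": "gcloud organizations add-iam-policy-binding {id}",
    "folder": "gcloud resource-manager folders add-iam-policy-binding {id}",
    "project": "gcloud projects add-iam-policy-binding {id}",
}


def grant_command(level, resource_id, member, role):
    """Build the gcloud command granting `role` to `member` at `level`,
    or raise ValueError if the member would fail the domain allowlist."""
    if not member_allowed(member):
        raise ValueError(f"{member} is outside the allowed domains; "
                         "Domain Restricted Sharing would reject this binding")
    base = LEVEL_COMMANDS[level].format(id=resource_id)
    return f"{base} --member={member} --role={role}"


if __name__ == "__main__":
    for role, member in violating_bindings(SAMPLE_POLICY):
        print(f"REJECTED  {role:40} {member}")
    print(grant_command("organization", ORG_ID,
                        "user:alice@example.com",
                        "roles/resourcemanager.projectCreator"))
```

Run it as a script to see the three foreign members in the sample policy flagged (a gmail.com user, a partner-domain group and `allUsers`) and the org-level grant command for a member of the allowed domain. Swap `SAMPLE_POLICY` for the output of `gcloud organizations get-iam-policy ORG_ID --format=json` to audit a real organisation before enabling the constraint.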