GCP Projects Billing & Accounts
GCP Resource Hierarchy
The GCP resource hierarchy is used to group resources and manage them as a single unit. The hierarchy consists of three levels: Organization, Folders and Projects.
Let’s understand it one by one.
The Organization is the root of the resource hierarchy and represents the company. A single Cloud Identity account is associated with at most one Organization. Cloud Identity has super admins, who assign the Organization Administrator IAM role to the users who will manage the Organization. By default, GCP automatically grants the Project Creator and Billing Account Creator IAM roles to all users in the domain.
The figure below shows how to set up an Organization for your business account.
Users with the Organization Administrator IAM role have the following functions:
- Define the structure of the resource hierarchy
- Define IAM policies over the resource hierarchy
- Delegate other management roles to other users
Folders are the building blocks of a multilayer organizational hierarchy. An Organization contains folders, and folders contain other folders and projects.
Let's understand this with an example: an Organization has four departments, named Finance, Marketing, Sales and IT. Each department has different roles, responsibilities and functions, or we can say environments, as shown in the figure.
Now, in order to control access to these environments, policies specific to each individual environment are required. To achieve that, we can create a separate folder for each environment, as shown in the figure above.
Once the Organization has been defined and the folders corresponding to our departments have been set up, we can proceed to create projects.
Projects are where we create GCP resources, use GCP services, manage permissions and manage billing options. Any user with the resourcemanager.projects.create IAM permission can create a project. By default, when an Organization is created, every user in the domain is granted that permission.
There is a limit, or quota, on the number of projects that can be created in each Organization.
Organization policies control access to the Organization's resources. These policies are used to specify limits on resource access.
GCP organization policies use two kinds of constraints on resources: list constraints and Boolean constraints. A list constraint can be configured to:
- Allow a specific set of values
- Deny a specific set of values
- Deny a value and all its child values
- Allow all values
- Deny all values
How to Manage Projects
Using the Google Cloud Console ( https://console.cloud.google.com ), you can create a project.
From the navigation menu, select IAM and then select Manage resources.
From there, click Create Project and provide all the details as shown in the figure below.
Once the project is created, your remaining project quota will be displayed.
Roles and Identities
A role is a collection of permissions. It is granted to a user by binding the role to that user. An identity represents a human user or a service account in GCP.
Example: Liza is a network engineer in the cloud (a human user) and has an identity with a name such as firstname.lastname@example.org. Roles are assigned to Liza@dclessons.com within GCP so that Liza can create, modify, delete and use resources in GCP.
There are three types of roles in GCP.
- Primitive Role
- Predefined Role
- Custom Role
Primitive roles include Owner, Editor and Viewer. These are the basic privileges and apply to most resources. They grant a wide range of permissions that a user may not always require. By using predefined roles instead, an enterprise can grant only the permissions needed for the specific functions a user has to perform.
Predefined roles provide granular access to resources in GCP and are specific to individual GCP products and resources.
Below is a sample of the roles available in GCP.
Custom roles allow a cloud admin to create and administer their own roles. These roles are assembled from permissions defined in IAM.
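As an added example (not from the original page), the following Python models how IAM bindings placed at the Organization and Folder levels described above are inherited by a project, and how an identity's effective permissions depend on whether it holds a broad primitive role or a narrow predefined one. The hierarchy, the abbreviated role permission sets and the member addresses are constructed sample values, not real GCP data.

```python
from dataclasses import dataclass, field

# Constructed, abbreviated permission sets; real GCP roles carry many more.
ROLE_PERMISSIONS = {
    "roles/resourcemanager.projectCreator": {"resourcemanager.projects.create"},
    "roles/compute.viewer": {"compute.instances.get", "compute.instances.list"},
    "roles/editor": {"resourcemanager.projects.create", "compute.instances.get",
                     "compute.instances.list", "compute.instances.create",
                     "compute.instances.delete", "storage.objects.delete"},
}

@dataclass
class Resource:
    """One node of the hierarchy: organization, folder or project."""
    name: str
    parent: "Resource | None" = None
    bindings: dict = field(default_factory=dict)   # role -> set of members

def member_matches(member, identity):
    """Does a binding member (user:, domain: or allUsers) cover this identity?"""
    if member == "allUsers":
        return True
    if member.startswith("domain:"):
        return identity.rpartition("@")[2] == member[len("domain:"):]
    return member == f"user:{identity}"

def effective_roles(resource, identity):
    """Roles bound on the resource or any ancestor: inherited down, never revoked below."""
    roles, node = set(), resource
    while node is not None:
        for role, members in node.bindings.items():
            if any(member_matches(m, identity) for m in members):
                roles.add(role)
        node = node.parent
    return roles

def effective_permissions(resource, identity):
    """Union of the permissions of every effective role on the resource."""
    return set().union(*(ROLE_PERMISSIONS[r] for r in effective_roles(resource, identity)))

def build_hierarchy():
    """Constructed sample: organization -> Finance folder -> fin-prod project."""
    org = Resource("organizations/123456", bindings={
        # The default grant the text describes: every domain user may create projects.
        "roles/resourcemanager.projectCreator": {"domain:dclessons.com"}})
    finance = Resource("folders/finance", parent=org, bindings={
        "roles/compute.viewer": {"user:liza@dclessons.com"}})
    return Resource("projects/fin-prod", parent=finance)
```

Walking the parent chain is what makes a folder-level binding apply to every project under that folder, so auditing who can create projects means inspecting the Organization node, not the individual projects.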