Set up your Organization for Google Cloud
In this post I want to go through the separate steps to set up your organization for the Google Cloud.
First I want to distinguish between the terms Google Cloud and Google Cloud Platform (GCP). On the web they are often used interchangeably, and when you hear about Google Cloud, GCP is mostly what is actually meant.
Google Cloud is an umbrella term and suite of cloud computing services that runs on the same infrastructure that Google uses internally for its end-user products, such as Google Search, Gmail, Google Drive and YouTube.
Google Cloud includes the Google Cloud Platform (GCP) as well as Google Workspace (formerly Google Apps for Business or G Suite), enterprise versions of Android and Chrome OS, and application programming interfaces (APIs) for machine learning and enterprise mapping services.
What is an organization?
An organization is the root node in the Google Cloud resource hierarchy, which means it sits at the top above all your folders, projects, and resources. Existing policies or restrictions made at the organization level are inherited by the folders, projects, and resources below it. Organizations are available for Google Workspace or through Cloud Identity for Google Cloud customers, and you can create an organization today if you don’t have one.
The organization resource represents an organization (for example, a company) and is the root node in the Google Cloud resource hierarchy when present. The organization resource is the hierarchical ancestor of folder and project resources. The IAM access control policies applied on the organization resource apply throughout the hierarchy on all resources in the organization.
Google Cloud users are not required to have an organization resource, but some features of Resource Manager will not be usable without one.
Resource Manager features
The organization resource is closely associated with a Google Workspace or Cloud Identity account. When a user with a Google Workspace or Cloud Identity account creates a Google Cloud project resource, an organization resource is automatically provisioned for them.
A Google Workspace or Cloud Identity account can have exactly one organization resource provisioned with it. Once an organization resource is created for a domain, all new Google Cloud project resources created by members of the account domain will by default belong to the organization resource. When a managed user creates a project resource, the requirement is that it must be in some organization resource.
If a user specifies an organization resource and they have the right permissions, the project is assigned to that organization. Otherwise, it will default to the organization resource the user is associated with.
It is impossible for accounts associated with an organization resource to create project resources that aren’t associated with an organization resource.
The diagram below represents an example Google Cloud resource hierarchy in its complete form:
Google Cloud resources are organized hierarchically. This hierarchy allows you to map your organization’s operational structure to Google Cloud, and to manage access control and permissions for groups of related resources. The following diagram shows an example resource hierarchy illustrating the core account-level resources involved in administering your Google Cloud account.
- The domain is the mechanism to manage the users in your organization and is directly related to the organization resource.
- The organization resource represents an entire organization (for example, a company) and is the top-level node of the hierarchy. The organization resource provides central visibility and control over all Google Cloud resources further down in the hierarchy.
- Next in the hierarchy are folders. You can use folders to isolate requirements for different departments and teams in the parent organization. You can similarly use folders to separate production resources from development resources.
- At the bottom of the hierarchy are projects. Projects contain the service-level resources (such as computing, storage, and networking resources) that process your workloads and constitute your apps.
- Resources can be further categorized using labels. You can label the service-level resources (for example, VMs and DBs), as well as your account-level resources (for example, projects).
- Cloud Billing accounts are linked to and pay for projects.
- Cloud Billing accounts are connected to a Google Payments Profile. The payments profile is a Google-level resource and you pay for Google services (such as AdWords and Google Cloud) using the payment methods that are attached to that profile.
You can enforce granular permissions at different levels in the resource hierarchy to ensure that the right individuals have the correct access and permissions within your organization.
The structure you define is flexible and allows you to adapt to evolving requirements. If you are just beginning your Google Cloud journey, adopt the simplest structure that satisfies your initial requirements. See the Resource Manager overview for full details.
Benefits of the organization resource
With an organization resource, project resources belong to your organization instead of the employee who created the project. This means that the project resources are no longer deleted when an employee leaves the company; instead they will follow the organization resource’s lifecycle on Google Cloud.
Furthermore, Organization Administrators have central control of all resources. They can view and manage all of your company’s project resources. This enforcement means that there can no longer be shadow projects or rogue admins.
Also, you can grant roles at the organization level, which are inherited by all project and folder resources under the organization resource. For example, you can grant the Network Admin role to your networking team at the organization level, allowing them to manage all the networks in all project resources in your company, instead of granting them the role on each individual project resource.
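To make the inheritance concrete, here is an added example (my own illustration, not Google's code or API) that models a small resource hierarchy in Python and computes the roles a member effectively holds on a project by walking up to the organization. The organization id, folder and project names, and the group and user principals are all constructed; the role names are the real predefined roles roles/compute.networkAdmin, roles/viewer and roles/editor. It also covers the point from the permissions paragraph above: a grant at the organization level reaches every project, while a grant on a folder only reaches that folder's subtree.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Iterator, Optional, Set


@dataclass
class Resource:
    """One node of the hierarchy: organization, folder or project.

    Names mimic Resource Manager's "organizations/<id>", "folders/<id>" and
    "projects/<id>" form; every id below is constructed for this example.
    """
    name: str
    parent: Optional[Resource] = None
    # IAM allow-policy bindings attached directly to this node: role -> members
    bindings: Dict[str, Set[str]] = field(default_factory=dict)

    def ancestry(self) -> Iterator[Resource]:
        """Yield this node, then its parent, and so on up to the organization root."""
        node: Optional[Resource] = self
        while node is not None:
            yield node
            node = node.parent


def grant(resource: Resource, role: str, member: str) -> None:
    """Add a binding to the policy attached directly to `resource`."""
    resource.bindings.setdefault(role, set()).add(member)


def effective_roles(resource: Resource, member: str) -> Set[str]:
    """Roles `member` holds on `resource`, including those inherited from every
    ancestor. IAM allow policies are additive: a role granted higher up cannot be
    removed by a child policy, so the walk only ever adds roles."""
    roles: Set[str] = set()
    for node in resource.ancestry():
        for role, members in node.bindings.items():
            if member in members:
                roles.add(role)
    return roles


def members_with_role(resource: Resource, role: str) -> Set[str]:
    """Audit view: everyone who effectively holds `role` on `resource`,
    whether it was granted here or on an ancestor."""
    members: Set[str] = set()
    for node in resource.ancestry():
        members |= node.bindings.get(role, set())
    return members


def build_sample_hierarchy() -> Dict[str, Resource]:
    """Constructed hierarchy: one organization, two folders, two projects."""
    org = Resource("organizations/123456789012")  # constructed org id
    prod = Resource("folders/prod", parent=org)
    dev = Resource("folders/dev", parent=org)
    web_prod = Resource("projects/web-prod", parent=prod)
    web_dev = Resource("projects/web-dev", parent=dev)

    # The post's example: Network Admin granted once, at the organization level
    grant(org, "roles/compute.networkAdmin", "group:network-team@example.com")
    # Auditors may only view the production subtree
    grant(prod, "roles/viewer", "group:auditors@example.com")
    # A developer gets Editor on a single dev project only
    grant(web_dev, "roles/editor", "user:dev@example.com")

    return {r.name: r for r in (org, prod, dev, web_prod, web_dev)}


if __name__ == "__main__":
    h = build_sample_hierarchy()
    for name in ("projects/web-prod", "projects/web-dev"):
        print(name, "network-team:",
              sorted(effective_roles(h[name], "group:network-team@example.com")))
    print("Who can edit web-dev:",
          sorted(members_with_role(h["projects/web-dev"], "roles/editor")))
```

The model covers IAM allow policies only. IAM deny policies and Organization Policy constraints are separate mechanisms that are also inherited down the hierarchy but are not represented here. The `members_with_role` view is the one to use when reviewing who can reach a given project: a principal that never appears in the project's own policy may still hold a role through a folder or the organization.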
An organization resource exposed by the Resource Manager API consists of the following:
- An organization resource ID, which is a unique identifier for an organization.
- A display name, which is generated from the primary domain name in Google Workspace or Cloud Identity.
- The creation time of the organization resource.
- The last modified time of the organization resource.
- The owner of the organization resource. The owner is specified when creating the organization resource. It cannot be changed once it is set.
Create a new Organization
In order to create an organization, you first need either a Google Workspace or a Google Cloud Identity account.
Both Cloud Identity and Workspace provide authentication credentials allowing others to access your cloud resources. Workspace offers additional consumer services like Gmail, Google Drive, and other services.
Because Workspace offers more features than Cloud Identity, it is also more costly per license. For this reason, you may use Cloud Identity selectively, only for those users who do not need access to the more expensive Workspace features.
After establishing the Google identity service, you will use it to verify your domain. Verifying your domain automatically creates an organization resource, which is the root node of your Google Cloud resource hierarchy.
Once you have created your Google Workspace or Cloud Identity account and associated it with a domain, your organization resource will be automatically created for you. The resource will be provisioned at different times depending on your account status:
- If you are new to Google Cloud and have not created a project yet, the organization resource will be created for you when you log in to the Google Cloud console and accept the terms and conditions.
- If you are an existing Google Cloud user, the organization resource will be created for you when you create a new project or billing account. Any projects you created previously will be listed under “No organization”, and this is normal. The organization resource will appear and the new project you created will be linked to it automatically.
A Cloud Identity or Google Workspace account is the top-level container for users, groups, configuration, and data. A Cloud Identity or Google Workspace account is created when a company signs up for Cloud Identity or Google Workspace and corresponds to the notion of a tenant.
Cloud Identity and Google Workspace share a common technical platform. Both products use the same set of APIs and administrative tools and share the notion of an account as a container for users and groups; that container is identified by a domain name. For the purpose of managing users, groups, and authentication, the two products can largely be considered equivalent.
An account contains groups and one or more organizational units.
Cloud Identity is an Identity as a Service (IDaaS) and enterprise mobility management (EMM) product. It offers the identity services and endpoint administration that are available in Google Workspace as a stand-alone product. As an administrator, you can use Cloud Identity to manage your users, apps, and devices from a central location—the Google Admin console.
I will sign up for Cloud Identity here to finally create an organization resource.
Enter the domain you want to use for the organization.
When you click Next above, Google will check that the domain is purchased and registered at a domain registrar. Below looks good.
Provide a username and password you will use for the organization administrator account.
After that you will get forwarded to the Admin Console to set up Cloud Identity.
The Admin console allows an administrator to add users, create groups, manage devices, configure billing, and manage security settings. All these Google Cloud administration tasks can be done from a single location.
To be sure no one else is using your domain in Google Cloud, you can protect it by adding a verification code at your DNS registrar.
So click on Protect your <domain>.
Below you will get detailed information about how to add this verification code at your domain registrar.
Next I can set up the GCP Cloud Console.
Therefore I will sign in to it with my previously created organization administrator account.
Below you will see a notice that your organization has been created and that the user account you created previously has been granted the Organization Admin role.
For new accounts you can activate the free trial but then you need to add a payment method.
Finally, when I log in to the GCP Cloud Console at https://console.cloud.google.com/
I can see that so far I have set up Cloud Identity and my domain, and that I have created an organization.
Below, when clicking on Identity & Organization in the GCP menu, you will find an onboarding checklist with tasks to set up the Google Cloud foundation.
Here you can go through the separate steps to create the Google Cloud foundation.
You will find how to complete the remaining tasks to set up the organization and the Google Cloud foundation in my following post.
Google’s Cloud Console vs Admin Console