GCP Resource Manager
Google Cloud Platform – Resource manager help manage resource containers such as organizations, folders, and projects that allow you to group and hierarchically organize other GCP resources
- Organization resource is the root node in the Google Cloud resource hierarchy and is the hierarchical super node and ancestor of project resources and folders.
- Organization is the top of the hierarchy and does not have a parent.
- Organization provides central visibility and control over every resource that belongs to an organization
- With an Organization resource, projects belong to the organization instead of the employee who created the project, which means that the projects are no longer deleted when an employee leaves the company; instead they will follow the organization’s lifecycle on Google Cloud.
- Organization administrators have central control of all resources. They can view and manage all of the company’s projects
- IAM access control policies applied on the Organization resource apply throughout the hierarchy on all resources in the organization.
- Roles granted at the organization level are inherited by all projects and folders under the Organization resource
- Organization is not application for personal (e.g. Gmail) accounts
- Google Workspace or Cloud Identity account represents a company and is a prerequisite to have access to the Organization resource. It provides identity management, recovery mechanism, ownership and lifecycle management
- Google Workspace super admin is the individual responsible for domain ownership verification and the contact in cases of recovery.
- Folders are an additional grouping mechanism on top of projects and provide isolation boundaries between projects
- Organization resource is a prerequisite to use folders.
- Folders can be used to model different legal entities, departments, and teams within a company
- Folders allow delegation of administration rights as well as control or limit access to resources within the folder
- Project resource is the base-level organizing entity
- Organizations and folders may contain multiple projects
- Projects are core organizational component of GCP
- A project is required to use Google Cloud, and forms the basis for creating, enabling, and using all Google Cloud services, managing APIs, enabling billing, adding and removing collaborators, and managing permissions.
IAM Policy Inheritance
- IAM lets you control who (users) has what access (roles) to which resources by setting IAM policies on the resources.
- Resources inherit the policies of the parent node i.e. policy set at the Organization level is inherited by all its child folders and projects, and if a policy set at the project level, it is inherited by all its child resources.
- Most permissive parent policy always overrules more restrictive child policy i.e. There is no way to explicitly remove a permission for a lower-level resource that is granted at a higher level in the resource hierarchy.
- The effective policy for a resource is the union of the policy set on the resource and the policy inherited from its ancestors.
- Permission inheritance is transitive i.e. resources inherit policies from the project, which inherit policies from the organization.
- IAM policy hierarchy follows the same path as the Google Cloud resource hierarchy i.e. if the resource hierarchy is changed for e.g. moving a project from one folder to the other, the policy hierarchy changes as well.
Organization Policy Service
- Organization Policy Service gives a centralized and programmatic control over the organization’s cloud resources
- Organization Policy Service benefits
- Centralize control to configure restrictions on how the organization’s resources can be used.
- Define and establish guardrails for the development teams to stay within compliance boundaries.
- Help project owners and their teams move quickly without worry of breaking compliance.
- When an organization policy is set on a resource hierarchy node, all descendants of that node inherit the organization policy by default. i.e. organization policy set at the root organization node, will pass down the defined restriction through all descendant folders, projects, and service resources.
Restricting Identities by Domain
- Resource Manager provides a domain restriction constraint that can be used in organization policies to limit resource sharing based on domain.
- This constraint allows restricting the set of identities allowed to be used in Identity and Access Management policies
- Organization policies can use this constraint to limit resource sharing to a specified set of one or more Google Workspace domains, and exceptions can be granted on a per-folder or per-project basis.
- Domain restriction constraint is not retroactive. Once a domain restriction is set, this limitation will apply to IAM policy changes made from that point forward, and not to any previous changes.