GCP organizations explained

Lee Boonstra
October 25, 2018


Transcript

  1. Your organization wants to get started with Google Cloud? But where do you start?

    Lee Boonstra, Customer Engineer Google Cloud. Twitter: @ladysign
    https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy#organizations
  2. IT'S BOUND TO AN ORGANIZATION

    (Diagram: Account > Org.) Also known as: org node or root node. With an Organization resource, projects belong to your organization instead of to the employee who created the project. This means that projects are no longer deleted when an employee leaves the company; instead they follow the organization's lifecycle on Google Cloud Platform.
    https://cloud.google.com/resource-manager/docs/creating-managing-organization
    https://cloud.google.com/resource-manager/docs/quickstart-organizations#create_a_billing_account
  3. AN ORGANIZATION CAN HAVE FOLDERS: AN ADDITIONAL GROUPING MECHANISM

    (Diagram: Account > Org, with folders TEAM X, TEAM Y, TEAM Z and PRODUCT A.) An organization can have a hierarchical structure; we call these folders. For example, in organization MyBank.com there is a Know Your Customer team, a Fraude team and a Data Science team. The Data Science team can have various sub-folders, or projects for each product they analyze.
    https://cloud.google.com/resource-manager/docs/creating-managing-folders
  4. AN ORGANIZATION CAN HAVE FOLDERS: AN ADDITIONAL GROUPING MECHANISM

    (Diagram: the MyBank.com example, with folders KYC, FRAUDE, DATA ANALYTICS and FRAUDE DETECTION PLATFORM.)
  5. CREATE A BILLING ACCOUNT

    (Diagram: Account with a Billing account attached.)
  6. OR MULTIPLE

    (Diagram: Account with several Billing accounts: billing done by X, billing done by Y, billing done by Z.) You can have multiple billing accounts. For example, you could create billing accounts for different teams: the finance team pays the bills for the Know Your Customer and Fraude projects, but since the data science team are external freelancers, we create a separate billing account for them.
  7. PROJECTS ARE BOUND TO BILLING ACCOUNTS

    (Diagram: Billing accounts linked to PROJECT-1, PROJECT-2, PROJECT-TEST and PROJECT-PROD.) Projects are bound to billing accounts, and a billing account can link multiple projects. Projects are not based on geography or zones, but resources are. You can create projects for team members, or for test and production environments. Or even multiple "projects", like STOCKCALCULATOR-BANKA and STOCKCALCULATOR-BANKB. Or maybe even a DEV, TEST and PROD project.
  8. CROSS PROJECT ACCESS IS POSSIBLE

    (Diagram: projects StocksHistory and DataScience.) Cross-project access is possible, but you have to set it explicitly. For example, you have a project StocksHistory, and the DataScience project makes use of its resources.
  9. PROJECTS MANAGE RESOURCES

    All resources belong to a project, like Dataproc, BigQuery, App Engine, Speech API...
  10. POWERFUL IAM

    (Diagram: IAM applied at the Org and at the Project level.) GCP has powerful Identity and Access Management. This means you can set rules on the organization, on projects and on resources. You can assign permissions to an account on organizations, folders and projects in a hierarchy.
  11. POWERFUL IAM

    (Diagram: IAM policies at the Org and Project levels.) Lower level settings take precedence over higher level settings. This gives you simple control to allow or deny access to anyone at any level. But note, a parent rule will always win. For example, when you give Owner rights on a project and set a restriction at a lower level, such as read-only access on a Storage bucket, the Project Owner rights win and you will have read/write access to the storage bucket.
  12. POWERFUL IAM

    (Diagram: Owner at the Org level, Project Owner at the project level, Instance Creator at the resource level.) The Org Owner is the administrator of the organization and can create projects, edit all projects and change roles. A Project Owner has all rights on the project and can create instances. A person or service account with specific resource rights can only maintain that particular resource.
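The inheritance rule from slides 10 to 12 (grants are additive down the hierarchy, so a grant at a parent level is never narrowed by a binding on a child), as an added example in Python that is not part of this deck or of Google's tooling; the MyBank.com hierarchy, the members and the role-to-permission map are constructed and simplified, not the real IAM role definitions:

```python
from __future__ import annotations
from dataclasses import dataclass, field

ROLE_PERMISSIONS = {  # constructed, simplified subset; not the real IAM role definitions
    "roles/owner": {"storage.objects.get", "storage.objects.create", "storage.objects.delete"},
    "roles/storage.objectViewer": {"storage.objects.get"},
}

@dataclass
class Resource:
    """A node in the hierarchy: org > folder > project > resource (e.g. a bucket)."""
    name: str
    parent: Resource | None = None
    bindings: dict[str, set[str]] = field(default_factory=dict)  # role -> members

    def grant(self, role: str, member: str) -> None:
        self.bindings.setdefault(role, set()).add(member)

    def ancestry(self):
        node = self
        while node is not None:
            yield node
            node = node.parent

def effective_roles(resource: Resource, member: str) -> set[str]:
    """IAM policies are additive: the effective policy is the union of the bindings
    on the resource and on every ancestor. A child can only add, never take away."""
    return {role for node in resource.ancestry()
            for role, members in node.bindings.items() if member in members}

def effective_permissions(resource: Resource, member: str) -> set[str]:
    perms: set[str] = set()
    for role in effective_roles(resource, member):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

def can_write_objects(resource: Resource, member: str) -> bool:
    return "storage.objects.create" in effective_permissions(resource, member)

def build_mybank() -> tuple[Resource, Resource, Resource]:
    """Constructed MyBank.com tree: org > Data Science folder > project > bucket."""
    org = Resource("organizations/mybank.com")
    folder = Resource("folders/data-science", org)
    project = Resource("projects/stockshistory", folder)
    bucket = Resource("buckets/stock-ticks", project)
    project.grant("roles/owner", "alice@mybank.com")                # Project Owner
    bucket.grant("roles/storage.objectViewer", "alice@mybank.com")  # intended "restriction"
    bucket.grant("roles/storage.objectViewer", "bob@mybank.com")    # read-only only
    return org, project, bucket
```

Alice's read-only binding on the bucket does not remove the write permissions inherited from her project-level Owner grant, which is the case the deck warns about; Bob, who has nothing above the bucket, stays read-only.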