Upgrade to Pro — share decks privately, control downloads, hide ads and more …

GCP organizations explained

Lee Boonstra
October 25, 2018

GCP organizations explained

Lee Boonstra

October 25, 2018
Tweet

More Decks by Lee Boonstra

Other Decks in Business

Transcript

  1. Your organization wants to get
    started with Google Cloud? But
    where do you start?
    Lee Boonstra, Customer Engineer Google Cloud
    Twitter: @ladysign
    https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy#organizations
    1

    View full-size slide

  2. Create a GCP account
    Account

    View full-size slide

  3. IT’s BOUND TO AN
    ORGANIZATION Account Org
    Also known as:
    org node
    or root node.
    With an Organization resource, projects belong to your organization instead of the employee who created the
    project. This means that the projects are no longer deleted when an employee leaves the company; instead they
    will follow the organization’s lifecycle on Google Cloud Platform.
    https://cloud.google.com/resource-manager/docs/creating-managing-organization
    https://cloud.google.com/resource-manager/docs/quickstart-organizations#create_a_billing_account

    View full-size slide

  4. AN ORGANIZATION CAN
    HAVE FOLDERS
    AN ADDITIONAL GROUPING MECHANISM
    Account Org
    Org Org Org
    Org
    TEAM X TEAM Y TEAM Z
    PRODUCT A
    An organization can have an hierarchical structure. We call
    this folders. For example In organization MyBank.com,
    there is a Know Your Customer Team, a team Fraude and a
    team Data Science. The Data Science team can have
    various sub folders, or projects for each product they
    analyze.
    https://cloud.google.com/resource-manager/docs/creating-
    managing-folders

    View full-size slide

  5. AN ORGANIZATION CAN
    HAVE FOLDERS
    AN ADDITIONAL GROUPING MECHANISM
    Account Org
    Org Org Org
    Org
    KYC FRAUDE DaTA ANALYTICS
    FRAUDE DETECTION PLATFORM

    View full-size slide

  6. CREATE A BILLING ACCOUNT
    Account
    Billing
    An organization can have an hierarchical structure. We call
    this folders. For example In organization MyBank.com,
    there is a Know Your Customer Team, a team Fraude and a
    team Data Science. The Data Science team can have various
    sub folders, or projects for each product they analyze.
    https://cloud.google.com/resource-manager/docs/creating-
    managing-folders

    View full-size slide

  7. OR MULTIPLE
    Account
    Billing Billing Billing
    Billing done by X Billing done by Y Billing done by Z
    You can have multiple billing accounts.
    For example you could create billing accounts for different
    teams. For example, the finance team pays the bills for
    project Know Your Customer, and Fraude. But since the data
    science team are external / freelancers, we create a
    separate billing account for them.

    View full-size slide

  8. PROJECTS ARE BOUND
    TO BILLING
    ACCOUNTS
    Account
    Billing Billing Billing
    Project Project Project Project
    PROJECT-1 PROJECT-2 PROJECT-TEST PROJECT-PROD
    Projects are bound to billing accounts
    And billing accounts can link multiple
    projects.
    Projects are -not- based on geography or
    zones. - But resources are.
    You can create projects for team
    members, for test and production
    environments. Or event multiple
    “projects”.
    Like:
    STOCKCALCULATOR-BANKA
    STOCKCALUCLATOR-BANKB
    Or maybe even, to create a DEV, TEST
    AND PROD project.

    View full-size slide

  9. CROSS PROJECT ACCESS
    IS POSSIBLE Account
    Billing Billing Billing
    Project Project Project Project
    StocksHistory DataScience
    Cross project access is possible. But you
    have to explicitly set it.
    For example, you have a Project
    StockHistory - the DataScience Project
    makes use of those resources.

    View full-size slide

  10. PROJECTS MANAGE
    RESOURCES Account
    Billing Billing Billing
    Project Project Project Project
    All resources belong to a project.
    Like DataProc, BigQuery,
    AppEngine,SpeechAPI...

    View full-size slide

  11. POWERFUL IAM
    Billing Billing Billing
    Project Project Project Project
    IAM
    IAM
    Org
    GCP has a powerful Identity and Access
    Management.
    This means, you can set rules on the
    organisation. On projects. And on resources.
    You can can assign permissions to an
    account, organizations, folders, and projects
    in a hierarchy.

    View full-size slide

  12. POWERFUL IAM
    Project Project Project Project
    IAM
    Org
    Org Org Org
    IAM
    IAM
    IAM
    Lower level settings take precedence over
    higher level settings. This gives you simple
    control to allow or deny access to anyone at
    any level.
    But note, a parent rule will always win. For
    example, when you give Owner rights to a
    project, and you set a restriction on a lower
    level, such as Storage Bucket Read Only
    access. The Project Owner rights will win,
    and you will have Read Write access in the
    storage bucket.

    View full-size slide

  13. POWERFUL IAM
    Project Project Project Project
    IAM
    Org
    Org Org Org
    IAM
    IAM
    IAM
    Owner
    Project
    Owner
    Instance
    Creator
    The Org Owner is the
    administrator of the
    organization, and can
    create projects and edit all
    project and change roles.
    A Project Owner has all
    rights on the project, and
    create instances.
    Where a person/service
    account with specific
    resource rights, can only
    maintain that particular
    resource.

    View full-size slide

  14. https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations
    For more information
    On how to setup GCP for your
    enterprise, check out these best
    practices:

    View full-size slide