GCP (for AWS professionals)
Created: May 03, 2022
GCP Organizations
Organization
- The node at the top of the hierarchy.
Projects
- The equivalent of an AWS account.
- Resources are encapsulated inside a project.
- Have a globally unique ID, globally unique number, and a name.
Folders
- The equivalent of an AWS organizational unit (OU).
- Can contain other folders or projects.
Policies
- Inherited downwards.
- Can be applied at the folder or account level.
- Policies further down the hierarchy (weirdly) have more precedence.
Notable roles
- Organizational Admin.
- Organizational Policy Administrator.
- Project Creator.
Organization creation
- If the account is created with a G Suite domain, association with an organization is automatic.
- Otherwise, Google Cloud Identity can be used to create an organization.
- By default anyone can create projects and billing accounts.
GCP Resource Hierarchy
- Billing by project and a flexible billing model.
- Billing can be applied at the folder and organization levels.
IAM
Primitive roles
- Apply across all GCP services in a project.
- Viewer: read-only access.
- Editor: Viewer permissions plus deploy applications, modify services, and configure services.
- Owner: Editor permissions plus invite members, remove members, and delete projects.
- Billing administrator: manage billing.
Pre-defined roles
- Can control permissions on a specific service at the project, folder, or org level.
- Like AWS managed roles.
- Can be applied to Google Groups.
Custom roles
- Like AWS custom roles.
- Can be used at the project or organization level.
Service Accounts
- Accounts assumed by services.
- Have identities that look like:
  PROJECT_NUMBER-compute@developer.gserviceaccount.com
  PROJECT_ID@appspot.gserviceaccount.com
- Service accounts are also roles and can have pre-defined or custom IAM roles attached.
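Added example (not part of the original notes): a small audit that reads a project IAM policy in the JSON shape `gcloud projects get-iam-policy PROJECT_ID --format=json` prints, lists every member holding one of the primitive roles above, and singles out the default service accounts (the two identity patterns listed under Service Accounts). The sample policy, its members and the project number are constructed for the example.

```python
"""Flag primitive-role bindings in a GCP project IAM policy (added example)."""
import json
import re

# Primitive roles from the notes above; bindings to these deserve review.
PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Default service account identities: PROJECT_NUMBER-compute@developer... and
# PROJECT_ID@appspot... (the two patterns listed under Service Accounts).
DEFAULT_SA_RE = re.compile(
    r"^serviceAccount:(\d+-compute@developer|[a-z][-a-z0-9]*@appspot)"
    r"\.gserviceaccount\.com$"
)

# Constructed sample; mirrors the output of
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/editor", "members": [
            "serviceAccount:123456789012-compute@developer.gserviceaccount.com",
            "group:devs@example.com",
        ]},
        {"role": "roles/storage.objectViewer", "members": [
            "serviceAccount:my-project@appspot.gserviceaccount.com",
        ]},
    ],
    "etag": "BwXyz123=",
    "version": 1,
})


def find_primitive_bindings(policy_json: str) -> list:
    """Return (member, role) pairs where the role is a primitive role."""
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        if binding["role"] in PRIMITIVE_ROLES:
            for member in binding["members"]:
                findings.append((member, binding["role"]))
    return findings


def default_sa_with_primitive_roles(policy_json: str) -> list:
    """Subset of find_primitive_bindings() where the member is a default SA."""
    return [(m, r) for m, r in find_primitive_bindings(policy_json)
            if DEFAULT_SA_RE.match(m)]


if __name__ == "__main__":
    for member, role in find_primitive_bindings(SAMPLE_POLICY):
        print(f"{role:<14} {member}")
```

Feed it a real policy by piping the `gcloud` output into `find_primitive_bindings`; a default Compute Engine service account holding roles/editor is the usual first finding in a fresh project.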
CLI
gcloud, gsutil (Cloud Storage), and bq (BigQuery).