GCP Resource Hierarchy
A structured way to manage resources across an organization, enabling inheritance of policies, billing, and access control.
Resource
The fundamental building block of Google Cloud, such as a VM instance, a storage bucket, or a BigQuery dataset.
Organization
The root node of the Google Cloud resource hierarchy, representing a company or entity.
Folder
A grouping mechanism between the Organization and Projects used to organize resources by department or environment.
Project
The base-level container for resources; all Google Cloud resources must belong to exactly one project.
Organization Node Requirement
Requires a Google Workspace or Cloud Identity account to be created.
Resource Manager
The tool/API used to programmatically manage the resource hierarchy (Organizations, Folders, and Projects).
Inheritance
The principle where policies (IAM and Org Policies) applied at a parent level automatically apply to all child resources.
Organization Admin
The IAM role (roles/resourcemanager.organizationAdmin) for administering the whole hierarchy: it can set IAM policies on the organization, folders and projects, so whoever holds it can grant themselves anything below it. Assign it to a small break-glass group, never to individuals or service accounts by default.
Folder Admin
The IAM role that allows a user to create, edit, and delete folders within an organization or parent folder.
Project Creator
The role required to create new projects within an organization or folder.
Project ID
A unique, permanent string used to identify a project; it cannot be changed after creation.
Project Name
A user-defined, non-unique string used to label a project; it can be changed at any time.
Project Number
A unique, system-generated numerical identifier for a project assigned by Google Cloud.
Project Deletion
When a project is deleted, it is "soft-deleted" for 30 days before all resources and data are permanently removed.
IAM (Identity and Access Management)
The framework that defines "who" (identity) can do "what" (role) on "which" resource.
Principle of Least Privilege
The security practice of granting users only the minimum permissions necessary to perform their job functions.
IAM Policy
A collection of statements that define access control for a resource; consists of a list of bindings.
IAM Binding
A mapping of a single role to one or more members (identities).
Primitive (Basic) Roles
The legacy Owner, Editor and Viewer roles (now called basic roles); each bundles thousands of permissions across every service, so they violate least privilege on anything but sandbox projects.
Predefined Roles
Google-managed roles that provide granular access to specific services (e.g., Compute Instance Admin).
Custom Roles
User-defined roles that combine specific permissions; used when predefined roles are too broad.
Member: Google Account
An individual email address associated with a person (e.g., gmail.com or workspace domain).
Member: Service Account
An identity used by applications or VMs to authenticate and access GCP resources programmatically.
Member: Google Group
A collection of Google Accounts; the best practice for managing permissions at scale.
Member: Cloud Identity Domain
Represents all Google Accounts created within a specific organization's domain.
IAM Policy Inheritance Flow
Organization -> Folder -> Project -> Resource.
Additive Policy
IAM policies are additive: the effective policy is the union of the bindings on a resource and on all its ancestors, so a user with Viewer at the Folder level and Editor at the Project level is an Editor in that project. A child policy can never subtract an inherited role; to reduce access you remove the binding where it was granted (IAM deny policies are a separate mechanism).
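The inheritance and additive rules above, worked through in code. This is an added example, not Google's code or API client: it models Organization -> Folder -> Project as a small tree whose policies use the same `{"bindings": [{"role", "members"}]}` shape the IAM API returns, expands a user into every member string that can match it (the user, its domain, its groups, allUsers/allAuthenticatedUsers), and unions the roles found on the way to the root. The organization, folder, project and group names are constructed; conditional bindings are ignored (treated as always true).

```python
# Added example (not Google's code): resolve the effective IAM roles a principal
# holds on a resource by walking Organization -> Folder -> Project -> Resource.
# Policies are in the shape the API returns: {"bindings": [{"role", "members"}]}.
# Names, emails and groups below are constructed for illustration.
from collections import defaultdict

BASIC_RANK = {"roles/viewer": 1, "roles/editor": 2, "roles/owner": 3}


class Node:
    """One level of the hierarchy with its own IAM policy bindings."""

    def __init__(self, name, parent=None, bindings=None):
        self.name = name
        self.parent = parent
        self.bindings = bindings or []   # [{"role": str, "members": [str]}, ...]


def principal_identities(email, groups):
    """Every member string that matches this user: the user itself, its domain,
    each Google Group it belongs to, and the two public pseudo-members."""
    ids = {f"user:{email}", f"domain:{email.split('@', 1)[1]}",
           "allUsers", "allAuthenticatedUsers"}
    ids.update(f"group:{g}" for g, members in groups.items() if email in members)
    return ids


def effective_roles(node, email, groups):
    """Union of roles granted on the node and all its ancestors.
    IAM is additive: a child policy can add roles but never remove inherited
    ones. Conditional bindings are ignored here (treated as always true)."""
    ids = principal_identities(email, groups)
    granted = defaultdict(set)           # role -> names of nodes granting it
    while node is not None:
        for b in node.bindings:
            if ids & set(b["members"]):
                granted[b["role"]].add(node.name)
        node = node.parent
    return dict(granted)


def strongest_basic_role(roles):
    """Highest basic role among the effective roles, or None."""
    basic = [r for r in roles if r in BASIC_RANK]
    return max(basic, key=BASIC_RANK.__getitem__) if basic else None


# Constructed hierarchy: Viewer for all staff at the org, Editor for alice on one project.
GROUPS = {"all-staff@example.com": {"alice@example.com", "bob@example.com"}}
ORG = Node("organizations/123", bindings=[
    {"role": "roles/viewer", "members": ["group:all-staff@example.com"]}])
FOLDER = Node("folders/eng", parent=ORG, bindings=[
    {"role": "roles/resourcemanager.folderViewer", "members": ["user:bob@example.com"]}])
PROJ_A = Node("projects/proj-a", parent=FOLDER, bindings=[
    {"role": "roles/editor", "members": ["user:alice@example.com"]}])
PROJ_B = Node("projects/proj-b", parent=FOLDER, bindings=[
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]}])  # public grant

if __name__ == "__main__":
    for who in ("alice@example.com", "bob@example.com"):
        roles = effective_roles(PROJ_A, who, GROUPS)
        print(who, "on proj-a:", roles, "->", strongest_basic_role(roles))
    print("anonymous on proj-b:", effective_roles(PROJ_B, "outsider@gmail.com", GROUPS))
```

Running it shows alice as Editor on proj-a (from the project) and still Viewer (from the org), bob as Viewer plus Folder Viewer with no Editor, and any unauthenticated caller holding Storage Object Viewer on proj-b because of the allUsers binding; the output also records which node granted each role, which is what you need when cleaning up an over-privileged principal.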
Billing Account
A resource that defines who pays for a specific set of Google Cloud projects.
Billing Account Linkage
A project must be linked to a valid billing account to use paid services or exit the Free Trial.
Billing Account Creator
The role required to create new billing accounts for the organization.
Billing Account User
The role that allows a user to link projects to a billing account.
Billing Account Administrator
The role providing full control over billing accounts, including managing users and payment methods.
Cloud Billing Export
A feature that exports detailed billing data (standard usage, detailed usage and pricing tables) to a BigQuery dataset for analysis; the older export of CSV/JSON files to a Cloud Storage bucket has been deprecated.
Budget Alerts
Notifications triggered when spending reaches a defined percentage of a budget (e.g., 50%, 90%, 100%).
Disabling Billing
Unlinking a project from its billing account; paid services in the project stop and their resources may be shut down or deleted, so it works as an emergency cost kill switch but is not a clean shutdown.
Quota
A limit on the amount of a particular GCP resource that a project can use (e.g., CPU cores in a region).
Rate Quota
A limit on the number of API requests allowed over a specific period.
Allocation Quota
A limit on the total number of resources that can exist (e.g., total number of static IPs).
Organization Policy Service
A service that provides centralized, programmatic control over the organization's resources.
Org Policy Constraint
A specific restriction applied via an Organization Policy (e.g., "Restrict Resource Usage" to specific regions).
IAM vs. Org Policy
IAM defines WHO has access; Org Policy defines WHAT can be done with a resource regardless of the user.
Trust Boundary
The project level serves as the primary trust and isolation boundary for resources.
Flat Hierarchy
A structure where all projects are directly under the Organization node without folders.
Departmental Hierarchy
A structure where folders are used to separate different departments (e.g., Engineering, Marketing).
Environment Hierarchy
A structure where folders separate development stages (e.g., Dev, Staging, Prod).
Project Move Requirement
To move a project, you need 'resourcemanager.projects.update' on the project and 'resourcemanager.projects.create' on the destination.
Global Resource
A resource accessible across all regions (e.g., Cloud DNS, VPC Networks, IAM).
Regional Resource
A resource tied to a specific geographic region (e.g., Static IP, Subnets, App Engine).
Zonal Resource
A resource tied to a specific data center zone (e.g., Compute Engine VM, Local SSD).
Resource ID
The specific identifier for a child resource (e.g., the name of a VM instance).
Best Practice: Groups over Individuals
Assign IAM roles to Google Groups rather than individual email addresses to simplify management.
Service Account User Role
roles/iam.serviceAccountUser, which lets a user "act as" a service account (for example to deploy a VM that runs as it). Because the user then effectively holds every role the service account has, grant it on the specific service account rather than at project level.
Default Service Account
Service accounts created automatically when an API is enabled (e.g., the Compute Engine default service account, PROJECT_NUMBER-compute@developer.gserviceaccount.com); historically they were granted the basic Editor role on the project, so every new VM inherited broad permissions. Create dedicated service accounts instead and enforce the iam.automaticIamGrantsForDefaultServiceAccounts organization policy constraint.
Service Account Key
A user-managed RSA key pair, downloaded as a JSON file, used to authenticate as a service account from outside Google Cloud. Keys do not expire by default and are not bound to a device, so a leaked file is a long-lived credential: prefer Workload Identity Federation or short-lived tokens, rotate any keys you must keep, and consider blocking key creation with the iam.disableServiceAccountKeyCreation constraint.
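Two checks a practitioner runs against the default-service-account and key-hygiene problems just described. This is an added example, not Google's code: the inputs mirror the JSON shape of `gcloud iam service-accounts keys list --format=json` (name, keyType, validAfterTime, validBeforeTime) and `gcloud projects get-iam-policy --format=json` (bindings), and the key list, project number and policy are constructed. The 90-day threshold is an assumption; pick your own.

```python
# Added example (not Google's code): hygiene checks over a service account's
# key list and a project's IAM bindings. Inputs mirror the JSON shape of
# `gcloud iam service-accounts keys list --format=json` and
# `gcloud projects get-iam-policy --format=json`; sample data is constructed.
import re
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)          # assumed rotation policy
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Compute Engine default SA: PROJECT_NUMBER-compute@developer.gserviceaccount.com
# App Engine default SA:     PROJECT_ID@appspot.gserviceaccount.com
DEFAULT_SA = re.compile(
    r"^serviceAccount:(\d+-compute@developer|[a-z][-a-z0-9]*@appspot)\.gserviceaccount\.com$")


def _ts(value):
    """Parse the RFC 3339 timestamps the API returns ('...Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stale_user_keys(keys, now, max_age=MAX_KEY_AGE):
    """(key id, age in days) for USER_MANAGED keys older than max_age.
    SYSTEM_MANAGED keys are rotated by Google and skipped; a user-managed key
    never expires on its own (validBeforeTime is 9999-12-31 unless an expiry
    policy is set), so age is the signal to watch."""
    stale = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue
        age = now - _ts(key["validAfterTime"])
        if age > max_age:
            stale.append((key["name"].rsplit("/", 1)[1], age.days))
    return stale


def default_sa_basic_grants(policy):
    """(member, role) pairs where a default service account holds a basic role,
    the state new projects start in unless the
    iam.automaticIamGrantsForDefaultServiceAccounts constraint is enforced."""
    hits = []
    for binding in policy["bindings"]:
        if binding["role"] in BASIC_ROLES:
            hits += [(m, binding["role"]) for m in binding["members"] if DEFAULT_SA.match(m)]
    return hits


# Constructed sample data (not real keys or projects).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
KEYS = [
    {"name": "projects/proj-a/serviceAccounts/ci@proj-a.iam.gserviceaccount.com/keys/key-old",
     "keyType": "USER_MANAGED", "validAfterTime": "2023-11-14T00:00:00Z",
     "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": "projects/proj-a/serviceAccounts/ci@proj-a.iam.gserviceaccount.com/keys/key-new",
     "keyType": "USER_MANAGED", "validAfterTime": "2024-05-22T00:00:00Z",
     "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": "projects/proj-a/serviceAccounts/ci@proj-a.iam.gserviceaccount.com/keys/key-sys",
     "keyType": "SYSTEM_MANAGED", "validAfterTime": "2023-01-01T00:00:00Z",
     "validBeforeTime": "2025-01-01T00:00:00Z"},
]
POLICY = {"bindings": [
    {"role": "roles/editor", "members": [
        "serviceAccount:123456789012-compute@developer.gserviceaccount.com",
        "user:alice@example.com"]},
    {"role": "roles/storage.objectViewer", "members": [
        "serviceAccount:proj-a@appspot.gserviceaccount.com"]},
]}

if __name__ == "__main__":
    print("stale user-managed keys:", stale_user_keys(KEYS, NOW))
    print("default SA with basic role:", default_sa_basic_grants(POLICY))
```

The App Engine default account in the sample only holds a narrow predefined role and is correctly not reported; the Compute Engine default account with Editor is, and the 200-day-old user-managed key is flagged while the Google-managed key is left alone.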
Google Cloud Console
The web-based graphical user interface for managing GCP resources.
Cloud Shell
An ephemeral, browser-based terminal with the gcloud CLI pre-installed.
gcloud CLI
The command-line interface for interacting with Google Cloud services.
gsutil
The CLI tool specifically for managing Cloud Storage buckets and objects.
bq
The CLI tool specifically for interacting with BigQuery.
Cloud SDK
The package (now distributed as the Google Cloud CLI) containing the gcloud, gsutil and bq tools; the gcloud storage commands supersede gsutil.
Compute Instance Admin (v1)
A predefined role that allows full control over VMs but not the networks they sit on.
Storage Object Admin
Allows full control over objects in a Cloud Storage bucket, but not the bucket itself.
Storage Admin
Allows full control over Cloud Storage buckets and the objects within them.
View-only access for billing
The Billing Account Viewer role.
Best Practice for Multiple Teams
Assign each team their own Project to isolate billing and administrative control.
Labels
Key-value pairs used to categorize and filter resources (e.g., env:prod, dept:finance); used for billing granularity.
Tags
Two different things share the name: network tags are strings attached to VM instances and matched by firewall rules and routes, while Resource Manager tags are key-value resources attached to organizations, folders or projects and usable in IAM conditions and organization policies.
Quotas: Increasing Limits
Most quotas can be increased by submitting a request via the Google Cloud Console.
Self-Service Quota Increase
A feature for certain resources where small quota increases are granted automatically.
Billing: Sub-accounts
Used by resellers to manage multiple customers under a single master billing account.
Project Suffix
A random string sometimes added to a Project ID to ensure global uniqueness.
Moving Projects between Orgs
Supported by Resource Manager, but it requires permissions in both organizations and organization policy constraints on each side (resourcemanager.allowedExportDestinations on the source, resourcemanager.allowedImportSources on the destination) that explicitly allow the migration; plan it with the affected teams and, for large estates, with Google support.
Resource Manager API
Must be enabled to programmatically manage folders and projects.
Organization Policy: skipDefaultNetworkCreation
The boolean constraint compute.skipDefaultNetworkCreation, which prevents the automatic creation of the "default" VPC (with its permissive default firewall rules) in new projects.
Organization Policy: Resource Location Restriction
The list constraint gcp.resourceLocations, which restricts the regions or location groups (e.g., in:us-locations) in which resources can be created.
Cloud Identity
The Identity-as-a-Service (IDaaS) that stores user accounts for Google Cloud.
Super Admin
The highest level of access in Google Workspace/Cloud Identity, distinct from the GCP Org Admin.
Cloud KMS
Key Management Service used to manage encryption keys for resources.
Encryption at Rest
Google Cloud encrypts all customer data at rest by default.
Encryption in Transit
Data is encrypted automatically when it travels between Google-controlled facilities (for example between data centers), and connections from clients to Google APIs use TLS; traffic between your own VMs inside a VPC is only guaranteed encryption when it crosses a physical boundary, so add TLS/mTLS at the application layer where you need end-to-end guarantees.
VPC (Virtual Private Cloud)
A global virtual network that belongs to a Project.
Subnet
A regional resource that defines IP address ranges within a VPC.
Project-level IAM
Assigning a role at the project level gives that user access to all resources inside that project.
Folder-level IAM
Assigning a role at the folder level gives that user access to all projects inside that folder.
Org-level IAM
Assigning a role at the organization level gives that principal the role on every folder and project in the organization; reserve it for hierarchy administration and audit roles (e.g., Organization Viewer, Security Reviewer) rather than service roles.
Service Account Creator
The role required to create service accounts within a project.
Service Account Key Admin
There is no separate "key creator" predefined role: generating JSON keys needs the iam.serviceAccountKeys.create permission, which the Service Account Key Admin role (roles/iam.serviceAccountKeyAdmin) carries along with listing and deleting keys. Grant it sparingly, or block key creation organization-wide with the iam.disableServiceAccountKeyCreation constraint.
Best Practice: Naming Projects
Use a consistent naming convention that includes the environment and application name.
Billing: Credit Cards vs. Invoicing
Standard accounts use credit cards; large organizations can apply for monthly invoicing.
Budget Alert: Pub/Sub
Budgets can send notifications to Pub/Sub to trigger automated cost-control scripts.
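The automated reaction mentioned above, as an added example that is not Google's code: the decision logic of a Pub/Sub-triggered handler that unlinks a project from its billing account once spend reaches the budget. The envelope shape (base64-encoded JSON in `data`, billingAccountId/budgetId in `attributes`) and the payload fields (budgetAmount, costAmount, alertThresholdExceeded) follow the Cloud Billing budget notification format; the Cloud Billing API call is injected as `disable_billing` so the logic runs offline, and the project, billing account and budget IDs are constructed.

```python
# Added example (not Google's code): the decision logic behind an automated
# "stop spending" reaction to a budget notification delivered through Pub/Sub.
# The envelope shape (base64 JSON in `data`, billingAccountId/budgetId in
# `attributes`) and the payload fields (budgetAmount, costAmount,
# alertThresholdExceeded) follow the Cloud Billing budget notification format;
# the billing API call itself is injected so the logic runs offline.
import base64
import json


def parse_budget_notification(envelope):
    """Decode one Pub/Sub message into (payload dict, attributes dict)."""
    payload = json.loads(base64.b64decode(envelope["data"]).decode("utf-8"))
    return payload, envelope.get("attributes", {})


def over_budget(payload, ratio=1.0):
    """True when cumulative spend for the period is at least `ratio` x budget.
    Budgets publish several times a day, so this must be safe to re-run."""
    budget = float(payload["budgetAmount"])
    return budget > 0 and float(payload["costAmount"]) >= ratio * budget


def handle_notification(envelope, project_id, billing_state, disable_billing):
    """Kill switch: unlink the project from its billing account once spend
    crosses the budget. `billing_state` maps project -> billingEnabled (in
    production read via projects.getBillingInfo); `disable_billing(project_id)`
    performs the updateBillingInfo call with billingAccountName set to ''.
    Returns a short status string for logging."""
    payload, attrs = parse_budget_notification(envelope)
    if not over_budget(payload):
        return "under-budget"
    if not billing_state.get(project_id, True):
        return "already-disabled"          # idempotent: repeated alerts are no-ops
    disable_billing(project_id)            # irreversible for running workloads
    billing_state[project_id] = False
    return f"disabled:{attrs.get('budgetId', '?')}"


def make_envelope(cost, budget, budget_id="budget-1"):
    """Build a constructed notification the way the budget service would emit it."""
    body = {"budgetDisplayName": "proj-a monthly", "costAmount": cost,
            "costIntervalStart": "2024-06-01T07:00:00Z", "budgetAmount": budget,
            "budgetAmountType": "SPECIFIED_AMOUNT", "currencyCode": "USD"}
    if cost >= budget:
        body["alertThresholdExceeded"] = 1.0
    return {"data": base64.b64encode(json.dumps(body).encode()).decode(),
            "attributes": {"billingAccountId": "01AB23-CD45EF-67GH89",
                           "budgetId": budget_id}}


if __name__ == "__main__":
    calls, state = [], {"proj-a": True}
    for cost in (50.0, 120.5, 130.0):
        print(cost, handle_notification(make_envelope(cost, 100.0), "proj-a",
                                        state, calls.append))
    print("billing API calls:", calls)
```

Because disabling billing shuts down the project's paid resources (see "Disabling Billing" above), keep this handler on sandbox and development projects, give its service account only the billing permission it needs on those projects, and make sure the idempotency check reads real billing state rather than an in-memory dict when deployed.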
Cloud Console Mobile App
Used to monitor resources and receive alerts on a smartphone.
Shared VPC
Allows an organization to connect resources from multiple projects to a common VPC network.
Host Project
In Shared VPC, the project that contains the shared network resources.
Service Project
In Shared VPC, projects that use the network resources of the Host Project.
IAM Role: Browser
Allows a user to see the project's metadata but not its resources.
IAM Role: Project IAM Admin
Allows a user to manage access control policies for a project.
IAM Policy Troubleshooting
Use the IAM Policy Troubleshooter to see why a user has or doesn't have a permission.
Audit Logs
Records of administrative actions and data access within your GCP hierarchy.
Admin Activity Logs
Logs for API calls that modify resource configuration or metadata (e.g., creating a VM, changing an IAM policy); always enabled, cannot be disabled, free of charge, and retained for 400 days in the _Required log bucket. Data Access audit logs, by contrast, are mostly off by default and billable.
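A detection rule run over Admin Activity entries, tying the audit-log and IAM cards together. This is an added example, not Google's code: it reads one LogEntry JSON document per line (as a log sink writes them), looks only at SetIamPolicy calls, and flags each ADD binding delta that makes a resource public, grants a basic role, or grants to an identity outside your trusted domains. The entry layout (protoPayload.methodName, authenticationInfo.principalEmail, serviceData.policyDelta.bindingDeltas) follows the AuditLog format; the sample entries, principals and project are constructed, and the trusted-domain list is an assumption you replace with your own.

```python
# Added example (not Google's code): detection logic run over Admin Activity
# audit log entries to flag risky IAM changes. Entries follow the LogEntry /
# AuditLog JSON layout (protoPayload.methodName, authenticationInfo.principalEmail,
# serviceData.policyDelta.bindingDeltas); the sample lines are constructed.
import json

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def member_domain(member):
    """Domain part of a user:/group:/serviceAccount: member, or None."""
    _, _, ident = member.partition(":")
    return ident.rsplit("@", 1)[1] if "@" in ident else None


def binding_findings(entry, trusted_domains):
    """Findings for one SetIamPolicy entry: each ADD delta that is public,
    grants a basic role, or grants to an identity outside trusted_domains."""
    proto = entry.get("protoPayload", {})
    if not proto.get("methodName", "").endswith("SetIamPolicy"):
        return []
    actor = proto.get("authenticationInfo", {}).get("principalEmail", "?")
    project = entry.get("resource", {}).get("labels", {}).get("project_id", "?")
    deltas = proto.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
    findings = []
    for d in deltas:
        if d.get("action") != "ADD":        # REMOVE deltas reduce access; not alerted
            continue
        member, role = d["member"], d["role"]
        reasons = []
        if member in PUBLIC_MEMBERS:
            reasons.append("public")
        if role in BASIC_ROLES:
            reasons.append("basic-role")
        dom = member_domain(member)
        if dom and dom not in trusted_domains:
            reasons.append("external-identity")
        if reasons:
            findings.append({"time": entry.get("timestamp"), "actor": actor,
                             "project": project, "member": member, "role": role,
                             "reasons": reasons})
    return findings


def scan(log_lines, trusted_domains):
    """Run the rule over newline-delimited JSON LogEntry records."""
    out = []
    for line in log_lines:
        if line.strip():
            out.extend(binding_findings(json.loads(line), trusted_domains))
    return out


def _entry(ts, actor, method, deltas=None):
    """Constructed Admin Activity entry for project proj-a."""
    proto = {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
             "serviceName": "cloudresourcemanager.googleapis.com",
             "methodName": method,
             "authenticationInfo": {"principalEmail": actor}}
    if deltas is not None:
        proto["serviceData"] = {"policyDelta": {"bindingDeltas": deltas}}
    return {"timestamp": ts, "protoPayload": proto,
            "logName": "projects/proj-a/logs/cloudaudit.googleapis.com%2Factivity",
            "resource": {"type": "project", "labels": {"project_id": "proj-a"}}}


# Constructed sample log (one JSON document per line), not real data.
SAMPLE_LOG = [json.dumps(e) for e in (
    _entry("2024-06-01T10:00:00Z", "alice@example.com", "SetIamPolicy",
           [{"action": "ADD", "role": "roles/owner", "member": "user:bob@gmail.com"}]),
    _entry("2024-06-01T10:05:00Z", "alice@example.com", "SetIamPolicy",
           [{"action": "ADD", "role": "roles/storage.objectViewer", "member": "allUsers"},
            {"action": "REMOVE", "role": "roles/editor", "member": "user:carol@example.com"}]),
    _entry("2024-06-01T10:10:00Z", "carol@example.com", "SetIamPolicy",
           [{"action": "ADD", "role": "roles/logging.viewer", "member": "group:sre@example.com"}]),
    _entry("2024-06-01T10:15:00Z", "carol@example.com", "v1.compute.instances.insert"),
)]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, {"example.com"}):
        print(f)
```

Only two of the four entries produce findings: the Owner grant to a consumer Gmail account (basic role plus external identity) and the allUsers grant; the in-domain group grant and the VM creation are ignored, and the REMOVE delta is skipped because removing a binding never widens access. Feed the same function from a Pub/Sub log sink to get near-real-time alerts instead of a batch scan.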