Google Cloud Platform (GCP) customers need an easy way to centrally manage and control GCP resources, projects and billing accounts that belong to their organization. As companies grow, it becomes progressively difficult to keep track of an ever-increasing number of projects, created by multiple users, with different access control policies and linked to a variety of billing instruments. Google Cloud Resource Manager allows you to group resource containers under the Organization resource, providing full visibility, centralized ownership and unified management of your company’s assets on GCP.
The Organization resource is now automatically assigned to all GCP users who have G Suite accounts, without any additional steps on their part. All you need to do is create a project within your company’s domain to unlock the Organization resource and all its benefits!
Since it was introduced in October 2016, hundreds of customers have successfully deployed Cloud Resource Manager’s Organization resource, and have provided positive feedback.
“At Qubit, we love the flexibility of GCP resource containers including Organizations and Projects. We use the Organization resource to maintain centralized visibility of our projects and GCP IAM policies to ensure consistent access controls throughout the company. This gives our developers the capabilities they need to put security at the forefront throughout our migration to the cloud.” — Laurie Clark-Michalek, Infrastructure Engineer at Qubit.
Understanding the Cloud Resource Manager Organization resource
The Cloud Resource Manager Organization resource is the root of the GCP resource hierarchy and is a critical component for all enterprise use cases, from social media to financial services, from gaming to e-commerce, to name a few. Here are a few benefits offered by the Organization resource:
Tie ownership of GCP projects to your company, so they remain available when a user leaves the organization.
Allow GCP admins to define IAM policies that apply horizontally across the entire organization.
Provide central visibility and control over billing for effective cost allocation and reporting.
Enable new policies and features for improved security.
The diagram below illustrates the GCP resource hierarchy and its link with the G Suite account.
G Suite, our set of intelligent productivity apps, is currently a prerequisite to access the Cloud Resource Manager Organization resource in GCP. It represents your company by providing ownership, lifecycle control, identities and a recovery mechanism. If you don’t already have a G Suite account, you can sign up to obtain one here. (You can request a GCP account that does not require G Suite to use the Cloud Resource Manager Organization resource. For more information, contact your sales representative.)
Getting started with the Cloud Resource Manager Organization resource
Unlocking the benefits of the Cloud Resource Manager Organization resource is easy; it’s automatically provisioned for your organization the first time a GCP user in your domain creates a GCP project or billing account. The Organization resource display name is automatically synchronized with your G Suite organization name and is visible in the Cloud Console UI picker, as shown in the picture below. The Organization resource is also accessible via gcloud and the Cloud Resource Manager API.
Because of the ownership and lifecycle implications explained above, the G Suite super admin is granted full control over GCP by default. Usually, different departments in an organization manage G Suite and GCP. Thus, the first and most important step for the G Suite super admin overseeing a GCP account is to identify and assign the IAM Organization Admin role to the relevant users in their domain. Once assigned, the Organization Admins can manage IAM policies, project ownership and billing centrally, via Cloud Console, gcloud or the Cloud Resource Manager API.
All new GCP projects and billing accounts will belong to the Cloud Resource Manager Organization resource by default, and it’s easy to migrate existing GCP Projects there too. Existing projects that have not migrated under the Organization resource are visible under the “No Organization” hierarchy.
How to manage your Cloud Resource Manager Organization resource with gcloud
The following script summarizes the steps to start using the Cloud Resource Manager Organization resource.
# Query your Organization ID
> gcloud organizations list
DISPLAY_NAME ID DIRECTORY_CUSTOMER_ID
MyOrganization 123456789 C03ryezon
# Access Organization details
> gcloud organizations describe [ORGANIZATION_ID]
creationTime: ‘2016-11-15T04:42:33.042Z’
displayName: MyOrganization
lifecycleState: ACTIVEname: organizations/123456789
owner: directoryCustomerId: C03ryezon
# How to assign the Organization Admin role
# Must have Organization Admin or Super Admin permissions
> gcloud organizations add-iam-policy-binding [ORGANIZATION_ID]
–member=[MEMBER_ID] –roleroles/resourcemanager.organizationAdmin
# How to migrate an existing project into the Organization
> gcloud alpha projects move [PROJECT_ID] –organization [ORGANIZATION_ID]
# How to list all projects in the Organization
> gcloud projects list –filter ‘parent.id=[ORGANIZATION_ID] AND
parent.type=organization’
What’s next
The Cloud Resource Manager Organization resource is the root of the GCP hierarchy and is key to centralized control, management and improving security. By assigning the CRM Organization resource to all G Suite users, we’re setting the stage for more innovation. Stay tuned for new capabilities that rely on the Cloud Resource Manager Organization resource as they become available in 2017. And for a deep dive into the Cloud Resource Manager and the latest in GCP security, join us at a security bootcamp at Next ’17 in San Francisco this March.
Quelle: Google Cloud Platform
Published by