The Organization setup wizard makes it simple for you to establish and delegate administration of your organization. It also allows you to migrate existing projects and billing accounts into your new organization.
To get started with the Organization setup wizard:
1. Acquire an Organization resource. For detailed instructions, see Getting an Organization resource.
2. Assign Organization, Billing, and Network Administrators for your GCP organization. For detailed instructions, see granting, changing, and revoking access to resources.
To start the migration process:
1. Send the project and billing migration request to Project owners.
2. Wait for Project owners to confirm the migration request.
3. Approve project and billing account migration.
This guide provides instructions on how to migrate projects and billing accounts using the Google Cloud Platform (GCP) setup wizard. For more information about using Resource Manager, see Migrating Existing Projects into the Organization.
Associating projects or billing accounts with an organization allows central control of all resources in the organization. To learn more, see benefits of the Organization resource.
The sections below provide detailed instructions for the above steps.
Migrate existing projects and billing accounts
After an Organization resource is created for your domain, all projects created under the organization will automatically belong to the organization. You can also migrate already existing projects into the organization.
- If you're an owner or an editor of a project and a Project Creator for the organization, you can migrate projects directly.
- If you're an Organization Administrator, you can request that project owners give you control of a project so you can migrate it into your organization.
Project migration isn't reversible. After a project is associated with an organization, you can't change it back to No organization or move it to another organization on your own. If you need to move a project after it's associated with an organization, you'll need to contact GCP Premium Support.
When a project is migrated to an organization, the Organization Administrator gains administrative control of the project and it inherits Cloud Identity and Access Management (Cloud IAM) and organization policies. Read more about Cloud IAM policy implications.
When you move existing projects into an organization, they're billed like they were before the migration, even if the project's billing account hasn't been migrated yet. Similarly, if you move the billing account into an organization, all projects linked to it will continue to work even if they are still outside of the organization. You can link newly imported projects to a new or existing billing account in your organization at any time, without interruption of project functionality.
Organization setup for super admins
Create an organization
Before you delegate GCP administrators and migrate projects and billing accounts, you must have an Organization resource. To acquire an Organization resource, sign up for G Suite or Cloud Identity, verify your domain, and then create a Project using that account. An Organization resource will be automatically provisioned once the Project is created. For more information about acquiring an Organization resource, see Getting an Organization resource.
Delegate GCP administrators
To delegate GCP administrators:
1. In the "Welcome to [ORGANIZATION_NAME] at GCP" email, click Go to My Console or go to the Organization Setup page in the GCP Console.
2. On the Organization Setup page, click Delegate setup.
3. On the Delegate Organization Administrator Role page that appears, enter the email addresses of individuals or groups you want to add as Organization Administrators.
4. When you're finished adding Organization Administrators, click Delegate.
The email addresses you entered will receive an email notification that they are now an Organization Administrator for your GCP organization.
To add more administrators later, click Set Permissions on the Identity & Organization page.
Migration for GCP administrators
When a G Suite or Cloud Identity account user delegates the Organization Administrator role to you through the Organization Setup process, you'll receive an email notification. During organization setup, you'll be able to assign permissions to other Organization, Billing, and Network Administrators. Individuals you assign as administrators won't receive an email.
You need the Project Creator role to request project and billing account migration. By default, all users in your domain are granted this role. For more information on changing this default behavior and granting users this role, see Managing Default Organization Roles.
Migrate projects and billing accounts
To migrate projects or billing accounts from other user accounts, you first request that the owners approve migration. The owners then receive a notification to review your request and approve projects or billing accounts for migration. Project owners can ignore your request, and it will expire after 30 days. You can request migration again if the original request expires or is still pending. After an owner approves projects or billing accounts for migration, you'll receive a notification and can select what you want to migrate.
Request project or billing account migration
1. Go to the Google Cloud Platform Console Identity & Organization page.
2. In the Request projects or billing accounts from box, add the email addresses for the billing account or project owners you want to request projects from, then click Request.
The billing account or project owners will receive an email with your request for migration. After they approve migration, you'll receive an email with a link to complete migration.
Wait for migration request approvals
When you request project or billing account migration, the project or billing account owners receive an email with your request. They will be able to select the projects to set up for migration. Your request remains valid for up to 30 days. After 30 days, the request expires and you'll need to send a new migration request for any outstanding projects or billing accounts.
When a project or billing account owner confirms the migration request, you will receive an email and a notification will appear on your GCP Console. To approve migration, continue to the next step.
Approve project and billing account migration
After an owner approves your migration request, you'll receive an email from Platform Notifications that the project owner has responded to your migration request, and a notification will appear on your GCP Console.
You will need the Project Creator, Billing Account Creator, and Organization Administrator roles on the organization to which you are migrating projects. To complete migration:
1. Click Migrate in the email, or go to the Migrate projects page in the GCP Console.
2. On the Select projects and Select billing accounts tabs, select any combination of projects and billing accounts you want to migrate, then click Next.
3. The Review and approve tab displays a list of all the projects and billing accounts you selected to migrate.
4. To complete migration, click Approve.
The projects or billing accounts you selected to migrate are now associated with your organization. Any projects or billing accounts you didn't migrate will remain in the No organization list. You'll still have the Project Mover Cloud IAM role for those projects and the Billing Administrator role for those billing accounts. You can revisit the GCP Console Migrate projects page to approve migration for those projects and billing accounts.
When you complete migration for a project, it's billed like it was before the migration, even if its billing account hasn't been migrated yet. Similarly, when you complete migration for a billing account, all projects linked to it will continue to work even if they're still outside of the organization.
Reviewing migrate requests
When an Organization Administrator requests you to migrate a project or billing account to their organization, you'll receive a "Migrate request" email. When you approve migration, you grant the Organization Administrator the following roles:
- The Project Mover role allows a user to import projects and change the Cloud IAM permissions on those projects.
- The Billing Administrator role allows a user to import billing accounts and change the Cloud IAM permissions on those projects.
After the Organization Administrator approves a migration, they can change Cloud IAM roles for the project and the project inherits existing organization policies. Read more about Cloud IAM policy implications.
To review requests, follow the steps below:
1. Click Review Request in the email to open the Review migrate request page.
2. On the Select projects and Select billing accounts tabs, select any combination of projects and billing accounts you want to migrate to the organization, then click Next.
3. The Confirm tab displays the following details about the migration:
   - The email address of the Organization Administrator that you're granting the Project Mover and Billing Administrator roles.
   - A confirmation list of all the projects and billing accounts you selected to migrate.
4. To complete migration, enter the email address of the entity that made the migration request, then click Confirm.
The projects or billing accounts you selected to migrate are now available for the Organization Administrator to migrate into their organization.
If you want to stop the migration process for a project or billing account, you must do so before the Organization Administrator imports it into their organization. To stop migration, go to the GCP Console Cloud IAM page for the project and remove the Project Mover or Billing Administrator role from the Organization Administrator.
Any projects or billing accounts that you didn't select to migrate will remain with No organization. You can click the link in your "Migrate request" email to approve migration for up to 30 days. After 30 days, the migration request expires and the Organization Administrator will have to send a new migration request for you to review.
Cloud IAM policy implications
Cloud Identity and Access Management policies that are already defined for a project are migrated with the project. This means that users who have permissions on the project before a migration will have the same permissions after the project is migrated.
Because Cloud IAM permissions are inherited and additive, roles that are defined at the organization level are inherited by projects when they migrate to the organization. For example, if projectAuthor@myorganization.com has the Project Editor role defined at the organization level, they will also get that role on any project that is migrated into the organization. This won't break anything in existing projects, but more users may gain access due to the inheritance.
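The inheritance described above can be checked before a project is migrated. The following is an added example, not part of the original guide: it compares a project's policy with the organization's and lists the grants and principals the project would pick up. The sample policies are constructed, in the JSON shape printed by `gcloud projects get-iam-policy` and `gcloud organizations get-iam-policy` with `--format=json`; the function names are hypothetical, and the project is assumed to sit directly under the organization.

```python
import json

# Constructed sample policies (not real accounts), in the JSON shape printed by
# `gcloud projects get-iam-policy` / `gcloud organizations get-iam-policy`.
PROJECT_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/owner",  "members": ["user:alice@example.com"]},
  {"role": "roles/editor", "members": ["user:bob@example.com"]}
]}
""")
ORG_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/resourcemanager.organizationAdmin",
   "members": ["user:orgadmin@myorganization.com"]},
  {"role": "roles/editor",
   "members": ["user:projectAuthor@myorganization.com", "user:bob@example.com"]}
]}
""")


def grants(policy):
    """Flatten a policy into a set of (member, role, condition) grants."""
    out = set()
    for binding in policy.get("bindings", []):
        cond = binding.get("condition", {}).get("expression", "")
        for member in binding.get("members", []):
            out.add((member, binding["role"], cond))
    return out


def gained_by_migration(project_policy, org_policy):
    """Grants the project picks up from the organization after migration.

    Cloud IAM is additive, so the effective policy is the union of both
    levels; nothing already granted on the project is removed.
    """
    before = grants(project_policy)
    after = before | grants(org_policy)
    return sorted(after - before)


def new_principals(project_policy, org_policy):
    """Members with no role on the project today who gain one by inheritance."""
    known = {member for member, _, _ in grants(project_policy)}
    gained = gained_by_migration(project_policy, org_policy)
    return sorted({member for member, _, _ in gained if member not in known})


if __name__ == "__main__":
    for member, role, cond in gained_by_migration(PROJECT_POLICY, ORG_POLICY):
        print(f"{member} gains {role}" + (f" if {cond}" if cond else ""))
```

Reviewing the output of `new_principals` before approving a migration shows exactly which accounts would see the project for the first time.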
Organization policies are also inherited down the hierarchy. By default, newly created organizations don't have organization policies. If you define organization policies for your organization, make sure that projects you migrate are consistent with your organization policies.
Key Point: It's your responsibility to make sure that Cloud IAM and organization policies are consistent when you move a project into the organization.