Implementing GCP Policies for Customer Use Cases

This tutorial shows how to implement many of the concepts that are discussed in Designing GCP Policies for Customers. It is based on the startup example in Designing GCP Policies for Startup Customers.

This tutorial assumes that no existing identity management system is in place.

Objectives

  • Map your organization to Google Cloud Platform (GCP) services.
  • Configure your organization using Cloud Identity.
  • Set up a billing account and permissions.
  • Configure the Cloud Resource Manager hierarchy.
  • Automate project creation.
  • Grant permissions to users and groups.
  • Configure your development resources.

Costs

This tutorial creates folders, projects, and associated network resources in your organization. Although the resources that you create in this tutorial are not billable, it's a good idea to clean them up at the end of the tutorial.

Use the Pricing Calculator to generate a cost estimate that is based on your projected usage.

Before you begin

Ensure you have an email address that you can use while provisioning Cloud Identity.

Creating a domain

Before starting the tutorial, you must set up a domain that you will use to create your Cloud Identity. You or an administrator of your domain will need to add a TXT verification record to your domain's DNS records as part of the Cloud Identity onboarding flow.

Verifying the domain

  1. Verify that you own the domain by using the Search Console verification process.
  2. In the GCP Console, go to the Domain verification tab on the Credentials page.

    Go to the Credentials page

  3. Click Add domain.
  4. In the Configure webhook notifications dialog, enter the domain to verify.
  5. Click Add domain.

    To troubleshoot domain verification:

    • The domain must be registered in the Search Console with an https:// URL or have been verified with the Domain name provider verification method.
    • Make sure you are either an owner or editor for the GCP Console project (see Project members and permissions) and you are a site owner of the domain that will receive notifications. If you are not a site owner of the domain, contact the domain owner to get added as a verified owner (see Add or remove owners).
    • You can use the Google API Explorer for Webmaster Tools to list sites on the domain, and in particular, see if the domain's siteUrl property starts with https://.

Planning

During the planning stage, you need to map your organization to GCP. A planning checklist can help you track what you need to do. For naming your projects and buckets, you can follow the provided naming convention or substitute your own.

You then need to define users and groups, and then map IAM roles to those functional groups.

Map your organization to GCP

This tutorial addresses the following requirements, which are outlined in Designing GCP Policies for Startup Customers:

  • Use G Suite to manage identities and provide office productivity tools. (Note: For the purposes of this tutorial, reference Cloud Identity.)
  • Optimize for team autonomy and velocity.
  • Permit developers to choose their own tools, create their own resources and environments, experiment, and so on.
  • Use private repositories and registries.
  • Implement guardrails that help maintain security and compliance.
  • Alert for expenditures above a soft limit.
  • Assume good intention, but have some high-level controls and be sure to issue an alert for any violation of newly added security controls.
  • Give developers access to a shared set of resources.
  • Design the GCP environment to grow smoothly.

Planning checklist

Use the requirements to complete a checklist to help design your GCP organization. A completed checklist based on the preceding requirements looks like this:

Identity management

| Question | Y/N, comments | Action to take |
|---|---|---|
| Identity system in place? | N | If no identity system is in place, configure Cloud Identity. |
| Existing LDAP and Active Directory federation and sync? | N | Configure Cloud Identity and Cloud Directory Sync. |
| Users identified who need access to GCP? | Devteam 1, Devteam 2, Central functions | Create groups that are named to reflect their functions, and place identities in the appropriate groups. |

Projects and folders set up

| Question | Y/N, comments | Action to take |
|---|---|---|
| Departments and teams autonomous? | Y | Arrange your GCP organization so that each department has a dedicated folder under which the department's projects are located. |
| Dedicated folder for each organizational unit (OU)? | n/a | Arrange your GCP organization so that each OU has a dedicated folder under which the OU's projects are located. |
| Default permissions inherited across groups of projects? | Y | Create folders to organize groups of related projects. |
| Cross-charging and cost tracking per team or application? | Y | Create folders and use labels to organize projects for each team or each application. |
| Multiple services per team? | Y | Use folder hierarchies to encapsulate the projects that belong to each team, and use a folder under each team to encapsulate the projects that are related to a single service. |
| Policy working or shared across teams, such as security, networks, and shared resources? | Y | Determine which functional roles are organization-wide and which are delegated further down the hierarchy. Use folders to organize where the wider organization permissions should be assigned. |
| Dev, test, QA, and production separated per application? | Unknown, possibly in the future | Use projects as the trust boundary; use folders and separate projects for each environment per app under a single folder. |

Hierarchical policy assignment

| Question | Y/N, comments | Action to take |
|---|---|---|
| Dedicated teams separated to enforce network and security policies? | Not now | Use a shared virtual private cloud (VPC) and set up a group for network and security admins. |
| Restricted access to multiple production environments (multiple projects)? | Unknown | Use folders and groups to manage who has permissions to use production resources. |
| Restricted access to specific services and applications per dev team (how applications are developed in terms of teams working together)? | Too small to understand how this will evolve today | Use folders and groups to manage who is authorized to access resources, and with which permissions. |

Define a naming convention

Before you create the organizational structure and give permissions to the developers, settle on a naming standard for folders, projects, labels, and service accounts. Naming projects and Cloud Storage buckets in particular requires careful thought.

Projects

A project has a project number and a universally unique project ID, which is a short string of lowercase letters, digits, and dashes. When creating a project, you can specify the project ID. Google assigns the project number automatically. The project ID and project number cannot be changed.

To further identify a project, you can attach a label to it. Just be aware that anyone can modify labels. Read the guidance on using labels.

Buckets

Each Cloud Storage bucket is unique across the platform and must follow the naming guidelines detailed in Bucket name requirements.

Do not include your organization's name as part of any bucket name. Buckets can inadvertently be made publicly accessible, so giving one an easily identifiable name might reveal more about your organization than you intended.

The following naming convention has been defined for this tutorial.

| Resource | Naming convention |
|---|---|
| Top-level folder | Development |
| Team folders | team-xx-nn (where xx and nn indicate a unique combination of numbers and characters per folder) |
| Application folders | appname-xx-nn |
| Projects | appname-[ENV]; also team-xx-nn-userid (per-user project), shared-resources, and project-creation |
| Project labels | team-xx-nn-[ENV], app description, userid |
| Service accounts | function-srv-acc (shared service accounts); appname-srv-[ENV] |
| Buckets | appname-input-[ENV], appname-output-[ENV], appname-resources-[ENV] |

In this table, [ENV] is one of test, qa, or prod.
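The following script is an added example for this section and is not part of the original tutorial. It checks candidate names against the Google Cloud constraints on project IDs and bucket names, against the naming convention above, and against the rule that a bucket name must not reveal the organization. The organization name (ourstartup), the allowance for hyphenated app names, and the YYYYMMDD stamp used for the testapp-[ENTER_DATE_STAMP] project created later in the tutorial are assumptions made for this example.

```python
from __future__ import annotations

import re
from datetime import date

# Organization name to keep out of bucket names: an assumption for this
# example (the tutorial's fictional company is OurStartup.org).
ORG_NAME = "ourstartup"
ENVS = ("test", "qa", "prod")

# Google Cloud constraints.
# Project ID: 6-30 chars of lowercase letters, digits and hyphens; must start
# with a letter and must not end with a hyphen; must not contain restricted
# strings such as "google" or "ssl".
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")
PROJECT_ID_RESTRICTED = ("google", "ssl")
# Bucket name: 3-63 chars of lowercase letters, digits, dashes, underscores
# and dots; must start and end with a letter or digit; must not start with
# "goog", contain "google", or look like a dotted-decimal IP address.
# (Dotted names may be up to 222 chars; that case is not handled here.)
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9._-]{1,61}[a-z0-9]$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# The tutorial's naming convention. App names are assumed to be lowercase and
# may contain hyphens; the dated form covers testapp-[ENTER_DATE_STAMP] with a
# YYYYMMDD stamp (an assumption).
ENV_ALT = "|".join(ENVS)
APP_PROJECT_RE = re.compile(rf"^[a-z][a-z0-9-]*-({ENV_ALT})$")
DATED_PROJECT_RE = re.compile(r"^[a-z][a-z0-9-]*-\d{8}$")
USER_PROJECT_RE = re.compile(r"^team-[a-z0-9]{2}-[a-z0-9]{2}-[a-z0-9]+$")
SPECIAL_PROJECTS = {"shared-resources", "project-creation"}
BUCKET_CONVENTION_RE = re.compile(
    rf"^[a-z][a-z0-9-]*-(input|output|resources)-({ENV_ALT})$")


def check_project_id(project_id: str) -> list[str]:
    """Return the problems with a project ID; an empty list means it is acceptable."""
    problems = []
    if not PROJECT_ID_RE.match(project_id):
        problems.append("project ID must be 6-30 chars of [a-z0-9-], start "
                        "with a letter and not end with '-'")
    for word in PROJECT_ID_RESTRICTED:
        if word in project_id:
            problems.append(f"project ID must not contain restricted string {word!r}")
    follows_convention = (
        project_id in SPECIAL_PROJECTS
        or APP_PROJECT_RE.match(project_id)
        or DATED_PROJECT_RE.match(project_id)
        or USER_PROJECT_RE.match(project_id)
    )
    if not follows_convention:
        problems.append("project ID does not follow the convention appname-[ENV]")
    return problems


def check_bucket_name(name: str, org_name: str = ORG_NAME) -> list[str]:
    """Return the problems with a bucket name; an empty list means it is acceptable."""
    problems = []
    if not BUCKET_RE.match(name):
        problems.append("bucket name must be 3-63 chars of [a-z0-9._-] and "
                        "start and end with a letter or digit")
    if name.startswith("goog") or "google" in name:
        problems.append("bucket name must not start with 'goog' or contain 'google'")
    if IPV4_RE.match(name):
        problems.append("bucket name must not look like an IP address")
    # Compare with separators stripped so that "our-startup" is caught as well.
    squashed = re.sub(r"[._-]", "", name)
    if org_name and re.sub(r"[._-]", "", org_name.lower()) in squashed:
        problems.append("bucket name reveals the organization name")
    if not BUCKET_CONVENTION_RE.match(name):
        problems.append("bucket name does not follow the convention "
                        "appname-[input|output|resources]-[ENV]")
    return problems


def names_for_app(app: str, env: str) -> dict[str, str]:
    """Derive the project, service account and bucket names for one app and environment."""
    if env not in ENVS:
        raise ValueError(f"env must be one of {ENVS}, got {env!r}")
    return {
        "project": f"{app}-{env}",
        "service_account": f"{app}-srv-{env}",
        "bucket_input": f"{app}-input-{env}",
        "bucket_output": f"{app}-output-{env}",
        "bucket_resources": f"{app}-resources-{env}",
    }


def dated_project_id(app: str, day: date | None = None) -> str:
    """Project ID in the tutorial's testapp-[ENTER_DATE_STAMP] form (YYYYMMDD assumed)."""
    return f"{app}-{(day or date.today()):%Y%m%d}"


if __name__ == "__main__":
    names = names_for_app("inventory", "prod")
    print("project", names["project"], check_project_id(names["project"]) or "ok")
    for key in ("bucket_input", "bucket_output", "bucket_resources"):
        print(key, names[key], check_bucket_name(names[key]) or "ok")
    print(check_bucket_name("ourstartup-inventory-output-prod"))
```

Run the checks before creating a resource, not after: a project ID cannot be changed once the project exists, and a bucket name that leaks the organization name stays discoverable for as long as the bucket does.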

Define users and groups

OurStartup.org is small, and its developers fill many overlapping functional roles. To provide flexibility, create separate functional groups for use with GCP.

| Group name | Description | Users |
|---|---|---|
| OrgAdmins@OurStartup.org | GCP organization admins | joe@OurStartup.org, alice@OurStartup.org |
| NetworkAdmins@OurStartup.org | Users who can make changes to network and security controls | alice@OurStartup.org, jens@OurStartup.org |
| OrgSecurityAdmins@OurStartup.org | Users who can set identity and access management (IAM) policies and organization policies | joe@OurStartup.org, alice@OurStartup.org |
| Devteam1@OurStartup.org | Members of Dev team 1 | dan@OurStartup.org, tom@OurStartup.org, anees@OurStartup.org, jens@OurStartup.org, grace@OurStartup.org |
| Devteam2@OurStartup.org | Members of Dev team 2 | mari@OurStartup.org, fereshteh@OurStartup.org, alice@OurStartup.org, rez@OurStartup.org |
| finance@OurStartup.org | Ability to manage payments | alice@OurStartup.org, joe@OurStartup.org |

Note that some users are members of multiple groups.

Map IAM roles to functional groups

Before you create any users in the GCP organization, create a map of IAM roles to functional groups.

The following table describes the initial required IAM policies.

| Functional role | Resource | IAM role(s) | Members |
|---|---|---|---|
| Full control of Dev Team 1 projects | Folder: team-01-01 | Folder Admin, Project Creator, Network Admin, Folder IAM Admin | Devteam1@OurStartup.org |
| Full control of Dev Team 2 projects | Folder: team-02-01 | Folder Admin, Project Creator, Network Admin, Folder IAM Admin | Devteam2@OurStartup.org |
| Admin for network and security controls for the entire organization | Organization | Network Admin, Security Admin | NetworkAdmins@OurStartup.org |
| Admin for security controls for the entire organization | Organization | Organization Admin, Policy Admin | OrgAdmins@OurStartup.org, OrgSecurityAdmins@OurStartup.org |
| Ability to manage payments | Organization | Billing Admin | finance@OurStartup.org, ProjectCreation service account |

Configuring the organization

Configuring your organization involves the following tasks:

  • Configuring Cloud Identity
  • Creating users and groups
  • Configuring GCP organization admin users

Configure Cloud Identity

This tutorial uses Cloud Identity to manage users.

  1. Complete the steps in the sign-up wizard. The first user that you need to create is one of the GCP organization administrators. In the sign-up wizard, references to organization administrator are for managing your Cloud Identity accounts.

  2. When prompted for your organization administrator, enter Alice as the username and choose an appropriate password. Make a note of the password because you will need it later.

    The sign-up process takes you to the Create users and groups page, but you cannot create any users or groups until you have accepted the terms and conditions.

  3. Return to your email account and accept the terms and conditions.

Create users and groups

Using the user and group table that you created in the planning section earlier, create users and groups, replacing @OurStartup.org with your domain.

| Group name | Description | Users |
|---|---|---|
| OrgAdmins@OurStartup.org | GCP organization admins | joe@OurStartup.org, alice@OurStartup.org |
| NetworkAdmins@OurStartup.org | Users who can make changes to network and security controls | alice@OurStartup.org, jens@OurStartup.org |
| OrgSecurityAdmins@OurStartup.org | Ability to set IAM policies and organization policies | rez@OurStartup.org, grace@OurStartup.org |
| Devteam1@OurStartup.org | Members of Dev team 1 | dan@OurStartup.org, tom@OurStartup.org, anees@OurStartup.org, jens@OurStartup.org, grace@OurStartup.org |
| Devteam2@OurStartup.org | Members of Dev team 2 | mari@OurStartup.org, fereshteh@OurStartup.org, alice@OurStartup.org, rez@OurStartup.org |
| finance@OurStartup.org | Ability to manage payments | alice@OurStartup.org, joe@OurStartup.org |

Using the preceding table:

  1. Create users by following these instructions for creating Cloud Identity user accounts.
  2. Create groups and add users by following these instructions for creating groups.

The Organization Administrators group (OrgAdmins) that you created in Cloud Identity is for those users that have been or will be assigned the organization administration role within GCP.

Configure GCP organization admin users

At this stage of the configuration, the users in the Organization Administrators group have no permissions to access the GCP organization.

You need to assign the organization admin role to the users that you added to the Cloud Identity OrgAdmins group. The organization admin role has the ability to grant IAM permissions.

  1. In the GCP Console, sign in using Alice's credentials. If you are using Chrome, you might want to sign in from an incognito tab to ensure you start from a clean state.

    GO TO THE GCP Console

    Alice's Cloud Identity account is designated as the Cloud Identity Super administrator.

  2. At the top of the page, click the Organization drop-down, and select your organization.

  3. In the IAM & admin navigation menu at left, click IAM.

  4. On the IAM page, click Add.

  5. In the Add member pop-up menu, in the Members field, add the group OrgAdmins@OurStartup.org, replacing "OurStartup.org" with your domain suffix.

  6. In the Roles drop-down, select Resource Manager, select Organization Administrator, and then click Add.

By default, everyone in your Cloud Identity domain is granted the Billing Account Creator and Project Creator IAM roles at the organization level. The organization administrator will probably want to implement more restrictive policies.

To remove those permissions from the domain through the console:

  1. From the IAM menu, make sure you are in your organization view.
  2. In the text box, type Project Creator.
  3. In the View by box, select Roles. A list of members in the Project Creator role appears, as shown in the following image:

    Members in the Project Creator role

  4. In the Role(s) column alongside the domain, click the drop-down arrow next to Multiple.

    multiple roles drop-down

  5. Deselect the selected Billing Account Creator and Project Creator roles, and click Save.
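The console steps above remove the two default domain-wide grants by hand. The following script is an added example, not part of the original tutorial: it audits an organization IAM policy, in the JSON shape that `gcloud organizations get-iam-policy` produces, for any role granted to a whole domain or to everyone (allUsers, allAuthenticatedUsers), and emits the equivalent `gcloud organizations remove-iam-policy-binding` commands. The sample policy, its etag and the [ORG_ID] placeholder are constructed for the example.

```python
from __future__ import annotations

import json
from dataclasses import dataclass

# Roles that Google Cloud grants to the whole Cloud Identity domain by default
# at the organization level (the two removed in the console steps above).
DEFAULT_DOMAIN_ROLES = {
    "roles/resourcemanager.projectCreator",
    "roles/billing.creator",
}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample shaped like the output of
#   gcloud organizations get-iam-policy [ORG_ID] --format=json
# The bindings, etag and members are made up for this example.
SAMPLE_POLICY_JSON = json.dumps({
    "bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["group:OrgAdmins@OurStartup.org"]},
        {"role": "roles/resourcemanager.projectCreator",
         "members": ["domain:OurStartup.org", "group:Devteam1@OurStartup.org"]},
        {"role": "roles/billing.creator",
         "members": ["domain:OurStartup.org"]},
        {"role": "roles/viewer",
         "members": ["allAuthenticatedUsers"]},
    ],
    "etag": "BwWexample=",
    "version": 1,
})


@dataclass(frozen=True)
class Finding:
    role: str
    member: str
    severity: str  # "public", "default-grant" or "domain-wide"


def classify(role: str, member: str) -> str | None:
    """Severity of one binding member, or None when it is a scoped user, group or service account."""
    if member in PUBLIC_MEMBERS:
        return "public"
    if member.startswith("domain:"):
        return "default-grant" if role in DEFAULT_DOMAIN_ROLES else "domain-wide"
    return None


def audit_policy(policy_json: str) -> list[Finding]:
    """Flag every binding that grants a role to a whole domain or to everyone."""
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            severity = classify(binding["role"], member)
            if severity:
                findings.append(Finding(binding["role"], member, severity))
    return findings


def remediation_commands(org_id: str, findings: list[Finding]) -> list[str]:
    """gcloud commands that remove the flagged bindings (the CLI equivalent of the console steps)."""
    return [
        f"gcloud organizations remove-iam-policy-binding {org_id} "
        f"--member={f.member} --role={f.role}"
        for f in findings
    ]


if __name__ == "__main__":
    found = audit_policy(SAMPLE_POLICY_JSON)
    for f in found:
        print(f"{f.severity:14} {f.role:45} {f.member}")
    print("\n".join(remediation_commands("[ORG_ID]", found)))
```

Run the audit again after the console change, and periodically afterwards: a domain-wide Project Creator grant is easy to reintroduce, and anything granted to allUsers or allAuthenticatedUsers at the organization level is inherited by every folder and project beneath it.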

Setting up a billing account and its permissions

  1. If you are not signed in to the console, sign back in as Alice.
  2. Open the console left-side menu and click Billing.
  3. Click New billing account.
  4. Enter the name of the billing account and your billing information. The options that you see depend on the country of your billing address. Note that for accounts in the U.S., you cannot change tax status after you create the account.

  5. Click Submit and enable billing.

  6. Assign the billing administrator role to the finance group that you created earlier.
  7. In the console left-side menu, click Billing.
  8. Ensure you are in your organization, and then click Permissions.
  9. In the Add members box, type finance@OurStartup.org.
  10. Click the Select a role drop-down, select Billing Account Administrator, and then click Add.

    Billing Account Admin

Configuring the Cloud Resource Manager hierarchy

After you have set up organization admins within the Organization node, you can configure the organization so that you can create projects and other resources automatically.

Assign IAM roles at the organization level

  1. If you are not still signed in to the console, sign back in as Alice.

    GO TO THE GCP Console

    At the organization level, you assign the IAM roles Folder Admin and Project Owner to the Organization Admin group, which in this example is OrgAdmins@OurStartup.org. You replace OurStartup.org with your domain name.

  2. At the top of the page, click the Organization drop-down, and select your organization.

  3. Click IAM.
  4. On the IAM page, click Add member to add new members to the organization, and assign the Folder Admin and Project Owner roles to the Organization Admin group.

Create your folders and assign IAM roles

  1. To create an initial folder, in the GCP Console, open the Manage Resources page.

    GO TO THE MANAGE RESOURCES PAGE

    Verify that your organization is selected in the drop-down.

  2. Click the Create Folder icon, and verify that your organization is in the destination box.

  3. Using the Naming convention table that you created earlier, in the Folder Name box, type Development, and then click Create.

    The folder you create will contain each development team's folder along with the project that will hold resources that are shared across teams.

  4. On the Create Folder page, in the Destination text box, verify that the Development folder is listed.

  5. In the Folder Name text box, enter team-01-01 to create Dev team 1's initial team folder under the Development folder, and then click Create.
  6. In the Folder Name text box, enter team-02-01 to create Dev team 2's initial team folder under the Development folder, and then click Create.
  7. At the folder level, assign the Project Creator role to each Development team group for their allotted folder.
  8. Open the IAM console page.

    GO TO THE IAM CONSOLE

  9. In the drop-down, select the folder team-01-01, and then click Add.

  10. In the Add member dialog, in the Members field, add the group Devteam1@[YOUR_DOMAIN], replacing [YOUR_DOMAIN] with your domain name.
  11. In the Roles drop-down, select Resource Manager > Project Creator, and then click Add.
  12. Repeat steps 9 through 11, assigning the Project Creator role to Devteam2@[YOUR_DOMAIN] in the team-02-01 folder.

Creating centralized projects

Create a project called ProjectCreation at the organization level.

  1. In the GCP Console, open the Manage Resources page.

    GO TO THE MANAGE RESOURCES PAGE

  2. In the Organization drop-down at the upper left, select your organization.

  3. Click Create Project, and type ProjectCreation as the project name.
  4. In the Location box, confirm that the organization is selected.
  5. Click Create.

You can use this project to create other projects in an automated, repeatable manner by using Deployment Manager templates.

Create a shared resources project named SharedResources under the top-level Development folder.

  1. In the GCP Console, open the Manage Resources page.

    GO TO THE MANAGE RESOURCES PAGE

  2. In the Organization drop-down at upper left, select your organization.

  3. Click Create Project, and type SharedResources as the project name.
  4. In the Location box, click Browse to select the Development folder under which you want to create the project.
  5. Click Create.

Automating project creation

To automate project creation when using Deployment Manager, you need to use the ProjectCreation project and customize the configuration files.

  1. Open a Cloud Shell session that clones the deploymentmanager-samples GitHub repository, which contains the Deployment Manager project creation templates.

    OPEN CLOUD SHELL

    Verify that you are running in the correct project.

  2. Set the working project, replacing [PROJECT_ID] with your project ID:

    gcloud config set project [PROJECT_ID]

  3. Change folders to the Deployment Manager project:

    cd ~/deploymentmanager-samples/examples/v2/project_creation/

  4. Follow the instructions in the Prerequisites section of the README file, starting with step 2. (You can start at step 2 because you did step 1 in the previous section.)

  5. Activate the APIs that are indicated in the preceding README. To do this, ensure that you are in the ProjectCreation project. From the left navigation menu, click APIs and services > Dashboard, and then click Enable APIs and Services. Search for each API that you need, and if it is not enabled, click Enable.

  6. After you configure the ProjectCreation project, follow the steps in the Using the templates section of the README to configure a project called testapp-[ENTER_DATE_STAMP], replacing [ENTER_DATE_STAMP] with the actual date stamp.

Granting permissions

You can now apply the permissions that you defined when mapping IAM roles to functional groups.

| Resource | IAM roles | Members |
|---|---|---|
| Folder: team-01-01 | Folder Admin, Project Creator, Network Admin, Folder IAM Admin | Devteam1@OurStartup.org |
| Folder: team-02-01 | Folder Admin, Project Creator, Network Admin, Folder IAM Admin | Devteam2@OurStartup.org |
| Organization | Network Admin, Security Admin | NetworkAdmins@OurStartup.org |
| Organization | Organization Admin, Policy Admin | OrgAdmins@OurStartup.org, OrgSecurityAdmins@OurStartup.org |
| Organization | Billing Admin | finance@OurStartup.org, ProjectCreation service account |

  1. In the GCP Console, open the IAM & admin page:

    GO TO THE IAM & ADMIN PAGE

  2. In the drop-down, select the resource at the appropriate level of the hierarchy (Organization, Folder, or Project), and then click Add.

  3. In the Add member dialog, in the Members field, add the members, replacing OurStartup.org with your domain suffix.
  4. In the Roles drop-down, select the IAM roles for each member, and then click Add.
  5. Repeat steps 2 through 4 for each set of permissions listed in the preceding table.
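Because IAM policies are additive and inherited down the resource hierarchy, and because several people sit in more than one group, the permissions a given person ends up with on a given project are not obvious from the tables in the planning section and above. The following script is an added example, not part of the original tutorial, that encodes the hierarchy, the group memberships from the planning section, and the bindings from the table above, and computes the effective roles per user and resource. The organization resource name, the two example team projects, and the mapping of console display names to role IDs (Folder Admin to roles/resourcemanager.folderAdmin, Policy Admin to roles/orgpolicy.policyAdmin, Security Admin to roles/compute.securityAdmin, Billing Admin to roles/billing.admin, Project Owner to roles/owner) are assumptions made for the example; IAM conditions and organization policies are not modelled.

```python
from __future__ import annotations

# Resource hierarchy from the tutorial as child -> parent. The organization
# resource name and the two team projects are assumptions for this example.
ORG = "organizations/OurStartup.org"
PARENT = {
    "folders/Development": ORG,
    "projects/ProjectCreation": ORG,
    "folders/team-01-01": "folders/Development",
    "folders/team-02-01": "folders/Development",
    "projects/SharedResources": "folders/Development",
    "projects/inventory-test": "folders/team-01-01",    # assumed Dev team 1 project
    "projects/billing-api-test": "folders/team-02-01",  # assumed Dev team 2 project
}

# Group membership from the planning section (domain suffix dropped).
GROUPS = {
    "OrgAdmins": {"joe", "alice"},
    "NetworkAdmins": {"alice", "jens"},
    "OrgSecurityAdmins": {"joe", "alice"},
    "Devteam1": {"dan", "tom", "anees", "jens", "grace"},
    "Devteam2": {"mari", "fereshteh", "alice", "rez"},
    "finance": {"alice", "joe"},
}

# Bindings from the tables. Display-name-to-role-ID mapping is an assumption.
# OrgAdmins also holds Folder Admin and Project Owner at the organization,
# as assigned in "Assign IAM roles at the organization level".
TEAM_ROLES = {
    "roles/resourcemanager.folderAdmin",
    "roles/resourcemanager.projectCreator",
    "roles/compute.networkAdmin",
    "roles/resourcemanager.folderIamAdmin",
}
ORG_ADMIN_ROLES = {
    "roles/resourcemanager.organizationAdmin",
    "roles/orgpolicy.policyAdmin",
}
BINDINGS = [
    ("folders/team-01-01", "group:Devteam1", TEAM_ROLES),
    ("folders/team-02-01", "group:Devteam2", TEAM_ROLES),
    (ORG, "group:NetworkAdmins", {"roles/compute.networkAdmin", "roles/compute.securityAdmin"}),
    (ORG, "group:OrgAdmins", ORG_ADMIN_ROLES | {"roles/resourcemanager.folderAdmin", "roles/owner"}),
    (ORG, "group:OrgSecurityAdmins", ORG_ADMIN_ROLES),
    (ORG, "group:finance", {"roles/billing.admin"}),
    (ORG, "serviceAccount:project-creation", {"roles/billing.admin"}),
]


def ancestors(resource: str) -> list[str]:
    """The resource followed by its parents, up to the organization."""
    chain = [resource]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain


def principals_for(user: str) -> set[str]:
    """Every IAM member string that stands for this user: the user plus each group containing them."""
    return {f"user:{user}"} | {f"group:{g}" for g, members in GROUPS.items() if user in members}


def effective_roles(user: str, resource: str) -> dict[str, set[str]]:
    """Roles the user holds on resource, each mapped to the resources where the grant was made.

    A grant on any ancestor applies, because policies are inherited and additive.
    """
    principals = principals_for(user)
    held: dict[str, set[str]] = {}
    for res in ancestors(resource):
        for bound_on, member, roles in BINDINGS:
            if bound_on == res and member in principals:
                for role in roles:
                    held.setdefault(role, set()).add(res)
    return held


def users_with_role(role: str, resource: str) -> set[str]:
    """Which people end up holding role on resource, through any group or ancestor."""
    everyone = set().union(*GROUPS.values())
    return {u for u in everyone if role in effective_roles(u, resource)}


if __name__ == "__main__":
    for user in ("dan", "alice"):
        for project in ("projects/inventory-test", "projects/billing-api-test"):
            print(user, project)
            for role, where in sorted(effective_roles(user, project).items()):
                print(f"   {role:45} via {', '.join(sorted(where))}")
    print(sorted(users_with_role("roles/resourcemanager.folderIamAdmin", "projects/billing-api-test")))
```

The output shows why the folder-level grants matter: dan, who is only in Devteam1, has no role at all on the Dev team 2 project, while alice holds Folder Admin on both team projects through the organization-level OrgAdmins grant even though she is only a member of Devteam2, and her Folder IAM Admin role reaches only the team-02-01 subtree.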

Configuring development resources

In the SharedResources project, create a repository for the configuration templates and scripts.

  1. In the GCP Console, open the Source Repositories view:

    GO TO THE SOURCE VIEW IN THE CONSOLE

  2. In the left navigation menu, click Repositories.

  3. Click Create Repository.
  4. When prompted, enter the name shared_resources for the repository, and click Create.

  5. In the GCP Console, open the IAM & admin page:

    GO TO THE IAM & ADMIN PAGE

  6. Select the SharedResources project, and click Continue.

  7. Add each group from the groups list, with the exception of finance@OurStartup.org, and assign the Editor role. The Editor role is broad; it keeps this tutorial simple, but in a production configuration grant each group the narrowest role that lets it work with the repository.

Cleaning up

After you've finished the current tutorial, you can clean up the resources you created on Google Cloud Platform so you won't be billed for them in the future. The following sections describe how to delete or turn off these resources.

Remove the deployments

  1. In the GCP Console, open the Deployments page.

    GO TO THE DEPLOYMENTS PAGE

  2. In the list of deployments, select the check boxes for the deployment(s) that you created as part of the tutorial.

  3. On the top of the page, click Delete.

Delete the projects

The easiest way to eliminate billing is to delete the projects you created for the tutorial.

To delete a project:

  1. In the GCP Console, go to the Projects page.

    Go to the Projects page

  2. In the project list, select the checkbox next to the project you want to delete, and then click Delete project.
  3. In the dialog, type the project ID, and then click Shut down to delete the project.

What's next

This tutorial guided you through configuring a base GCP environment as described in Designing GCP Policies for Startup Customers.

  • If you decide to keep this configuration for actual production, at a minimum be sure you:

    • Configure a shared VPC and follow the best practices for managing your user accounts.
    • Configure audit logging for the organization by following the instructions that are outlined in Configuring Data Access Logs.
    • Assign the logging.privateLogViewer role to the group that needs to view audit logs.
  • After you determine your naming strategy, including labels, set up a billing dashboard. The instructions guide you through the required task of setting up the export of your billing data to BigQuery.

  • Set up a continuous integration and continuous deployment (CI/CD) environment so you can incorporate the configuration-as-code approach as part of your usual deployment processes. Decide which approach suits your development and operational processes. GCP has a number of articles that cover various CI/CD solutions.
  • For an optional advanced step, create the shared VPC configuration by extending the project creation templates.
  • For a security scanning and enforcement solution, you can set up Forseti Security.
  • Try out other Google Cloud Platform features for yourself. Have a look at our tutorials.