Projects, IAM, and Resource Hierarchy

Every resource in GCP belongs to a project, and every project exists within a resource hierarchy. Understanding this hierarchy and how Identity and Access Management (IAM) works is fundamental to securing and organising your cloud environment.

The Resource Hierarchy

GCP organises resources in a four-level hierarchy:

Organisation (example.com)
  |
  |-- Folder: Engineering
  |     |-- Project: web-app-prod
  |     |-- Project: web-app-dev
  |
  |-- Folder: Finance
  |     |-- Project: billing-system
  |
  |-- Project: shared-networking

Levels

Level	Description
Organisation	The root node, tied to a Google Workspace or Cloud Identity domain
Folders	Optional grouping mechanism for projects (can be nested)
Projects	The core organisational unit — all resources belong to a project
Resources	The actual GCP resources (VMs, buckets, databases, etc.)

Projects

A project is the fundamental unit in GCP:

Every resource (VM, bucket, database) belongs to exactly one project
Each project has a unique project ID (globally unique, immutable) and project number
Projects are used for billing — all resource costs are charged to the project
Projects provide a security boundary — IAM policies applied at the project level affect all resources within it

Folders

Folders let you group projects for organisational purposes:

Apply policies to all projects within a folder
Nest folders for complex organisational structures
Example: separate folders for departments, teams, or environments

Organisation

The organisation node represents your entire company:

Created automatically when you set up Google Workspace or Cloud Identity
Organisation-level policies apply to everything below
The Organisation Admin role has full control

Identity and Access Management (IAM)

IAM controls who (identity) can do what (role) on which resource (scope).

The IAM Model

An IAM policy binding has three parts:

Part	Description	Example
Principal	Who is requesting access	user:alice@example.com, serviceAccount:my-sa@project.iam.gserviceaccount.com
Role	What permissions are granted	roles/compute.instanceAdmin
Resource	Where the role applies	Project, folder, or specific resource

Types of Principals

Principal Type	Description
Google Account	A personal or Workspace user (user:alice@example.com)
Service Account	An identity for applications and VMs
Google Group	A named group of users (group:devs@example.com)
Google Workspace domain	All users in a domain
allAuthenticatedUsers	Any authenticated Google account (use with caution)
allUsers	Anyone on the internet (use with extreme caution)

Roles

GCP offers three types of roles:

Basic Roles (formerly Primitive)

Role	Permissions
Viewer	Read-only access to all resources
Editor	Read-write access to all resources
Owner	Full control including IAM management and billing

Projects, IAM, and Resource Hierarchy

Projects, IAM, and Resource Hierarchy

The Resource Hierarchy

Levels

Projects

Folders

Organisation

Identity and Access Management (IAM)

The IAM Model

Types of Principals

Roles

Basic Roles (formerly Primitive)

More in Cloud