The GCP resource hierarchy
- Org Node
- Projects
- Folders [optional]
- other Folders [optional]
- Resources (VMs, Storage, etc.)
- Folders [optional]
- Projects
Important: policies are inherited downwards in the hierarchy
Any GCP resource belongs to a project.
Projects are the basis for enabling and using GCP services.
Each project is a separate compartment, and each resource belongs to exactly one.
Projects can have different owners and users. They're billed separately, and they're managed separately.
Each project has a name and a project ID.
Project ID vs. Project name vs. Project number:
| Project Id | Project name | Project Number |
|---|---|---|
| Globally unique | Need not be unique | Globally unique |
| Chosen by you | Chosen by you | Assigned by GCP |
| Immutable | Mutable | Immutable |
In general, project IDs are made to be human-readable strings, and you'll use them frequently to refer to projects.
You can use folders to help you to manage your organization's projects.
- Folders group projects under an organization
- Folders can contain projects, other folders, or both
- Use folders to assign policies
Caution!
To use folders, you need an organization node at the top of the hierarchy.
Important rule to keep in mind
Policies implemented at a higher level can NOT take away access that's granted at a lower level.
"The most generous policy, is the one that takes effect." - doubt: an "allow" in the top of the hierarchy has precedence over a "deny" in the specific resource?