Can you change organisation ownership of a Google Cloud Project - google-cloud-platform

Is it possible to change the Organisation Ownership of a Google Cloud Account from one organisation to another?
Initially we set up the account under domain.net.au.
Our company was purchased by another company and has set up email using Google under domain.ag.
My boss is now wanting the Google Cloud Account and all its projects to be moved over to domain.ag.
Is this possible without having to re-create them all in the new location?
We have a massive database that is highly important to our company that needs to have almost no downtime.
thanks!

Changing organisational ownership, I think you really have to contact support. But if what you meant is moving your resources from the old organisation account to the new one, yes, it is possible to move resources from one organisation to another. With the right migration plan and the project mover roles on the required accounts, you can. But note that the resources would not inherit policies from the previous organisation, hence you have to do an accurate setup for your new organisation. Just do an inventory of what's in the current organisation to know how to prepare the new organisation and avoid issues. If you encounter any error, you can roll back.

To change the organization ownership you first need to contact Google support. Also, yes, it is possible if you want to move your resources from an old organization account to a new organization account with correct migration plans and roles. Kindly make a note here: the resources would not inherit policies from previous organisations. Hence you need to do the exact setup for your new organization account.
Steps to change Organizational ownership.
Create a list of projects that you’d like to move.
Move all the projects out of any folders in the current organization and into the top level.
Contact Support with a list of projects that you’d like to move from the current organization to another organization.
Support will move the projects out of the current organization so they have no parent (no organization).
Move all the projects into the new organization.
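The steps above as a script, added here as an example and not part of the answer: it inventories every project under the old organization (including those in folders), saves the organization-, folder- and project-level IAM policies (only the project-level one travels with the project; the inherited ones are what must be re-created), flattens folder projects to the organization root, writes the list to hand to Support, and later moves the detached projects into the new organization. Assumed: `OLD_ORG`/`NEW_ORG` are numeric organization IDs from `gcloud organizations list`, and the caller is authenticated as an account allowed to list, update and move the projects; the `BACKUP_DIR` name is arbitrary.

```shell
#!/bin/sh
# Added example, not from the thread above: automate the inventory and the
# moves in the steps just listed, and back up the IAM policies the projects
# will stop inheriting. Assumptions: OLD_ORG and NEW_ORG are numeric
# organization IDs (see `gcloud organizations list`) and the caller is
# authenticated as an account that may list, update and move the projects.
set -eu

BACKUP_DIR="${BACKUP_DIR:-./org-move-backup}"

# Project IDs whose direct parent is the given organization or folder.
projects_under() {            # $1 = organization|folder, $2 = numeric parent id
  gcloud projects list --filter="parent.type=$1 AND parent.id=$2" \
    --format='value(projectId)'
}

# Folder IDs directly under the given organization or folder.
folders_under() {             # $1 = organization|folder, $2 = numeric parent id
  if [ "$1" = organization ]; then
    gcloud resource-manager folders list --organization="$2" --format='value(name)'
  else
    gcloud resource-manager folders list --folder="$2" --format='value(name)'
  fi | sed 's#^folders/##'
}

# Walk the hierarchy: one "PROJECT_ID PARENT_TYPE PARENT_ID" line per project.
inventory() {                 # $1 = organization|folder, $2 = numeric parent id
  for p in $(projects_under "$1" "$2"); do
    printf '%s %s %s\n' "$p" "$1" "$2"
  done
  for f in $(folders_under "$1" "$2"); do
    inventory folder "$f"
  done
}

# Only the project-level policy travels with the project. The organization
# and folder policies it inherits today are what must be re-created in the
# new organization, so save all of them before touching anything.
backup_policies() {           # $1 = old org id, $2 = project id, $3 = parent type, $4 = parent id
  mkdir -p "$BACKUP_DIR"
  gcloud organizations get-iam-policy "$1" --format=json > "$BACKUP_DIR/org-$1.iam.json"
  if [ "$3" = folder ]; then
    gcloud resource-manager folders get-iam-policy "$4" --format=json \
      > "$BACKUP_DIR/folder-$4.iam.json"
  fi
  gcloud projects get-iam-policy "$2" --format=json > "$BACKUP_DIR/project-$2.iam.json"
}

# Step 2: take a project out of its folder to the root of the current org.
flatten_to_org_root() {       # $1 = old org id, $2 = project id
  gcloud projects move "$2" --organization="$1" --quiet
}

# Step 5: once Support has detached the project, attach it to the new org.
move_to_new_org() {           # $1 = new org id, $2 = project id
  gcloud projects move "$2" --organization="$1" --quiet
}

# Steps 1-2: inventory, back up, flatten; the list of project IDs written
# here is what you hand to Support in step 3.
prepare_migration() {         # $1 = old org id
  mkdir -p "$BACKUP_DIR"
  inventory organization "$1" | while read -r proj ptype pid; do
    backup_policies "$1" "$proj" "$ptype" "$pid"
    if [ "$ptype" = folder ]; then flatten_to_org_root "$1" "$proj" >/dev/null; fi
    echo "$proj"
  done > "$BACKUP_DIR/projects-to-move.txt"
}

# Step 5 for every project in that list.
finish_migration() {          # $1 = new org id
  while read -r proj; do
    move_to_new_org "$1" "$proj"
  done < "$BACKUP_DIR/projects-to-move.txt"
}

case "${1:-}" in
  prepare) prepare_migration "$2" ;;
  finish)  finish_migration "$2" ;;
  "")      : ;;               # no arguments: only define the functions
  *)       echo "usage: $0 prepare OLD_ORG_ID | finish NEW_ORG_ID" >&2; exit 2 ;;
esac
```

Run `./org-move.sh prepare OLD_ORG_ID` before opening the Support case and `./org-move.sh finish NEW_ORG_ID` once Support confirms the projects have no parent. Diff the saved `org-*.iam.json` and `folder-*.iam.json` files against the new organization's policy before the second step; those bindings are exactly the access that does not follow the projects.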

Related

Projects under No Organization that cannot be accessed

In the cloud-resource-manager page, there are 2 projects listed under No organization, one of them curiously has the id you-can-see-this-project, the other looks like an automatically generated project with the prefix My Project xxx.
The issue is that there seems to be no way to access these 2 projects even though I can see them under my account. The IAM page shows that I do not have the permission resourcemanager.projects.getIamPolicy and every other page or action notes some missing permission.
Is there a way to shutdown/delete these projects or a way to remove myself from these projects?
Edit:
Seems like the 2 projects that are showing up in my account are the same as for other people who have the same issue.
They are
Update (20221114): Checked recently and both the rogue projects are gone with no action on our part. Probably it was finally cleaned-up?
Root cause
Your Google Cloud Account is subscribed to "google-appengine@googlegroups.com".
Solution
Unsubscribing from this group will remove these projects. See Google Groups Help for reference.
I got this feedback directly from the Google Cloud Support team and confirmed it working with my account. I did not consciously subscribe to that group; maybe this happens or happened automatically in the past. Also, why these ghost projects are added remains a mystery to me; no idea what they should be used for. Here's hoping that Google will fix this in the future...
You will need to identify the Projects' members that have the Owner role; I think that there is not a specific IAM permission that permits Project deletion but that some identities must have the Owner role.
I suspect (!) you can't orphan Projects by removing the last Owner, so there must be at least one.
If you're unable to determine Ownership, Google Cloud Support can determine the Owners for you though I suspect Support won't be able to disclose this information to you but will need to contact the Owners directly about this.
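A way to do the ownership check the answer above describes, added as an example and not part of the answer: list every project the current account can see that has no parent ("No organization") and, for each, the principals bound directly to roles/owner. Reading the policy needs resourcemanager.projects.getIamPolicy on the project, which the question says is missing; that case is reported per project instead of aborting the run. The project IDs and principals are whatever gcloud returns for the authenticated account.

```shell
#!/bin/sh
# Added example, not part of the answer above: list every project the current
# account can see that has no parent ("No organization") and, for each, the
# principals that hold roles/owner on it. Projects whose policy we are not
# allowed to read are reported as such rather than aborting the run.
set -eu

# Project IDs visible to the caller that have no parent resource at all.
unparented_projects() {
  gcloud projects list --filter='NOT parent.id:*' --format='value(projectId)'
}

# Principals bound directly to roles/owner on one project, one per line.
project_owners() {            # $1 = project id
  gcloud projects get-iam-policy "$1" --flatten='bindings[].members' \
    --filter='bindings.role=roles/owner' --format='value(bindings.members)'
}

# One line per unparented project: "<project> owners: <principals>".
report_unparented() {
  for p in $(unparented_projects); do
    if owners=$(project_owners "$p" 2>/dev/null); then
      owners=$(printf '%s' "$owners" | tr '\n' ' ')
      printf '%s owners: %s\n' "$p" "${owners:-<none bound directly>}"
    else
      # getIamPolicy denied: Support or an existing Owner has to act here.
      printf '%s owners: <getIamPolicy denied; ask Support or an Owner>\n' "$p"
    fi
  done
}

if [ "${1:-}" = report ]; then report_unparented; fi
```

Run it as `./orphans.sh report`. Owners inherited from a folder or organization would not show up here; the filter only sees bindings set on the project itself, which is all an unparented project can have.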
Once you have created your Google Workspace or Cloud Identity account and associated it with a domain, your organization resource will be automatically created for you. The resource will be provisioned at different times depending on your account status:
If you are new to Google Cloud and have not created a project yet, the organization resource will be created for you when you log in to the Google Cloud console and accept the terms and conditions.
If you are an existing Google Cloud user, the organization resource will be created for you when you create a new project or billing account. Any projects you created previously will be listed under "No organization", and this is normal. The organization resource will appear and the new project you created will be linked to it automatically. You will need to move any projects you created under "No organization" into your new organization resource. For instructions on how to move your projects, see Migrating projects into an organization.
Users can only view and list projects they have access to via IAM roles. The Organization Administrator can view and list all projects in the organization.
The No organization option in the Organization drop-down lists the following projects:
Projects that do not belong to the Organization yet.
Projects that the user has access to, but that are under an Organization to which the user does not have access.
Refer to this documentation for more information on creating and managing organizations.

Is it possible to add an organization to an existing GCP account?

I am not able to add an organization to an already existing GCP account. The account has two projects running. I created a different account in order to create an organization, because GCP would not let me add an organization in the same account. After creating the account I get the following message:
When you use only your personal account, the projects are attached to a virtual organization named "No Organisation".
If you have a domain name, you can create a Cloud Identity account and an admin user. Remove all licences from your user to pay nothing (even if you need to enrol for a free trial, do this and then remove the licences to pay nothing).
So, now you have a new user (with @domainName), but you don't have your old project. No problem: go to the organisation level, in the IAM page, and grant your personal account Organisation Admin.
Go back to your personal account and you will be able to see your No Organization project and your new organization with the same account. Now, you simply need to migrate the projects if you want to attach them to the new organization.
Note: it's maybe a lot of new stuff and steps, but I did it and it worked well. Let me know if you need more guidance!

Add cloud identity to existing Google Cloud Projects

I have 2 Google Cloud projects with GKE and various other services enabled and running.
None of those projects has an organization resource assigned. There are also many users and service accounts inside the projects that are used in production.
We use (example) adminaccount@example.com for those projects.
I would like to add Google Identity Free, so that I will be able to use Azure AD Users with SSO
So I created a new Google Identity Account with the username identityadmin@example.com which is not a member of my existing Gcloud projects.
The domain (example.com) has not been verified so far.
What will I have to do to get this running with my existing projects?
I read that first I would need an organization resource, which would be created after I verify the domain.
Is it safe to do that? Will I afterwards be able to link my existing projects to this new organization without downtime and loss of existing permissions?
I don't understand how a new organization could be recognized by my existing projects, because there is no link between them.
The goal of course is not to have any downtime.
Sure, I would purchase Google support, but that's only possible if you have an organization, which I don't have.
I'm really confused and troubled.
Looking forward to any suggestions.
Many thanks in advance!
Roland
Firstly, you need to create your new organization. Start by creating a Google Workspace environment (go to https://admin.google.com and create it). You can create the org with a Google Workspace free trial and then cancel your subscription, no worry, I'm paying nothing!
Secondly, with your new Google Workspace account and your new user, go to https://console.cloud.google.com. Here, select your organization and go to IAM. Here add as member the user account where your projects are created in the "No Organization" organisation, and grant it the role Organization Administrator.
Perfect. Now, go back to your user account (freshly granted) and go to resource manager. I use the project picker window to go there.
And eventually, migrate your project. Select one project from "No Organization", click on migrate, select the Organization, and validate. That's all. No downtime
Your Cloud Identity organization is created when you finish your signup and setup steps for your Cloud Identity service
To answer your questions:
What will I have to do to get this running with my existing projects?
The simple answer is Migrate projects and billing accounts and set permissions
This documentation explains how to Grant access to billing accounts and Grant access to projects.
Will I afterwards be able to link my existing projects to this new organization without downtime and loss of existing permissions?
Once a Google Cloud Organization resource has been created for your domain, you can move your existing projects into the organization.
There should be NO server downtime or impact as a result of migration.
Take into consideration that the link between projects and billing accounts is preserved, irrespective of the hierarchy.
To migrate a project you will need the following permissions: resourcemanager.projects.create on the destination organization, typically granted by the Project Creator role.
resourcemanager.projects.update and resourcemanager.projects.setIAMPolicy on the project you are migrating, typically granted by the Owner role.
You can get further information in the following link: Migrating projects with no organization
Additionally, to contact support you could create a case using this link, and it doesn't matter if you don't have an organization.
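The "grant, then migrate" path from the two answers above as a script, added here as an example and not part of either answer. Run as the Cloud Identity admin, `grant` gives the existing account Organization Administrator (as the first answer does) plus Project Creator, which carries the resourcemanager.projects.create permission the second answer says the move needs on the destination; run as the existing account, `migrate` moves every visible unparented project and verifies that its parent, its own IAM bindings and its billing account link (which the second answer says is preserved) are what they should be afterwards. Assumed: `ORG_ID` is the numeric ID from `gcloud organizations list`; `user:me@gmail.com` is a placeholder principal.

```shell
#!/bin/sh
# Added example, not from the answers above: grant the existing account rights
# on the new organization, then move the "No organization" projects into it
# and check nothing was lost on the way. Assumptions: ORG_ID is the numeric
# organization ID; grant_org_access runs as the Cloud Identity admin,
# migrate_all_unparented as the existing account that owns the projects.
set -eu

# Organization Administrator is what the answer above grants; Project Creator
# adds resourcemanager.projects.create, which the move needs on the
# destination. --condition=None stops gcloud prompting when conditional
# bindings already exist on the organization.
grant_org_access() {          # $1 = org id, $2 = principal, e.g. user:me@gmail.com
  for role in roles/resourcemanager.organizationAdmin roles/resourcemanager.projectCreator; do
    gcloud organizations add-iam-policy-binding "$1" --member="$2" --role="$role" \
      --condition=None
  done
}

# What must be identical before and after the move: the project's own IAM
# bindings (etag excluded) and the billing account it is linked to.
fingerprint() {               # $1 = project id
  bindings=$(gcloud projects get-iam-policy "$1" --format='json(bindings)' | cksum | cut -d' ' -f1)
  billing=$(gcloud billing projects describe "$1" --format='value(billingAccountName)')
  printf '%s %s\n' "$bindings" "$billing"
}

# Move one project and verify where it landed and that bindings and billing
# link are unchanged. A failed check returns non-zero so the loop stops.
migrate_project() {           # $1 = org id, $2 = project id
  before=$(fingerprint "$2")
  gcloud projects move "$2" --organization="$1" --quiet --format=none
  after=$(fingerprint "$2")
  parent=$(gcloud projects describe "$2" --format='value(parent.id)')
  if [ "$parent" != "$1" ]; then
    echo "$2: expected parent $1, found '$parent'" >&2; return 1
  fi
  if [ "$before" != "$after" ]; then
    echo "$2: IAM bindings or billing link changed during the move" >&2; return 1
  fi
  echo "$2 -> organization $1 (IAM and billing unchanged)"
}

# Every project this account can see that currently has no parent.
migrate_all_unparented() {    # $1 = org id
  for p in $(gcloud projects list --filter='NOT parent.id:*' --format='value(projectId)'); do
    migrate_project "$1" "$p"
  done
}

case "${1:-}" in
  grant)   grant_org_access "$2" "$3" ;;
  migrate) migrate_all_unparented "$2" ;;
  "")      : ;;               # no arguments: only define the functions
  *)       echo "usage: $0 grant ORG_ID PRINCIPAL | migrate ORG_ID" >&2; exit 2 ;;
esac
```

Usage: `gcloud auth login admin@example.com && ./adopt.sh grant ORG_ID user:me@gmail.com`, then `gcloud auth login me@gmail.com && ./adopt.sh migrate ORG_ID`. Organization Administrator is a broad role; once the projects are in, replace it on the personal account with the narrower roles the account actually needs.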

AWS like account linking and consolidated billing on GCP

Say I have a business and multiple DBA (doing business as), on AWS I can create an org hierarchy of the business and DBAs. I can invite the DBA accounts into the business org and link them so the business org is the payer. This keeps the operations of DBA independent and isolated with the convenience of consolidated billing for the business. This can also make it easy to transfer ownership of the DBA if desired without affecting the operations.
I was looking to setup something similar on GCP but it seems like each org is tied to a domain and there is no way to invite one org into another to link and provide billing. Is this correct or are there ways to link and provide billing for one org on behalf of the other?
Say I have a business and multiple DBA (doing business as), on AWS I can create an org hierarchy of the business and DBAs.
You can create a similar hierarchy on Google Cloud.
I can invite the DBA accounts into the business org and link them so the business org is the payer.
You can accomplish this with Google Cloud but in a different way. You cannot make one organization a branch/child of another organization, but you can add its members (identities) to another organization. The key to this is the members are not actually part of the organization. Identities are independent and added and removed easily.
This keeps the operations of DBA independent and isolated with the convenience of consolidated billing for the business.
Google Cloud supports one or more billing accounts. Billing accounts can be assigned to projects independently of organizations. I can make my billing account responsible for any Google project (oversimplification).
This can also make it easy to transfer ownership of the DBA if desired without affecting the operations.
Google does not have this flexibility without effort. In Google Cloud, I would not merge projects into an organization unless this objective was permanent. Instead, I would add the members required to access that project to IAM.
Projects independent of an organization can still participate in another organization and vice versa. Google Cloud Identity and Access Management (IAM) is very flexible. If I want bob@example.com to have access to Project ABC, I can add his email address to IAM and grant roles. You can also add an entire domain of users *@example.com to Google IAM. There are many more options.
You can move projects around inside the organization, but you cannot move projects to a different organization yourself - this requires opening a support ticket with Google Cloud Support.
I was looking to set up something similar on GCP but it seems like each org is tied to a domain
Google Cloud is not tied to a domain name, Google G Suite is. If you plan to also use G Suite for multiple DBA, I would have separate Google accounts and not combine G Suite with my resources in Google Cloud. Note: G Suite supports multiple domains; for a single organization linking G Suite and Google Cloud is fine.
I find Google Cloud's method of organizations, folders, projects and IAM more flexible than AWS.
AWS and Google have powerful IAM systems. I know both very well, each has its positives and drawbacks.
While the answer from John tells what all might be possible, it didn't have details on how to do it. After a lot of searching online and experimenting I managed to do what I wanted. Below are the steps using the "business" and "dba" references in my question.
Create a payment profile with primary contact, say billing@businessdomain. Make sure the account type is Business and not Individual. In my case, I somehow ended up with an Individual account. It is not allowed to change the account type once created. Don't know why, but this was my first hurdle. With the Business account type, it is possible to invite other users.
I wasn't sure how to create a business account and if I could use the same email for the business account type. From within GCP, I went ahead and did the billing setup. Based on my login user, which had the individual payment profile, it defaulted to that payment profile but allowed me to create a new profile. I picked the account type as Business but all other details were the same as what I had in the other personal account that got created. Luckily, it went ahead and created a business payment profile.
Once I had the business payment profile, I could go ahead and invite a user from my dba by specifying the email, say billing@dbadomain. That email got an invitation and, upon accepting it, was linked to the same payment profile. This is the key! This essentially allows a payment profile associated with one domain (organization) to be used for the billing account of another domain (organization).
At this point, I went ahead and even closed the payment profile with the Individual account type and it seemed to have worked. I didn't have any transactions so far, so it's like it never needed to exist. I wish it was possible to change the account type for such profiles.
With this setup, the dba organization and its operations are done isolated and if ever it needs to change ownership, it can add a different billing method and separate out from the business org completely.

Organize multiple projects (AWS)

In our team, we are using AWS as our main cloud provider and currently, we have 3 projects hosted on their platform.
We are about to have 2 more projects in the next weeks, but first, we want to organize our projects, because our current organization is a little bit disordered.
We want our projects to be organized following these rules:
Each project must have a staging and production environment.
Each project is independent of each other so that it is not possible to see the resources of a project from within another project, i.e., VPC and S3 Buckets.
The client is responsible for paying the bills of the project (staging and production environment).
Even though the client is responsible for paying the bills, we must have access to the environments to deploy our code and to do other tasks related to development, testing, and operations.
We can assign a team of developers to each project. It should be possible for a developer to be in one or more projects at the same time. Plus, it should be possible to move our developers between projects and to remove their access from a project.
So, is it possible to organize projects in AWS under the rules previously mentioned?
If so, what are good resources to learn how to do this?
If not, what cloud providers allow organizing projects the way we want?
Thanks for your attention and time. I'm looking forward to your replies.
The fact that you want project-specific charges to go to customers and you want each project to be independent indicates that your best choice would be to use a separate AWS Account for each project (or each client).
By keeping projects in separate AWS accounts:
Each account will only have costs associated with a particular project
Resources in each account will be kept separate
User permissions in each account will be kept separate
You can create staging and production environments within the same account (see below)
You can have multiple accounts joined together by using AWS Organizations:
AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage. AWS Organizations includes account management and consolidated billing capabilities that enable you to better meet the budgetary, security, and compliance needs of your business. As an administrator of an organization, you can create accounts in your organization and invite existing accounts to join the organization.
Some companies go one step further and also keep staging and production in separate AWS accounts. They do this because they wish to keep production resources and users away from non-production resources and users. This reduces the chance of somebody accidentally changing Production when they meant to update Staging. While you can use IAM permissions to reduce such a thing from happening, keeping staging and production in separate accounts guarantees that people with only staging permissions will not be able to impact production.
Your company should maintain ownership of all of the accounts so that you can manage and control them. Each month, you will receive a consolidated bill, but it will show costs broken down by account. Thus, you will know how much to charge your clients.
The developers will need separate logins to each AWS account. So, if they wish to work on Project 1, they will need to login to the AWS account for Project 1. They then have access to the resources in Project 1, but not any of the other projects. When they wish to work on another project, they will need to re-login with credentials for the other project's AWS account. You might think that this adds extra work, but it also adds extra security and ensures that each client's resources are kept totally separate.
A final benefit of using separate accounts is that, in future, if a client wishes to take control of their systems, you can assign the AWS account to them without having to do any work to separate their resources from other clients. It is like handing over the keys of a house — they can move in without anyone having to move out.
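The structure the answer above describes, built with the AWS CLI as an added example that is not part of the answer: one organizational unit per client with a staging and a production account in each, all under the company's management account, plus the per-account cost query that turns the consolidated bill into what to charge each client. Assumed: the script runs from the management account with organizations and Cost Explorer (ce:GetCostAndUsage) permissions; the client slug, the `aws+<client>-<env>@<domain>` root-user mailbox pattern and the date range are placeholders.

```shell
#!/bin/sh
# Added example, not from the answer above: one OU per client, a staging and a
# production account in each, everything consolidated under the management
# account, and a per-account cost report for client invoicing.
# Assumptions: run from the management account with organizations:* and
# ce:GetCostAndUsage; client names and the mailbox pattern are placeholders.
set -eu

# Idempotent: create the organization if this account is not yet in one,
# then print the root ID that new OUs and accounts hang off.
ensure_organization() {
  aws organizations describe-organization >/dev/null 2>&1 ||
    aws organizations create-organization --feature-set ALL >/dev/null
  aws organizations list-roots --query 'Roots[0].Id' --output text
}

# OU under the given parent; prints its ID.
create_ou() {                 # $1 = parent id (root or OU), $2 = OU name
  aws organizations create-organizational-unit --parent-id "$1" --name "$2" \
    --query 'OrganizationalUnit.Id' --output text
}

# Create a member account and wait until AWS reports its account ID.
# Every account needs a root-user e-mail that no other AWS account uses.
create_account() {            # $1 = account name, $2 = unique e-mail for the root user
  req=$(aws organizations create-account --account-name "$1" --email "$2" \
          --query 'CreateAccountStatus.Id' --output text)
  while :; do
    set -- $(aws organizations describe-create-account-status \
               --create-account-request-id "$req" \
               --query 'CreateAccountStatus.[State,AccountId]' --output text)
    case "$1" in
      SUCCEEDED) echo "$2"; return 0 ;;
      FAILED)    echo "account creation $req failed" >&2; return 1 ;;
      *)         sleep 5 ;;
    esac
  done
}

# One client = one OU holding a staging and a production account, moved out
# of the root so the OU can carry its own policies or be handed over later.
onboard_client() {            # $1 = root id, $2 = client slug, $3 = mail domain
  ou=$(create_ou "$1" "$2")
  for env in staging production; do
    acct=$(create_account "$2-$env" "aws+$2-$env@$3")
    aws organizations move-account --account-id "$acct" \
      --source-parent-id "$1" --destination-parent-id "$ou"
    printf '%s %s %s\n' "$2" "$env" "$acct"
  done
}

# Unblended cost per member account for one calendar month: the figure to
# re-charge each client. Prints "ACCOUNT_ID AMOUNT" lines.
monthly_cost_by_account() {   # $1 = start (YYYY-MM-01), $2 = end (exclusive)
  aws ce get-cost-and-usage --time-period "Start=$1,End=$2" --granularity MONTHLY \
    --metrics UnblendedCost --group-by Type=DIMENSION,Key=LINKED_ACCOUNT \
    --query 'ResultsByTime[0].Groups[].[Keys[0],Metrics.UnblendedCost.Amount]' \
    --output text
}

case "${1:-}" in
  onboard) root=$(ensure_organization); onboard_client "$root" "$2" "$3" ;;
  costs)   monthly_cost_by_account "$2" "$3" ;;
  "")      : ;;               # no arguments: only define the functions
  *)       echo "usage: $0 onboard CLIENT MAILDOMAIN | costs START END" >&2; exit 2 ;;
esac
```

Usage: `./clients.sh onboard acme example.com` once per client, `./clients.sh costs 2024-01-01 2024-02-01` each month. Keeping staging and production in separate accounts, as the answer suggests, is what makes the per-account cost lines map cleanly onto each client's environments; the management account itself should hold no workloads, only the organization and the bill.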