I’m new to GCP and going through the GCP ACE course. I’m really enjoying it. I have a query about Google Accounts and projects. What would be best practice in a real software development company scenario: would you create a Google account for each application (or customer) and then have different projects under these (e.g. app1-live, app1-test, app1-dev)? Or would you just have one account and have all the different applications in there?
Hey there. Glad you’re enjoying, so far!
This is a good question, and I’m glad you’re thinking about these real-world aspects to using GCP effectively. Google answers your question in their super-valuable "Best practices for enterprise organizations" page. In particular, in the "Project Structure" section, they write:
A general recommendation is to have one project per application per environment. For example, if you have two applications, "app1" and "app2", each with a development and production environment, you would have four projects: app1-dev, app1-prod, app2-dev, app2-prod. This isolates the environments from each other, so changes to the development project do not accidentally impact production, and gives you better access control, since you can (for example) grant all developers access to development projects but restrict production access to your CI/CD pipeline.
The ideal project structure depends on your individual requirements, and might evolve over time. When designing project structure, determine whether resources need to be billed separately, what degree of isolation is required, and how the teams that manage the resources and apps are organized. An example structure can be found at Policy design for enterprise customers.
I hope this helps!
(Follow-up from comments, above.)
Ah, yes… ok. In general, every human being should have one single organization-controlled Google account to identify them: firstname.lastname@example.org. And then that single account is granted access to all the different resources, as appropriate, and grouping resources into projects helps with that. (So one human account may have access to resources in multiple projects.) But then also, each project will have its own Service Accounts for the applications that are running within it, and then each of those service accounts is also given access to various resources, as appropriate (sometimes cross-project or to external services, but often also within the project). You don’t need to make your own email-address-based accounts for service accounts; Google manages the corresponding email addresses for those, on your behalf.
One last thing to clarify: There should NEVER be any shared accounts. Resources can be shared by authorizing multiple accounts to use them, but the accounts themselves are for identifying individuals, not ever for sharing access.
I hope this helps.
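As an added example (not from the original answer or from Google's documentation), here is the structure described in both replies expressed in Terraform: one project per application per environment, the developer group granted access to dev projects only, the CI/CD pipeline's service account granted deployment rights on prod, and a per-project service account for the workload running there. The org ID, billing account, project prefix, group and service account names are placeholder variables you must supply.

```hcl
# Placeholders: replace with your organization's real values.
variable "org_id"          { type = string } # e.g. "123456789012"
variable "billing_account" { type = string } # e.g. "ABCDEF-123456-ABCDEF"
variable "project_prefix"  { type = string } # project IDs must be globally unique
variable "dev_group"       { type = string } # e.g. "group:developers@example.org"
variable "cicd_sa"         { type = string } # e.g. "serviceAccount:deploy@cicd.iam.gserviceaccount.com"

locals {
  apps = ["app1", "app2"]
  envs = ["dev", "prod"]
  # Cartesian product -> app1-dev, app1-prod, app2-dev, app2-prod
  projects = { for p in setproduct(local.apps, local.envs) :
    "${p[0]}-${p[1]}" => { app = p[0], env = p[1] } }
}

# One project per application per environment.
resource "google_project" "app" {
  for_each        = local.projects
  name            = each.key
  project_id      = "${var.project_prefix}-${each.key}"
  org_id          = var.org_id
  billing_account = var.billing_account
  labels          = { app = each.value.app, env = each.value.env }
}

# Humans: the developer group gets access to dev projects only.
# roles/editor is broad; swap in the narrowest predefined role that fits.
resource "google_project_iam_member" "dev_access" {
  for_each = { for k, v in local.projects : k => v if v.env == "dev" }
  project  = google_project.app[each.key].project_id
  role     = "roles/editor"
  member   = var.dev_group
}

# Prod: only the CI/CD pipeline's service account may change it.
resource "google_project_iam_member" "prod_deploy" {
  for_each = { for k, v in local.projects : k => v if v.env == "prod" }
  project  = google_project.app[each.key].project_id
  role     = "roles/editor"
  member   = var.cicd_sa
}

# Workloads: each project gets its own service account for the app it runs.
resource "google_service_account" "app_runtime" {
  for_each     = local.projects
  project      = google_project.app[each.key].project_id
  account_id   = "${each.value.app}-runtime"
  display_name = "Runtime identity for ${each.key}"
}
```

Because the bindings are granted to a group and to a service account rather than to individual users, no human ever needs a shared login, and prod access can be audited by inspecting a single IAM binding per project.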