You are currently viewing GCP Resource Hierarchy

GCP Resource Hierarchy

GCP Resource Hierarchy

Hello Everyone

Welcome to CloudAffaire and this is Debjeet.

In the last blog post, we have learned how to create your account in GCP.

Before we start with GCP services, we need to have a clear understanding of GCP core concepts. Google Cloud resources are organized hierarchically, where the organization node is the root node in the hierarchy, the projects are the children of the organization, and the other resources are descendants of projects. You can set Cloud Identity and Access Management (Cloud IAM) policies at different levels of the resource hierarchy. Resources inherit the policies of the parent resource. The effective policy for a resource is the union of the policy set at that resource and the policy inherited from its parent.

Metaphorically speaking, the Google Cloud resource hierarchy resembles the file system found in traditional operating systems as a way of organizing and managing entities hierarchically. Each resource has exactly one parent. This hierarchical organization of resources enables you to set access control policies and configuration settings on a parent resource, and the policies and Cloud Identity and Access Management (Cloud IAM) settings are inherited by the child resources.

GCP Resource Hierarchy:


Your company Domain is the primary identity of your organization and establishes your company’s identity with Google services, including Google Cloud. You use the domain to manage the users in your organization. At the domain level, you define which users should be associated with your organization when using Google Cloud. The domain is also where you can universally administer policy for your users and devices (for example, enable 2-factor authentication, reset passwords for any users in your organization). The Domain is linked to either a G Suite or Cloud Identity account. The G Suite or Cloud Identity account is associated with exactly one Organization. You manage the domain-level functionality using the Google Admin Console (


The Organization resource represents an organization (for example, a company) and is the root node in the Google Cloud resource hierarchy. The Organization resource is the hierarchical ancestor of project resources and Folders. The Cloud IAM access control policies applied to the Organization resource apply throughout the hierarchy on all resources in the organization. Google Cloud users are not required to have an Organization resource, but some features of the Resource Manager will not be usable without one. The Organization resource is closely associated with a G Suite or Cloud Identity account. When a user with a G Suite or Cloud Identity account creates a Google Cloud Project, an Organization resource is automatically provisioned for them. A G Suite or Cloud Identity account may have exactly one Organization provisioned with it. Once an Organization resource is created for a domain, all Google Cloud projects created by members of the account domain will by default belong to the Organization resource.


Folder resources provide an additional grouping mechanism and isolation boundaries between projects. They can be seen as sub-organizations within the Organization. Folders can be used to model different legal entities, departments, and teams within a company. For example, the first level of folders could be used to represent the main departments in your organization. Since folders can contain projects and other folders, each folder could then include other sub-folders, to represent different teams. Each team folder could contain additional sub-folders to represent different applications. Folders allow delegation of administration rights, so for example, each head of a department can be granted full ownership of all Google Cloud resources that belong to their departments. Similarly, access to resources can be limited by folder, so users in one department can only access and create Cloud resources within that folder.


The project resource is the base-level organizing entity. Organizations and folders may contain multiple projects. A project is required to use Google Cloud and forms the basis for creating, enabling, and using all Google Cloud services, managing APIs, enabling billing, adding and removing collaborators, and managing permissions. In order to interact with most Google Cloud resources, you must provide the identifying project information for every request. You can identify a project in either of two ways: a project ID, or a project number. A project ID is a customized name you chose when you created the project. If you activate an API that requires a project, you will be directed to create a project or select a project using its project ID. A project number is automatically generated by Google Cloud. Both the project ID and project number can be found on the dashboard of the project in the Google Cloud Console.


Google Cloud service-level resources are the fundamental components that make up all Google Cloud services, such as Compute Engine virtual machines (VMs), Pub/Sub topics, Cloud Storage buckets, and so on. For billing and access control purposes, resources exist at the lowest level of a hierarchy that also includes projects and an organization.


Labels help you categorize your Google Cloud resources (such as Compute Engine instances). A label is a key-value pair. You can attach labels to each resource, then filter the resources based on their labels. Labels great for cost tracking at a granular level. Information about labels is forwarded to the billing system, so you can analyze your charges by the label.

Billing Account:

A billing account is set up in Google Cloud and is used to define who pays for a given set of Google Cloud resources. Access control to a billing account is established by Cloud Identity and Access Management (IAM) roles. A billing account is connected to a Google payment profile that includes a payment instrument to which costs are charged.

Payments Profile:

Payments Profile Is a Google-level resource managed at It connects to ALL of your Google services (such as Google Ads, Google Cloud, and Fi phone service), Processes payments for ALL Google services (not just Google Cloud), Stores information like name, address, and tax ID (when required legally) of who is responsible for the profile. Payment Profile also stores your various payment instruments (credit cards, debit cards, bank accounts, and other payment methods you’ve used to buy through Google in the past.). Payments Profile Controls who can view and receive invoices for your various billing accounts and products.

Note: In a free tier account, domain, organization, and folders are not available.

Hope you have enjoyed this blog post.

To get more details on the GCP resource hierarchy, you can follow below GCP documentation.


Leave a Reply