GCP Resource Hierarchy: Organizations, Folders, and Projects
Master the GCP Resource Hierarchy: Organizations, Folders, and Projects.
20+ years shipping production infrastructure and CI/CD at scale. Drawn from code that ran under real load.
- ✓Google Cloud account with billing enabled, gcloud CLI installed and configured, basic understanding of IAM, access to create organization-level resources (Organization Administrator role)
GCP Resource Hierarchy: Organizations, Folders, and Projects is like having a specialized tool that handles organizations hierarchy so you don't have to build and manage it yourself โ it just works out of the box with Google Cloud's infrastructure.
| Chrome | Firefox | Safari | Edge |
|---|---|---|---|
| ✓ | ✓ | ✓ | ✓ |
You just deployed a critical service to production. Two weeks later, a junior engineer accidentally grants roles/editor to all authenticated users on a project containing your customer database. No blast radius. No audit trail. Just a ticking time bomb. This is the reality when you skip the GCP resource hierarchy. Most teams treat projects as flat bucketsโa recipe for chaos at scale. The hierarchy is your first line of defense: it enforces policy inheritance, isolates environments, and gives you granular control without duplicating effort. If you're managing more than a handful of projects, ignoring the hierarchy is a production incident waiting to happen.
The Four Levels of the Hierarchy
The GCP resource hierarchy consists of four levels: Organization, Folders, Projects, and Resources. The Organization node sits at the top and represents your company. Folders group projects under business units or environments. Projects contain the actual resources like Compute Engine instances, Cloud Storage buckets, and BigQuery datasets. Resources are the leaf nodesโindividual services. Policies set at a higher level automatically cascade down, but lower-level policies can override if allowed. This structure mirrors real-world organizational charts, making it intuitive for access control and cost allocation. In production, you'll rarely touch resources directly; you'll manage at the project or folder level.
Organization Node: The Root of All Access
The Organization node is the top-level container. It's automatically created when you verify your domain with G Suite or Cloud Identity. Without it, you can't use folders or organization-level IAM. The Organization node is where you set company-wide policies, like restricting which services can be used or enforcing VPC Service Controls. You assign the Organization Administrator role to a small group of trusted admins. This role can manage all projects and folders, so treat it like the root keys to your kingdom. In production, limit this role to fewer than five people and require break-glass procedures for emergency access.
Folders: Grouping Projects by Environment or Team
Folders are containers for projects. They let you apply common policies to a group of projects, like setting a budget alert for all development projects or enforcing a VPC firewall rule. Folders can be nested up to 10 levels deep, but keep it shallowโthree levels max in production. Common patterns: /BusinessUnit/Environment (e.g., /Engineering/Production) or /Team/ProjectType. Folders inherit policies from the Organization, and projects inherit from their parent folder. This inheritance is powerful but can be confusing when overrides happen. Always use the Policy Analyzer to verify effective permissions.
Projects: The Atomic Unit of Isolation
A project is the base-level container for GCP resources. It isolates resources, billing, and permissions. Each project has a unique ID, name, and number. Resources within a project share a VPC network by default (unless using Shared VPC). Projects are the boundary for most IAM rolesโyou grant access to a project, not to individual resources. In production, use one project per service or microservice to limit blast radius. Avoid the 'all-in-one' project anti-pattern; it leads to permission sprawl and accidental cross-service access.
gcloud resource-manager projects update --no-deletion-protection (or enable it).IAM Policy Inheritance: How Policies Flow Down
IAM policies set at a higher level (Organization, Folder) are inherited by all descendants. For example, granting roles/storage.objectViewer at the Organization level gives read access to all buckets in all projects. This is convenient but dangerous. You can override inherited policies at lower levels, but only if the higher-level policy allows it (using deny rules or conditional bindings). In production, use the principle of least privilege: set broad roles at the Organization level (e.g., Security Reviewer) and specific roles at the project level. Always use the Policy Analyzer to check effective permissions before making changes.
roles/editor at the folder level for convenience. A project owner accidentally created a public bucket. The editor role allowed it. Now we use deny policies to block public access at the organization level.Best Practices for Organizing Projects
Organize projects by environment (prod, staging, dev) and team. Use a consistent naming convention: {environment}-{team}-{service}. For example, prod-platform-auth. Apply labels to projects for cost tracking and automation. Use folders to mirror your organizational structure, but avoid deep nesting. A common pattern: Organization > Environment > Team. Each team gets a folder under their environment folder. This makes IAM management straightforward: grant team-level roles at the team folder, environment-wide roles at the environment folder.
cost-center to automate budget alerts.^(prod|staging|dev)-[a-z]+-[a-z]+$, it gets flagged. This prevents ad-hoc project creation.Common Pitfalls and How to Avoid Them
Pitfall 1: Flat project structure with no folders. This makes IAM management a nightmare as you scale. Solution: Use folders from day one. Pitfall 2: Overly permissive organization-level roles. Solution: Grant only read-only roles at the organization level. Pitfall 3: Ignoring policy inheritance. Solution: Use the Policy Analyzer to simulate changes. Pitfall 4: Not using Shared VPC for multi-project networking. Solution: Set up a host project with Shared VPC and attach service projects. Pitfall 5: Deleting projects without backup. Solution: Enable deletion prevention and take snapshots of critical resources.
Using Organization Policies for Guardrails
Organization policies let you set constraints on all resources under the hierarchy. For example, you can restrict the locations where resources can be created (e.g., only us-central1), or disable service account key creation. These policies are inherited and can be overridden at lower levels if allowed. Use them to enforce compliance and security standards. Common constraints: constraints/compute.restrictLoadBalancerCreationForTypes, constraints/iam.disableServiceAccountKeyCreation, constraints/gcp.resourceLocations. In production, start with a few critical policies and expand gradually.
Auditing and Monitoring the Hierarchy
Audit all IAM changes using Cloud Audit Logs. Enable Data Access logs for sensitive resources. Use the Policy Analyzer to check effective permissions. Set up alerts for changes to organization-level IAM. Use Cloud Asset Inventory to get a snapshot of all resources and their policies. In production, we have a weekly job that exports the hierarchy to BigQuery for analysis. This helps detect drift and unauthorized changes.
Migrating from Flat Projects to a Hierarchy
If you already have projects without a hierarchy, you can move them under folders. Use gcloud projects move to change the parent. However, moving a project can affect IAM policies if the new parent has different policies. Plan carefully: test in a non-production project first. You may need to adjust IAM bindings after the move. Also, update any automation scripts that reference the old parent. In production, we do this migration in phases: first move dev projects, then staging, then production.
Automating Hierarchy Management with Infrastructure as Code
Use Terraform or Deployment Manager to manage the hierarchy as code. This ensures consistency and auditability. Define the organization, folders, and projects in configuration files. Use modules to standardize folder structures. For example, a module that creates a folder with a set of projects, each with predefined IAM bindings. In production, we store the hierarchy config in a Git repo and apply changes via CI/CD. This prevents manual drift and provides a change history.
Resource Manager Tags: Attribute-Based Access Control
Resource Manager Tags let you attach key-value pairs to resources (projects, folders, VMs, etc.) and use them in IAM conditions for fine-grained access control. Unlike labels, Tags are not inheritedโthey must be explicitly attached. But Tags support conditional IAM bindings: you can grant a role only if the resource has a specific Tag. For example, grant roles/compute.instanceAdmin only on VMs tagged with environment=production. Tags can also be used in Organization Policies for scoped constraints. Key difference from labels: Tags are IAM-evaluated and can be used in policy bindings; labels are for metadata and cost tracking only. In production, use Tags for access control and labels for cost allocation. Tags can be inherited from parent resources if you use inherited mode. This is powerful: set a Tag at the folder level and all child resources automatically inherit it, enabling policy-based access at scale.
Deny Policies: Blocking Permissions at Scale
IAM Deny Policies let you explicitly deny permissions at any level of the hierarchy, overriding any allow policies. This is critical for defense-in-depth. For example, you can create a deny rule at the organization level that blocks all users from making resources public, even if they have project-level Owner role. Deny policies are evaluated before allow policies, so they always take precedence. Use them for mandatory controls like: preventing public bucket access, blocking service account key creation, or restricting the use of certain machine types. Deny policies support conditions, so you can deny only in specific contexts (e.g., deny storage.buckets.setIamPolicy when the request comes from outside your corporate network). In production, we use deny policies to enforce compliance requirements that must never be overridden, while using allow policies for day-to-day access control.
gsutil iam ch allUsers:objectViewer gs://my-bucket. The deny policy blocked it instantly because it denied public access at the organization level. The audit log showed the attempt and we addressed the root cause.| File | Command / Code | Purpose |
|---|---|---|
| hierarchy-overview.sh | $ gcloud organizations list | The Four Levels of the Hierarchy |
| organization-iam.sh | ORG_ID=$(gcloud organizations list --format='value(ID)') | Organization Node |
| folder-creation.sh | ORG_ID=123456789012 | Folders |
| project-creation.sh | FOLDER_ID=555555555 | Projects |
| policy-inheritance.sh | FOLDER_ID=555555555 | IAM Policy Inheritance |
| project-labels.sh | gcloud projects update my-production-app \ | Best Practices for Organizing Projects |
| deletion-prevention.sh | gcloud resource-manager projects update my-production-app \ | Common Pitfalls and How to Avoid Them |
| org-policy.sh | ORG_ID=123456789012 | Using Organization Policies for Guardrails |
| audit-log.sh | ORG_ID=123456789012 | Auditing and Monitoring the Hierarchy |
| move-project.sh | PROJECT_ID=my-production-app | Migrating from Flat Projects to a Hierarchy |
| main.tf | provider "google" { | Automating Hierarchy Management with Infrastructure as Code |
| resource-tags.sh | ORG_ID=123456789012 | Resource Manager Tags |
| deny-policy.sh | ORG_ID=123456789012 | Deny Policies |
Key takeaways
Common mistakes to avoid
3 patternsIgnoring gcp organizations hierarchy best practices
Over-provisioning without rightsizing analysis
Skipping IAM least-privilege principles
Interview Questions on This Topic
What is GCP Resource Hierarchy: Organizations, Folders, and Projects and when would you use it in production?
Frequently Asked Questions
20+ years shipping production infrastructure and CI/CD at scale. Drawn from code that ran under real load.
That's Google Cloud. Mark it forged?
5 min read · try the examples if you haven't