I am trying to figure out how to achieve multi-tenancy with isolation / controlled IAM access in a GCP resource hierarchy with a single folder containing multiple customer projects. The goal is to isolate all projects from an IAM perspective. Imagine a folder with customer projects, project-A, project-B and project-C, which are all customer projects. I want to be able to allow only a Google group, say customer1@xyz.com, access to project-A only, another Google group, say customer2@xyz.com, access to project-B only, and so on.
Hello @dheerajpanyam, welcome to the Google Cloud Community.
1. You can create TAGS with proper values.
2. Assign such tags to each particular project (owner = damian, owner = dheeraj, etc.).
3. Create IAM rules at folder level with a CEL condition.
--
cheers,
Damian Sztankowski
Thanks @DamianS
@DamianS I realised that since each customer's infra is deployed in its own GCP project, the controlled level of access can easily be achieved using Google groups.
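As an added example (not code from Damian's answer or from the asker), the three steps above as gcloud commands in a shell script: a tag key, one tag value per customer, the value bound to each customer project, and one conditional folder-level binding per customer group. It also includes the simpler alternative from the follow-up reply, a plain group binding on the customer's own project. The organisation id, folder id, project numbers and group addresses are placeholders; set `GCLOUD=echo` to print the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. All ids below are placeholders.
ORG_ID="123456789012"          # assumed organisation id
FOLDER_ID="987654321098"       # assumed folder holding the customer projects
TAG_KEY="owner"                # tag key proposed in the answer above
GCLOUD="${GCLOUD:-gcloud}"     # GCLOUD=echo prints the commands instead of running them

# CEL condition: the grant applies only to resources that carry, or inherit
# from their project, the tag owner=<value>.
build_condition() {
  printf "resource.matchTag('%s/%s', '%s')" "$ORG_ID" "$TAG_KEY" "$1"
}

# Step 1: one tag key at organisation level, then one value per customer.
create_tag_key() {
  $GCLOUD resource-manager tags keys create "$TAG_KEY" \
    --parent="organizations/$ORG_ID" \
    --description="Customer that owns the project"
}
create_tag_value() {
  $GCLOUD resource-manager tags values create "$1" \
    --parent="$ORG_ID/$TAG_KEY" \
    --description="Resources owned by $1"
}

# Step 2: attach the value to a customer project. The binding's parent is the
# full resource name, built from the project number.
bind_tag_to_project() {
  local value="$1" project_number="$2"
  $GCLOUD resource-manager tags bindings create \
    --tag-value="$ORG_ID/$TAG_KEY/$value" \
    --parent="//cloudresourcemanager.googleapis.com/projects/$project_number"
}

# Step 3: a single conditional binding at folder level per customer group.
# The CEL expression contains a comma, which --condition=key=value,... would
# split on, so the condition is passed as a YAML file via --condition-from-file.
grant_folder_access() {
  local value="$1" group="$2" role="$3" cond_file
  cond_file="$(mktemp)"
  cat > "$cond_file" <<EOF
expression: "$(build_condition "$value")"
title: "${value}-only"
description: "Only resources tagged ${TAG_KEY}=${value}"
EOF
  $GCLOUD resource-manager folders add-iam-policy-binding "$FOLDER_ID" \
    --member="group:$group" \
    --role="$role" \
    --condition-from-file="$cond_file"
  rm -f "$cond_file"
}

# The alternative from the follow-up: no tags, just a plain binding on the
# customer's own project. Simpler, but it is one binding per project to
# review rather than one rule at the folder.
grant_project_access() {
  local project_id="$1" group="$2" role="$3"
  $GCLOUD projects add-iam-policy-binding "$project_id" \
    --member="group:$group" \
    --role="$role"
}

# Usage: ./isolate.sh apply   (any other invocation only defines the functions)
if [ "${1:-}" = "apply" ]; then
  create_tag_key
  create_tag_value customer1
  create_tag_value customer2
  bind_tag_to_project customer1 111111111111   # project-A's number (placeholder)
  bind_tag_to_project customer2 222222222222   # project-B's number (placeholder)
  grant_folder_access customer1 customer1@xyz.com roles/compute.admin
  grant_folder_access customer2 customer2@xyz.com roles/compute.admin
fi
```

Creating tag keys and values requires Tag Administrator permissions at the organisation, and attaching a tag value to a project needs Tag User on both the value and the project. Because a project's tags are inherited by the resources inside it, `resource.matchTag` also gates access to, for example, Compute resources in that project; check that each role you grant this way covers only resource types that support IAM conditions, and review the effective policy with `gcloud projects get-ancestors-iam-policy` before handing the group to the customer.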
Hi, @dheerajpanyam.
I would definitely recommend these two articles, as they best align with your requirements.
- Decide a resource hierarchy for your Google Cloud landing zone
- Multi-Tenant Google Cloud Platform B2B SaaS Applications How-to
Regards,
Mokit