Organization, projects and folders
In Google Cloud the fundamental unit is the project: it is where all resources live and what billing is attached to. Projects are arranged in a hierarchy in which policies are inherited from the top down. This is the foundation of governance and the entry point for the ZEUS connector.
The resource hierarchy
GCP has four levels, from the top:
| Level | What it is | Example |
|---|---|---|
| Organization | the root, tied to a Workspace/Cloud Identity domain | professnet.pl |
| Folder | a group of projects (e.g. per department/environment) | prod, dev |
| Project | the boundary of resources, billing and APIs | zeus-prod-4471 |
| Resource | a specific service | VM, bucket, database |
IAM policies set on the organization are inherited by folders, those by projects, and projects by resources. This is a key difference from AWS — in GCP permissions flow downward through the entire hierarchy.
The project — the center of gravity
Every resource belongs to exactly one project. A project has:
- a unique Project ID (e.g. zeus-prod-4471, immutable),
- a Project Number (numeric),
- an associated billing account,
- a set of enabled APIs (services must be activated before use).
```bash
# List projects
gcloud projects list
# Resource hierarchy of the organization
gcloud organizations list
gcloud resource-manager folders list --organization=<org-id>
```
Creating and configuring a project
```bash
gcloud projects create zeus-demo-4472 \
  --folder=<folder-id> --name="ZEUS Demo"
# Enable the required APIs
gcloud services enable compute.googleapis.com \
  storage.googleapis.com --project=zeus-demo-4472
```
Tip: organize projects by environment and team, not "everything in one." A prod folder with a restrictive IAM policy at the folder level automatically protects all production projects — without duplicating rules.
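The inheritance rule from "The resource hierarchy" and the prod-folder tip above, worked through as an added example (not part of the original lesson and not ZEUS code): it computes the effective IAM grants on a project and shows which of them come from a folder or the organization. The groups, the service account and the role grants are constructed sample data, the folder and organization names are readable placeholders for what are numeric IDs in a real environment, and IAM Conditions and deny policies are not modeled.

```python
# Added example: effective IAM on a project = its own bindings plus everything
# inherited from its folder and organization. All data below is constructed.
HIERARCHY = {
    # node name: (parent, {role: members set directly on this node})
    "organizations/professnet.pl": (None, {
        "roles/resourcemanager.organizationViewer": {"group:security@professnet.pl"}}),
    "folders/prod": ("organizations/professnet.pl", {
        "roles/viewer": {"group:sre@professnet.pl"}}),
    "folders/dev": ("organizations/professnet.pl", {
        "roles/editor": {"group:developers@professnet.pl"}}),
    "projects/zeus-prod-4471": ("folders/prod", {
        "roles/storage.admin": {"serviceAccount:deploy@zeus-prod-4471.iam.gserviceaccount.com"}}),
    "projects/zeus-demo-4472": ("folders/dev", {}),
}

def ancestors(node, hierarchy=HIERARCHY):
    """Return [node, parent, ..., organization]; reject unknown nodes and cycles."""
    chain = []
    while node is not None:
        if node not in hierarchy or node in chain:
            raise ValueError(f"broken hierarchy at {node!r}")
        chain.append(node)
        node = hierarchy[node][0]
    return chain

def effective_bindings(node, hierarchy=HIERARCHY):
    """Map (role, member) -> list of levels where that grant was set."""
    granted = {}
    for level in ancestors(node, hierarchy):
        for role, members in hierarchy[level][1].items():
            for member in sorted(members):
                granted.setdefault((role, member), []).append(level)
    return granted

def inherited_only(node, hierarchy=HIERARCHY):
    """Grants that apply to node but do not appear in node's own policy."""
    return {k: v for k, v in effective_bindings(node, hierarchy).items() if node not in v}

def projects_reached(role, member, hierarchy=HIERARCHY):
    """Every project where member effectively holds role (the grant's reach)."""
    return sorted(n for n in hierarchy if n.startswith("projects/")
                  and (role, member) in effective_bindings(n, hierarchy))

if __name__ == "__main__":
    for (role, member), levels in sorted(effective_bindings("projects/zeus-prod-4471").items()):
        print(f"{role:45} {member:60} set on {', '.join(levels)}")
```

Reviewing only a project's own policy would miss the two grants that `inherited_only` returns for zeus-prod-4471, which is why an audit has to read the policies at every level above the project.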
Organization Policies
Beyond IAM (who can do what), GCP has the Organization Policy Service — constraints that restrict how resources can be used, e.g. forbidding the creation of VMs with a public IP or enforcing specific regions. It is the equivalent of AWS SCPs.
How ZEUS sees it
ZEUS connects to GCP at the organization level and, through Cloud Asset Inventory, reads the entire hierarchy: organization → folders → projects → resources, along with the inherited IAM policies and Organization Policies. This lets it build a complete map of the customer's environment from a single point. We cover the connector details in lesson 06.
In the next lesson: IAM and service accounts.