As an administrator, you manage who in your organization can access Google Cloud services. You can turn on Google Cloud for everyone in your organization, specific organizational units, or specific groups. Users who have it on can use their account to access Google Cloud projects and services that they have been granted access to, and create Cloud Billing accounts for projects and services. Users who have the service off are restricted from accessing Google Cloud projects and services using their organization account.
The Google Cloud service only limits access for users within your organization. The service does not restrict access to service accounts, and does not restrict anonymous use of Google Cloud services and resources that are publicly accessible.
You can control:
- Who can create projects. By default, project creation is on for users in your organization. When Google Cloud is turned off, users can't create new projects and are restricted from managing project ownership invitations.
- Use of the OS Login API. By default, the OS Login API settings are on for your organization. For example, you can prevent users from configuring access to VM instances outside of your organization. When Google Cloud is turned off, users can't access the OS Login API.
- Access to Google Cloud Shell. By default, access is on for your organization. When Google Cloud is turned off, users can't access Google Cloud Shell.
Control who uses Google Cloud in your organization
Before you begin: To turn a service on or off for certain users, put their accounts in an organizational unit (to control access by department) or add them to an access group (to allow access for users across or within departments).
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
- From the Admin console Home page, go to AppsAdditional Google servicesGoogle Cloud Platform.
-
(Optional) To turn a service on or off for an organizational unit:
- At the left, select the organizational unit.
- To change the Service status, select On or Off.
- Choose one:
- If the Service status is set to Inherited and you want to keep the updated setting, even if the parent setting changes, click Override.
- If the Service status is set to Overridden, either click Inherit to revert to the same setting as its parent, or click Save to keep the new setting, even if the parent setting changes.
Note: Learn more about organizational structure.
-
(Optional) To turn on a service for a set of users across or within organizational units, select an access group. For details, go to Use groups to customize service access.
Changes can take up to 24 hours but typically happen more quickly. Learn more
Choose user settings for Google Cloud
To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit or a configuration group.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
- From the Admin console Home page, go to AppsAdditional Google servicesGoogle Cloud Platform.
- To control access to creating Google Cloud projects, click Cloud Resource Manager API settings.
Note: This control restricts project creation, and restricts users from managing project ownership invitations. Learn about Cloud Resource Manager.- Next to Project Creation Settings, check or uncheck Allow users to create projectsclick Save.
- Next to Cloud Resource Manager API settings, click the Up arrow.
- To control access to the OS Login API, click OS Login API Settings.
Note: Learn about Managing OS Login.- Click POSIX Account Settingscheck or uncheck Generate default POSIX information and Include the domain suffix in usernames generated by the OS Login APIclick Save.
- Click SSH Public Key Settingscheck or uncheck Users can manage their SSH public keysclick Save.
- Click External User Settingscheck or uncheck Access VM instances outside of your organizationclick Save.
- Next to OS Login API settings, click the Up arrow.
- To control access to Google Cloud Shell, click Cloud Shell settings.
- Check or uncheck Allow access to Cloud Shell click Save.
- Next to Cloud Shell settings, click the Up arrow.