Cloud Identity and Organization
Identity and access control are foundational to every Google Cloud environment. Before deploying workloads, an organization needs a clear identity model (who the principals are and where they are managed) and a well-defined organization structure (where resources live and who may grant access to them) so that access management stays secure as the environment grows.
Google Cloud access control is built on three core pillars:
- Authentication
- Authorization
- Auditing
Each pillar plays a distinct role in protecting resources and enforcing governance across the platform.
The three pillars of access control
Authentication
Authentication is handled by Cloud Identity. It verifies who the user is and controls how users sign in to Google services: password policy, 2-Step Verification, and single sign-on through an external SAML identity provider if one is configured.
Authorization
Authorization is handled by Cloud IAM. It determines what an authenticated principal is allowed to do by binding roles (named collections of permissions) to principals on a resource, such as an organization, folder, or project. Policies are inherited down the resource hierarchy, so a role granted at the organization level applies to every project beneath it.
Auditing
Auditing is handled by Cloud Audit Logs in Cloud Logging, part of the Cloud Operations suite. Admin Activity audit logs record configuration and IAM changes and cannot be disabled; Data Access audit logs record reads and writes of user data and must be enabled per service. Together they provide visibility into who did what, where, and when.
Together, these three pillars form the basis of secure access control in Google Cloud.
What is Cloud Identity
Cloud Identity is a centralized identity platform for Google Cloud and Google Workspace. It is used to manage users and groups, to federate sign-in to a third-party identity provider over SAML 2.0, and to synchronize accounts from an existing directory such as Active Directory or LDAP using Google Cloud Directory Sync.
Cloud Identity allows organizations to separate identity management from resource authorization, which simplifies access control and improves security.
Key Cloud Identity concepts
Primary domain
The primary domain represents the main company domain. It becomes the display name of the Organization resource in Google Cloud and acts as the root identity boundary: every managed account belongs to this domain or to a domain added beneath it.
Domain aliases
Domain aliases are additional domains that give every existing user an email alias at the alias domain. They do not create separate user accounts or a separate identity space.
Secondary domains
Secondary domains are used for subsidiaries or child companies. Users and groups can be created under these domains and used for login.
Management consoles
Two consoles are used to manage identity and access in Google Cloud.
Cloud Identity Admin Console
The Admin Console at admin.google.com is managed by the Super Admin. It is used to manage users, groups, authentication settings, and domain configuration.
Google Cloud Console
The Google Cloud Console at console.cloud.google.com is managed by Organization Admins. It is used to manage IAM roles, permissions, and resource access.
Cloud Identity Super Admins are granted the Organization Administrator IAM role when the Organization resource is created, and they can always grant that role to themselves or to others. This is the recovery path if every Organization Admin loses access, which is why Super Admin accounts must be tightly controlled.
Roles and responsibilities
Super Admins are responsible for identity and authentication. They manage users, groups, domains, and security settings in Cloud Identity. Keep these accounts few and dedicated to administration (not used for day-to-day work), and enforce 2-Step Verification on them.
Organization Admins are responsible for authorization. They manage IAM roles, policies, folders, and projects in Google Cloud.
This separation of duties helps enforce least privilege and reduces the risk of over privileged accounts.
Cloud Identity setup flow
Initial setup
Cloud Identity setup begins by providing business information, contact details, and selecting a primary domain. A Super Admin account is created during this process.
Domain verification
The primary domain must be verified by adding a TXT record of the form google-site-verification=TOKEN to the domain's DNS zone, where TOKEN is the value shown in the Admin Console. Confirm the record has propagated before starting verification. Once verified, the domain cannot be claimed by another Cloud Identity or Google Workspace account and can be used to create managed users.
User and group creation
After domain verification, administrators can create users and groups from the Admin Console. Groups are later mapped to IAM roles in Google Cloud to manage access at scale.
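Because the group-to-role mapping is the point where the identity model meets authorization, it is worth checking exported IAM policies against it. The following is an added example, not code from the original page or from Google: it lints a policy dict in the shape returned by `gcloud organizations get-iam-policy ORG_ID --format=json` and flags bindings that break the group-based model (direct user bindings, basic roles, public principals, principals outside the managed domains, stale bindings to deleted principals, and service accounts holding access-granting roles). The policy, domains, role set and principal names below are constructed sample data.

```python
"""Lint an exported Google Cloud IAM policy against a group-based access model.

Added example; the SAMPLE_POLICY below is constructed to mimic the JSON shape
returned by `gcloud organizations get-iam-policy`. Names and etag are hypothetical.
"""
import json
import sys

# Basic roles bundle thousands of permissions; at organization scope they defeat least privilege.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Roles that let the holder change who has access. Keep these bound to a small group of humans.
SENSITIVE_ROLES = {
    "roles/resourcemanager.organizationAdmin",
    "roles/iam.securityAdmin",
    "roles/iam.organizationRoleAdmin",
}

# Domains managed in Cloud Identity (primary plus secondary domains). Constructed sample.
MANAGED_DOMAINS = {"example.com", "subsidiary.example"}

# Constructed sample policy, deliberately containing one instance of each problem.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXyz123",
    "bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["group:gcp-organization-admins@example.com"]},
        {"role": "roles/billing.admin",
         "members": ["group:gcp-billing-admins@example.com", "user:alice@example.com"]},
        {"role": "roles/editor",
         "members": ["group:gcp-developers@example.com",
                     "deleted:user:bob@example.com?uid=1234567890"]},
        {"role": "roles/viewer",
         "members": ["allAuthenticatedUsers"]},
        {"role": "roles/iam.securityAdmin",
         "members": ["user:contractor@partner.example.org",
                     "serviceAccount:ci@proj.iam.gserviceaccount.com"]},
    ],
}


def lint_policy(policy, managed_domains):
    """Return a list of human-readable findings; an empty list means the policy passes."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role in BASIC_ROLES:
            findings.append(f"{role}: basic role bound at this scope; use a predefined or custom role")
        for member in binding.get("members", []):
            # Principal strings look like "kind:id"; allUsers/allAuthenticatedUsers have no kind prefix.
            kind, _, principal = member.partition(":")
            if kind in ("allUsers", "allAuthenticatedUsers"):
                findings.append(f"{role}: public principal {kind}")
                continue
            if kind == "deleted":
                # IAM keeps "deleted:user:...?uid=..." entries after an account is removed.
                findings.append(f"{role}: {member} refers to a deleted principal; remove the stale binding")
                continue
            domain = principal.rsplit("@", 1)[-1]
            if kind in ("user", "group") and domain not in managed_domains:
                findings.append(f"{role}: {member} is outside the managed domains")
            if kind == "user":
                findings.append(f"{role}: {member} is a user binding; bind a group instead")
            if kind == "serviceAccount" and role in SENSITIVE_ROLES:
                findings.append(f"{role}: {member} holds a sensitive role; bind a group of humans instead")
    return findings


def lint_policy_file(path, managed_domains):
    """Lint a policy saved with `gcloud ... get-iam-policy --format=json > policy.json`."""
    with open(path) as fh:
        return lint_policy(json.load(fh), managed_domains)


if __name__ == "__main__":
    # Usage: python lint_iam_policy.py [policy.json]; without a path the constructed sample is linted.
    results = (lint_policy_file(sys.argv[1], MANAGED_DOMAINS) if len(sys.argv) > 1
               else lint_policy(SAMPLE_POLICY, MANAGED_DOMAINS))
    for finding in results:
        print(finding)
    sys.exit(1 if results else 0)
```

The check treats any direct `user:` binding as a finding rather than allowing exceptions, which is the simplest rule to audit: if someone needs access, they join a group. Run it against org, folder and project policies alike, since a binding inherited from a higher level will not appear in a lower-level export.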
Managing additional domains
Additional domains can be added from the Admin Console.
- Secondary domains and domain aliases must be verified using DNS TXT records
- Each domain must be verified before it becomes active
- Users and groups can be created under secondary domains
This allows organizations to support complex identity structures while maintaining centralized control.
Why this matters
A well designed Cloud Identity and organization setup provides:
- Centralized and secure user management
- Clear separation between identity and authorization
- Scalable access control using groups
- Strong foundations for enterprise governance
Establishing identity and organization correctly at the beginning prevents access issues later and enables secure growth on Google Cloud.
Google Cloud Onboarding Series
- Technical Onboarding Center
- Cloud Identity and Organization (current)
- Users and Groups
- Administrative Access
- Resource Hierarchy
- Network Management
- Hybrid Connectivity
- Logging and Monitoring
- Organizational Security
- Customer Care Portfolio