How to move a Google project to the cam.ac.uk organisation¶

This guide explains how to move a Google Cloud project into the cam.ac.uk organisation. It provides a streamlined summary of the official Google documentation specific to our use-case. Refer to the official guide if you need more detail or are unsure at any step.

Prerequisites¶

The following prerequisites are required to follow the steps in this guide.

You must have a UIS DevOps "super admin" account.
- These accounts are in the admin.g.apps.cam.ac.uk domain and follow the format <CRSid>@admin.g.apps.cam.ac.uk.
Your super admin account must have the following IAM roles:

Note

The necessary permissions on the destination resources should already be granted to your super admin account. However, an existing member of the source project must assign your account the required roles there.
- Project Mover (roles/resourcemanager.projectMover) on the source project and its parent resource.
- Project Creator (roles/resourcemanager.projectCreator) on the destination folder or organization resource.
- Organization Policy Admin (roles/orgpolicy.policyAdmin) on the destination organization.
  - This will also be required on the source organisation if applicable, see Additional steps if the project is already associated with an organisation.
- Project Billing Manager (roles/billing.projectManager) on the source project.
- Billing Account User (roles/billing.user) on the destination billing account.
You must have the gcloud cli tool installed.
You must know the organisation ID for the cam.ac.uk organisation.
- You can get this by running:
```
gcloud organizations list --filter "DISPLAY_NAME=cam.ac.uk" --format "value(ID)"
```

Steps to move a project¶

The following steps will move a project into the cam.ac.uk organisation.

1. Authenticate the gcloud cli¶

Begin by authenticating your local gcloud session with your <CRSid>@admin.g.apps.cam.ac.uk account:

gcloud auth login

2. Determine the parent resource of the project¶

To check whether the project is associated with a parent organisation or folder, run:

gcloud projects describe <project ID>

If you don't have the resourcemanager.organizations.get permission on the parent organisation, it may appear as though the project is not associated with any organisation, even if it is.

How to interpret the output:

If the parent resource is not displayed in the output, it confirms that the project is not associated with an organisation.
If the parent resource (folder or organisation) is displayed in the output, it confirms that the project is associated with an organisation.

2.1 Additional steps if the project is already associated with an organisation¶

If the project is associated with an organisation, you must perform the following additional steps:

Ensure your super admin account has the necessary IAM roles on the source organisation and the project’s parent resource (folder or organisation):
- Organization Policy Admin (roles/orgpolicy.policyAdmin) on the source organisation.
- Project Mover (roles/resourcemanager.projectMover) on the project's parent resource.
Add the destination organisation ID to the allow list in the resourcemanager.allowedExportDestinations organisation policy of the source organisation.

For example:
```
gcloud org-policies allow --organization <source org id> resourcemanager.allowedExportDestinations under:organizations/<destination org id>
```
Add the source organisation ID to the allow list of the resourcemanager.allowedImportSources organisation policy of the destination organisation.

For example:
```
gcloud org-policies allow --organization <destination org id> resourcemanager.allowedImportSources under:organizations/<source org id>
```

3. Determine the destination folder in the cam.ac.uk organisation¶

Typically, the source project will be moved into a specific institution’s folder within the cam.ac.uk organisation. All institution folders reside under the top-level Institutions folder (ID: 686817463855).

To list the available institution folders, run:

gcloud resource-manager folders list --folder 686817463855

4. Perform the move¶

Run the following command to move the project into the desired folder within the cam.ac.uk organisation:

gcloud beta projects move <project ID> --folder <folder ID>

If required, link the project to the central UIS billing account (019079-F1E96F-31B089):

Warning

Changing the billing account to the central UIS billing account may result in the loss of any accrued credits and discounts on the source project. Please ensure you discuss the potential impacts with the project owner before proceeding.

gcloud billing projects link <project ID> --billing-account=019079-F1E96F-31B089

5. Reset the organisation policies (if applicable)¶

If you modified organization policies in step 2.1, remember to reset them to their default state once the move is complete.

Reset the source organisation's resourcemanager.allowedExportDestinations policy:

gcloud org-policies reset --organization <source org id> resourcemanager.allowedExportDestinations

Reset the destination (cam.ac.uk) organisation's resourcemanager.allowedImportSources policy:

gcloud org-policies reset --organization <destination org id> resourcemanager.allowedImportSources

Conclusion¶

In this guide you've learnt how to move a Google cloud project into our cam.ac.uk organisation.