Ever set up what you thought was a bulletproof Google Cloud Organization, only to discover mysterious projects appearing like uninvited guests at a dinner party? You're not alone. Our recent NET+ GCP strategy call with Google's Jeff Nessen dove into the messy reality of how Google's various services can wreak havoc on your carefully managed cloud organization.
The Hierarchy That Rules Them All
Jeff started with a crucial reminder: Google Workspace sits at the top of the entire Google ecosystem hierarchy. Your Workspace super admin can essentially override anything happening in your GCP environment. While this gives them ultimate control, it also means that when that super admin retires (as Jeff has seen countless times), you're potentially locked out of critical billing and administrative functions. The solution involves opening support cases and getting letters from C-level executives – not exactly the streamlined process anyone wants.
The Usual Suspects
The conversation revealed the sources of several common surprises for GCP administrators:
Apps Script turned out to be particularly sneaky. As one participant discovered, a computer science class assignment using Apps Script automatically created dozens of GCP projects, completely bypassing the project creation restrictions they thought they had in place.
Google Analytics and Google Ads can suddenly start appearing in your GCP billing when users enable BigQuery integration features. The challenge? Figuring out which department in marketing set this up and should be paying for it.
Terra.bio and NIH's All of Us create projects that bill back to your organization, often requiring detective work to trace costs back to the right researcher or grant.
The Billing Maze
One of the most practical insights was about billing account management. Jeff emphasized that being a GCP org admin doesn't automatically make you a billing administrator – these are separate permission sets. For NET+ subscribers using resellers like Burwood, this actually works in your favor, at least for the billing IDs on contract. Your reseller can help clean up orphaned billing accounts when people leave, since through them the distributor Carahsoft ultimately holds the billing super admin rights.
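A small reconciliation script like the one below is one way to surface the surprise projects and unexpected billing links described above before they show up on an invoice. It is an added example, not something from the call or from Google: it parses the JSON that `gcloud projects list --format=json` and `gcloud billing projects list --billing-account=... --format=json` produce (embedded here as constructed sample data so it runs offline), and the `cost-center` label is an assumed local convention, not a Google one.

```python
"""Flag GCP projects nobody has claimed or that bill to an unapproved account."""
import json

# Constructed billing account id standing in for the accounts on your NET+ contract.
APPROVED_BILLING = {"billingAccounts/AAAAAA-111111-000001"}

# Constructed stand-in for `gcloud projects list --format=json` output.
PROJECTS_JSON = """[
 {"projectId": "research-genomics", "parent": {"type": "organization", "id": "123"},
  "labels": {"cost-center": "biology"}, "lifecycleState": "ACTIVE"},
 {"projectId": "script-created-0927", "parent": {"type": "organization", "id": "123"},
  "labels": {}, "lifecycleState": "ACTIVE"},
 {"projectId": "mktg-analytics-export", "parent": {"type": "folder", "id": "77"},
  "labels": {}, "lifecycleState": "ACTIVE"}
]"""

# Constructed stand-in for `gcloud billing projects list ... --format=json` output.
BILLING_JSON = """[
 {"projectId": "research-genomics",
  "billingAccountName": "billingAccounts/AAAAAA-111111-000001", "billingEnabled": true},
 {"projectId": "script-created-0927",
  "billingAccountName": "billingAccounts/AAAAAA-111111-000001", "billingEnabled": true},
 {"projectId": "mktg-analytics-export",
  "billingAccountName": "billingAccounts/BBBBBB-222222-000002", "billingEnabled": true}
]"""


def find_surprises(projects_json, billing_json, approved):
    """Return {projectId: [reasons]} for projects that need a human to look at them."""
    billing = {b["projectId"]: b for b in json.loads(billing_json)}
    findings = {}
    for project in json.loads(projects_json):
        pid = project["projectId"]
        reasons = []
        # No cost-center label means no department has claimed the spend.
        if "cost-center" not in project.get("labels", {}):
            reasons.append("no cost-center label: nobody has claimed this spend")
        # Billing enabled against an account that is not on the approved list.
        link = billing.get(pid)
        if link and link["billingEnabled"] and link["billingAccountName"] not in approved:
            reasons.append(f"billed to unapproved account {link['billingAccountName']}")
        if reasons:
            findings[pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in find_surprises(PROJECTS_JSON, BILLING_JSON, APPROVED_BILLING).items():
        print(f"{pid}: {'; '.join(reasons)}")
```

In practice you would feed the function the saved output of the two `gcloud` commands run from a read-only account, and run it on a schedule so a new project shows up as a finding rather than as a line item.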
Real-World Solutions
Craig from Yale shared a practical approach: they work one-on-one with users to grant temporary access for linking billing accounts, then remove those permissions to prevent unauthorized project creation. Jon from University of Washington praised Burwood's help in tracking down "surprising" services that appear on bills.
The Organizational Reality
An interesting sidebar emerged: at most institutions, Google Workspace (collaboration/productivity) and GCP (cloud) are managed by completely separate teams. In Google’s worldview, all you would use is Google, and so there is no conflict. In reality, at most institutions, the cloud team is trying to support and develop strategies around multiple cloud platforms and the collaboration team is doing the same in their space. We are organized by function, not by vendor. If there is good communication and collaboration, this is a non-issue operationally, but this can create its own compliance challenges, considering that the Workspace team has ultimate override capabilities over the Cloud team's carefully constructed security policies.
The bottom line? Managing a Google Cloud organization isn't just about GCP policies and permissions. It's about understanding the interconnected web of Google services and planning for the inevitable exceptions that will test your governance model.
What unexpected Google services have surprised you in your GCP environment? The community would love to hear your war stories.