skip to content

IT Help and Support

University Information Services
 

Who uses Google Cloud?

UIS has some high-profile services in the Google Cloud Platform (GCP), including much of Raven and tooling surrounding the Undergraduate Admissions process. We've adopted a cloud-first policy, which requires that those building, planning or deploying services within UIS must consider and fully evaluate potential cloud products first before considering any other option. This approach is mandatory for new services in UIS.

Who is eligible?

This is a service for all members of the University. Although not currently enforced, we strongly recommend that members enable two-step verification on the Google account associated with their @cam.ac.uk address. It's likely that enabling two-step verification will become mandatory in the future.

Invoice-based billing is available for any University institution within one of the Schools or Faculties, any institution directly under the supervision of the General Board or the Council and any cross-institutional research groups that have a separate billing and/or accounting unit in CUFS.

Individuals wishing to use Google Cloud should contact their institutional IT Manager to discuss centralised billing or make use of the unbilled project provision.

What is available?

Google's product catalogue describes its Cloud product offerings.

How much does it cost?

Costs depend on which services you use and your levels of usage. You can use Google's pricing calculator to estimate costs. Many of Google's services have a free tier that may be appropriate for small workloads.

Additionally, some Google services are unbilled. This includes, but is not limited to:

  • registration of OAuth2 credentials to use Raven OAuth2
  • creation of service accounts and service account credentials for interoperating with Google Drive, Docs, Sheets and so on.

You don't need to obtain a billing account to use unbilled services.

How is billing managed?

UIS supports two billing models.

Invoice-based billing

In this model, your Google Cloud resources are billed directly to your institution via invoice. This is suitable for Cloud resources used at an institutional or research group level. It is generally not suitable for for projects that only need to use unbilled resources, such as those implementing Raven OAuth2 or interacting with the Google Drive API.

Important: while it's technically possible for a single institution to have multiple invoice-based billing accounts we strongly recommend against it. It's expected that each institution will maintain a single billing account and re-charge users internally according to their own processes.

Since institutional finance arrangements vary, you should use your own institution's processes to get agreement from your institution's finance office to set up invoice-based billing. We strongly recommend that you agree a target budget and set up budget alerts to notify you if there is a likelihood of over-spend.

You can request invoice-based billing via a self-service form. You will need:

  • contact details for your Institution's finance office including postal address, email address and phone number
  • your Institution's VAT number
  • a Lookup group containing administrators for the billing account.

Google Cloud (and other Google applications) integrate with Lookup. As such it is preferable to define access by means of a Lookup group that can be modified by institutional editors rather than by listing individuals.

When Google Cloud is provisioned for you, you will get a new billing account that can be associated with Google Cloud Projects.

All billing account admins will have to individually agree to the Google Cloud Terms of Service via the G Suite preferences application.

Google groups cloud resources into Projects and groups Projects into Folders. Any user in your institution can create Projects and Folders (see below) but in order to be able to associate a Project with a billing account you will need at least the following roles:

  • Billing Account User on the billing account. If you are a billing account admin, you already have this role. Additional users or Lookup groups may be granted this role under Account Management in the billing account management console.
  • Project Billing Manager on the Project. If you are a Project owner, you already have this role. Additional users or Lookup groups may be granted this role via the IAM management page in the Google Cloud Console.

UIS DevOps maintains a description of how it deploys products to Google Cloud that is compatible with this offering and may be of use if you intend to automate deployments.

Unbilled Projects

Google groups Cloud resources into Projects and groups Projects into Folders. We've given each institution a Google Folder. Any member of an eligible institution may register an unbilled Project within that folder or create sub-folders.

Important: newly created projects will not be visible to anyone who has not been explicitly granted permission on them, but sub-folders are visible to any member of the Institution even if the projects within them are not. This is a technical limitation of Google Cloud.

Having visibility of folders mean that users of your institution will be able to see the name of a folder that has been created, but will not be able to see any of the projects within it.

Google provides detailed documentation on creating projects. When signed in to the Google Cloud Console ensure that you are using your CRSid@cam.ac.uk account. You can switch accounts by clicking the avatar circle at the top-right.

You will only be able to create projects within institution folders if you are registered as a member of that Institution in Lookup.

Google Cloud (and other Google applications) integrate with Lookup. As such, it's preferable to define access by means of a Lookup group that can be modified by institutional editors or group members rather than by listing individuals. Note that in some cases it can take up to 24 hours for a change in Lookup group membership to be propagated to Google Cloud.

How do I get it?

Any member of an eligible institution may create an unbilled Google Project within their institution's Folder in Google Cloud – see unbilled projects. These projects cannot make use of Cloud Resources which require billing but can make use of some unbilled resources. Notably unbilled resources include those required to make use of Raven OAuth2 and to interoperate with Google Drive, Docs, Sheets and so on.

To make use of billed resources, your institution will need to set up invoice-based billing.

How do I sign in to the Google Cloud console?

It is likely that many admins will already have a personal Google account. Make sure that you are signed in to the Google Cloud console with the correct account by clicking the avatar at the top-right. If you are not signed in with your CRSid@cam.ac.uk account, click 'Add account' to do so. All CRSid@cam.ac.uk accounts use Raven to sign in. Make sure you have enabled Google Cloud in your Google Workspace preferences and accepted the Google Cloud Terms of Service.

How to I make use of Lookup groups to control access to resources?

Google Cloud uses Cloud IAM to control capabilities to view or modify resources. We recommend that you use Lookup groups rather than listing individuals. Lookup groups appear in Cloud IAM via the special email-like identifier groupid@groups.lookup.cam.ac.uk. See Using Lookup groups with Google.

Important: Changes to Lookup Group membership may take up to 24 hours to propagate to Google Cloud.

What are the Google Cloud policies and terms of service?

Google publishes several policy and terms of service documents governing the use of their products. Prior to using Google Cloud, these should be reviewed by an appropriate team within your institution to ensure that they meet your needs.

Important documents include, but are not limited to:

Every user of Google Cloud must abide by these terms at all times. UIS or Google may restrict or remove services at any time without warning if a user fails to abide by the terms in these documents.

Where can I learn more?

University documentation

External documentation

UIS Service Desk

Phone padded  Service status line: (01223 7)67999
Website  Sign up for SMS/email status alerts
Website  Read major IT incident reports

UIS bITe-size bulletin

A regular newsletter aimed at the University's IT community, highlighting service and project news from UIS.

Sign up >

Latest news

MCS Linux service deprecated

17 August 2022

We have deprecated the MCS Linux service because of technical and resource constraints. At its peak, MCS Linux accounted for only 2% of MCS machines deployed, and use of this service has declined steadily in recent years. Unfortunately, we have had to remove the Linux part of the service because of unforeseen technical...

New cloud research platform service from UIS

15 August 2022

Amazon Web Services (AWS) and RONIN available via UIS UIS is pleased to announce that access to Amazon Web Services (AWS) and RONIN are now available through a new University-provided cloud research platform service. If you would like to join the increasing number of Cloud users and to save around 11% on list prices for...

Change in recommended VPN client for Android users

11 August 2022

We have updated our recommendations for Android users of the UIS VPN and managed VPN services. We no longer recommend Android’s built-in VPN client because setting it up is complicated, which can lead to insecure configurations. Instead, we recommend the strongSwan client to Android users. It’s available free of charge...