Who uses Google Cloud?
UIS has some high-profile services in the Google Cloud Platform (GCP), including much of Raven and tooling surrounding the Undergraduate Admissions process. We've adopted a cloud-first policy, which requires that those building, planning or deploying services within UIS must consider and fully evaluate potential cloud products first before considering any other option. This approach is mandatory for new services in UIS.
Who is eligible?
This is a service for all members of the University. Although not currently enforced, we strongly recommend that members enable two-step verification on the Google account associated with their @cam.ac.uk address. It's likely that enabling two-step verification will become mandatory in the future.
Invoice-based billing is available for any University institution within one of the Schools or Faculties, any institution directly under the supervision of the General Board or the Council and any cross-institutional research groups that have a separate billing and/or accounting unit in CUFS.
Individuals wishing to use Google Cloud should contact their institutional IT Manager to discuss centralised billing or make use of the unbilled project provision.
What is available?
Google's product catalogue describes its Cloud product offerings.
How much does it cost?
Costs depend on which services you use and your levels of usage. You can use Google's pricing calculator to estimate costs. Many of Google's services have a free tier that may be appropriate for small workloads.
Additionally, some Google services are unbilled. This includes, but is not limited to:
- registration of OAuth2 credentials to use Raven OAuth2
- creation of service accounts and service account credentials for interoperating with Google Drive, Docs, Sheets and so on.
You don't need to obtain a billing account to use unbilled services.
How is billing managed?
UIS supports two billing models.
Invoice-based billing
In this model, your Google Cloud resources are billed directly to your institution via invoice. This is suitable for Cloud resources used at an institutional or research group level. It is generally not suitable for projects that only need to use unbilled resources, such as those implementing Raven OAuth2 or interacting with the Google Drive API.
Important: while it's technically possible for a single institution to have multiple invoice-based billing accounts, we strongly recommend against it. It's expected that each institution will maintain a single billing account and re-charge users internally according to their own processes.
Since institutional finance arrangements vary, you should use your own institution's processes to get agreement from your institution's finance office to set up invoice-based billing. We strongly recommend that you agree a target budget and set up budget alerts to notify you if there is a likelihood of over-spend.
You can request invoice-based billing via a self-service form. You will need:
- contact details for your Institution's finance office including postal address, email address and phone number
- your Institution's VAT number
- a Lookup group containing administrators for the billing account.
Google Cloud (and other Google applications) integrate with Lookup. As such, it is preferable to define access by means of a Lookup group that can be modified by institutional editors rather than by listing individuals.
When Google Cloud is provisioned for you, you will get a new billing account that can be associated with Google Cloud Projects.
All billing account admins will have to individually agree to the Google Cloud Terms of Service via the G Suite preferences application.
Google groups cloud resources into Projects and groups Projects into Folders. Any user in your institution can create Projects and Folders (see below) but in order to be able to associate a Project with a billing account you will need at least the following roles:
- Billing Account User on the billing account. If you are a billing account admin, you already have this role. Additional users or Lookup groups may be granted this role under Account Management in the billing account management console.
- Project Billing Manager on the Project. If you are a Project owner, you already have this role. Additional users or Lookup groups may be granted this role via the IAM management page in the Google Cloud Console.
UIS DevOps maintains a description of how it deploys products to Google Cloud that is compatible with this offering and may be of use if you intend to automate deployments.
Unbilled Projects
Google groups Cloud resources into Projects and groups Projects into Folders. We've given each institution a Google Folder. Any member of an eligible institution may register an unbilled Project within that folder or create sub-folders.
Important: newly created projects will not be visible to anyone who has not been explicitly granted permission on them, but sub-folders are visible to any member of the Institution even if the projects within them are not. This is a technical limitation of Google Cloud.
Having visibility of folders means that users of your institution will be able to see the name of a folder that has been created, but will not be able to see any of the projects within it.
Google provides detailed documentation on creating projects. When signed in to the Google Cloud Console ensure that you are using your CRSid@cam.ac.uk account. You can switch accounts by clicking the avatar circle at the top-right.
You will only be able to create projects within institution folders if you are registered as a member of that Institution in Lookup.
Google Cloud (and other Google applications) integrate with Lookup. As such, it's preferable to define access by means of a Lookup group that can be modified by institutional editors or group members rather than by listing individuals. Note that in some cases it can take up to 24 hours for a change in Lookup group membership to be propagated to Google Cloud.
How do I get it?
Any member of an eligible institution may create an unbilled Google Project within their institution's Folder in Google Cloud – see unbilled projects. These projects cannot make use of Cloud Resources which require billing but can make use of some unbilled resources. Notably, unbilled resources include those required to make use of Raven OAuth2 and to interoperate with Google Drive, Docs, Sheets and so on.
To make use of billed resources, your institution will need to set up invoice-based billing.
How do I sign in to the Google Cloud console?
It is likely that many admins will already have a personal Google account. Make sure that you are signed in to the Google Cloud console with the correct account by clicking the avatar at the top-right. If you are not signed in with your CRSid@cam.ac.uk account, click 'Add account' to do so. All CRSid@cam.ac.uk accounts use Raven to sign in. Make sure you have enabled Google Cloud in your Google Workspace preferences and accepted the Google Cloud Terms of Service.
How do I make use of Lookup groups to control access to resources?
Google Cloud uses Cloud IAM to control capabilities to view or modify resources. We recommend that you use Lookup groups rather than listing individuals. Lookup groups appear in Cloud IAM via the special email-like identifier groupid@groups.lookup.cam.ac.uk. See Using Lookup groups with Google.
Important: Changes to Lookup Group membership may take up to 24 hours to propagate to Google Cloud.
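One way to check a project against the recommendation above is to read its IAM policy and list every binding that names an individual rather than a Lookup group. The following is an added example, not UIS or Google code; it assumes the policy is in the JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`, and the group id `000000` and the account names in the sample are constructed placeholders.

```python
import json

LOOKUP_SUFFIX = "@groups.lookup.cam.ac.uk"  # identifier form given on this page
UNIVERSITY_SUFFIX = "@cam.ac.uk"            # CRSid@cam.ac.uk accounts

# Constructed sample policy; group id 000000 and all accounts are placeholders.
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "bindings": [
    {"role": "roles/owner",
     "members": ["group:000000@groups.lookup.cam.ac.uk"]},
    {"role": "roles/billing.projectManager",
     "members": ["user:example1@cam.ac.uk", "user:someone@example.com"]},
    {"role": "roles/viewer",
     "members": ["serviceAccount:deploy@example-project.iam.gserviceaccount.com",
                 "group:000000@groups.lookup.cam.ac.uk"]}
  ]
}
""")

def classify(member):
    """Return a category for one IAM member string of the form 'kind:email'."""
    kind, _, email = member.partition(":")
    email = email.lower()
    if kind == "group" and email.endswith(LOOKUP_SUFFIX):
        return "lookup-group"
    if kind == "user" and email.endswith(UNIVERSITY_SUFFIX):
        return "individual"   # valid, but not managed through Lookup membership
    if kind == "serviceAccount":
        return "service-account"
    return "other"            # e.g. a personal Google account or allUsers

def audit(policy):
    """List (role, member, category) for bindings not made via a Lookup group."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            category = classify(member)
            if category in ("individual", "other"):
                findings.append((binding["role"], member, category))
    return findings

if __name__ == "__main__":
    for role, member, category in audit(SAMPLE_POLICY):
        print(f"{category:10} {role:30} {member}")
```

Because Lookup membership changes can take up to 24 hours to reach Google Cloud, a clean result reflects the bindings only, not who is currently inside each group.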
What are the Google Cloud policies and terms of service?
Google publishes several policy and terms of service documents governing the use of their products. Prior to using Google Cloud, these should be reviewed by an appropriate team within your institution to ensure that they meet your needs.
Important documents include, but are not limited to:
- General Terms of Service
- Data Processing and Security Terms
- Acceptable Use Policy
- List of Subprocessors
- GDPR/DPA 2018 model contract clauses
Every user of Google Cloud must abide by these terms at all times. UIS or Google may restrict or remove services at any time without warning if a user fails to abide by the terms in these documents.
Where can I learn more?
University documentation
- UIS Cloud First policy guidance
- UIS "hands on" guide to Google Cloud
- UIS DevOps' Google Cloud deployment guide
External documentation
- Google Developer Profile: individual learning pathways for Google Cloud products
- Google Cloud Platform YouTube channel
- Google Cloud Platform Essential Training: LinkedIn Learning course
- UK Government Cloud First policy
- University of Oxford Cloud toolkit
- Creating a Cloud Strategy: Deloitte article on Cloud First strategies in larger organisations