As an organization manager you easily apply for your organization to join RosettaHUB by submitting an application here: https://www.rosettahub.com/registration/institution.xhtml . RosettaHub can manage your organization's AWS, Azure and GCP accounts. Putting your root cloud accounts under the management of RosettaHUB allows for mass on-boarding to AWS, Azure and GCP for all members of your organization. The platform creates individual cloud accounts for each member whilst allowing you to control costs and define budgets, permissions and limits on each cloud account. A RosettaHub cloud account maps an AWS sub-account an Azure resource group or a GCP project.

Organization Registration Process:

Pre-requisites for AWS Registration:

• The organization owns an AWS account

Pre-requisites for Azure Registration:

• The organization owns an Azure subscription

Pre-requisites for GCP Registration:

• The organization owns a GCP account

• The organization creates an Organization within GSuite: https://gsuite.google.com/signup/gcpidentity/welcome

• If the GCP account is new, the organization requests a quota increase on the number of GCP projects: https://support.google.com/code/contact/billing_quota_increase 

GCP Gcloud Setup

To give access to RosettaHub to administer a GCP folder, the organization needs to execute the following script and replace folder_id with the rosettahub folder id and rh-email with the email that has been communicated by RosettaHUB.

gcloud  resource-manager folders add-iam-policy-binding folder_id --member="user:rh-email" --role="roles/owner"
gcloud  resource-manager folders add-iam-policy-binding folder_id --member="user:rh-email" --role="roles/resourcemanager.projectCreator"
gcloud  resource-manager folders add-iam-policy-binding folder_id --member="user:rh-email" --role="roles/resourcemanager.projectDeleter"
gcloud  resource-manager folders add-iam-policy-binding folder_id --member="user:rh-email" --role="roles/resourcemanager.folderAdmin"

In order for RH to manage users access to GCP regions, the organization can grant these additional rights and replace project_id with the project id communicated by RosettaHUB and org_id with the organization's organization id under GCP:

gcloud  organizations add-iam-policy-binding org_id --member="serviceAccount:administrator@project_id.iam.gserviceaccount.com" --role="roles/orgpolicy.policyAdmin"
gcloud  organizations add-iam-policy-binding org_id --member="user:rh-email" --role="roles/orgpolicy.policyAdmin"

If the organization wants to restrict all users to one region, the organization can simply enforce an organization policy for regions at the folder level and communicate the selected region to RosettaHUB.