[judge2020]

For enterprises it seems this is already baked-in, ie. when you're a Google Workspace (previously GSuite) user, your project selector has an inherent hierarchy stemming from the domain, ie. example.com -> project1, project2, etc. and, in my limited experience, switching between accounts on the command line is pretty good. But this article still makes a good point about keeping different environments in different siloed projects.

[benatkin]

It seems that with isolation between projects on gcloud the number of separate accounts needed is less, which is good because it's also harder and more expensive to create multiple accounts. If gsuite is used very carefully, 1 is enough, but I think 2 would be better for most.

[judge2020]

I think you're misunderstanding AWS accounts; they're not talking about AWS "logins", they're talking about actual "accounts" which are the entities that house resources like GCP projects. You can have an "organization" that has many accounts under it with sensible IAM, although it's less clean than GCP.

[cjcampbell]

I'm assuming you're saying a dedicated account for Google Workspace (GSuite) and a separate account for anything GCP?

[benatkin]

Yeah, that's what I'm saying. There's a lot of overlap with people who are using GSuite for things like email and people who are using GCP for production systems. It isn't great that the login/2FA for email automatically give access to GCP. Email is used so often, it's hard to be as cautious with it all the time as one can be with a something used less often.

[cjcampbell]

Thanks for confirming. Great advice, and I agree 100%.