Getting Started With Your GCP Project
Your project is ready when you receive the provisioning confirmation from the Cloud Team. Follow the steps below to get set up.
- Step 1 — Sign In
- Step 2 — Verify Your IAM Role
- Step 3 — Set Project Contacts
- Step 4 — Review Org Policy Constraints
- Step 5 — Networking
- Step 6 — Enable Required APIs
- Step 7 — Verify Required Tags
- Step 8 — Verify Budget Alert (Funded Projects)
- Getting Help
Step 1 — Sign In
- Go to console.cloud.google.com.
- Sign in with your UCSB email address (
yournetid@ucsb.edu).- UCSB uses Google Workspace managed through Microsoft Entra ID — your UCSB NetID and password work here.
- Complete Duo MFA if prompted.
- After signing in, click the project selector at the top of the page (next to the Google Cloud logo) and find your project by name or ID.
Use your @ucsb.edu account
Do not sign in with a personal Gmail account. All Campus Cloud resources are in the ucsb.edu Google Workspace domain. Only @ucsb.edu accounts can access Campus Cloud GCP projects.Step 2 — Verify Your IAM Role
- Navigate to IAM & Admin → IAM in the left menu.
- Confirm your
@ucsb.eduaccount is listed with the appropriate role:- Owner — full access including IAM and billing (default for the project requester)
- Editor — create and manage most resources
- Viewer — read-only
- Project IAM Admin — manage IAM for the project (if needed)
If you are not listed or your role is incorrect, contact the Cloud Team.
Adding and Removing Users
Project Owners can grant roles under IAM & Admin → IAM in the GCP Console.
See Grant an IAM role
for step-by-step instructions. Only @ucsb.edu accounts can be added —
personal Gmail accounts are not permitted.
Step 3 — Set Project Contacts
GCP uses Essential Contacts to route notifications to your team. The Cloud Team has configured org-level contacts; you need to add project-level contacts. See Account Contacts for general best practices.
- Navigate to Essential Contacts with your project selected.
- Click + Add contact.
- Enter a functional email address and select:
- Security — Security Command Center findings
- Technical — Maintenance and service disruption notices
- Billing — Budget alerts and billing notifications
- Confirm by clicking the verification link emailed to that address.
- Repeat for each category that needs a different address.
Step 4 — Review Org Policy Constraints
Organization policies are applied at the folder level and inherited by your project. Before creating resources, review the key constraints on the Guardrails page to understand what is allowed and what will be blocked.
Key constraints to know:
- No external IP addresses — VMs cannot have public IPs by default
- Custom-mode VPCs only — Auto-mode VPC networks are blocked
- Allowed regions: us-central1 and us-west1 (other regions may be blocked)
Step 5 — Networking
Your project is automatically attached to the campus Shared VPC at provisioning. Outbound internet access via Cloud NAT is included — no ticket needed.
Org policy blocks you from creating VPCs yourself — only the Cloud Team’s automation account can provision network resources.
- Internet egress is available immediately via Cloud NAT.
- Access to UCSB campus resources — not currently available for GCP. There is no VPN or Interconnect between GCP and the UCSB campus network at this time. Contact the Cloud Team to discuss options.
If your workload uses only managed services (Cloud Storage, BigQuery, Pub/Sub, Cloud Functions, Cloud Run), you may not need to think about networking at all.
See GCP Networking for full details.
Step 6 — Enable Required APIs
GCP services must be enabled via the API before you can use them. Most common APIs are pre-enabled, but check:
- Navigate to APIs & Services → Enabled APIs and Services.
- Confirm the APIs you need are enabled.
- To enable a new API: + Enable APIs and Services → search and enable.
Note: Some APIs require billing to be enabled. Org policies may block specific APIs — if you get a policy error, see Guardrails.
Step 7 — Verify Required Tags
Your project should already have the required Resource Manager Tags set by the Cloud Team at provisioning. Verify them by navigating to IAM & Admin → Tags.
The owner-settable tags (environment, mission, protection-level,
availability-level, recovery-level, dept) can be updated by you if they
need to change.
See Tagging & Labels for allowed values and how to update them.
Step 8 — Verify Budget Alert (Funded Projects)
- Navigate to Billing → Budgets & alerts.
- Confirm a billing budget exists for your project.
- The budget notifies you at 50%, 90%, and 100% of the budget by default.
- To change thresholds or recipients, edit the budget.
See Costs & Billing for more information.
Getting Help
| Issue | Where to go |
|---|---|
| Access problems | ServiceNow |
| Networking issues | Networking |
| Org policy violations | Guardrails |
| Billing questions | Costs & Billing |
| Everything else | ServiceNow |