Getting Started With Your GCP Project

Your project is ready when you receive the provisioning confirmation from the Cloud Team. Follow the steps below to get set up.

Step 1 — Sign In

  1. Go to console.cloud.google.com.
  2. Sign in with your UCSB email address (yournetid@ucsb.edu).
    • UCSB uses Google Workspace managed through Microsoft Entra ID — your UCSB NetID and password work here.
    • Complete Duo MFA if prompted.
  3. After signing in, click the project selector at the top of the page (next to the Google Cloud logo) and find your project by name or ID.

Step 2 — Verify Your Access

  1. Navigate to IAM & Admin → IAM in the left menu.
  2. Confirm your @ucsb.edu account is listed with the appropriate role:
    • Owner — full access including IAM and billing (default for the project requester)
    • Editor — create and manage most resources
    • Viewer — read-only
    • Project IAM Admin — manage IAM for the project (if needed)

If you are not listed or your role is incorrect, contact the Cloud Team.

Adding and Removing Users

Every project comes with four Google Groups that carry the project’s access. Manage access by adding and removing people in these groups — do not grant roles to individuals directly under IAM & Admin → IAM.

Group Access it grants
prj-<id>-owners@gcp.cloud.ucsb.edu Full project access (Owner), view billing data, and use of the campus Shared VPC
prj-<id>-editors@gcp.cloud.ucsb.edu Create and manage most resources (Editor), and use of the campus Shared VPC
prj-<id>-viewers@gcp.cloud.ucsb.edu Read-only access (Viewer)
prj-<id>-billing@gcp.cloud.ucsb.edu View billing data and read-only project access

(<id> is your project ID. Find the exact group addresses under IAM & Admin → IAM, where the groups are listed as members.)

To add or remove members, go to groups.google.com and open the group. Project owners are Managers of all four groups, so they can manage membership for every access level. Only @ucsb.edu accounts can be added — personal Gmail accounts are not permitted.

See Identity & Access for the cross-provider picture.

Step 3 — Review Project Contacts

GCP uses Essential Contacts to route operational notifications to your team. These are configured automatically when your project is created — they point at your project’s access groups, so there is nothing to set up:

Group Notifications it receives
prj-<id>-owners All categories — Billing, Legal, Security, Suspension, Technical, and Technical Incidents
prj-<id>-billing Billing only

Because contacts are tied to the groups, you change who receives these notifications by managing group membership — the same way you manage access. There is no need to add or verify contacts manually.

If you also want notifications sent to an address that isn’t a group member (for example, a shared ticketing alias), you can add it under Essential Contacts with your project selected. See Account Contacts for general best practices.

Step 4 — Review Org Policy Constraints

Organization policies are applied at the folder level and inherited by your project. Before creating resources, review the key constraints on the Guardrails page to understand what is allowed and what will be blocked.

Key constraints to know:

  • No external IP addresses — VMs cannot have public IPs by default
  • Custom-mode VPCs only — Auto-mode VPC networks are blocked
  • Allowed regions: us-central1 and us-west1 (other regions may be blocked)

Step 5 — Networking

Your project is automatically attached to the campus Shared VPC at provisioning. Outbound internet access via Cloud NAT is included — no ticket needed.

Org policy blocks you from creating VPCs yourself — only the Cloud Team’s automation account can provision network resources.

  • Internet egress is available immediately via Cloud NAT.
  • Access to UCSB campus resources — not currently available for GCP. There is no VPN or Interconnect between GCP and the UCSB campus network at this time. Contact the Cloud Team to discuss options.

If your workload uses only managed services (Cloud Storage, BigQuery, Pub/Sub, Cloud Functions, Cloud Run), you may not need to think about networking at all.

See GCP Networking for full details.

Step 6 — Enable Required APIs

GCP services must be enabled via the API before you can use them. Most common APIs are pre-enabled, but check:

  1. Navigate to APIs & Services → Enabled APIs and Services.
  2. Confirm the APIs you need are enabled.
  3. To enable a new API: + Enable APIs and Services → search and enable.

Note: Some APIs require billing to be enabled. Org policies may block specific APIs — if you get a policy error, see Guardrails.

Step 7 — Verify Required Tags

Your project should already have the required Resource Manager Tags set by the Cloud Team at provisioning. Verify them by navigating to IAM & Admin → Tags.

The owner-settable tags (environment, mission, protection-level, availability-level, recovery-level, dept) can be updated by you if they need to change.

See Tagging & Labels for allowed values and how to update them.

Step 8 — Verify Budget Alert (Funded Projects)

  1. Navigate to Billing → Budgets & alerts.
  2. Confirm a billing budget exists for your project.
  3. The budget notifies you at 50%, 90%, and 100% of the budget by default.
  4. To change thresholds or recipients, edit the budget.

See Costs & Billing for more information.

Getting Help

Issue Where to go
Access problems ServiceNow
Networking issues Networking
Org policy violations Guardrails
Billing questions Costs & Billing
Everything else ServiceNow