What Is a GCP Project? IDs, Billing, IAM, and Project Structure
What is a GCP project?
A GCP project is the fundamental container for every resource you create in Google Cloud. It controls which billing account pays for your usage, which APIs are enabled, who has access, and what quotas apply. Every VM, storage bucket, and database belongs to exactly one project. You cannot create anything in Google Cloud without one.
Get your project structure right at the start and the rest of your GCP setup follows naturally. Get it wrong and rebuilding is a painful exercise. This page explains what a project is, how its three identifiers work, what it controls, and how to structure projects properly from day one.
Simple explanation
Think of a GCP project like a workspace in an office building. Each workspace has its own budget (billing), its own set of tools unlocked for use (APIs), its own list of who is allowed in (IAM), and its own limits on how much it can consume (quotas). Nobody from one workspace automatically gets into another, and the finance team gets a separate invoice per workspace.
When you log in to the Cloud Console or run a gcloud command, you are always working inside a specific project. Everything you do (creating a VM, uploading a file, enabling a database) lands in that project and only that project.
Projects as company departments
Think of a GCP organisation as a company building. Each project is a department: marketing has its own budget, its own software licences, its own staff list, and its own filing system. Engineering has the same, completely separate. Nobody from marketing automatically walks into engineering’s systems. GCP projects work the same way: separate billing, separate permissions, separate APIs, separate quotas.
What a GCP project is
A GCP project is the fundamental resource boundary in Google Cloud. All resources exist inside a project. When you create a Compute Engine VM, it belongs to one specific project. When you set up a Cloud SQL database, it belongs to one project. When a service account sends an API request, it is authenticated under a project.
A project controls four things that matter enormously for how GCP works:
- Billing: every charge from resources in the project goes to one linked billing account
- APIs: each service must be explicitly enabled per project before you can use it
- IAM: access permissions are scoped to the project; roles granted here apply to everything inside
- Quotas: usage limits (CPU cores, API calls, storage) are enforced per project
The project is not a virtual machine, a network, or a storage container. It is a logical boundary: a set of rules that determine what can be built, who can access it, and who pays for it. Resources live inside projects, but the project itself is the organisational structure around them.
Three identifiers, one project
Every GCP project has three ways to identify it. You will encounter all three in different situations, and confusing them is one of the most common beginner mistakes.
Project name
A human-readable label you set and can change later. It does not have to be globally unique. Use it as a display name so humans can read it in the Console. Never use it in API calls, CLI commands, or automation. It is not a stable identifier.
Example: Payments Service (Production)
Project ID
A string you choose when creating the project. It must be globally unique across all of GCP, not just within your organisation but across every GCP customer in the world. It cannot be changed after creation. GCP uses this in API calls, CLI commands, service account email addresses, Cloud Storage bucket URLs, and audit logs.
Example: acme-payments-prod
Choose your project ID carefully. It is permanent. When a project is deleted, that project ID is retired forever. Nobody can reuse it. It will appear in every API call, log line, and service account email for the life of the project. Treat it like a domain name: short, lowercase, consistent with a naming convention, and meaningful to anyone reading a log file six months from now.
Project number
A numeric identifier assigned automatically by Google. You do not choose it and
cannot change it. You will see it in IAM policy exports (e.g.,
serviceAccount:123456789012@cloudservices.gserviceaccount.com),
audit logs, and some API responses.
It identifies the same project as the project ID. You rarely need to use it directly,
but you need to recognise it when you see it.
Example: 123456789012
Side by side
Project name — you set it, you can change it, not globally unique. Use for display only.
Project ID — you set it at creation, globally unique, permanent. Use in CLI commands and API calls.
Project number — Google assigns it, numeric, permanent. Appears in IAM exports and audit logs.
# A consistent project ID naming convention scales well.
# Pattern: {company}-{service}-{environment}
acme-payments-prod # production payments service
acme-payments-staging # staging payments service
acme-auth-prod # production authentication service
acme-data-platform-dev # development data platform
acme-shared-networking # shared VPC host projectShort, lowercase, hyphen-separated, environment suffix at the end. If you open a
log file and see acme-payments-prod in the project field, you know
exactly what you are looking at. That clarity is worth the thirty seconds it takes
to think about a naming convention before you create your first project.
How GCP projects work
A project has a simple lifecycle. Understanding the sequence helps you avoid wasted time on “why isn’t this working?” errors that are actually just missing steps.
- Create the project: give it a name and choose your project ID
- Link a billing account: without this, most paid services will refuse to run
- Enable the APIs you need: each service must be turned on per project
- Create resources inside the project: VMs, databases, storage buckets, and so on
- Assign IAM roles: grant people and service accounts access to those resources
- Delete the project when you are done: it enters a 30-day pending-deletion state
# Create a new project
gcloud projects create acme-payments-prod \
--name="Payments Service (Production)"
# Link a billing account to the project
gcloud billing projects link acme-payments-prod \
--billing-account=BILLING_ACCOUNT_ID
# Set this as the active project for subsequent commands
gcloud config set project acme-payments-prod
# Enable an API (e.g., Compute Engine)
gcloud services enable compute.googleapis.com
# List all projects your account has access to
gcloud projects listDeleting a project does not immediately destroy it. GCP moves it into a pending-deletion state for 30 days. During that window the project is inaccessible but can be fully restored. After 30 days it is permanently gone, along with every resource inside it.
Resources in a pending-deletion project continue to accrue charges during the 30-day window. Stop or delete individual resources before scheduling project deletion if you need billing to stop immediately. Deleting the project alone is not enough.
What a project scopes
Billing
Each project links to exactly one billing account. All resource charges in that project appear on that account’s invoice. One billing account can pay for many projects simultaneously, which makes it easy to see total spend across a company while still breaking costs down per project. Understanding the billing model before you start adding resources is worth the ten minutes it takes.
APIs
Most GCP services are disabled by default in a new project. Enabling an API in one project does not enable it in another. This is intentional: a project that only runs Cloud Run has no business with the Kubernetes Engine API enabled. API enablement is per-project and leaves a clear audit trail showing when each service was turned on and by whom. For the exact steps, see Enabling APIs in a Project.
IAM permissions
When you grant someone the Storage Object Viewer role on a project,
they can read from every Cloud Storage bucket in that project. Permissions granted
at the project level apply to everything inside it. Granting access at a higher
level (a folder or organisation) reaches further down and cannot be blocked at
the project level. See the
Resource Hierarchy guide
for how this inheritance works, and
IAM in GCP for how roles and bindings work.
Quotas
Usage limits in GCP (maximum CPU cores, API calls per minute, storage capacity) are enforced per project and often per region. New projects start with conservative defaults that are fine for learning but may need increasing before a real deployment. If you need more than the default, you request an increase through the Console. See Quotas and Limits for what to check before a large deployment.
When to use separate projects
Projects are cheap to create and fast to delete. The right instinct is to use more of them, not fewer. Here are the situations that clearly call for a separate project.
Dev, staging, and production environments. This is the minimum viable separation. A mistake in development cannot affect production data. Billing for each environment appears separately. You can grant developers full access to dev without giving them any access to prod.
Team or department separation. If two teams run completely different services and should not share billing or permissions, give them separate projects. IAM policy is simpler when it does not need to distinguish between team A and team B inside the same project.
Shared infrastructure. Networking resources used by multiple teams (a Shared VPC, a centralised logging project, a CI/CD toolchain) often live best in their own project with separate ownership and billing visibility.
Security boundaries. Projects are a hard isolation boundary. If two services must be completely isolated for compliance or regulatory reasons, separate projects are the right tool. Service account permissions, API enablement, and audit logs are all scoped per project.
Cost visibility. Billing reports in GCP aggregate by project. If you want to know exactly what your payments service costs versus your analytics pipeline, they need to be in separate projects. You can add labels and tags for finer cost attribution within a project, but project-level separation is cleaner.
GCP project vs folder vs organisation vs billing account
These four concepts are related but distinct. Confusing them, especially the billing account and the project, causes real setup problems.
Organisation
The root node of your GCP environment, tied to a Google Workspace or Cloud Identity domain. Policies set here apply to every folder, project, and resource your company owns. This is where company-wide rules live, enforced by Organisation Policies. Without an organisation, you cannot set company-wide constraints across projects.
Folder
An optional grouping layer between the organisation and projects. Use folders to separate business units, environments, or product areas. IAM roles granted on a folder apply to every project inside it. The most common structure is two top-level folders: Production and Non-Production. Folders do not hold resources directly. They hold projects.
Project
The place where resources actually live. Every resource must belong to exactly one project. Projects have their own billing link, their own IAM policies, their own enabled APIs, and their own quotas. This is the level you will work with every day.
Billing account
A billing account is not part of the resource hierarchy. It is a separate GCP object that stores your payment method and pays for projects linked to it. One billing account can pay for many projects. Each project links to exactly one billing account at a time. The billing account does not contain resources. It only receives charges.
The most common confusion: people assume that a billing account and a project are the same thing, or that a billing account scopes IAM. They are separate objects with separate purposes. Your billing account pays the bill. Your project is where the work happens.
The full picture from top to bottom: Organisation → Folders → Projects → Resources, with a Billing Account sitting alongside, linked to one or more projects but not part of the hierarchy chain. For a full walkthrough of how IAM flows through this structure, see the Resource Hierarchy guide.
Common mistakes
One project for everything. Mixing production and development in a single project means a mistake in dev can affect live data, billing is unreadable, and you cannot grant safe access without risking production. Split by environment at minimum.
Choosing a throwaway project ID.
test-123sounds fine when you are just exploring. When that project becomes your production system, that ID appears in every API call, log entry, and service account email forever. Think ahead before you type anything into the project ID field.Forgetting to link a billing account. A project without a billing account cannot create most paid resources. New users waste time debugging mysterious errors that are actually just a missing billing link, not a configuration problem.
Enabling too many APIs without tracking. Every enabled API is an attack surface and a potential unexpected cost. Enable only what you need. Disable APIs you are no longer using.
Not separating environments. Using one project for dev and prod is the single most common project structure mistake. The cleanup when something goes wrong is painful and sometimes impossible without data loss.
Assuming resources are easy to move later. They are not. Most GCP resources cannot be transferred between projects. Decide your structure first, then build. Fixing a bad project structure after resources exist is a significant migration project, not a five-minute fix.
Not deleting idle projects. Old projects accumulate orphaned resources, unused service account keys, and enabled APIs. They also represent an attack surface. Delete any project you no longer actively need.
Can you move resources between projects?
This is one of the most common beginner pain points, so the direct answer: for most resource types, no. Not in the way you would expect.
Cloud Storage objects can be copied to a bucket in another project. Databases can often be exported and reimported. But the resource identifiers change in the process, any IAM bindings on the original resource do not transfer automatically, and some configuration must be rebuilt. A handful of services (like some BigQuery datasets) have dedicated transfer or migration paths, but these are the exception.
The practical consequence: plan your project structure before you build anything that matters. Moving two VMs and a Cloud SQL database from one project to another is a multi-day migration exercise with real risk of downtime, not a drag-and-drop operation. Decide how many projects you need and what their IDs will be before you create any resources. That ten-minute decision saves days of migration work later.
Real examples
Single app with three environments
A small startup building one product creates three projects:
startup-app-dev, startup-app-staging, and
startup-app-prod. Developers have Editor access to dev,
Viewer access to staging, and no access to prod. Deployments to
production go through CI/CD with a dedicated
service account. Billing
shows the cost of each environment separately.
Startup with shared networking
A slightly larger team adds a fourth project: startup-shared-networking.
This project hosts the Shared VPC that all other projects attach to. The networking
team owns this project. Application teams create their VMs and Cloud Run services
in their own projects and connect to the shared network without touching its
configuration. This keeps network ownership clean and separate from application ownership.
Agency serving multiple clients
A digital agency manages infrastructure for five different clients. Each client gets its own project (or set of projects), keeping billing, data, and permissions completely isolated. The agency links each client’s project to the client’s own billing account, so the client sees their costs directly. No client can ever see another client’s resources.
Summary
- A project is the top-level container for all GCP resources. You cannot create anything without one
- Every project has a display name (changeable), a project ID (permanent, globally unique), and a project number (auto-assigned by Google)
- Billing, APIs, IAM permissions, and quotas are all scoped per project
- A billing account is not part of the resource hierarchy. It sits alongside, paying for one or more projects
- Use separate projects for production, staging, and development from the start
- Most resources cannot be moved between projects. Plan the structure before you build
- Deleting a project enters a 30-day pending state. Charges still accrue until resources are stopped
Frequently asked questions
What is a GCP project?
A GCP project is the basic container for everything you create in Google Cloud. Every VM, storage bucket, database, and API call belongs to exactly one project. The project controls which billing account pays for your resources, which APIs are enabled, who has permission to do anything, and what quotas apply. You cannot create a single resource without a project. It is not optional.
Do I need a project before creating resources in Google Cloud?
Yes. Every GCP resource must belong to a project. There is no way to create a VM, a Cloud Storage bucket, or any other resource outside of a project. Creating a project takes about ten seconds from the Console or one CLI command.
What is the difference between a project ID and a project number?
A project ID is a string you choose when creating the project (for example, acme-payments-prod). It must be globally unique across all of GCP, cannot be changed after creation, and appears in API calls, CLI commands, service account emails, and logs. A project number is a numeric identifier assigned automatically by Google. You do not choose it. Both point to the same project. You will mostly use the project ID day to day, and encounter the project number in IAM policy exports and audit logs.
Can I move resources between GCP projects?
Most GCP resources cannot be simply moved between projects. Cloud Storage objects can be copied, databases can be exported and imported, but resource IDs change in the process and some configuration must be rebuilt. A few services offer dedicated migration paths, but these are the exception. Plan your project structure before creating resources. Reorganising later is expensive and error-prone.
How many GCP projects should a company have?
At minimum, one project per environment per application: development, staging, and production. Most teams end up with five to twenty projects, and large organisations often have hundreds. Projects are cheap to create and quick to delete. It is far better to have too many than to mix environments in a single project.