We would like to know if the use of multiple accounts is forbidden in Google Cloud Platform. We are NOT really planning to use multiple accounts, but we intend to use them TEMPORARILY to simulate our application use case. We have reviewed the GCP Terms of Service and Acceptable Use Policy, and the clause that we find relevant to this question in the Terms of Service is section 3.3(d), which states:
Customers will NOT ... (d) create multiple Applications, Accounts, or Projects to simulate or act as a single Application, Account, or Project (respectively) or otherwise access the Services in a manner intended to avoid incurring Fees;
We will now explain in detail what we are trying to do and why we initially need multiple accounts to simulate our use case.
We have an application currently in development that is targeted at charitable organizations. As charitable organizations, these entities are on low funding, so we intend to help them adopt our cloud application without having to spend so much money. So, our cloud application will be deployed for them at NO COST; however, the platform on which this application runs, of course, cannot come for free - we're talking about Google Cloud Platform. So, they will have to pay for the cost incurred in using GCP. The number of charitable organizations that we are targeting is high - at the early phase of launch, we are anticipating around a hundred (100) organizations, and as time goes on, we envision the number of organizations to scale to thousands to tens of thousands. Hence, our proposition is that each organization using our cloud application should have it deployed in her own independent project, under her own independent billing-account. This proposition was reached majorly based on the need to separate the cost accrued by each individual organization, i.e., each organization will create her own independent billing account that the project cost will be accrued to. Hence, the process-flow of how an organization signs up to use our cloud application is outlined below.
- We have our own personal GCP account, which will henceforth be referred to as MANAGER-ACCOUNT. There is a project under this MANAGER-ACCOUNT that will be used to manage all other projects under which our cloud application is running - this project henceforth will be referred to as MANAGER-PROJECT. This MANAGER-PROJECT has a service account that will be used to call Google APIs. This service account will henceforth be referred to as MANAGER-SERVICE-ACCOUNT.
- When a user (charitable organization) applies to use our cloud application, they will fill in a registration form. After the registration, the user will be required to perform the following steps, in order to allow us to set up the cloud application.
  - User creates a Google Cloud Platform account if they don't already have one, which will be referred to henceforth as USER-ACCOUNT.
  - User agrees to the Terms of Service of GCP.
  - User creates a new GCP project under her USER-ACCOUNT. This newly created project will be referred to henceforth as USER-PROJECT.
  - User enables billing on the USER-PROJECT by creating and attaching a billing account which will be referred to henceforth as USER-BILLING-ACCOUNT.
  - User will then grant IAM ownership role to MANAGER-SERVICE-ACCOUNT for the USER-PROJECT, while simultaneously revoking IAM ownership role from USER-ACCOUNT, consequently leaving MANAGER-SERVICE-ACCOUNT as the only IAM-Owner. Note that USER-ACCOUNT will still remain the billing-administrator for the USER-PROJECT, so that the cost accrued to the project can be paid for by the user (USER-BILLING-ACCOUNT).
- At this point, the setup on the side of the user is complete. We will then take over.
- Note that MANAGER-SERVICE-ACCOUNT is now the IAM-Owner of USER-PROJECT, hence, we now have full control of USER-PROJECT. We can then go ahead and deploy the source code of our cloud application onto USER-PROJECT, with the peace of mind that the user does NOT have access to our source-code and that the cost accrued on USER-PROJECT will be paid for by the user.
The process-flow stated above is our proposition on how we intend to use GCP to deploy our cloud application for users. Additionally, we need you to be aware of some important points taken into consideration in designing the process-flow to follow this pattern.
Though our cloud application will be made available to the charitable organizations at NO COST, we still intend to keep our source-code and intellectual properties private, hence the reason why IAM-Ownership role was given to MANAGER-SERVICE-ACCOUNT and revoked from USER-ACCOUNT. So, users MUST NOT have access to our source-code or engineering-process. In the context of Freeware versus Open-Source software - our cloud application is freeware, not open-source software. Of course, since we have ownership role, we will in turn assign IAM roles to USER-ACCOUNT to allow access to necessary resources like viewing Cloud Storage Buckets.
We need to separate the cost accrued by each individual user, hence the need to separate applications into independent projects, and also, we need users to pay Google independently for the cost of running the cloud application on Google Cloud Platform, hence the need for independent USER-BILLING-ACCOUNT.
Now, back to the initial reason that necessitated this whole explanation, i.e., the question on whether we can use multiple GCP accounts. It should be clear now why we may need to TEMPORARILY use multiple GCP accounts. This is because we need to simulate how the process-flow will play out. Section 3.3(d) of the terms of service quoted above made it clear that the reason for prohibiting using multiple accounts is mainly for entities trying to circumvent accruing cost. In our own case, the second GCP account that will be created will be used only for a DEMO project, and billing will even be enabled on this DEMO project because our cloud application requires billing-enabled APIs.
Please note that we are still open to suggestions on a better process-flow that we can adopt to attain our objective, because we are still in the development phase, so we can still change the process-flow.
So, what do you think?
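
The IAM end state that the handover step in the flow aims for can be checked against the project's policy JSON (the format printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`). This is an added example, not part of the original post: the account names and the sample policy are constructed, and the function names are hypothetical.

```python
import copy

BROAD_ROLES = {"roles/owner", "roles/editor"}  # basic roles with write access

# Constructed sample: a USER-PROJECT policy before the handover.
MANAGER_SA = "manager-sa@manager-project.iam.gserviceaccount.com"  # hypothetical
USER = "admin@charity.example"                                     # hypothetical
BEFORE = {"version": 1, "bindings": [
    {"role": "roles/owner", "members": ["user:" + USER]},
    {"role": "roles/editor", "members": ["user:volunteer@charity.example"]},
    {"role": "roles/storage.objectViewer", "members": ["user:" + USER]},
]}

def hand_over(policy, manager_sa, user_account):
    """Copy of `policy` with roles/owner granted to the manager service
    account and revoked from the user account."""
    new = copy.deepcopy(policy)
    sa, user = "serviceAccount:" + manager_sa, "user:" + user_account
    owners = next((b for b in new["bindings"] if b["role"] == "roles/owner"), None)
    if owners is None:
        owners = {"role": "roles/owner", "members": []}
        new["bindings"].append(owners)
    owners["members"] = sorted((set(owners["members"]) | {sa}) - {user})
    return new

def audit(policy, manager_sa):
    """Findings where the policy differs from the intended end state:
    the manager service account is the only principal with a broad role."""
    sa = "serviceAccount:" + manager_sa
    findings, sa_is_owner = [], False
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member == sa and role == "roles/owner":
                sa_is_owner = True
            elif role in BROAD_ROLES and member != sa:
                findings.append(f"{member} holds {role}")
    if not sa_is_owner:
        findings.append("manager service account is not an owner")
    return findings

if __name__ == "__main__":
    after = hand_over(BEFORE, MANAGER_SA, USER)
    for finding in audit(after, MANAGER_SA):
        print(finding)
```

In the sample, swapping the owner binding still leaves a second principal with `roles/editor`, so the audit reports it: revoking ownership from USER-ACCOUNT alone does not guarantee that MANAGER-SERVICE-ACCOUNT is the only identity able to modify the project.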