If you manage multiple Google Cloud or Firebase projects, you have probably noticed how difficult it gets without an Organization. Projects float around under personal Gmail accounts, IAM policies are scattered, and transferring ownership requires awkward workarounds. Google’s documentation nudges you toward Google Workspace at $6-18 per user per month, but that is overkill when all you need is organizational structure.
The solution is Google Cloud Identity Free Edition — a little-known, zero-cost identity service that gives you a proper GCP Organization, centralized IAM, project folders, and domain-based accounts. This guide walks through every step of setting it up, including the non-obvious gotchas that Google’s documentation glosses over.
Table of Contents
- What Is Cloud Identity Free?
- What You Get vs. What You Don’t
- Prerequisites
- Step-by-Step Setup
- Adding External Users (Gmail Accounts)
- Migrating Existing Projects
- Organizing Projects into Folders
- Setting Up Email (Optional)
- Common Issues and Solutions
- When to Use Cloud Identity Free vs. Workspace
What Is Cloud Identity Free?
Cloud Identity is Google’s identity-as-a-service offering. It exists independently from Google Workspace and provides:
- Domain verification and ownership — prove you own a domain, and Google associates it with your account
- User account management for up to 50 users
- Automatic GCP Organization creation — the moment you verify your domain, Google creates an Organization resource in GCP
- SSO and basic security policies
- No email hosting — your MX records stay pointed at whatever email provider you already use
The critical insight is this: when you verify a domain with Cloud Identity, Google automatically creates a GCP Organization for that domain. This is the same Organization you would get with a paid Workspace subscription. Once it exists, you can group projects under it, create folders, apply centralized IAM policies, and manage billing at the organization level.
Google does not prominently advertise this. The signup page is at a specific URL that you would never find through normal navigation. More on that below.
What You Get vs. What You Don’t
Before committing, it helps to understand exactly where Cloud Identity Free draws the line.
| Feature | Cloud Identity Free | Google Workspace |
|---|---|---|
| GCP Organization | Yes | Yes |
| Centralized IAM | Yes | Yes |
| Folders and resource hierarchy | Yes | Yes |
| Domain-based accounts | Yes | Yes |
| Up to 50 users | Yes | Unlimited |
| Gmail hosting (@yourdomain.com) | No | Yes |
| Google Drive storage | No | Yes |
| Google Docs/Sheets/Slides | No (personal only) | Yes (business) |
| Google Meet (advanced features) | No | Yes |
| Admin security features | Basic | Advanced |
| Price | Free | $6-18/user/month |
The trade-off is email. Cloud Identity Free does not include Gmail hosting for your domain. If you are already using another email provider — MXRoute, Fastmail, Zoho Mail, Proton, or even just forwarding — this is a non-issue. Your MX records stay exactly as they are. The Cloud Identity accounts exist purely for Google Cloud authentication and admin access.
For solo developers or small teams managing Firebase and GCP projects, this is often the perfect fit: you get all the organizational infrastructure without a monthly bill.
Prerequisites
You need three things before starting:
- A domain you own (e.g., yourdomain.com). Any registrar works: Porkbun, Cloudflare, GoDaddy, Namecheap, etc.
- Access to your domain’s DNS settings. You will need to add a TXT record for verification.
- An existing email address for initial setup. This can be a personal Gmail or any other address.
That is it. No credit card, no billing account, no existing GCP project.
Step-by-Step Setup
Step 1: Find the Signup Page
This is where most people get stuck. The signup page for Cloud Identity Free is not linked from the main Google Cloud homepage or the Google Workspace marketing site. The direct URL is:
https://workspace.google.com/signup/gcpidentity/welcome
Do not go to admin.google.com — that is for existing admins only and will show a “Sign in with an administrator account” error. Do not go to the regular Google Workspace signup either — that will start a paid subscription trial.
The /gcpidentity/ path is the specific entry point for Cloud Identity Free.
Step 2: Enter Business Information
Google asks for basic details:
- Business name: your organization name (e.g., “My Company” or “Acme Corp”)
- Country: select your country
- Number of employees: “Just you” is fine for solo developers
None of this affects your GCP access or pricing. It is used for account categorization.
Step 3: Enter Your Domain
Enter the domain you want to associate with your GCP Organization (e.g., acmecorp.dev).
Google will check if this domain is already linked to a Workspace or Cloud Identity account. If it is, you will need to use a different domain or contact the existing admin.
Step 4: Create Your Admin Account
Create your first user account. This will be something like:
admin@yourdomain.com, or yourname@yourdomain.com
This account will not receive emails at this address unless you separately set up email hosting. It exists for two purposes:
- Signing into the Google Admin Console (admin.google.com)
- Authenticating with Google Cloud Console as an organization member
Choose a username you will remember. You can create additional accounts later (up to 50 total).
Step 5: Verify Domain Ownership
Google needs proof that you own the domain. The easiest method is a DNS TXT record.
Google provides a verification string like:
google-site-verification=AbCdEfGhIjKlMnOpQrStUvWxYz1234567890_example
Add this as a TXT record at your domain’s root (the @ record):
| Type | Name | Value | TTL |
|---|---|---|---|
| TXT | @ | google-site-verification=AbCdEfGhIjKlMnOpQrStUvWxYz1234567890_example | 600 |
If you use Porkbun, you can do this via their API:
curl -X POST "https://api.porkbun.com/api/json/v3/dns/create/yourdomain.com" \
  -H "Content-Type: application/json" \
  -d '{
    "apikey": "YOUR_API_KEY",
    "secretapikey": "YOUR_SECRET_KEY",
    "type": "TXT",
    "name": "",
    "content": "google-site-verification=YOUR_VERIFICATION_CODE",
    "ttl": "600"
  }'
After adding the record, wait 5-15 minutes for DNS propagation. You can check whether the record has propagated using:
dig TXT yourdomain.com +short
Once you see your verification string in the output, click “Verify” in Google’s setup wizard.
Step 6: Access Your New Organization
After verification, three things happen automatically:
- Google creates your Cloud Identity account
- A GCP Organization is created for your domain
- You gain access to the Google Admin Console at admin.google.com
To find your new organization in GCP:
- Go to console.cloud.google.com
- Sign in with your new Cloud Identity account (yourname@yourdomain.com)
- Click the project dropdown at the top of the page
- Your domain should appear as an Organization
If you cannot find it in the project picker (it can be confusing), go directly to the Resource Manager:
https://console.cloud.google.com/cloud-resource-manager
This shows all organizations and projects in a clear hierarchy.
Step 7: Grant Yourself Full Access
This catches people off guard: even though you created the organization and are the only user, you do not automatically have full admin rights in GCP. Your Cloud Identity account has admin rights in the Admin Console but limited permissions in the GCP Console.
To fix this:
- Go to IAM for your organization: https://console.cloud.google.com/iam-admin/iam?organizationId=YOUR_ORG_ID
- Find your email in the list of principals
- Click the pencil icon to edit
- Add the Owner role
- Save
Find your organization ID by running:
gcloud organizations list
Important: only grant yourself the Owner role. Adding multiple roles alongside Owner can cause permission conflicts. The Owner role already encompasses everything.
Adding External Users (Gmail Accounts)
If you want to grant your personal Gmail account (or other external accounts) access to the organization, there are two obstacles to navigate.
Obstacle 1: Domain Restriction Policy
By default, GCP organizations only allow users from the verified domain. To add external accounts:
- Go to Organization Policies: https://console.cloud.google.com/iam-admin/orgpolicies/list?organizationId=YOUR_ORG_ID
- Find “Domain restricted sharing” (iam.allowedPolicyMemberDomains)
- Click to edit
- Either disable the constraint entirely or add specific allowed domains
Obstacle 2: The Two-Step Role Assignment
Even after relaxing the domain policy, there is a quirk in how GCP processes external user grants. You must add external users as Viewer first, then upgrade their role:
- Go to IAM for your organization
- Click “Grant Access”
- Add the external email (e.g., yourname@gmail.com)
- Assign role: Viewer (not Owner, not yet)
- Save
- Now edit the user again and change the role to Owner
- Save
Why does this work? The domain policy check runs on initial grant. The Viewer role passes the check more reliably. Once the user exists in the IAM binding, you can freely change their role.
This is one of those undocumented behaviors that wastes hours if you do not know about it.
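Once the domain restriction is relaxed and external accounts hold organization-level roles, it is worth listing them periodically. The following is an added example, not part of the original guide: it audits a policy in the JSON shape printed by `gcloud organizations get-iam-policy YOUR_ORG_ID --format=json`. The sample policy, the account names in it and the severity labels are constructed for illustration.

```python
import json

# Constructed sample in the shape printed by:
#   gcloud organizations get-iam-policy YOUR_ORG_ID --format=json
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:admin@yourdomain.com", "user:yourname@gmail.com"]},
    {"role": "roles/viewer",
     "members": ["group:devs@yourdomain.com", "user:contractor@example.org"]},
    {"role": "roles/resourcemanager.folderViewer",
     "members": ["serviceAccount:ci@my-app-prod.iam.gserviceaccount.com",
                 "domain:yourdomain.com"]}
  ],
  "etag": "BwXconstructed=",
  "version": 1
}
""")

WRITE_BASIC_ROLES = {"roles/owner", "roles/editor"}
PUBLIC = {"allUsers", "allAuthenticatedUsers"}


def member_domain(member):
    """Return the lowercased domain of a user:, group: or domain: member, else None."""
    if member.startswith("deleted:"):
        # deleted:user:name@example.com?uid=123 -> user:name@example.com
        member = member[len("deleted:"):].split("?", 1)[0]
    kind, _, value = member.partition(":")
    if kind == "domain":
        return value.lower()
    if kind in ("user", "group") and "@" in value:
        return value.rsplit("@", 1)[1].lower()
    return None  # service accounts and other principal types are not judged here


def external_grants(policy, org_domain):
    """List (member, role, severity) for principals outside org_domain."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            domain = member_domain(member)
            if member in PUBLIC:
                findings.append((member, role, "public"))
            elif domain is not None and domain != org_domain.lower():
                sev = "high" if role in WRITE_BASIC_ROLES else "review"
                findings.append((member, role, sev))
    return sorted(findings)


if __name__ == "__main__":
    for member, role, severity in external_grants(SAMPLE_POLICY, "yourdomain.com"):
        print(f"{severity:6} {role:14} {member}")
```

Run it against the real policy by replacing `SAMPLE_POLICY` with the parsed output of the gcloud command; service accounts are skipped because their domain says nothing about who controls them.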
Migrating Existing Projects
If you have existing GCP or Firebase projects under your personal Gmail account, you can move them into your new organization.
Check Current Organization Status
First, verify whether a project is already in an organization:
gcloud projects describe PROJECT_ID --format="value(parent.type,parent.id)"
If this returns nothing, the project has no organization (the common case for personal projects). If it returns an organization ID you do not recognize, the project may have been auto-assigned to a consumer organization or a Workspace organization from an employer.
Option A: Via GCP Console
- Go to IAM & Admin > Settings in the project
- Click Migrate (for projects with no organization) or Move (for projects already in an organization)
- Select your organization as the destination
The distinction between “Migrate” and “Move” depends on the project’s current state:
- Migrate: project has no organization, moving into one for the first time
- Move: project is already in an organization, transferring between organizations
To move projects between organizations, you need admin access to both the source and destination organizations.
Option B: Via gcloud CLI
gcloud projects move PROJECT_ID \
  --organization=ORGANIZATION_ID
This is faster when migrating multiple projects. Script it with a loop:
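ORG_ID=$(gcloud organizations list --format="value(name)" | head -1)  # first org listed; set by hand if you have several
ORG_ID="${ORG_ID##*/}"  # keep only the numeric ID if the value comes back as organizations/NNN
for PROJECT in project-1 project-2 project-3; do
  gcloud projects move "$PROJECT" --organization="$ORG_ID"
done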
Handling Firebase Projects
Firebase projects are GCP projects under the hood, so the same migration process applies. After moving a Firebase project into your organization:
- Firebase Console access is unaffected — it works the same as before
- App Hosting, Hosting, Firestore, and all other Firebase services continue working
- The project now appears under your organization in the GCP Resource Manager
- You can apply organization-level IAM policies that cascade to the Firebase project
Organizing Projects into Folders
Once you have an organization with multiple projects, folders help you apply policies and manage access at a group level.
A typical folder structure for a development team:
yourdomain.com (Organization)
├── Production
│   ├── my-app-prod
│   ├── my-marketing-site
│   └── my-api-prod
├── Staging
│   └── my-app-staging
└── Development
    └── my-app-dev
Create folders via the CLI:
gcloud resource-manager folders create \
  --display-name="Production" \
  --organization=ORGANIZATION_ID
Then move projects into folders:
FOLDER_ID=$(gcloud resource-manager folders list \
  --organization=ORGANIZATION_ID \
  --filter="displayName=Production" \
  --format="value(name)")
FOLDER_ID="${FOLDER_ID##*/}"  # keep only the numeric ID if the value comes back as folders/NNN
gcloud projects move PROJECT_ID --folder="$FOLDER_ID"
Folders support IAM inheritance: a role granted at the folder level applies to all projects within that folder. This is useful for giving a team member access to all production projects without granting individual permissions on each one.
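To make the inheritance concrete, here is an added example (not from the original guide) that models the folder layout shown earlier and computes which roles a principal effectively holds on a project and which level grants each one. The bindings and the oncall@ account are constructed; only allow policies are modeled, not deny policies.

```python
# Constructed hierarchy mirroring the folder layout above: child -> parent.
PARENT = {
    "my-app-prod": "Production",
    "my-marketing-site": "Production",
    "my-api-prod": "Production",
    "my-app-staging": "Staging",
    "my-app-dev": "Development",
    "Production": "yourdomain.com",
    "Staging": "yourdomain.com",
    "Development": "yourdomain.com",
}

# Constructed allow-policy bindings set directly on each resource.
BINDINGS = {
    "yourdomain.com": {"roles/owner": {"user:admin@yourdomain.com"}},
    "Production": {"roles/viewer": {"user:oncall@yourdomain.com"}},
    "my-app-dev": {"roles/editor": {"user:oncall@yourdomain.com"}},
}


def ancestry(resource):
    """Resource first, then each ancestor up to the organization."""
    chain = [resource]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain


def effective_roles(member, resource):
    """Map each role the member holds on resource to the level that grants it.

    Allow policies are additive: the effective set is the union of the
    resource's own bindings and those of every ancestor.
    """
    granted = {}
    for level in ancestry(resource):
        for role, members in BINDINGS.get(level, {}).items():
            if member in members:
                granted.setdefault(role, level)  # report the nearest granting level
    return granted


def projects_reached(member):
    """Projects (leaf resources) on which the member holds at least one role."""
    leaves = sorted(set(PARENT) - set(PARENT.values()))
    return [p for p in leaves if effective_roles(member, p)]


if __name__ == "__main__":
    for who in ("user:admin@yourdomain.com", "user:oncall@yourdomain.com"):
        print(who, "->", projects_reached(who))
```

An organization-level Owner reaches every project, which is why the grants made at that level deserve the closest review.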
Setting Up Email (Optional)
Cloud Identity Free does not include email hosting. The accounts you create are for Google Cloud authentication only. If you want yourname@yourdomain.com to actually receive emails, you have several options.
Option 1: Keep Using Your Existing Email Provider
This is the most common approach. If you already use MXRoute, Fastmail, Zoho Mail, or another provider, nothing changes. Your MX records stay pointed at your email provider. The Cloud Identity account and email hosting are completely independent — they share a domain name but do not interact.
Option 2: Add Google Workspace Later
You can upgrade specific Cloud Identity users to Google Workspace if they later need Gmail, Drive, or Docs. Cloud Identity Free and Workspace can coexist on the same domain. You only pay for the users who need Workspace features.
Option 3: Simple Email Forwarding
Set up email forwarding at your domain registrar to forward yourname@yourdomain.com to your personal Gmail. This gives you receive-only capability at your domain address without any hosting cost.
Common Issues and Solutions
“Sign in with an administrator account”
Cause: you went to admin.google.com before setting up Cloud Identity.
Fix: use the signup URL instead:
https://workspace.google.com/signup/gcpidentity/welcome
Organization Not Appearing in GCP Console
Cause: you are signed into GCP with your personal Gmail, not your Cloud Identity account.
Fix: sign in with yourname@yourdomain.com. The organization is only visible to accounts within the Cloud Identity directory. Once you add your personal Gmail via IAM (as described above), it will also see the organization.
DNS Verification Failing
This is the most common setup issue. Checklist:
- Wait 15-30 minutes after adding the TXT record. DNS propagation is not instant.
- Verify the record exists: dig TXT yourdomain.com +short
- Check for typos in the verification string. Copy-paste, do not retype.
- Confirm you added it to the root domain (@ or blank name), not a subdomain.
- Check your registrar’s interface. Some registrars (like GoDaddy) automatically append the domain to the name field, so entering yourdomain.com creates yourdomain.com.yourdomain.com. Leave the name field blank or use @.
“1 User Limit” When Adding Users in Admin Console
Cloud Identity Free supports 50 users, but some accounts are provisioned with only 1 Cloud Identity license initially. This is a Cloud Identity user limit, not a GCP limit.
Workaround: do not add users via Google Admin Console. Instead, grant GCP access directly via IAM — this does not require Cloud Identity licenses. An external Gmail account can have full Owner access to the GCP organization without being a Cloud Identity user.
Cannot Add External Gmail to Admin Roles
The Google Admin Console (admin.google.com) only allows assigning admin roles to users within your Cloud Identity directory. External Gmail accounts cannot be Cloud Identity admins.
Solution: this distinction only matters for the Admin Console. Grant GCP access via IAM instead. An external user can have full Owner access to the GCP organization and all its projects without being a Cloud Identity admin.
Key URLs to Bookmark
These URLs are difficult to find through normal navigation but essential for managing your organization:
| Purpose | URL |
|---|---|
| Cloud Identity Free Signup | workspace.google.com/signup/gcpidentity/welcome |
| Resource Manager (all orgs) | console.cloud.google.com/cloud-resource-manager |
| Organization IAM | console.cloud.google.com/iam-admin/iam?organizationId=YOUR_ORG_ID |
| Organization Policies | console.cloud.google.com/iam-admin/orgpolicies/list?organizationId=YOUR_ORG_ID |
| Domain Restriction Policy | console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains/edit?organizationId=YOUR_ORG_ID |
When to Use Cloud Identity Free vs. Workspace
Cloud Identity Free Is a Good Fit When:
- You are a solo developer or small team (under 50 people)
- You already have email hosting elsewhere and do not need Gmail
- You want GCP Organization features without Workspace overhead
- You need a professional domain-based identity for cloud resources
- You are managing multiple Firebase or GCP projects that need centralized governance
Consider Google Workspace Instead When:
- You need Google’s email hosting (Gmail for business)
- You need advanced admin security features (DLP, advanced mobile management, security investigation tool)
- You have more than 50 users
- Your team heavily uses Google Docs, Drive, and Sheets for collaboration
- You need Google Vault for compliance and archival
The Hybrid Approach
Cloud Identity Free and Workspace can coexist on the same domain. A practical pattern:
- Start with Cloud Identity Free for the GCP Organization
- Keep most users on Cloud Identity Free (costs nothing)
- Upgrade only the users who need Workspace features (email, Drive, Docs)
This way, you pay only for the users who actually need the paid features, while everyone else gets GCP access for free.
Summary
Cloud Identity Free is one of the best-kept secrets in the Google Cloud ecosystem. The setup takes about 15 minutes:
- Sign up at the Cloud Identity Free URL (/signup/gcpidentity/welcome)
- Verify your domain via a DNS TXT record
- Access your new organization in GCP Console
- Grant yourself Owner access
- (Optional) Add external accounts and migrate existing projects
You get centralized IAM, folders, billing management, and professional domain-based identity — all without a monthly bill. For developers and small teams managing multiple cloud projects, it is the obvious choice over paying for Workspace features you do not need.