Projects

8 GCP Projects. 99 Service Accounts. One Chance to Migrate Without Breaking.

Eight GCP projects. Ninety-nine service accounts. Two organizational tenants. And one requirement - move everything to a secure, policy-compliant environment without breaking a single deployment. The phased migration of a global enterprise platform from a legacy GCP tenant to a governed one - IAM hardening, CI/CD standardization, network dependencies, and cost governance. What we inherited: 99 service accounts most of which had never been audited, many carrying owner-level access from years back that nobody had touched. No naming conventions, no org policies, projects scattered across folders with no clear ownership. The dev team loved the autonomy. Leadership needed governance. The job was to deliver both. The phased approach: dev project first to validate the migration path, then five production workloads with complex cross-domain access requirements, then the analytics and dashboards data layer, and finally onboarding everything into the secure tenant with strict policies, naming standards, and full compliance. The most nerve-wracking piece was surgical IAM hardening - cleaning up 99 service accounts without breaking production. The CI/CD pipeline design had to give…