What is app-enabled folder in Google Cloud

Do not be confused about the following introduction. This post *is* about app-enabled folders. But before explaining what they are and how you can make one, it is important to quickly refresh what the term “folder” means in the context of Google Cloud.

If you have used Google Cloud you know about Google Cloud projects. According to Google Cloud resource hierarchy, any service resource (e.g. a virtual machine, GKE cluster or IP address) has a project as their parent, which represents the first grouping mechanism of the Google Cloud resource hierarchy. When a user accesses Google Cloud using an organizational account ‒ a Google Workspace account issued by an organization’s administrator, they have access to additional levels of grouping: folders and the topmost ‒ organization. Of course all access is pending appropriate IAM permissions. Folders allow to group projects and other folders to abstract company’s organizational or production hierarchies and control access to underlying resources.
Users can also access Google Cloud using personal accounts ‒ free accounts for individuals, created to access Google services like Gmail, Drive, and more. However, these accounts limit access to resource hierarchy to the level of projects and its underlying service resources.

What app-enabled folder is

Building on the application-centric approach first announced in 2024, Google delivered practical support for the full software development lifecycle at Cloud Next 2025. Resource-wise this concept is represented by using specialized folders which are called to represent an application. These folders are referenced as app-enabled folders.

You will be prompted to select an app-enabled folder when you work with App Hub or Application Design Center in the Cloud console. User experience can be confusing especially when a user selects a folder which is not app-enabled. You can confirm whether a folder is app-enabled using the following methods:

• Use the Cloud console to examine the currently selected folder. You can find it in the project picker or by looking at the top left corner of the console’s window, right from the “Google Cloud” image.

  

  If the folder is app-enabled then the icon to the left from the folder’s name will look like while a regular folder’s icon will look like .

• Use the gcloud CLI to check for non-empty output. Substitute FOLDER_ID with your folder ID before executing the following command.

  gcloud resource-manager capabilities describe \
      "folders/FOLDER_ID/capabilities/app-management" \
      --format="value(value)"
  

  This command inspects the folder’s capability of application management. The --format="value(value) flag specifically extracts the enabled status of the capability. The output is True if the capability is enabled (i.e. FOLDER_ID is app-enabled) and False otherwise.

Create an app-enabled folder

If you do not have an app-enabled folder you can enable application management on any other folder that you have and make it app-enabled. Or you can create a new folder and make it app-enabled. Enabling application management is done in the Settings screen of the folder in the Cloud console or using the following gcloud command:

gcloud resource-manager capabilities update \
    "folders/FOLDER_ID/capabilities/app-management" \
    --enable

You will need the following IAM roles to complete the task:

• roles/resourcemanager.folderAdmin ‒ to update the folder’s configuration
• roles/resourcemanager.projectCreator ‒ to create a management project
• roles/serviceusage.serviceUsageAdmin ‒ to enable required APIs
• roles/billing.user ‒ to associate a billing account with a management project so the project can be used for application-centric management tasks

Once you change the folder’s settings to enable application management, you will be prompted to link the created management project to a billing account. You can use an existing account or create a new one. The project is used for application management only. It is not recommended to manually manage resources on this project.

Users who will do application development and management will need one of App Hub IAM roles to be granted on the management project. Additionally, if users plan to use Application Design Center they will need an additional set of IAM roles to be granted as well.

These roles have to be granted on the management project. While granting these roles on the app-enabled folder will work due to IAM policy inheritance, the recommended best practice is to grant them directly on the management project. This adheres to the principle of least privilege by ensuring that these permissions, which are specific to application management, do not unintentionally leak to other projects you might add to the folder later.

See documentation for additional information about managing applications in a folder.

Summing up

An app-enabled folder is a folder having application management enabled. You need it if you want to manage your workload in an application-centric approach and not resource-centric as it has been done. If you work with App Hub or Application Design Center then you will be asked for the app-enabled folder. And you know the steps to make one. There are a few things to remember:

• Do not be surprised by the terms “app-enabled” or “management project”. Now you know what they mean.
• Grant users IAM permissions for application management on the management project and not on the app-enabled folder to minimize potential permission leak due to access inheritance.
• Enabling application management on a folder requires quite a few permissions. Make sure that you have them before starting the process.

Below you can find a few useful links to documentation and explanations about the application-centric approach to workload management.

• Delivering an application-centric cloud for developers and operators
• Manage applications in a folder
• App Hub overview
• AI-powered application-centric operation using Cloud Assist