Access control for Cloud Billing APIs

Google Cloud offers Identity and Access Management (IAM), which lets you give access to specific Google Cloud resources but not others. IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.

IAM lets you control who (users) has what access (roles) to which resources by setting IAM allow policies. Allow policies grant specific roles to a user, which gives the user the permissions in those roles.

This page explains the IAM roles that are available for the Cloud Billing APIs. For example, you can use IAM to grant roles such as Billing Account Costs Manager or Billing Account Viewer on a Cloud Billing account. For a detailed description of IAM and its features, see the IAM documentation. In particular, see Manage access to projects, folders, and organizations and Manage access to other resources.

Permissions and roles

For a user to view Cloud Billing account details in the Google Cloud console, or for a Cloud Billing API method to return Cloud Billing account information, the user or caller must have the necessary permissions.

Required permissions for the Cloud Billing Catalog API

No permissions are required to use the Cloud Billing Catalog API (Services list and SKUs list). All of the data that this API returns is public.

Required permissions for the Cloud Billing Budget API

The following table outlines which permissions are necessary to call each Cloud Billing Budget API method. Also included are the standard IAM Billing roles that automatically grant those permissions.

GetBudget
  Required permission: To get the details of a budget, the caller must have the billing.budgets.get permission on the budget's Cloud Billing account. For single-project budgets, instead of billing account permissions, the caller can have the following permissions on the project: resourcemanager.projects.get and billing.resourcebudgets.read.
  IAM roles that grant the permission: Billing Account Administrator, Billing Account Costs Manager, or Billing Account Viewer on the budget's Cloud Billing account. For single-project budgets, Project Owner, Project Editor, or Project Viewer on the project.

ListBudgets
  Required permission: To return a list of budgets applied to a Cloud Billing account, the caller must have the billing.budgets.list permission on the Cloud Billing account. For single-project budgets, instead of billing account permissions, the caller can have the following permissions on the project: resourcemanager.projects.get and billing.resourcebudgets.read.
  IAM roles that grant the permission: Billing Account Administrator, Billing Account Costs Manager, or Billing Account Viewer on the budget's Cloud Billing account. For single-project budgets, Project Owner, Project Editor, or Project Viewer on the project.

CreateBudget
  Required permission: To create a new budget, the caller must have the billing.budgets.create permission on the budget's Cloud Billing account. For single-project budgets, instead of billing account permissions, the caller can have the following permissions on the project: resourcemanager.projects.get, billing.resourcebudgets.read, and billing.resourcebudgets.write.
  IAM roles that grant the permission: Billing Account Administrator or Billing Account Costs Manager on the budget's Cloud Billing account. For single-project budgets, Project Owner or Project Editor on the project.

UpdateBudget
  Required permission: To update an existing budget, the caller must have the billing.budgets.update permission on the budget's Cloud Billing account. For single-project budgets, instead of billing account permissions, the caller can have the following permissions on the project: resourcemanager.projects.get, billing.resourcebudgets.read, and billing.resourcebudgets.write.
  IAM roles that grant the permission: Billing Account Administrator or Billing Account Costs Manager on the budget's Cloud Billing account. For single-project budgets, Project Owner or Project Editor on the project.

DeleteBudget
  Required permission: To delete an existing budget, the caller must have the billing.budgets.delete permission on the budget's Cloud Billing account. For single-project budgets, instead of billing account permissions, the caller can have the following permissions on the project: resourcemanager.projects.get, billing.resourcebudgets.read, and billing.resourcebudgets.write.
  IAM roles that grant the permission: Billing Account Administrator or Billing Account Costs Manager on the budget's Cloud Billing account. For single-project budgets, Project Owner or Project Editor on the project.

Required permissions for the Cloud Billing Account API

The following table lists the required permissions to call each Cloud Billing Account API method, as well as the IAM roles for Cloud Billing that include those permissions.

billingAccounts.create
  Required permissions: This method creates a new Cloud Billing subaccount. The caller must have billing.accounts.update on the subaccount's parent Cloud Billing account.
  IAM roles that include the permission: Billing Account Administrator

billingAccounts.get
  Required permissions: billing.accounts.get on a Cloud Billing account.
  IAM roles that include the permission: Billing Account Administrator, Billing Account Costs Manager, Billing Account Viewer, or Billing Account User

billingAccounts.list
  Required permissions: None. This method returns all accounts that the caller has permission to access.
  IAM roles that include the permission: Billing Account Administrator, Billing Account Costs Manager, Billing Account Viewer, or Billing Account User on the Cloud Billing accounts, or Project Billing Manager on the projects.

billingAccounts.getIamPolicy
  Required permissions: billing.accounts.getIamPolicy on a Cloud Billing account.
  IAM roles that include the permission: Billing Account Administrator, Billing Account Costs Manager, Billing Account Viewer, or Billing Account User

billingAccounts.setIamPolicy
  Required permissions: billing.accounts.setIamPolicy on a Cloud Billing account.
  IAM roles that include the permission: Billing Account Administrator

billingAccounts.testIamPermissions
  Required permissions: None. This method is used to determine the permissions that a caller has on a Cloud Billing account.
  IAM roles that include the permission: n/a

billingAccounts.patch
  Required permissions: billing.accounts.update on a Cloud Billing account.
  IAM roles that include the permission: Billing Account Administrator

billingAccounts.projects.list
  Required permissions: billing.resourceAssociations.list on a Cloud Billing account.
  IAM roles that include the permission: Billing Account Administrator, Billing Account Costs Manager, or Billing Account Viewer

projects.getBillingInfo
  Required permissions: resourcemanager.projects.get on the project. For more information, see Access Control for Projects.
  IAM roles that include the permission: Project Owner, Project Editor, or Project Viewer

projects.updateBillingInfo
  Required permissions: billing.resourceAssociations.create on the Cloud Billing account AND resourcemanager.projects.createBillingAssignment on the project.
  IAM roles that include the permission: Billing Account Administrator or Billing Account User on the Cloud Billing account, AND Project Billing Manager on the project
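The tables above, and the role table in the Roles section, can be applied offline to an allow policy of the kind billingAccounts.getIamPolicy returns. The following Python checker is an added example, not Google's code and not part of the original page: it expands each binding's role into permissions using a subset of the Cloud Billing role table, keeps permissions held on the billing account separate from permissions held on the project (so that projects.updateBillingInfo passes only when both resources are satisfied, and a Billing Account Administrator granted only on the account cannot link a project), models the single-project alternative for Budget API methods, and includes an audit helper for finding who can change the account's allow policy. The policies, member names, project name and etag values are constructed; group membership is not expanded and conditional bindings are skipped, since neither can be resolved offline.

```python
"""Offline checker for Cloud Billing IAM allow policies (added example, not Google's code).

Reads an allow policy in the JSON shape billingAccounts.getIamPolicy returns, expands
role bindings into permissions with a subset of the Cloud Billing role table, and decides
whether a member may call a Cloud Billing API method. Groups are not expanded and
conditional bindings are skipped, since neither can be resolved offline.
"""
from __future__ import annotations

# Subset of the role -> permission table on this page (only what the checks need).
ROLE_PERMISSIONS = {
    "roles/billing.admin": frozenset({
        "billing.accounts.get", "billing.accounts.getIamPolicy",
        "billing.accounts.setIamPolicy", "billing.accounts.update",
        "billing.budgets.create", "billing.budgets.delete", "billing.budgets.get",
        "billing.budgets.list", "billing.budgets.update",
        "billing.resourceAssociations.create", "billing.resourceAssociations.list",
        "resourcemanager.projects.createBillingAssignment",
    }),
    "roles/billing.costsManager": frozenset({
        "billing.accounts.get", "billing.accounts.getIamPolicy",
        "billing.budgets.create", "billing.budgets.delete", "billing.budgets.get",
        "billing.budgets.list", "billing.budgets.update",
        "billing.resourceAssociations.list",
    }),
    "roles/billing.user": frozenset({
        "billing.accounts.get", "billing.accounts.getIamPolicy",
        "billing.resourceAssociations.create",
    }),
    "roles/billing.viewer": frozenset({
        "billing.accounts.get", "billing.accounts.getIamPolicy",
        "billing.budgets.get", "billing.budgets.list", "billing.resourceAssociations.list",
    }),
    "roles/billing.projectManager": frozenset({
        "resourcemanager.projects.createBillingAssignment",
        "resourcemanager.projects.deleteBillingAssignment",
    }),
}

# Per method: a list of alternatives, any one of which authorizes the call. Each alternative
# is (single_project_budgets_only, {resource: permissions required on that resource}), where
# the resource is "account" (the Cloud Billing account) or "project".
METHOD_REQUIREMENTS = {
    "billingAccounts.get": [(False, {"account": {"billing.accounts.get"}})],
    "billingAccounts.setIamPolicy": [(False, {"account": {"billing.accounts.setIamPolicy"}})],
    "billingAccounts.patch": [(False, {"account": {"billing.accounts.update"}})],
    # Needs a permission on the billing account AND a permission on the project.
    "projects.updateBillingInfo": [(False, {
        "account": {"billing.resourceAssociations.create"},
        "project": {"resourcemanager.projects.createBillingAssignment"},
    })],
    "UpdateBudget": [
        (False, {"account": {"billing.budgets.update"}}),
        # Single-project budgets accept project permissions instead of account permissions.
        (True, {"project": {"resourcemanager.projects.get", "billing.resourcebudgets.read",
                            "billing.resourcebudgets.write"}}),
    ],
}


def permissions_for_member(policy: dict, member: str) -> frozenset[str]:
    """Permissions the member holds on the resource whose allow policy this is."""
    held: set[str] = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue  # conditional bindings depend on request context; not evaluated offline
        if member in binding.get("members", []):  # exact match only; groups are not expanded
            held |= ROLE_PERMISSIONS.get(binding["role"], frozenset())
    return frozenset(held)


def is_authorized(method: str, member: str, account_policy: dict,
                  project_policy: dict, single_project_budget: bool = False) -> bool:
    """True if the member's roles satisfy at least one alternative for the method."""
    held = {"account": permissions_for_member(account_policy, member),
            "project": permissions_for_member(project_policy, member)}
    for single_project_only, needs in METHOD_REQUIREMENTS[method]:
        if single_project_only and not single_project_budget:
            continue
        if all(perms <= held[resource] for resource, perms in needs.items()):
            return True
    return False


def members_with_permission(policy: dict, permission: str) -> set[str]:
    """Audit helper: every member whose unconditional bindings grant the permission."""
    return {member
            for binding in policy.get("bindings", [])
            if "condition" not in binding
            and permission in ROLE_PERMISSIONS.get(binding["role"], frozenset())
            for member in binding.get("members", [])}


# Constructed sample policies; members, project name and etags are made up for this example.
PROVISIONER = "serviceAccount:provisioner@example-project.iam.gserviceaccount.com"
SAMPLE_ACCOUNT_POLICY = {
    "etag": "BwXconstructed=",
    "bindings": [
        {"role": "roles/billing.admin", "members": ["user:finops-admin@example.com"]},
        {"role": "roles/billing.viewer", "members": ["group:finance-readers@example.com"]},
        {"role": "roles/billing.user", "members": [PROVISIONER]},
    ],
}
SAMPLE_PROJECT_POLICY = {
    "etag": "BwYconstructed=",
    "bindings": [{"role": "roles/billing.projectManager", "members": [PROVISIONER]}],
}

if __name__ == "__main__":
    print("provisioner may link the project to the account:",
          is_authorized("projects.updateBillingInfo", PROVISIONER,
                        SAMPLE_ACCOUNT_POLICY, SAMPLE_PROJECT_POLICY))
    print("members who can change the account's allow policy:",
          sorted(members_with_permission(SAMPLE_ACCOUNT_POLICY, "billing.accounts.setIamPolicy")))
```

Running the checker shows the least-privilege pairing the tables describe: the provisioner service account, which holds only Billing Account User on the account and Project Billing Manager on the project, can link the project, while the Billing Account Administrator, who is not bound on the project at all, cannot. The audit helper is the check to run on a real policy before handing it to anyone: only roles/billing.admin carries billing.accounts.setIamPolicy, so every member it returns can rewrite the whole policy.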

Roles

You don't directly give users permissions; instead, you grant them roles, which have one or more permissions bundled within them.

You can grant one or more roles on the same resource.

The following table lists the IAM roles that you can grant to access the Cloud Billing APIs, the description of what the role does, and the permissions bundled within that role. Some of these roles also include permissions for other Google Cloud services.

Role Permissions

Billing Account Administrator (roles/billing.admin)

Provides access to see and manage all aspects of billing accounts.

Lowest-level resources where you can grant this role:

  • Billing Account

billing.accounts.close

billing.accounts.get

billing.accounts.getCarbonInformation

billing.accounts.getIamPolicy

billing.accounts.getPaymentInfo

billing.accounts.getPricing

billing.accounts.getSpendingInformation

billing.accounts.getUsageExportSpec

billing.accounts.list

billing.accounts.move

billing.accounts.redeemPromotion

billing.accounts.removeFromOrganization

billing.accounts.reopen

billing.accounts.setIamPolicy

billing.accounts.update

billing.accounts.updatePaymentInfo

billing.accounts.updateUsageExportSpec

billing.billingAccountPrice.get

billing.billingAccountPrices.list

billing.billingAccountServices.*

  • billing.billingAccountServices.get
  • billing.billingAccountServices.list

billing.billingAccountSkuGroupSkus.*

  • billing.billingAccountSkuGroupSkus.get
  • billing.billingAccountSkuGroupSkus.list

billing.billingAccountSkuGroups.*

  • billing.billingAccountSkuGroups.get
  • billing.billingAccountSkuGroups.list

billing.billingAccountSkus.*

  • billing.billingAccountSkus.get
  • billing.billingAccountSkus.list

billing.budgets.*

  • billing.budgets.create
  • billing.budgets.delete
  • billing.budgets.get
  • billing.budgets.list
  • billing.budgets.update

billing.credits.list

billing.finOpsBenchmarkInformation.get

billing.finOpsHealthInformation.get

billing.resourceAssociations.*

  • billing.resourceAssociations.create
  • billing.resourceAssociations.delete
  • billing.resourceAssociations.list

billing.subscriptions.*

  • billing.subscriptions.create
  • billing.subscriptions.get
  • billing.subscriptions.list
  • billing.subscriptions.update

cloudasset.assets.searchAllResources

cloudnotifications.activities.list

cloudsupport.properties.get

cloudsupport.techCases.*

  • cloudsupport.techCases.create
  • cloudsupport.techCases.escalate
  • cloudsupport.techCases.get
  • cloudsupport.techCases.list
  • cloudsupport.techCases.update

commerceoffercatalog.*

  • commerceoffercatalog.agreements.get
  • commerceoffercatalog.agreements.list
  • commerceoffercatalog.documents.get
  • commerceoffercatalog.documents.list
  • commerceoffercatalog.offers.get

compute.commitments.*

  • compute.commitments.create
  • compute.commitments.get
  • compute.commitments.list
  • compute.commitments.update
  • compute.commitments.updateReservations

consumerprocurement.accounts.*

  • consumerprocurement.accounts.create
  • consumerprocurement.accounts.delete
  • consumerprocurement.accounts.get
  • consumerprocurement.accounts.list

consumerprocurement.consents.check

consumerprocurement.consents.grant

consumerprocurement.consents.list

consumerprocurement.consents.revoke

consumerprocurement.events.*

  • consumerprocurement.events.get
  • consumerprocurement.events.list

consumerprocurement.licensePools.*

  • consumerprocurement.licensePools.assign
  • consumerprocurement.licensePools.enumerateLicensedUsers
  • consumerprocurement.licensePools.get
  • consumerprocurement.licensePools.unassign
  • consumerprocurement.licensePools.update

consumerprocurement.orderAttributions.*

  • consumerprocurement.orderAttributions.get
  • consumerprocurement.orderAttributions.list
  • consumerprocurement.orderAttributions.update

consumerprocurement.orders.*

  • consumerprocurement.orders.cancel
  • consumerprocurement.orders.get
  • consumerprocurement.orders.list
  • consumerprocurement.orders.modify
  • consumerprocurement.orders.place

dataprocessing.datasources.get

dataprocessing.datasources.list

dataprocessing.groupcontrols.get

dataprocessing.groupcontrols.list

logging.logEntries.list

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.privateLogEntries.list

recommender.cloudsqlIdleInstanceRecommendations.get

recommender.cloudsqlIdleInstanceRecommendations.list

recommender.cloudsqlOverprovisionedInstanceRecommendations.get

recommender.cloudsqlOverprovisionedInstanceRecommendations.list

recommender.commitmentUtilizationInsights.*

  • recommender.commitmentUtilizationInsights.get
  • recommender.commitmentUtilizationInsights.list
  • recommender.commitmentUtilizationInsights.update

recommender.computeAddressIdleResourceRecommendations.get

recommender.computeAddressIdleResourceRecommendations.list

recommender.computeDiskIdleResourceRecommendations.get

recommender.computeDiskIdleResourceRecommendations.list

recommender.computeImageIdleResourceRecommendations.get

recommender.computeImageIdleResourceRecommendations.list

recommender.computeInstanceGroupManagerMachineTypeRecommendations.get

recommender.computeInstanceGroupManagerMachineTypeRecommendations.list

recommender.computeInstanceIdleResourceRecommendations.get

recommender.computeInstanceIdleResourceRecommendations.list

recommender.computeInstanceMachineTypeRecommendations.get

recommender.computeInstanceMachineTypeRecommendations.list

recommender.costInsights.*

  • recommender.costInsights.get
  • recommender.costInsights.list
  • recommender.costInsights.update

recommender.costRecommendations.*

  • recommender.costRecommendations.listAll
  • recommender.costRecommendations.summarizeAll

recommender.resourcemanagerProjectUtilizationRecommendations.get

recommender.resourcemanagerProjectUtilizationRecommendations.list

recommender.spendBasedCommitmentInsights.*

  • recommender.spendBasedCommitmentInsights.get
  • recommender.spendBasedCommitmentInsights.list
  • recommender.spendBasedCommitmentInsights.update

recommender.spendBasedCommitmentRecommendations.*

  • recommender.spendBasedCommitmentRecommendations.get
  • recommender.spendBasedCommitmentRecommendations.list
  • recommender.spendBasedCommitmentRecommendations.update

recommender.spendBasedCommitmentRecommenderConfig.*

  • recommender.spendBasedCommitmentRecommenderConfig.get
  • recommender.spendBasedCommitmentRecommenderConfig.update

recommender.usageCommitmentRecommendations.*

  • recommender.usageCommitmentRecommendations.get
  • recommender.usageCommitmentRecommendations.list
  • recommender.usageCommitmentRecommendations.update

resourcemanager.projects.createBillingAssignment

resourcemanager.projects.deleteBillingAssignment

resourcemanager.projects.get

resourcemanager.projects.list

Billing Account Costs Manager (roles/billing.costsManager)

Manage budgets for a billing account, and view, analyze, and export cost information of a billing account.

Lowest-level resources where you can grant this role:

  • Billing Account

billing.accounts.get

billing.accounts.getIamPolicy

billing.accounts.getSpendingInformation

billing.accounts.getUsageExportSpec

billing.accounts.list

billing.accounts.updateUsageExportSpec

billing.budgets.*

  • billing.budgets.create
  • billing.budgets.delete
  • billing.budgets.get
  • billing.budgets.list
  • billing.budgets.update

billing.resourceAssociations.list

recommender.costInsights.*

  • recommender.costInsights.get
  • recommender.costInsights.list
  • recommender.costInsights.update

Billing Account Creator (roles/billing.creator)

Provides access to create billing accounts.

Lowest-level resources where you can grant this role:

  • Organization

billing.accounts.create

resourcemanager.organizations.get

Project Billing Manager (roles/billing.projectManager)

When granted in conjunction with the Billing Account User role, provides access to assign a project's billing account or disable its billing.

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.projects.createBillingAssignment

resourcemanager.projects.deleteBillingAssignment

Billing Account User (roles/billing.user)

When granted in conjunction with the Project Owner role or Project Billing Manager role, provides access to associate projects with billing accounts.

Lowest-level resources where you can grant this role:

  • Billing Account

billing.accounts.get

billing.accounts.getIamPolicy

billing.accounts.list

billing.accounts.redeemPromotion

billing.credits.list

billing.resourceAssociations.create

Billing Account Viewer (roles/billing.viewer)

View billing account cost and pricing information, transactions, and billing and commitment recommendations.

Lowest-level resources where you can grant this role:

  • Billing Account

billing.accounts.get

billing.accounts.getCarbonInformation

billing.accounts.getIamPolicy

billing.accounts.getPaymentInfo

billing.accounts.getPricing

billing.accounts.getSpendingInformation

billing.accounts.getUsageExportSpec

billing.accounts.list

billing.billingAccountPrice.get

billing.billingAccountPrices.list

billing.billingAccountServices.*

  • billing.billingAccountServices.get
  • billing.billingAccountServices.list

billing.billingAccountSkuGroupSkus.*

  • billing.billingAccountSkuGroupSkus.get
  • billing.billingAccountSkuGroupSkus.list

billing.billingAccountSkuGroups.*

  • billing.billingAccountSkuGroups.get
  • billing.billingAccountSkuGroups.list

billing.billingAccountSkus.*

  • billing.billingAccountSkus.get
  • billing.billingAccountSkus.list

billing.budgets.get

billing.budgets.list

billing.credits.list

billing.finOpsBenchmarkInformation.get

billing.finOpsHealthInformation.get

billing.resourceAssociations.list

billing.subscriptions.get

billing.subscriptions.list

commerceoffercatalog.*

  • commerceoffercatalog.agreements.get
  • commerceoffercatalog.agreements.list
  • commerceoffercatalog.documents.get
  • commerceoffercatalog.documents.list
  • commerceoffercatalog.offers.get

consumerprocurement.accounts.get

consumerprocurement.accounts.list

consumerprocurement.consents.check

consumerprocurement.consents.list

consumerprocurement.orderAttributions.get

consumerprocurement.orderAttributions.list

consumerprocurement.orders.get

consumerprocurement.orders.list

dataprocessing.datasources.get

dataprocessing.datasources.list

dataprocessing.groupcontrols.get

dataprocessing.groupcontrols.list

recommender.commitmentUtilizationInsights.get

recommender.commitmentUtilizationInsights.list

recommender.costInsights.get

recommender.costInsights.list

recommender.costRecommendations.*

  • recommender.costRecommendations.listAll
  • recommender.costRecommendations.summarizeAll

recommender.spendBasedCommitmentInsights.get

recommender.spendBasedCommitmentInsights.list

recommender.spendBasedCommitmentRecommendations.get

recommender.spendBasedCommitmentRecommendations.list

recommender.spendBasedCommitmentRecommenderConfig.get

recommender.usageCommitmentRecommendations.get

recommender.usageCommitmentRecommendations.list

Note that the roles roles/billing.admin, roles/billing.costsManager, roles/billing.viewer, and roles/billing.projectManager include permissions for other Google Cloud services as well.