You can configure billing on Google Cloud Platform (GCP) in a variety of ways to meet different needs. This section introduces the core concepts for your organization and for billing, and discusses how to use them effectively.
GCP resource hierarchy overview
The GCP resource hierarchy, especially in its most complete form which includes an Organization node and folders, allows companies to map their organization onto GCP and provides logical attach points for access management policies (Cloud Identity and Access Management) and Organization policies.
Both Cloud IAM and Organization policies are inherited through the hierarchy, and the effective policy at each node of the hierarchy is the result of policies directly applied at the node and policies inherited from its ancestors.
The diagram below represents an example GCP resource hierarchy in complete form:
An organization is the top of the hierarchy of resources. Within the organization, folders group projects, as well as other folders. Projects contain resources. Resources can be further categorized using labels. You can enforce granular permissions at different levels in the resource hierarchy to ensure that the right individuals have the ability to spend within GCP.
Billing accounts are linked to and pay for projects.
An organization is the top of the hierarchy of resources. All resources that belong to an organization are grouped under the organization node, which provides insight into and access control over every resource in the organization.
For more information on organizations and the hierarchy of resources, see the Cloud Resource Manager documentation.
Folders are a grouping mechanism and can contain projects, other folders, or a combination of both. To use folders, you must have an Organization node. Folders and projects are all mapped under the Organization node. Folders can be used to group resources that share common Cloud IAM policies. While a folder can contain multiple folders or resources, a given folder or resource can have exactly one parent.
For more details about using folders, see Creating and Managing Folders.
All lower level resources are parented by projects, which are the middle layer in the hierarchy of resources. You can use projects to represent logical projects, teams, environments, or other collections that map to a business function or structure. Any given resource can only exist in one project.
For more details about projects, see Creating and Managing Projects.
GCP resources are the fundamental components that make up all GCP services, such as Compute Engine virtual machines (VMs), Cloud Pub/Sub topics, Cloud Storage buckets, and so on. For billing and access control purposes, resources exist at the lowest level of a hierarchy that also includes projects and an organization.
Labels help you categorize your Google Cloud Platform resources (such as Compute Engine instances). A label is a key-value pair. You can attach a label to each resource, then filter the resources based on their labels. Information about labels is forwarded to the billing system, so you can break down your billing charges by label.
For more details about using labels, see Creating and Managing Labels.
A billing account is used to define who pays for a given set of resources. Access control to a billing account is established by Cloud Identity and Access Management (IAM) roles. A billing account is connected to a Google payments profile that includes a payment instrument to which costs are charged.
A billing account can be linked to one or more projects. Project usage is charged to the linked billing account. Projects that are not linked to a billing account cannot use GCP services that aren't free.
There are two types of billing accounts:
- Payment instrument is a credit or debit card or ACH direct debit, depending on availability in each country or region.
- Costs are charged automatically.
- You can sign up for self-serve accounts online.
- Payment instrument can be check or wire transfer.
- Invoices are sent by mail or electronically.
- You must be eligible for invoiced billing. Learn more about invoiced billing eligibility.
Costs are charged to a billing account automatically in one of two ways:
- Monthly billing: Costs are charged on a regular monthly cycle.
- Threshold billing: Costs are charged when your account has accrued a specific amount.
Invoiced billing accounts are always billed monthly. Self-serve billing accounts can use monthly or threshold billing. Learn more about threshold billing.
A billing account includes a set of contacts, defined on the Google Payments profile connected to the account, for people who can receive billing information specific to the payment instrument on file (for example, when a credit card needs to be updated). You can manage those contacts through the Google Cloud Platform Console or the Payments console.
Billing subaccounts allow you to group charges from projects together on a separate section of your invoice. A billing subaccount is a billing account with a billing linkage to a reseller's master billing account on which the charges appear. The master billing account must be on invoiced billing.
A subaccount behaves like a billing account in most ways: it can have projects linked to it, billing exports can be configured on it, and it can have Cloud IAM roles defined on it. Any charges made to projects linked to the subaccount are grouped and subtotalled on the invoice, and the effect on resource management is that access control policy can be entirely segregated on the subaccount to allow for customer separation and management.
Subaccounts are typically used to represent resellers' customers for chargeback purposes.
The Cloud Billing API provides the ability to create and manage subaccounts via the API so you can connect to your existing systems and provision new customers or chargeback groups programmatically.
Relationships between organizations, projects, billing accounts, and payments profiles
Two types of relationships govern the interactions between billing accounts, organizations, and projects: ownership and payment linkage.
- Ownership refers to Cloud IAM permission inheritance.
- Payment linkages define which billing account pays for a given project.
The following diagram shows the relationship of ownership and payment linkages for a sample organization.
In the diagram, the organization has ownership over Projects A, B, and C, meaning that it is the Cloud IAM permissions parent of the three projects.
The billing account is linked to Projects A, B, and C, meaning that it pays for expenses incurred by the three projects.
The billing account is connected to a Google payments profile, which stores information like name, address, and payment methods.
In this example, any users who are granted Cloud IAM billing roles on the organization also have those roles on the billing account or the projects.
For more information on granting Cloud IAM billing roles, see Overview of Billing Access Control.
How roles work: Google Cloud Platform (GCP) offers Cloud Identity and Access Management (IAM) to manage access control to your GCP resources. Cloud IAM lets you control who (users) has what access (roles) to which resources by setting Cloud IAM policies. To assign permissions to a user, you use Cloud IAM policies to grant specific role(s) to a user. Roles have one or more permissions bundled within them, controlling user access to resources.
Policies are inherited through the hierarchy. The effective policy at each node of the hierarchy is the result of policies directly applied at the node and policies inherited from its ancestors. You can enforce granular permissions at different levels in the resource hierarchy to ensure that the right individuals have the ability to spend within GCP.
The diagram below represents the GCP resource hierarchy in complete form, and calls out the important high-access roles at each level: