Overview of Cloud Billing Concepts

You can configure billing on Google Cloud Platform (GCP) in a variety of ways to meet different needs. This section introduces the core concepts for your organization and for billing, and discusses how to use them effectively.

GCP resource hierarchy overview

The GCP resource hierarchy, especially in its most complete form, which includes an Organization node and folders, allows companies to map their organization onto GCP and provides logical attachment points for access management policies (Cloud Identity and Access Management) and Organization policies.

Both Cloud IAM and Organization policies are inherited through the hierarchy, and the effective policy at each node of the hierarchy is the result of policies directly applied at the node and policies inherited from its ancestors.

The diagram below represents an example GCP resource hierarchy in complete form:

[Figure: Resource Hierarchy]

An organization is the top of the hierarchy of resources. Within the organization, folders group projects, as well as other folders. Projects contain resources. Resources can be further categorized using labels. You can enforce granular permissions at different levels in the resource hierarchy to ensure that the right individuals have the ability to spend within GCP.

Billing accounts are linked to and pay for projects.

Organization

An organization is the top of the hierarchy of resources. All resources that belong to an organization are grouped under the organization node, which provides insight into and access control over every resource in the organization.

For more information on organizations and the hierarchy of resources, see the Cloud Resource Manager documentation.

Folders

Folders are a grouping mechanism and can contain projects, other folders, or a combination of both. To use folders, you must have an Organization node. Folders and projects are all mapped under the Organization node. Folders can be used to group resources that share common Cloud IAM policies. While a folder can contain multiple folders or resources, a given folder or resource can have exactly one parent.

For more details about using folders, see Creating and Managing Folders.

Projects

All lower-level resources are parented by projects, which are the middle layer in the hierarchy of resources. You can use projects to represent logical projects, teams, environments, or other collections that map to a business function or structure. Any given resource can only exist in one project.

For more details about projects, see Creating and Managing Projects.

Resources

GCP resources are the fundamental components that make up all GCP services, such as Compute Engine virtual machines (VMs), Cloud Pub/Sub topics, Cloud Storage buckets, and so on. For billing and access control purposes, resources exist at the lowest level of a hierarchy that also includes projects and an organization.

Labels

Labels help you categorize your Google Cloud Platform resources (such as Compute Engine instances). A label is a key-value pair. You can attach a label to each resource, then filter the resources based on their labels. Information about labels is forwarded to the billing system, so you can break down your billing charges by label.

For more details about using labels, see Creating and Managing Labels.

Billing account

Overview

A billing account is used to define who pays for a given set of resources. Access control to a billing account is established by Cloud Identity and Access Management (IAM) roles. A billing account is connected to a Google payments profile that includes a payment instrument to which costs are charged.

A billing account can be linked to one or more projects. Project usage is charged to the linked billing account. Projects that are not linked to a billing account cannot use GCP services that aren't free.

[Figure: Google Cloud Platform Billing Projects]

Account types

There are two types of billing accounts:

Charging cycle

Costs are charged to a billing account automatically in one of two ways:

  • Monthly billing: Costs are charged on a regular monthly cycle.
  • Threshold billing: Costs are charged when your account has accrued a specific amount.

Invoiced billing accounts are always billed monthly. Self-serve billing accounts can use monthly or threshold billing. Learn more about threshold billing.

Billing contacts

A billing account includes a set of contacts, defined on the Google Payments profile connected to the account, for people who can receive billing information specific to the payment instrument on file (for example, when a credit card needs to be updated). You can manage those contacts through the Google Cloud Platform Console or the Payments console.

Subaccounts

Billing subaccounts allow you to group charges from projects together on a separate section of your invoice. A billing subaccount is a billing account with a billing linkage to a reseller's master billing account on which the charges appear. The master billing account must be on invoiced billing.

A subaccount behaves like a billing account in most ways: it can have projects linked to it, billing exports can be configured on it, and it can have Cloud IAM roles defined on it. Any charges made to projects linked to the subaccount are grouped and subtotalled on the invoice, and the effect on resource management is that access control policy can be entirely segregated on the subaccount to allow for customer separation and management.

Subaccounts are typically used to represent resellers' customers for chargeback purposes.

[Figure: Google Cloud Platform Billing Projects]

The Cloud Billing API provides the ability to create and manage subaccounts via the API so you can connect to your existing systems and provision new customers or chargeback groups programmatically.

Relationships between organizations, projects, billing accounts, and payments profiles

Two types of relationships govern the interactions between billing accounts, organizations, and projects: ownership and payment linkage.

  • Ownership refers to Cloud IAM permission inheritance.
  • Payment linkages define which billing account pays for a given project.

The following diagram shows the relationship of ownership and payment linkages for a sample organization.

[Figure: Relationship of Ownership and Payment Linkages]

In the diagram, the organization has ownership over Projects A, B, and C, meaning that it is the Cloud IAM permissions parent of the three projects.

The billing account is linked to Projects A, B, and C, meaning that it pays for expenses incurred by the three projects.

The billing account is connected to a Google payments profile, which stores information like name, address, and payment methods.

In this example, any users who are granted Cloud IAM billing roles on the organization also have those roles on the billing account or the projects.

For more information on granting Cloud IAM billing roles, see Overview of Billing Access Control.

Important Roles

How roles work: Google Cloud Platform (GCP) offers Cloud Identity and Access Management (IAM) to manage access control to your GCP resources. Cloud IAM lets you control who (users) has what access (roles) to which resources by setting Cloud IAM policies. To assign permissions to a user, you use Cloud IAM policies to grant specific role(s) to a user. Roles have one or more permissions bundled within them, controlling user access to resources.

Policies are inherited through the hierarchy. The effective policy at each node of the hierarchy is the result of policies directly applied at the node and policies inherited from its ancestors. You can enforce granular permissions at different levels in the resource hierarchy to ensure that the right individuals have the ability to spend within GCP.
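The inheritance rule above, and the earlier statement that billing roles granted on the organization also apply to the billing account, can be checked with a small model. This is an added example, not code from the original page: the hierarchy, member names and helper functions are hypothetical, and the effective policy is assumed to be a plain union of the bindings on a node and its ancestors.

```python
from collections import defaultdict

CREATOR = "roles/resourcemanager.projectCreator"
BILLING_USER, BILLING_ADMIN = "roles/billing.user", "roles/billing.admin"

# Constructed sample data; every resource and member name is hypothetical.
# Ownership (Cloud IAM parent). The organization owns the billing account.
PARENT = {
    "folders/eng": "organizations/example",
    "projects/a": "folders/eng",
    "projects/b": "folders/eng",
    "billingAccounts/main": "organizations/example",
}
# Bindings set directly on each node: role -> members.
DIRECT = {
    "organizations/example": {
        BILLING_ADMIN: {"user:finance@example.com"},
        BILLING_USER: {"group:leads@example.com"},
    },
    "folders/eng": {
        CREATOR: {"group:leads@example.com", "serviceAccount:ci@example.com"},
    },
    "billingAccounts/main": {BILLING_USER: {"user:contractor@example.com"}},
}

def effective_policy(node):
    """Union of the bindings set on node and on each of its ancestors."""
    policy = defaultdict(set)
    while node is not None:
        for role, members in DIRECT.get(node, {}).items():
            policy[role] |= members
        node = PARENT.get(node)
    return dict(policy)

def inherited_only(node, role):
    """Members holding role on node only because an ancestor grants it."""
    direct = DIRECT.get(node, {}).get(role, set())
    return effective_policy(node).get(role, set()) - direct

def can_create_billed_projects(container, billing_account):
    """Members able to create projects in container and link them to the account."""
    creators = effective_policy(container).get(CREATOR, set())
    acct = effective_policy(billing_account)
    return creators & (acct.get(BILLING_USER, set()) | acct.get(BILLING_ADMIN, set()))

if __name__ == "__main__":
    print(inherited_only("billingAccounts/main", BILLING_USER))
    print(can_create_billed_projects("folders/eng", "billingAccounts/main"))
```

In an access review, the `inherited_only` result is the set to look at first: those members never appear in the billing account's own policy, yet they can link projects to it.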

The diagram below represents the GCP resource hierarchy in complete form, and calls out the important high-access roles at each level:

Domain

Domain Super Admin
The Super Admin can grant the Organization Admin role (or any other role) and recover accounts at the Domain level.
Who?
The Super Admin is usually someone who manages access at a high level, like a Domain Administrator.
Learn more about G Suite administrator roles and Cloud Identity admin roles.

Organization

Role: Organization Admin
The Organization Admin can administer any resource and grant any role within the Organization.
Who?
The Organization Admin is usually someone who manages access control, like an IT Administrator.
Learn more about Organization roles.

Folders

Role: Folder Administrator
The Folder Administrator can create and edit the Cloud IAM policy of folders. They decide how roles are inherited by Projects in the folders.
Who?
The Folder Administrator manages finer access control, and is typically a department head or team manager.
Learn more about Folder roles.

Projects

Role: Project Creator
The Project Creator role allows for the creation of Projects and inherently allows resources to be spun up on GCP and incur usage.
Who?
Project Creators in your organization might be team leads or service accounts (for automation).
Learn more about Project roles.

Billing Account

Role: Billing Account Admin
The Billing Account Admin can enable Billing Export, view cost/spend, set budgets and alerts, and link/unlink projects.
Who?
The Billing Account Admin in your organization may be someone more finance-minded.
Role: Billing User
Billing Users can link Projects to billing accounts, but cannot unlink them. This role is usually issued broadly in concert with the Project Creator role.
Who?
Trusted Project Creators in your Organization typically need this role.
Learn more about Billing roles.

Payments Profile

Payments Profile Admin
The Payments Profile Admin can view and manage payment methods, make payments, view invoices, and see Payments Accounts.
Who?
The Payments Profile Admins in your organization are typically part of your Finance or Accounting teams.
Learn more about Payments Profile user permissions.

Additional reading

A Guide to Financial Governance in the Cloud