Overview of Cloud Billing Concepts

You can configure billing on Google Cloud Platform (GCP) in a variety of ways to meet different needs. This section introduces the core concepts for your organization and for billing, and discusses how to use them effectively.

Resource Overview

What is a resource?

In the context of GCP, resource can refer to the service-level resources that are used to process your workloads (VMs, DBs, and so on) as well as to the account-level resources that sit above the services, such as projects, folders, and the organization.

What is resource management?

Resource management is focused on how you should configure and grant access to the various Cloud resources for your company/team, specifically the setup and organization of the account-level resources that sit above the service-level resources. Account-level resources are the resources involved in setting up and administering your GCP account.

Resource Hierarchy

GCP resources are organized hierarchically. This hierarchy allows you to map your organization's operational structure to GCP, and to manage access control and permissions for groups of related resources. The resource hierarchy provides logical attach points for access management policies (Cloud Identity and Access Management) and Organization policies.

Both Cloud IAM and Organization policies are inherited through the hierarchy, and the effective policy at each node of the hierarchy is the result of policies directly applied at the node and policies inherited from its ancestors.

The following diagram shows an example resource hierarchy illustrating the core account-level resources involved in administering your GCP account.

Resource Hierarchy

Domain

  • Your company Domain is the primary identity of your organization and establishes your company's identity with Google services, including Google Cloud Platform.
  • You use the domain to manage the users in your organization.
    • At the domain level, you define which users should be associated with your organization when using Google Cloud Platform.
    • Domain is also where you can universally administer policy for your users and devices (for example, enable 2-factor authentication, reset passwords for any users in your organization).
  • The Domain is linked to either a G Suite or Cloud Identity account.
  • The G Suite or Cloud Identity account is associated with exactly one Organization.
  • You manage the domain-level functionality using the Google Admin Console (admin.google.com).

For more information on the hierarchy of resources, see the Cloud Resource Manager documentation.

Organization

  • An Organization is the root node of the Google Cloud Platform hierarchy of resources.
  • All GCP resources that belong to an Organization are grouped under the Organization node, allowing you to define settings, permissions, and policies for all projects, folders, resources, and billing accounts it parents.
  • An Organization is associated with exactly one Domain (established with either a G Suite or Cloud Identity account), and is created automatically when you set up your domain in Google Cloud.
  • Using an Organization, you can centrally manage your GCP resources and your users' access to those resources. This includes:
    • Proactive management: reorganize resources as needed (for example, restructuring or spinning up a new division may require new projects and folders).
    • Reactive management: an Organization resource provides a safety net to regain access to lost resources (for example, if one of your team members loses their access or leaves the company).
  • The various roles and resources that are related to GCP (including the organization, projects, folders, resources, and billing accounts) are managed within the Google Cloud Platform Console.

For more information on organizations, see the Creating and Managing Organizations.

Folders

  • Folders are a grouping mechanism and can contain projects, other folders, or a combination of both.
  • To use folders, you must have an Organization node.
  • Folders and projects are all mapped under the Organization node.
  • Folders can be used to group resources that share common Cloud IAM policies.
  • While a folder can contain multiple folders or resources, a given folder or resource can have exactly one parent.

For more details about using folders, see Creating and Managing Folders.

Projects

  • Projects are required to use service-level resources (such as Compute Engine virtual machines (VMs), Cloud Pub/Sub topics, Cloud Storage buckets, and so on).
  • All service-level resources are parented by projects, the base-level organizing entity in GCP.
  • You can use projects to represent logical projects, teams, environments, or other collections that map to a business function or structure.
  • Projects form the basis for enabling services, APIs, and Cloud IAM permissions.
  • Any given resource can only exist in one project.

For more details about projects, see Creating and Managing Projects.

Resources

  • GCP service-level resources are the fundamental components that make up all GCP services, such as Compute Engine virtual machines (VMs), Cloud Pub/Sub topics, Cloud Storage buckets, and so on.
  • For billing and access control purposes, resources exist at the lowest level of a hierarchy that also includes projects and an organization.

Labels

  • Labels help you categorize your Google Cloud Platform resources (such as Compute Engine instances).
  • A label is a key-value pair.
  • You can attach labels to each resource, then filter the resources based on their labels.
  • Labels great for cost tracking at a granular-level. Information about labels is forwarded to the billing system, so you can analyze your charges by label.

For more details about using labels, see Creating and Managing Labels.

Billing account & payments profile

Overview

A billing account is set up in GCP and is used to define who pays for a given set of GCP resources. Access control to a billing account is established by Cloud Identity and Access Management (IAM) roles. A billing account is connected to a Google payments profile that includes a payment instrument to which costs are charged.

monetization_on Billing Account payment Payments Profile
A Cloud Billing Account:
  • A Cloud-level resource managed in the Google Cloud Platform Console.
  • Tracks all of the costs (charges and usage credits) incurred by your GCP usage
    • A billing account can be linked to one or more projects.
    • Project usage is charged to the linked billing account.
  • Results in a single invoice per billing account
  • Operates in a single currency
  • Defines who pays for a given set of resources
  • Is connected to a Google Payments Profile, which includes a payment instrument, defining how you pay for your charges
  • Has billing-specific roles and permissions to control accessing and modifying billing-related functions (established by Cloud Identity and Access Management roles)
A Google Payments Profile:
  • Is a Google-level resource managed at payments.google.com.
  • Connects to ALL of your Google services (such as Google Ads, Google Cloud, and Fi phone service).
  • Processes payments for ALL Google services (not just Google Cloud).
  • Stores information like name, address, and tax ID (when required legally) of who is responsible for the profile.
  • Stores your various payment instruments (credit cards, debit cards, bank accounts, and other payment methods you've used to buy through Google in the past.)
  • Functions as a document center, where you can view invoices, payment history, and so on.
  • Controls who can view and receive invoices for your various billing accounts and products.

Google Cloud Platform Billing Projects

Billing account types

There are two types of billing accounts:

Payments profile types

When you create your payments profile, you'll be asked to specify the profile type. This information must be accurate for tax and identity verification. This setting can't be changed. When you are setting up your payments profile, make sure to choose the type that best fits how you plan to use your profile.

There are two types of payments profiles:

  • Individual

    • You're using your account for your own personal payments.
    • If you register your payments profile as an individual, then only you can manage the profile. You won't be able to add or remove users, or change permissions on the profile.
  • Business

    • You're paying on behalf of a business, organization, partnership, or educational institution.
    • You use Google payments center to pay for Play apps and games, and Google services like Google Ads, Google Cloud, and Fi phone service.
    • A business profile allows you to add other users to the Google payments profile you manage, so that more than one person can access or manage a payments profile.
    • All users added to a business profile can see the payment information on that profile.

Charging cycle

Costs are charged to a billing account automatically in one of two ways:

  • Monthly billing: Costs are charged on a regular monthly cycle.
  • Threshold billing: Costs are charged when your account has accrued a specific amount.

Invoiced billing accounts are always billed monthly. Self-serve billing accounts can use monthly or threshold billing. Learn more about threshold billing.

Billing contacts

A billing account includes a set of contacts, defined on the Google Payments profile connected to the billing account. These contacts are people who can receive billing information specific to the payment instrument on file (for example, when a credit card needs to be updated). You can manage the contacts through the Google Cloud Platform Console or the Payments console.

Subaccounts

Billing subaccounts allow you to group charges from projects together on a separate section of your invoice. A billing subaccount is a billing account with a billing linkage to a reseller's master billing account on which the charges appear. The master billing account must be on invoiced billing.

A subaccount behaves like a billing account in most ways: it can have projects linked to it, billing exports can be configured on it, and it can have Cloud IAM roles defined on it. Any charges made to projects linked to the subaccount are grouped and subtotalled on the invoice, and the effect on resource management is that access control policy can be entirely segregated on the subaccount to allow for customer separation and management.

Subaccounts are typically used to represent resellers' customers for chargeback purposes.

Google Cloud Platform Billing Projects

The Cloud Billing API provides the ability to create and manage subaccounts via the API so you can connect to your existing systems and provision new customers or chargeback groups programmatically.

Relationships between organizations, projects, billing accounts, and payments profiles

Two types of relationships govern the interactions between organizations, billing accounts, and projects: ownership and payment linkage.

  • Ownership refers to Cloud IAM permission inheritance.
  • Payment linkages define which billing account pays for a given project.

The following diagram shows the relationship of ownership and payment linkages for a sample organization.

Relationship of Ownership and Payment Linkages

In the diagram, the organization has ownership over Projects 1, 2, and 3, meaning that it is the Cloud IAM permissions parent of the three projects.

The billing account is linked to Projects 1, 2, and 3, meaning that it pays for costs incurred by the three projects.

The billing account is also linked to a Google payments profile, which stores information like name, address, and payment methods.

In this example, any users who are granted Cloud IAM billing roles on the organization also have those roles on the billing account or the projects.

For more information on granting Cloud IAM billing roles, see Overview of Billing Access Control.

Roles Overview

What are roles?

Roles grant one or more privileges to a user that allow performing a common business function.

How do roles work in GCP?

Google Cloud Platform offers Cloud Identity and Access Management (Cloud IAM) to manage access control to your GCP resources. Cloud IAM lets you control who (users) has what access (roles) to which resources by setting Cloud IAM policies. To assign permissions to a user, you use Cloud IAM policies to grant specific role(s) to a user. Roles have one or more permissions bundled within them, controlling user access to resources.

You can set a Cloud IAM policy (roles) at the organization level, the folder level, the project level, or (in some cases) on the service-level resource.

Policies are inherited through the hierarchy. The effective policy at each node of the hierarchy is the result of policies directly applied at the node and policies inherited from its ancestors. If you set a policy at the Organization level, it is inherited by all its child folders and projects. If you set a policy at the project level, it is inherited by all its child resources. You can enforce granular permissions at different levels in the resource hierarchy to ensure that the right individuals have the ability to spend within GCP.

Best Practices for Roles

  • Assign key roles to more that one person (reasonable redundancy)
  • Document who your admins are and communicate those names to people in your organization
  • Keep role assignments up to date

Important Roles

The diagram below represents the GCP resource hierarchy in complete form, and calls out the important high-access roles at each level:

public Domain
The G Suite or Cloud Identity super administrators at the domain level are the first users who can access an organization after creation.
Domain Super Admin
The Super Admin can grant the Organization Admin role (or any other role) and recover accounts at the Domain level.
Recommended Assignee
The Super Admin is usually someone who manages accesses at a high level, like a Domain Administrator.
Learn more about G Suite administrator roles and Cloud Identity admin roles.
domain Organization
An organization (for example, a company) is the root node in the GCP resource hierarchy. The Organization resource is the hierarchical ancestor of project resources and Folders. The Cloud IAM access control policies applied on the Organization resource apply throughout the hierarchy on all resources in the organization.
Role: Organization Admin
The Organization Admin can administer any resource and grant any role within the Organization.
Recommended Assignee
The Organization Admin is usually someone who manages access control, like an IT Administrator.
Learn more about Organization roles.
folder Folders
Folder resources provide additional grouping mechanisms and isolation boundaries between projects. They can be seen as sub-organizations within the Organization. Folders can be used to model different legal entities, departments, and teams within a company. Folders can contain sub-folders and projects.
Role: Folder Administrator
The Folder Administrator can create and edit the Cloud IAM policy of folders. They decide how roles are inherited by Projects in the folders.
Recommended Assignee
The Folder Administrator manages finer access control, and is typically a department head or team manager.
Learn more about Folder roles.
Projects
The project resource is the base-level organizing entity. Organizations and folders may contain multiple projects. A project is required to use Google Cloud Platform, and forms the basis for creating, enabling, and using all GCP services, managing APIs, enabling billing, adding and removing collaborators, and managing permissions.
Role: Project Creator
The Project Creator role allows for the creation of Projects and inherently allows resources to be spun up on GCP and incur usage.
Recommended Assignee
Project Creators in your organization might be team leads or service accounts (for automation).
Role: Project Owner & User
The Project Owner & User role allows you to see costs and usage in project and to label resources.
Recommended Assignee
Project owners and users in your organization might be team leads or developers.
Learn more about Project roles.
monetization_on Billing Account
Cloud Billing Accounts are linked to and pay for Projects. Cloud Billing accounts are connected to a Google Payments Profile.
Role: Billing Account Admin
The Billing Account Admin can enable Billing Export, view cost/spend, set budgets and alerts, and link/unlink projects.
Recommended Assignee
The Billing Admins in your organization may be someone more finance-minded.
Role: Billing User
Billing Users can link Projects to billing accounts, but cannot unlink them. It is usually issued broadly in concert with the Project Creator role.
Recommended Assignee
Trusted Project Creators in your Organization typically need this role.
Learn more about Billing roles.
payment Payments Profile
Payments Profiles are managed outside of your Cloud Organization, in the Google Payments Center, a single location where you can manage the ways you pay for all Google products and services, such as Google Ads, Google Cloud, and Fi phone service. Payments Profiles are connected to Cloud Billing accounts.
Payments Profile Admin
The Payments Profile Admin can view and manage payment methods, make payments, view invoices, and see Payments Accounts.
Recommended Assignee
The Payments Profile Admins in your organization are typically part of your Finance or Accounting teams.
Learn more about Payments Profile user permissions.

picture_as_pdf A Guide to Financial Governance in the Cloud

video_library Video library: Google Cloud Cost Management. Learn best practices for monitoring and managing your costs.

Оцените, насколько информация на этой странице была вам полезна:

Оставить отзыв о...

Текущей странице
Cloud Billing Documentation