You can configure billing on Google Cloud Platform (GCP) in a variety of ways to meet different needs. This section introduces the core concepts for your organization and for billing, and discusses how to use them effectively.
What is a resource?
In the context of GCP, resource can refer to the service-level resources that are used to process your workloads (VMs, DBs, and so on) as well as to the account-level resources that sit above the services, such as projects, folders, and the organization.
What is resource management?
Resource management is focused on how you should configure and grant access to the various Cloud resources for your company/team, specifically the setup and organization of the account-level resources that sit above the service-level resources. Account-level resources are the resources involved in setting up and administering your GCP account.
GCP resources are organized hierarchically. This hierarchy allows you to map your organization's operational structure to GCP, and to manage access control and permissions for groups of related resources. The resource hierarchy provides logical attach points for access management policies (Cloud Identity and Access Management) and Organization policies.
Both Cloud IAM and Organization policies are inherited through the hierarchy, and the effective policy at each node of the hierarchy is the result of policies directly applied at the node and policies inherited from its ancestors.
The following diagram shows an example resource hierarchy illustrating the core account-level resources involved in administering your GCP account.
- Your company Domain is the primary identity of your organization and establishes your company's identity with Google services, including Google Cloud Platform.
- You use the domain to manage the users in your organization.
- At the domain level, you define which users should be associated with your organization when using Google Cloud Platform.
- Domain is also where you can universally administer policy for your users and devices (for example, enable 2-factor authentication, reset passwords for any users in your organization).
- The Domain is linked to either a G Suite or Cloud Identity account.
- The G Suite or Cloud Identity account is associated with exactly one Organization.
- You manage the domain-level functionality using the Google Admin Console (admin.google.com).
For more information on the hierarchy of resources, see the Cloud Resource Manager documentation.
- An Organization is the root node of the Google Cloud Platform hierarchy of resources.
- All GCP resources that belong to an Organization are grouped under the Organization node, allowing you to define settings, permissions, and policies for all projects, folders, resources, and billing accounts it parents.
- An Organization is associated with exactly one Domain (established with either a G Suite or Cloud Identity account), and is created automatically when you set up your domain in Google Cloud.
- Using an Organization, you can centrally manage your GCP resources and your
users' access to those resources. This includes:
- Proactive management: reorganize resources as needed (for example, restructuring or spinning up a new division may require new projects and folders).
- Reactive management: an Organization resource provides a safety net to regain access to lost resources (for example, if one of your team members loses their access or leaves the company).
- The various roles and resources that are related to GCP (including the organization, projects, folders, resources, and billing accounts) are managed within the Google Cloud Platform Console.
For more information on organizations, see the Creating and Managing Organizations.
- Folders are a grouping mechanism and can contain projects, other folders, or a combination of both.
- To use folders, you must have an Organization node.
- Folders and projects are all mapped under the Organization node.
- Folders can be used to group resources that share common Cloud IAM policies.
- While a folder can contain multiple folders or resources, a given folder or resource can have exactly one parent.
For more details about using folders, see Creating and Managing Folders.
- Projects are required to use service-level resources (such as Compute Engine virtual machines (VMs), Cloud Pub/Sub topics, Cloud Storage buckets, and so on).
- All service-level resources are parented by projects, the base-level organizing entity in GCP.
- You can use projects to represent logical projects, teams, environments, or other collections that map to a business function or structure.
- Projects form the basis for enabling services, APIs, and Cloud IAM permissions.
- Any given resource can only exist in one project.
For more details about projects, see Creating and Managing Projects.
- GCP service-level resources are the fundamental components that make up all GCP services, such as Compute Engine virtual machines (VMs), Cloud Pub/Sub topics, Cloud Storage buckets, and so on.
- For billing and access control purposes, resources exist at the lowest level of a hierarchy that also includes projects and an organization.
- Labels help you categorize your Google Cloud Platform resources (such as Compute Engine instances).
- A label is a key-value pair.
- You can attach labels to each resource, then filter the resources based on their labels.
- Labels great for cost tracking at a granular-level. Information about labels is forwarded to the billing system, so you can analyze your charges by label.
For more details about using labels, see Creating and Managing Labels.
Billing account & payments profile
A billing account is set up in GCP and is used to define who pays for a given set of GCP resources. Access control to a billing account is established by Cloud Identity and Access Management (IAM) roles. A billing account is connected to a Google payments profile that includes a payment instrument to which costs are charged.
|Billing Account||Payments Profile|
A Cloud Billing Account:
A Google Payments Profile:
Billing account types
There are two types of billing accounts:
- Payment instrument is a credit or debit card or ACH direct debit, depending on availability in each country or region.
- Costs are charged automatically.
- You can sign up for self-serve accounts online.
- Payment instrument can be check or wire transfer.
- Invoices are sent by mail or electronically.
- You must be eligible for invoiced billing. Learn more about invoiced billing eligibility.
Payments profile types
When you create your payments profile, you'll be asked to specify the profile type. This information must be accurate for tax and identity verification. This setting can't be changed. When you are setting up your payments profile, make sure to choose the type that best fits how you plan to use your profile.
There are two types of payments profiles:
- You're using your account for your own personal payments.
- If you register your payments profile as an individual, then only you can manage the profile. You won't be able to add or remove users, or change permissions on the profile.
- You're paying on behalf of a business, organization, partnership, or educational institution.
- You use Google payments center to pay for Play apps and games, and Google services like Google Ads, Google Cloud, and Fi phone service.
- A business profile allows you to add other users to the Google payments profile you manage, so that more than one person can access or manage a payments profile.
- All users added to a business profile can see the payment information on that profile.
Costs are charged to a billing account automatically in one of two ways:
- Monthly billing: Costs are charged on a regular monthly cycle.
- Threshold billing: Costs are charged when your account has accrued a specific amount.
Invoiced billing accounts are always billed monthly. Self-serve billing accounts can use monthly or threshold billing. Learn more about threshold billing.
A billing account includes a set of contacts, defined on the Google Payments profile connected to the billing account. These contacts are people who can receive billing information specific to the payment instrument on file (for example, when a credit card needs to be updated). You can manage the contacts through the Google Cloud Platform Console or the Payments console.
Billing subaccounts allow you to group charges from projects together on a separate section of your invoice. A billing subaccount is a billing account with a billing linkage to a reseller's master billing account on which the charges appear. The master billing account must be on invoiced billing.
A subaccount behaves like a billing account in most ways: it can have projects linked to it, billing exports can be configured on it, and it can have Cloud IAM roles defined on it. Any charges made to projects linked to the subaccount are grouped and subtotalled on the invoice, and the effect on resource management is that access control policy can be entirely segregated on the subaccount to allow for customer separation and management.
Subaccounts are typically used to represent resellers' customers for chargeback purposes.
The Cloud Billing API provides the ability to create and manage subaccounts via the API so you can connect to your existing systems and provision new customers or chargeback groups programmatically.
Relationships between organizations, projects, billing accounts, and payments profiles
Two types of relationships govern the interactions between organizations, billing accounts, and projects: ownership and payment linkage.
- Ownership refers to Cloud IAM permission inheritance.
- Payment linkages define which billing account pays for a given project.
The following diagram shows the relationship of ownership and payment linkages for a sample organization.
In the diagram, the organization has ownership over Projects 1, 2, and 3, meaning that it is the Cloud IAM permissions parent of the three projects.
The billing account is linked to Projects 1, 2, and 3, meaning that it pays for costs incurred by the three projects.
The billing account is also linked to a Google payments profile, which stores information like name, address, and payment methods.
In this example, any users who are granted Cloud IAM billing roles on the organization also have those roles on the billing account or the projects.
For more information on granting Cloud IAM billing roles, see Overview of Billing Access Control.
What are roles?
Roles grant one or more privileges to a user that allow performing a common business function.
How do roles work in GCP?
Google Cloud Platform offers Cloud Identity and Access Management (Cloud IAM) to manage access control to your GCP resources. Cloud IAM lets you control who (users) has what access (roles) to which resources by setting Cloud IAM policies. To assign permissions to a user, you use Cloud IAM policies to grant specific role(s) to a user. Roles have one or more permissions bundled within them, controlling user access to resources.
Policies are inherited through the hierarchy. The effective policy at each node of the hierarchy is the result of policies directly applied at the node and policies inherited from its ancestors. If you set a policy at the Organization level, it is inherited by all its child folders and projects. If you set a policy at the project level, it is inherited by all its child resources. You can enforce granular permissions at different levels in the resource hierarchy to ensure that the right individuals have the ability to spend within GCP.
Best Practices for Roles
- Assign key roles to more that one person (reasonable redundancy)
- Document who your admins are and communicate those names to people in your organization
- Keep role assignments up to date
The diagram below represents the GCP resource hierarchy in complete form, and calls out the important high-access roles at each level: