Cloud Billing lets you control which users have administrative and cost viewing permissions for specified resources by setting Cloud Identity and Access Management (Cloud IAM) policies on the resources.
To grant or limit access to Cloud Billing, you can set a Cloud IAM policy at the organization level, the billing account level, and/or the project level. GCP resources inherit the Cloud IAM policies of their parent node, which means you can set a policy at the organization level to apply it to all the billing accounts, projects, and resources in the organization.
You can control viewing permissions at different levels for different users or roles by setting access permissions at the billing account or project level. To grant a user permission to view the costs of all projects under a billing account, give the user permission to view the costs for the billing account (billing.accounts.getSpendingInformation). To grant a user permission to view the costs for a specific project, give the user view permissions for the individual project (billing.resourceCosts.get).
Overview of Billing roles in Cloud IAM
The following predefined Billing Cloud IAM roles are designed to allow you to use access control to enforce separation of duties:
Role | Purpose | Level | Use case |
---|---|---|---|
Billing Account Creator | Create new self-serve (online) billing accounts. | Organization | Use this role for initial billing setup or to allow creation of additional billing accounts. Users must have this role to sign up for Google Cloud with a credit card using their corporate identity. Tip: Minimize the number of users who have this role to help prevent proliferation of untracked cloud spend in your organization. |
Billing Account Administrator | Manage billing accounts (but not create them). | Organization or billing account | This role is an owner role for a billing account. Use it to manage payment instruments, configure billing exports, view cost information, link and unlink projects, and manage other user roles on the billing account. |
Billing Account User | Link projects to billing accounts. | Organization or billing account | This role has very restricted permissions, so you can grant it broadly, typically in combination with Project Creator. These two roles allow a user to create new projects linked to the billing account on which the role is granted. |
Billing Account Viewer | View billing account cost information and transactions. | Organization or billing account | Billing Account Viewer access is usually granted to finance teams; it provides access to spend information but does not confer the right to link or unlink projects or otherwise manage the properties of the billing account. |
Project Billing Manager | Link/unlink the project to/from a billing account. | Organization or project | This role allows a user to attach the project to the billing account, but does not grant any rights over resources. Project Owners can use this role to allow someone else to manage the billing for the project without granting them resource access. |
Relationships between organizations, projects, billing accounts, and payments profiles
Two types of relationships govern the interactions between organizations, billing accounts, and projects: ownership and payment linkage.
- Ownership refers to Cloud IAM permission inheritance.
- Payment linkages define which billing account pays for a given project.
The following diagram shows the relationship of ownership and payment linkages for a sample organization.
In the diagram, the organization has ownership over Projects 1, 2, and 3, meaning that it is the Cloud IAM permissions parent of the three projects.
The billing account is linked to Projects 1, 2, and 3, meaning that it pays for costs incurred by the three projects.
The billing account is also linked to a Google payments profile, which stores information like name, address, and payment methods.
In this example, any users who are granted Cloud IAM billing roles on the organization also have those roles on the billing account or the projects.
Billing access control examples
Combine Cloud IAM roles as follows to meet the needs of a variety of scenarios.
Scenario: Small-to-medium enterprise with a preference for centralized control.
User type | Billing Cloud IAM roles | Billing activities |
---|---|---|
CEO | Billing Account Administrator | Manage payment instrument. View and approve invoices. |
CTO | Billing Account Administrator, Project Creator | Set budget alerts. View spend. Create new billable projects. |
Development teams | None | None |
Scenario: Small-to-medium enterprise with a preference for delegated authority.
User type | Billing Cloud IAM roles | Billing activities |
---|---|---|
CEO | Billing Account Administrator | Manage payment instrument. Delegate authority. |
CFO | Billing Account Administrator | Set budget alerts. View spend. |
Accounts payable | Billing Account Viewer | View and approve invoices. |
Development teams | Billing Account User, Project Creator | Create new billable projects. |
Scenario: Separate financial planning and procurement functions.
User type | Billing Cloud IAM roles | Billing activities |
---|---|---|
Procurement or Central IT | Billing Account Administrator | Manage payment instrument. Set budget alerts. Communicate spend to development teams. |
Financial planning | Billing Account Viewer | View billing reports. Process exports. Communicate with CxO. |
Accounts payable | Billing Account Viewer | Approve invoices. |
Development teams | Billing Account User, Project Creator | Create new billable projects. |
Scenario: Development agency.
User type | Billing Cloud IAM roles | Billing activities |
---|---|---|
CEO | Billing Account Administrator | Manage payment instrument. Delegate authority. |
CFO | Billing Account Administrator | Set budget alerts. View spend. Approve invoices. |
Project lead | Billing Account User, Project Creator | Create new billable projects. |
Project development team | None | Develop within existing projects. |
Client | Project Billing Manager | Take payment ownership of the project when it is completed. |
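The inheritance rule above (a role granted on the organization also applies to every billing account under it) and the role combinations in the delegated-authority scenario can be checked mechanically. The following is an added example, not Google's code or API: it takes IAM policies in the shape the Cloud IAM API returns (a list of bindings of role to members), merges the organization and billing-account policies into the effective bindings, lists roles per member the way the Permissions panel does, and applies the Billing Account Creator tip from the roles table. The sample policies and the threshold of two creators are constructed assumptions.

```python
"""Audit effective Cloud Billing IAM roles across the resource hierarchy.

Hypothetical helper (not Google's code). Policies are dicts in the shape the
Cloud IAM API returns: {"bindings": [{"role": ..., "members": [...]}]}.
Inheritance is additive: an organization-level binding also applies to
every billing account (and project) beneath the organization.
"""
from collections import defaultdict

# Predefined billing role IDs mapped to the names used in the roles table.
BILLING_ROLES = {
    "roles/billing.creator": "Billing Account Creator",
    "roles/billing.admin": "Billing Account Administrator",
    "roles/billing.user": "Billing Account User",
    "roles/billing.viewer": "Billing Account Viewer",
    "roles/billing.projectManager": "Project Billing Manager",
}

# Constructed sample: the delegated-authority scenario, with the CEO granted
# on the organization and everyone else granted on one billing account.
ORG_POLICY = {"bindings": [
    {"role": "roles/billing.admin", "members": ["user:ceo@example.com"]},
    {"role": "roles/billing.creator", "members": [
        "user:ceo@example.com", "user:cto@example.com", "group:devs@example.com"]},
]}
ACCOUNT_POLICY = {"bindings": [
    {"role": "roles/billing.admin", "members": ["user:cfo@example.com"]},
    {"role": "roles/billing.viewer", "members": ["group:ap@example.com"]},
    {"role": "roles/billing.user", "members": ["group:devs@example.com"]},
]}

def effective_bindings(*policies):
    """Union role -> members over parent and child policies (inheritance)."""
    roles = defaultdict(set)
    for policy in policies:
        for binding in policy.get("bindings", []):
            roles[binding["role"]].update(binding["members"])
    return {role: sorted(members) for role, members in roles.items()}

def roles_for_member(bindings, member):
    """Role IDs a member holds on the billing account, inherited ones included."""
    return sorted(role for role, members in bindings.items() if member in members)

def creator_findings(org_policy, max_creators=2):
    """Apply the tip: Billing Account Creator should be held by few, named users."""
    creators = effective_bindings(org_policy).get("roles/billing.creator", [])
    findings = []
    if len(creators) > max_creators:
        findings.append(f"{len(creators)} principals hold Billing Account Creator (limit {max_creators})")
    findings += [f"{m} is a group holding Billing Account Creator" for m in creators if m.startswith("group:")]
    return findings
```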
Update billing permissions
To add or remove billing permissions:
- Sign in to the Google Cloud Console.
- Open the console navigation menu and select Billing.
- If you have more than one billing account, select Go to linked billing account to manage the current project's billing. To locate a different billing account, select Manage billing accounts.
- From the Billing navigation menu, click Account management.
- On the right side of the Account management page, use the Permissions panel to edit permissions for the selected billing account. If the panel isn't already visible, click SHOW INFO PANEL to open it. (The link is in the upper-right corner of the page.)
The Permissions panel is organized by role, with members listed in each role. For example, in your Permissions panel you might see:
- Billing Account Administrator (2 members)
- Billing Account User (6 members)
- Billing Account Viewer (10 members)
You can assign the same member to more than one role.
To view the list of members for a corresponding role, click the role name to expand (or collapse) the list of members assigned to that role.
To find a specific member and see which roles are assigned to that member, use the Search members filter.
To update billing permissions, in the Permissions panel, do any of the following:
To add new members and assign permissions:
- Click Add members.
- In the New members field, enter one or more email addresses for the members you want to add. You can add individuals, service accounts, or Google Groups as members.
- Select a permission for the member(s) from Select a role.
- Set any conditions on the role (optional).
- If needed, you can Add another role to assign additional permissions for the member(s).
- When done, click Save.
To edit a member's billing permissions:
- Use the Search members filter to locate a specific member or role.
- In the list, locate the member you want to edit.
- In the member's row, click the edit icon on the right. The Edit permissions panel opens, specific to the selected member and resource (billing account) you are viewing.
- In the Edit permissions panel, add, edit, and delete roles for the selected member and resource.
- When done, click Save.
To remove a member from a role's list of members:
- Use the Search members filter to locate a specific member or role.
- In the list, locate the member you want to remove from that role.
- In the member's row, click the delete icon on the right. You will be prompted to confirm your action.
Related topics
- Cloud Billing API Access Control
- Granting, Changing, and Revoking Access to Project Members in the Cloud Identity and Access Management documentation
- Create Custom Roles for Billing