Overview of Cloud Billing access control

Cloud Billing lets you control which users have administrative and cost viewing permissions for specified resources by setting Identity and Access Management (IAM) policies on the resources.

To grant or limit access to Cloud Billing, you can set an IAM policy at the organization level, the Cloud Billing account level, and/or the project level. Google Cloud resources inherit the IAM policies of their parent node, which means you can set a policy at the organization level to apply it to all the Cloud Billing accounts, projects, and resources in the organization.

You can control viewing permissions at different levels for different users or roles by setting access permissions at the Cloud Billing account or project level. To grant permission to a user to view the costs of all projects under a Cloud Billing account, give the user permission to view the costs for a Cloud Billing account (billing.accounts.getSpendingInformation). To grant permission to a user to view the costs for a specific project, give the user view permissions for individual projects (billing.resourceCosts.get).

Overview of Cloud Billing roles in IAM

You don't directly give users permissions; instead, you grant them roles, which have one or more permissions bundled within them.

You can grant one or more roles on the same resource.

The following predefined Cloud Billing IAM roles are designed to allow you to use access control to enforce separation of duties:

Each role below is listed with its purpose, the level at which it is granted, and its typical use case.

Role: Billing Account Creator (roles/billing.creator)
  Purpose: Create new self-serve (online) billing accounts.
  Level: Organization.
  Use case: Use this role for initial billing setup or to allow creation of additional billing accounts. Users must have this role to sign up for Google Cloud with a credit card using their corporate identity.
  Tip: Minimize the number of users who have this role to help prevent proliferation of untracked cloud spend in your organization.

Role: Billing Account Administrator (roles/billing.admin)
  Purpose: Manage billing accounts (but not create them).
  Level: Organization or billing account.
  Use case: This role is an owner role for a billing account. Use it to manage payment instruments, configure billing exports, view cost information, link and unlink projects, and manage other user roles on the billing account.

Role: Billing Account User (roles/billing.user)
  Purpose: Link projects to billing accounts.
  Level: Organization or billing account.
  Use case: This role has very restricted permissions, so you can grant it broadly, typically in combination with Project Creator. These two roles allow a user to create new projects linked to the billing account on which the role is granted.

Role: Billing Account Viewer (roles/billing.viewer)
  Purpose: View billing account cost information and transactions.
  Level: Organization or billing account.
  Use case: Billing Account Viewer access would usually be granted to finance teams. It provides access to spend information, but does not confer the right to link or unlink projects or otherwise manage the properties of the billing account.

Role: Project Billing Manager (roles/billing.projectManager)
  Purpose: Link/unlink the project to/from a billing account.
  Level: Organization, folder, or project.
  Use case: This role allows a user to attach the project to the billing account, but does not grant any rights over resources. Project Owners can use this role to allow someone else to manage the billing for the project without granting them resource access.

The following table lists the details of the predefined IAM Billing roles, including the permissions bundled within each role.

Role Permissions

Billing Account Administrator
(roles/billing.admin)

Provides access to see and manage all aspects of billing accounts.

Lowest-level resource where you can grant this role: Billing Account

Permissions:

  • billing.accounts.close
  • billing.accounts.get
  • billing.accounts.getIamPolicy
  • billing.accounts.getPaymentInfo
  • billing.accounts.getPricing
  • billing.accounts.getSpendingInformation
  • billing.accounts.getUsageExportSpec
  • billing.accounts.list
  • billing.accounts.move
  • billing.accounts.redeemPromotion
  • billing.accounts.removeFromOrganization
  • billing.accounts.reopen
  • billing.accounts.setIamPolicy
  • billing.accounts.update
  • billing.accounts.updatePaymentInfo
  • billing.accounts.updateUsageExportSpec
  • billing.budgets.*
  • billing.credits.*
  • billing.resourceAssociations.*
  • billing.subscriptions.*
  • cloudnotifications.*
  • commerceoffercatalog.*
  • consumerprocurement.accounts.*
  • consumerprocurement.orders.*
  • dataprocessing.datasources.get
  • dataprocessing.datasources.list
  • dataprocessing.groupcontrols.get
  • dataprocessing.groupcontrols.list
  • logging.logEntries.list
  • logging.logServiceIndexes.*
  • logging.logServices.*
  • logging.logs.list
  • logging.privateLogEntries.*
  • recommender.commitmentUtilizationInsights.*
  • recommender.usageCommitmentRecommendations.*
  • resourcemanager.projects.createBillingAssignment
  • resourcemanager.projects.deleteBillingAssignment

Billing Account Costs Manager
(roles/billing.costsManager)

Can view and export cost information of billing accounts.

Permissions:

  • billing.accounts.get
  • billing.accounts.getIamPolicy
  • billing.accounts.getSpendingInformation
  • billing.accounts.getUsageExportSpec
  • billing.accounts.list
  • billing.accounts.updateUsageExportSpec
  • billing.budgets.*
  • billing.resourceAssociations.list

Billing Account Creator
(roles/billing.creator)

Provides access to create billing accounts.

Lowest-level resource where you can grant this role: Organization

Permissions:

  • billing.accounts.create
  • resourcemanager.organizations.get

Project Billing Manager
(roles/billing.projectManager)

Provides access to assign a project's billing account or disable its billing.

Lowest-level resource where you can grant this role: Project

Permissions:

  • resourcemanager.projects.createBillingAssignment
  • resourcemanager.projects.deleteBillingAssignment

Billing Account User
(roles/billing.user)

Provides access to associate projects with billing accounts.

Lowest-level resource where you can grant this role: Billing Account

Permissions:

  • billing.accounts.get
  • billing.accounts.getIamPolicy
  • billing.accounts.list
  • billing.accounts.redeemPromotion
  • billing.credits.*
  • billing.resourceAssociations.create

Billing Account Viewer
(roles/billing.viewer)

View billing account cost information and transactions.

Lowest-level resource where you can grant this role: Billing Account

Permissions:

  • billing.accounts.get
  • billing.accounts.getIamPolicy
  • billing.accounts.getPaymentInfo
  • billing.accounts.getPricing
  • billing.accounts.getSpendingInformation
  • billing.accounts.getUsageExportSpec
  • billing.accounts.list
  • billing.budgets.get
  • billing.budgets.list
  • billing.credits.*
  • billing.resourceAssociations.list
  • billing.subscriptions.get
  • billing.subscriptions.list
  • commerceoffercatalog.*
  • consumerprocurement.accounts.get
  • consumerprocurement.accounts.list
  • consumerprocurement.orders.get
  • consumerprocurement.orders.list
  • dataprocessing.datasources.get
  • dataprocessing.datasources.list
  • dataprocessing.groupcontrols.get
  • dataprocessing.groupcontrols.list
  • recommender.commitmentUtilizationInsights.get
  • recommender.commitmentUtilizationInsights.list
  • recommender.usageCommitmentRecommendations.get
  • recommender.usageCommitmentRecommendations.list

IAM relationships between organizations, projects, Cloud Billing accounts, and payments profiles

Two types of relationships govern the interactions between organizations, Cloud Billing accounts, and projects: ownership and payment linkage.

  • Ownership refers to IAM permission inheritance.
  • Payment linkages define which Cloud Billing account pays for a given project.

The following diagram shows the relationship of ownership and payment linkages for a sample organization.

(Diagram: how projects relate to Cloud Billing and your payments profile. One side shows your Cloud-level resources (Cloud Billing account and associated projects); the other side, divided by a vertical dotted line, shows your Google-level resource (a payments profile). Your projects are paid for by your Cloud Billing account, which is linked to your payments profile.)

In the diagram, the organization has ownership over Projects 1, 2, and 3, meaning that it is the IAM permissions parent of the three projects.

The Cloud Billing account is linked to Projects 1, 2, and 3, meaning that it pays for costs incurred by the three projects. The Cloud Billing account can also pay for projects in other organizations, but it inherits IAM permissions from its parent organization.

The Cloud Billing account is also linked to a Google payments profile, which stores information like name, address, and payment methods.

Although you link Cloud Billing accounts to projects, Cloud Billing accounts are not parents of projects in an IAM sense, and therefore projects don't inherit permissions from the Cloud Billing account they are linked to.

In this example, any users who are granted IAM billing roles on the organization also have those roles on the Cloud Billing account or the projects.
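To make the inheritance rules above concrete, here is an added Python example (not Google's code or API) that models the page's statements as a small policy resolver: roles bundle permissions (wildcard entries such as billing.budgets.* kept as the page lists them), bindings are inherited down the ownership tree, and the payment link between a billing account and a project is not an IAM parent, so nothing is inherited across it. It also checks the two halves of a project link that the role descriptions point to (billing.resourceAssociations.create on the account and resourcemanager.projects.createBillingAssignment on the project). The resource ids, principals and bindings are constructed placeholders, and the role-to-permission map is abridged to the entries used.

```python
"""Toy resolver for Cloud Billing IAM inheritance (added example, not Google's code).

Models the rules stated on the page:
  * principals are granted roles, never raw permissions; roles bundle permissions;
  * IAM policies are inherited down the ownership tree
    (organization -> billing account, organization -> project);
  * the payment link between a billing account and a project is NOT ownership,
    so nothing is inherited across it.
"""
from fnmatch import fnmatch

# Permissions bundled in each predefined role, abridged from the page's lists.
# Wildcard entries (for example "billing.budgets.*") are kept verbatim.
ROLE_PERMISSIONS = {
    "roles/billing.admin": {
        "billing.accounts.get", "billing.accounts.getSpendingInformation",
        "billing.accounts.setIamPolicy", "billing.accounts.updatePaymentInfo",
        "billing.budgets.*", "billing.resourceAssociations.*",
        "resourcemanager.projects.createBillingAssignment",
    },
    "roles/billing.user": {
        "billing.accounts.get", "billing.accounts.list",
        "billing.resourceAssociations.create",
    },
    "roles/billing.viewer": {
        "billing.accounts.get", "billing.accounts.getSpendingInformation",
        "billing.budgets.get", "billing.budgets.list",
    },
    "roles/billing.projectManager": {
        "resourcemanager.projects.createBillingAssignment",
        "resourcemanager.projects.deleteBillingAssignment",
    },
}

# Constructed sample resource tree with placeholder ids.
# OWNER: resource -> IAM parent.  PAYMENT_LINK: project -> billing account that pays for it.
BA = "billingAccounts/0000AA-111111-222222"
OWNER = {
    BA: "organizations/123",
    "projects/proj-1": "organizations/123",
    "projects/proj-2": "organizations/123",
    "projects/proj-other": "organizations/999",   # paid by BA but owned elsewhere
}
PAYMENT_LINK = {"projects/proj-1": BA, "projects/proj-other": BA}

# Constructed policy bindings: resource -> list of (role, principal).
BINDINGS = {
    "organizations/123": [("roles/billing.viewer", "group:finance@example.com")],
    BA: [
        ("roles/billing.admin", "user:cto@example.com"),
        ("roles/billing.user", "group:devs@example.com"),
        ("roles/billing.user", "user:lead@example.com"),
    ],
    "projects/proj-1": [("roles/billing.projectManager", "user:client@example.com")],
    "projects/proj-2": [("roles/billing.projectManager", "user:lead@example.com")],
}


def ancestors(resource):
    """Yield the resource and then each IAM parent up to the organization."""
    while resource is not None:
        yield resource
        resource = OWNER.get(resource)


def role_grants(role, permission):
    """True if the role's bundle (with wildcards) contains the permission."""
    return any(fnmatch(permission, pattern) for pattern in ROLE_PERMISSIONS.get(role, ()))


def has_permission(principal, permission, resource):
    """True if a role bound to the principal on the resource or any owner grants it.
    Payment links are deliberately not consulted: they are not IAM parents."""
    for node in ancestors(resource):
        for role, member in BINDINGS.get(node, []):
            if member == principal and role_grants(role, permission):
                return True
    return False


def can_see_spend_on(principal, project):
    """Project spend is visible through the billing account that pays for it,
    via billing.accounts.getSpendingInformation held on that account."""
    account = PAYMENT_LINK.get(project)
    return account is not None and has_permission(
        principal, "billing.accounts.getSpendingInformation", account)


def can_link(principal, project, account):
    """Linking needs a permission on each side: the account half comes with
    Billing Account User, the project half with Project Billing Manager."""
    return (has_permission(principal, "billing.resourceAssociations.create", account)
            and has_permission(principal, "resourcemanager.projects.createBillingAssignment", project))


if __name__ == "__main__":
    print("finance sees BA spend (inherited from org):",
          has_permission("group:finance@example.com", "billing.accounts.getSpendingInformation", BA))
    print("cto can set budgets on BA (wildcard):", has_permission("user:cto@example.com", "billing.budgets.create", BA))
    print("cto gets project rights through the payment link:",
          has_permission("user:cto@example.com", "resourcemanager.projects.createBillingAssignment", "projects/proj-1"))
    print("lead can link proj-2 to BA:", can_link("user:lead@example.com", "projects/proj-2", BA))
```

The last print is the point of L189 in code: an administrator of the billing account holds resourcemanager.projects.createBillingAssignment, but only on resources the account owns, and the account owns no projects, so the check on the linked project is false.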

Cloud Billing access control examples

Combine IAM roles as follows to meet the needs of a variety of scenarios.

Each entry below lists the user type, the Billing IAM roles granted (in parentheses), and the billing activities that user performs.

Scenario: Small-to-medium enterprise with a preference for centralized control.

  • CEO (Billing Account Administrator): Manage payment instrument. View and approve invoices.
  • CTO (Billing Account Administrator, Project Creator): Set budget alerts. View spend. Create new billable projects.
  • Development teams (no Billing IAM roles): None.

Scenario: Small-to-medium enterprise with a preference for delegated authority.

  • CEO (Billing Account Administrator): Manage payment instrument. Delegate authority.
  • CFO (Billing Account Administrator): Set budget alerts. View spend.
  • Accounts payable (Billing Account Viewer): View and approve invoices.
  • Development teams (Billing Account User, Project Creator): Create new billable projects.

Scenario: Separate financial planning and procurement functions.

  • Procurement or Central IT (Billing Account Administrator): Manage payment instrument. Set budget alerts. Communicate spend to development teams.
  • Financial planning (Billing Account Viewer): View billing reports. Process exports. Communicate with CxO.
  • Accounts payable (Billing Account Viewer): Approve invoices.
  • Development teams (Billing Account User, Project Creator): Create new billable projects.

Scenario: Development agency.

  • CEO (Billing Account Administrator): Manage payment instrument. Delegate authority.
  • CFO (Billing Account Administrator): Set budget alerts. View spend. Approve invoices.
  • Project lead (Billing Account User, Project Creator): Create new billable projects.
  • Project development team (no Billing IAM roles): Develop within existing projects.
  • Client (Project Billing Manager): Take payment ownership of the project when it is completed.

Update Cloud Billing permissions

To add or remove Cloud Billing permissions:

  1. Sign in to the Google Cloud Console.

  2. Open the Cloud Console Navigation menu, and then select Billing.

    If you have more than one Cloud Billing account, do one of the following:

    • To manage Cloud Billing for the current project, select Go to linked billing account.
    • To locate a different Cloud Billing account, select Manage billing accounts and then choose the account that you want to manage.
  3. In the Billing navigation menu, click Account management.

  4. Use the Permissions panel to edit permissions for the selected Cloud Billing account. If the panel isn't already visible, click SHOW INFO PANEL to open it.

The Permissions panel is organized by role, along with the number of principals that have each role. For example, in your Permissions panel, you might see:

  • Billing Account Administrator (2 principals)
  • Billing Account User (6 principals)
  • Billing Account Viewer (10 principals)

You can grant multiple roles to the same principal.

To view the list of principals that have a role, click the role name to expand (or collapse) the list of principals.

To find a specific principal and see which roles are granted to that principal, use the Search principals filter.
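The role-grouped view that the Permissions panel gives you can also be produced from the policy document itself, which is useful for periodic review. The following Python example is added here and is not Google's code; it parses the standard IAM policy JSON that `gcloud billing accounts get-iam-policy ACCOUNT_ID --format=json` (or, for organization-level grants such as Billing Account Creator, `gcloud organizations get-iam-policy ORG_ID --format=json`) returns, reports principals per role and principals holding several roles, notes conditional grants, and applies the page's tip about keeping Billing Account Creator holders minimal. The sample policies, principals, etag and the MAX_CREATORS ceiling are constructed assumptions.

```python
"""Summarise an IAM policy by role, the way the Permissions panel does.

Added example, not Google's code. Input is the standard IAM policy JSON
(bindings of role -> members, optionally with a condition), as returned by
`gcloud billing accounts get-iam-policy ACCOUNT_ID --format=json` or
`gcloud organizations get-iam-policy ORG_ID --format=json`.
Sample policies, principals and the MAX_CREATORS ceiling are constructed.
"""
import json
from collections import defaultdict

# Display names the Permissions panel uses for the predefined roles on the page.
ROLE_TITLES = {
    "roles/billing.admin": "Billing Account Administrator",
    "roles/billing.costsManager": "Billing Account Costs Manager",
    "roles/billing.creator": "Billing Account Creator",
    "roles/billing.projectManager": "Project Billing Manager",
    "roles/billing.user": "Billing Account User",
    "roles/billing.viewer": "Billing Account Viewer",
}

# Assumption: how many Billing Account Creator holders this organization treats as "minimal".
MAX_CREATORS = 2

# Constructed billing-account policy (placeholder principals and etag).
SAMPLE_BILLING_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/billing.admin",
         "members": ["user:ceo@example.com", "user:cfo@example.com"]},
        {"role": "roles/billing.user",
         "members": ["group:devs@example.com", "user:cfo@example.com",
                     "serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/billing.viewer",
         "members": ["group:finance@example.com"],
         "condition": {"title": "fy-close-only",
                       "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    ],
    "etag": "PLACEHOLDER_ETAG",
})

# Constructed organization policy: Billing Account Creator is granted at this level.
SAMPLE_ORG_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/billing.creator",
         "members": ["user:a@example.com", "user:b@example.com", "user:c@example.com"]},
        {"role": "roles/billing.admin", "members": ["user:cfo@example.com"]},
    ],
    "etag": "PLACEHOLDER_ETAG",
})


def summarise(policy_json):
    """Return (principals per role, roles per principal, condition title per role)."""
    policy = json.loads(policy_json)
    per_role = defaultdict(set)
    per_principal = defaultdict(set)
    conditional = {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            per_role[role].add(member)
            per_principal[member].add(role)
        if "condition" in binding:  # conditional grants are reported separately
            conditional[role] = binding["condition"].get("title", "")
    return dict(per_role), dict(per_principal), conditional


def panel_lines(per_role):
    """Lines in the panel's style, e.g. 'Billing Account Administrator (2 principals)'."""
    lines = []
    for role, members in sorted(per_role.items()):
        n = len(members)
        lines.append(f"{ROLE_TITLES.get(role, role)} ({n} principal{'s' if n != 1 else ''})")
    return lines


def findings(per_role, per_principal):
    """Review points: creator proliferation (the page's tip) and multi-role principals."""
    out = []
    creators = per_role.get("roles/billing.creator", set())
    if len(creators) > MAX_CREATORS:
        out.append(f"{len(creators)} principals hold Billing Account Creator "
                   f"(assumed ceiling {MAX_CREATORS}); keep this role minimal")
    for member, roles in sorted(per_principal.items()):
        if len(roles) > 1:
            out.append(f"{member} holds multiple roles: {', '.join(sorted(roles))}")
    return out


if __name__ == "__main__":
    for label, policy in (("billing account", SAMPLE_BILLING_POLICY),
                          ("organization", SAMPLE_ORG_POLICY)):
        per_role, per_principal, conditional = summarise(policy)
        print(f"== {label} policy ==")
        for line in panel_lines(per_role):
            print(" ", line)
        for role, title in conditional.items():
            print(f"  condition on {ROLE_TITLES.get(role, role)}: {title}")
        for item in findings(per_role, per_principal):
            print("  !", item)
```

Feeding it a real policy is a matter of replacing the constructed strings with the JSON written by the gcloud commands named above; the grant and revoke steps described in this section have CLI counterparts in `gcloud billing accounts add-iam-policy-binding` and `remove-iam-policy-binding`, so the same script can be run before and after a change to confirm the panel counts moved as intended.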

To update Cloud Billing permissions, in the Permissions panel, do any of the following:

  • To add new principals and assign permissions:

    1. Click Add principals.
    2. In the New principals field, enter one or more email addresses for the principals you want to add. You can add individuals, service accounts, or Google Groups as principals.
    3. Select a permission for the principal(s) from Select a role.
    4. Set any conditions on the role (optional).
    5. If needed, you can Add another role to grant additional roles to the principal(s).
    6. When done, click Save.
  • To edit a principal's billing permissions:

    1. Use the Search principals filter to locate a specific principal or role.
    2. In the list, locate the principal you want to edit.
    3. In the principal's row, click Edit.

      The Edit permissions panel opens, specific to the selected principal and resource (Cloud Billing Account) that you are viewing.

    4. In the Edit permissions panel, add, edit, and delete roles for the selected principal and resource.

    5. When done, click Save.

  • To revoke a role from a principal:

    1. Use the Search principals filter to locate a specific principal or role.
    2. In the list, locate the principal whose role you want to revoke.
    3. In the principal's row, click Delete.
    4. You will be prompted to confirm your action.
