Overview of Billing Access Control

Google Cloud Platform (GCP) provides Cloud Identity and Access Management (Cloud IAM), which you can use to grant or prevent access to specific GCP resources. Cloud IAM lets you control who (users) has what access (roles) to which resources by setting Cloud IAM policies on the resources.

To grant or limit access to Cloud Billing, you can set a Cloud IAM policy at the organization level or the billing account level. GCP resources inherit the Cloud IAM policies of their parent node, which means you can set a policy at the organization level to apply it to all the child billing accounts in the organization.

Overview of Billing roles in Cloud IAM

The following predefined Billing Cloud IAM roles are designed to allow you to use access control to enforce separation of duties:

| Role | Purpose | Level | Use case |
|---|---|---|---|
| Billing Account Creator | Create new self-serve billing accounts. | Organization | Use this role for initial billing setup or temporarily to create a billing account in a different currency. Users must have this role to sign up for GCP with a credit card using their corporate identity. Tip: Minimize the number of users who have this role to help prevent proliferation of untracked cloud spend in your organization. |
| Billing Account Administrator | Manage billing accounts (but not create them). | Organization or billing account | This role is an owner role for a billing account. Use it to manage payment instruments, configure billing exports, view cost information, link and unlink projects, and manage other user roles on the billing account. |
| Billing Account User | Link projects to billing accounts. | Organization or billing account | This role has very restricted permissions, so you can grant it broadly, typically in combination with Project Creator. These two roles allow a user to create new projects linked to the billing account on which the role is granted. |
| Billing Account Viewer | View billing account cost information and transactions. | Organization or billing account | Billing Account Viewer access would usually be granted to finance teams. It provides access to spend information, but does not confer the right to link or unlink projects or otherwise manage the properties of the billing account. |
| Project Billing Manager | Link/unlink the project to/from a billing account. | Organization or project | This role allows a user to attach the project to the billing account, but does not grant any rights over resources. Project Owners can use this role to allow someone else to manage the billing for the project without granting them resource access. |

Relationships between organizations, projects, and billing accounts

Two types of relationship govern the interactions between billing accounts, organizations, and projects: ownership and payment linkage.

  • Ownership refers to Cloud IAM permission inheritance.
  • Payment linkages define which billing account pays for a given project.

The following diagram shows the relationship of ownership and payment linkages for a sample organization.

Figure: Relationship of Ownership and Payment Linkages

In the diagram, the organization has ownership over Projects A, B, and C, meaning that it is the Cloud IAM permissions parent of the three projects.

The billing account is linked to Projects A, B, and C, meaning that it pays for expenses incurred by the three projects.

In this example, any users who are granted Cloud IAM billing roles on the organization also have those roles on the billing account or the projects.

Billing access control examples

Combine Cloud IAM roles as follows to meet the needs of a variety of scenarios.

Scenario: Small-to-Medium Enterprise (SME) with a preference for centralized control.

| User type | Billing Cloud IAM roles | Billing activities |
|---|---|---|
| CEO | Billing Account Administrator | Manage payment instrument. View and approve invoices. |
| CTO | Billing Account Administrator, Project Creator | Set and track budgets. View spend. Create new billable projects. |
| Development teams | None | None |

Scenario: SME with a preference for delegated authority.

| User type | Billing Cloud IAM roles | Billing activities |
|---|---|---|
| CEO | Billing Account Administrator | Manage payment instrument. Delegate authority. |
| CFO | Billing Account Administrator | Set and track budgets. View spend. |
| Accounts payable | Billing Account Viewer | View and approve invoices. |
| Development teams | Billing Account User, Project Creator | Create new billable projects. |

Scenario: Separate Financial Planning & Procurement Functions

| User type | Billing Cloud IAM roles | Billing activities |
|---|---|---|
| Procurement or Central IT | Billing Account Administrator | Manage payment instrument. Set and track budgets. Communicate spend to development teams. |
| Financial planning | Billing Account Viewer | View billing reports. Process exports. Communicate with CxO. |
| Accounts payable | Billing Account Viewer | Approve invoices. |
| Development teams | Billing Account User, Project Creator | Create new billable projects. |

Scenario: Development Agency

| User type | Billing Cloud IAM roles | Billing activities |
|---|---|---|
| CEO | Billing Account Administrator | Manage payment instrument. Delegate authority. |
| CFO | Billing Account Administrator | Set and track budgets. View spend. Approve invoices. |
| Project lead | Billing Account User, Project Creator | Create new billable projects. |
| Project development team | None | Develop within existing projects. |
| Client | Project Billing Manager | Take payment ownership of the project when it is completed. |
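
The following Python is an added example, not part of the original page or any Google code: it computes effective billing roles by unioning the organization-level and billing-account-level policies, as the inheritance described earlier implies, and compares the result with the "SME with delegated authority" matrix. The sample policies, member addresses, and the `max_creators` threshold are constructed assumptions; only allow bindings are considered, and group membership and IAM conditions are not expanded.

```python
BILLING_ROLES = {  # predefined role IDs for the billing roles named on this page
    "roles/billing.creator": "Billing Account Creator",
    "roles/billing.admin": "Billing Account Administrator",
    "roles/billing.user": "Billing Account User",
    "roles/billing.viewer": "Billing Account Viewer",
    "roles/billing.projectManager": "Project Billing Manager",
}

def effective_roles(*policies):
    """Union billing-role bindings across parent and child policies (inheritance only adds)."""
    result = {}
    for policy in policies:
        for binding in policy.get("bindings", []):
            if binding["role"] in BILLING_ROLES:  # skip non-billing roles
                for member in binding.get("members", []):
                    result.setdefault(member, set()).add(binding["role"])
    return result

def audit(effective, expected, max_creators=1):
    """Return findings where effective billing access differs from the intended matrix."""
    findings = []
    for member in sorted(set(effective) | set(expected)):
        have, want = effective.get(member, set()), expected.get(member, set())
        for role in sorted(have - want):
            findings.append((member, "unexpected", BILLING_ROLES[role]))
        for role in sorted(want - have):
            findings.append((member, "missing", BILLING_ROLES[role]))
    creators = sorted(m for m, r in effective.items() if "roles/billing.creator" in r)
    if len(creators) > max_creators:  # the page's tip: keep Billing Account Creator rare
        findings.append((", ".join(creators), "too-many", "Billing Account Creator"))
    return findings

# Constructed sample policies in IAM policy JSON shape; members are hypothetical.
ORG_POLICY = {"bindings": [
    {"role": "roles/billing.admin", "members": ["user:ceo@example.com", "user:cfo@example.com"]},
    {"role": "roles/billing.creator", "members": ["user:ceo@example.com", "group:dev@example.com"]},
    {"role": "roles/resourcemanager.projectCreator", "members": ["group:dev@example.com"]},
]}
ACCOUNT_POLICY = {"bindings": [
    {"role": "roles/billing.viewer", "members": ["group:ap@example.com"]},
    {"role": "roles/billing.admin", "members": ["group:dev@example.com"]},
]}
EXPECTED = {  # intended matrix: billing roles from "SME with delegated authority"
    "user:ceo@example.com": {"roles/billing.admin"}, "user:cfo@example.com": {"roles/billing.admin"},
    "group:ap@example.com": {"roles/billing.viewer"}, "group:dev@example.com": {"roles/billing.user"},
}

if __name__ == "__main__":
    print(*audit(effective_roles(ORG_POLICY, ACCOUNT_POLICY), EXPECTED), sep="\n")
```

The policy dictionaries have the same shape as the JSON output of `gcloud organizations get-iam-policy` and `gcloud billing accounts get-iam-policy`, so exported policies can be loaded in place of the samples.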

Update billing permissions

To add or remove billing permissions:

  1. Go to the Google Cloud Platform Console.
  2. Open the console left side menu and click Billing.
  3. If you have more than one billing account, select Go to linked billing account to manage the current project's billing permissions. To locate a different billing account, select Manage billing accounts.
  4. On the right, use the Permissions panel to edit permissions for the selected billing account. (If the panel isn't already open, click SHOW INFO PANEL to open it.) Then, do either of the following:
    • To assign permissions, under Add members, enter the email address of the person you want to assign the permission to, then select a permission from Select a role. Click Add.
    • To remove a member's billing permission, click and expand the list for the corresponding permission, hover over the member you want to remove, and then click the trash can icon on the right.
