Google Cloud offers Identity and Access Management (IAM), which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.
IAM lets you control who (users) has what access (roles) to which resources by setting IAM policies. IAM policies grant specific roles to a user, giving the user certain permissions.
This page explains the Identity and Access Management roles that are available for the Cloud Billing APIs. For example, you can use IAM to grant roles such as Admin, User, and Project Manager for a Cloud Billing account. For a detailed description of IAM and its features, see the Identity and Access Management developer's guide. In particular, see its Granting, Changing, and Revoking Access section.
Permissions and Roles
For a user to view Cloud Billing account details in the Google Cloud console, or for a Cloud Billing API method to return Cloud Billing account information, the user or caller must have the necessary permissions. The following table lists the IAM permissions and roles needed to use the Cloud Billing Budget API.
Required permissions for the Cloud Billing Budget API
The following table outlines which permissions are necessary to call each Cloud Billing Budget API method. Also included are the standard IAM Billing roles that automatically grant those permissions.
API Method | Required Permission | IAM Role that grants permission |
---|---|---|
GetBudget | To get the details of a budget, the caller must have the `billing.budgets.get` permission on the budget's Cloud Billing account. | Billing Account Administrator, Billing Account Costs Manager, or Billing Account Viewer |
ListBudgets | To return a list of budgets applied to a Cloud Billing account, the caller must have the `billing.budgets.list` permission on the Cloud Billing account. | Billing Account Administrator, Billing Account Costs Manager, or Billing Account Viewer |
CreateBudget | To create a new budget, the caller must have the `billing.budgets.create` permission on the budget's Cloud Billing account. | Billing Account Administrator or Billing Account Costs Manager |
UpdateBudget | To update an existing budget, the caller must have the `billing.budgets.update` permission on the budget's Cloud Billing account. | Billing Account Administrator or Billing Account Costs Manager |
DeleteBudget | To delete an existing budget, the caller must have the `billing.budgets.delete` permission on the budget's Cloud Billing account. | Billing Account Administrator or Billing Account Costs Manager |
Roles
You don't directly give users permissions; instead, you grant them roles, which have one or more permissions bundled within them.
You can grant one or more roles on the same resource.
The following table lists the standard IAM Billing roles that you can grant to access the Cloud Billing APIs, the description of what the role does, and the permissions bundled within that role.
Role | Permissions |
---|---|
Billing Account Administrator<br>Provides access to see and manage all aspects of billing accounts.<br>Lowest-level resources where you can grant this role:<br>Contains 33 owner permissions | `billing.accounts.close`, `billing.accounts.get`, `billing.`, `billing.accounts.getIamPolicy`, `billing.`, `billing.accounts.getPricing`, `billing.`, `billing.`, `billing.accounts.list`, `billing.accounts.move`, `billing.`, `billing.`, `billing.accounts.reopen`, `billing.accounts.setIamPolicy`, `billing.accounts.update`, `billing.`, `billing.`, `billing.budgets.*`, `billing.credits.list`, `billing.resourceAssociations.*`, `billing.subscriptions.*`, `cloudnotifications.`, `cloudsupport.properties.get`, `cloudsupport.techCases.*`, `commerceoffercatalog.*`, `compute.commitments.*`, `consumerprocurement.accounts.*`, `consumerprocurement.`, `consumerprocurement.`, `consumerprocurement.`, `consumerprocurement.`, `consumerprocurement.`, `consumerprocurement.orders.*`, `dataprocessing.datasources.get`, `dataprocessing.`, `dataprocessing.`, `dataprocessing.`, `logging.logEntries.list`, `logging.logServiceIndexes.list`, `logging.logServices.list`, `logging.logs.list`, `logging.privateLogEntries.list`, `recommender.`, `recommender.costInsights.*`, `recommender.`, `recommender.`, `recommender.`, `recommender.`, `resourcemanager.`, `resourcemanager.`, `resourcemanager.projects.get`, `resourcemanager.projects.list` |
Billing Account Costs Manager<br>Manage budgets for a billing account, and view, analyze, and export cost information of a billing account.<br>Lowest-level resources where you can grant this role:<br>Contains 12 owner permissions | `billing.accounts.get`, `billing.accounts.getIamPolicy`, `billing.`, `billing.`, `billing.accounts.list`, `billing.`, `billing.budgets.*`, `billing.`, `recommender.costInsights.*` |
Billing Account Creator<br>Provides access to create billing accounts.<br>Lowest-level resources where you can grant this role:<br>Contains 1 owner permission | `billing.accounts.create`, `resourcemanager.` |
Project Billing Manager<br>When granted in conjunction with the Billing Account User role, provides access to assign a project's billing account or disable its billing.<br>Lowest-level resources where you can grant this role:<br>Contains 2 owner permissions | `resourcemanager.`, `resourcemanager.` |
Billing Account User<br>When granted in conjunction with the Project Owner role or Project Billing Manager role, provides access to associate projects with billing accounts.<br>Lowest-level resources where you can grant this role:<br>Contains 6 owner permissions | `billing.accounts.get`, `billing.accounts.getIamPolicy`, `billing.accounts.list`, `billing.`, `billing.credits.list`, `billing.` |
Billing Account Viewer<br>View billing account cost and pricing information, transactions, and billing and commitment recommendations.<br>Lowest-level resources where you can grant this role:<br>Contains 14 owner permissions | `billing.accounts.get`, `billing.`, `billing.accounts.getIamPolicy`, `billing.`, `billing.accounts.getPricing`, `billing.`, `billing.`, `billing.accounts.list`, `billing.budgets.get`, `billing.budgets.list`, `billing.credits.list`, `billing.`, `billing.subscriptions.get`, `billing.subscriptions.list`, `commerceoffercatalog.*`, `consumerprocurement.`, `consumerprocurement.`, `consumerprocurement.`, `consumerprocurement.`, `consumerprocurement.`, `consumerprocurement.`, `consumerprocurement.orders.get`, `consumerprocurement.`, `dataprocessing.datasources.get`, `dataprocessing.`, `dataprocessing.`, `dataprocessing.`, `recommender.`, `recommender.`, `recommender.costInsights.get`, `recommender.costInsights.list`, `recommender.`, `recommender.`, `recommender.`, `recommender.`, `recommender.`, `recommender.`, `recommender.` |
Note that the roles `roles/billing.admin`, `roles/billing.costsManager`, `roles/billing.viewer`, and `roles/billing.projectManager` include permissions for other Google Cloud services as well.
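The two tables above can be combined into a least-privilege review of a Cloud Billing account's IAM policy. The following Python is an added example, not code from this page or from Google: it takes a policy in the standard `bindings` JSON structure, reports which Budget API methods each member can call, and sets aside any role that is not mapped here for manual review. The role IDs for Administrator, Costs Manager, and Viewer are the ones named in the note above; the sample members and the custom role name are constructed.

```python
from fnmatch import fnmatchcase
# Method -> required permission, from the "Required permissions" table.
METHOD_PERMISSION = {
    "GetBudget": "billing.budgets.get",
    "ListBudgets": "billing.budgets.list",
    "CreateBudget": "billing.budgets.create",
    "UpdateBudget": "billing.budgets.update",
    "DeleteBudget": "billing.budgets.delete",
}
# Budget permissions bundled in each standard role, from the "Roles" table.
ROLE_BUDGET_PERMISSIONS = {
    "roles/billing.admin": ["billing.budgets.*"],
    "roles/billing.costsManager": ["billing.budgets.*"],
    "roles/billing.viewer": ["billing.budgets.get", "billing.budgets.list"],
}
WRITE_METHODS = {"CreateBudget", "UpdateBudget", "DeleteBudget"}

def methods_for_role(role):
    """Budget API methods a role allows, or None if the role is not mapped above."""
    patterns = ROLE_BUDGET_PERMISSIONS.get(role)
    if patterns is None:
        return None
    return {method for method, perm in METHOD_PERMISSION.items()
            if any(fnmatchcase(perm, pattern) for pattern in patterns)}

def audit_policy(policy):
    """Return ({member: methods}, roles that need manual review)."""
    access, unresolved = {}, set()
    for binding in policy.get("bindings", []):
        methods = methods_for_role(binding["role"])
        if methods is None:  # custom or unmapped role: permissions unknown here
            unresolved.add(binding["role"])
            continue
        for member in binding.get("members", []):
            access.setdefault(member, set()).update(methods)
    return access, unresolved

def budget_writers(policy):
    """Members who can create, update or delete budgets."""
    access, _ = audit_policy(policy)
    return sorted(m for m, methods in access.items() if methods & WRITE_METHODS)

# Constructed sample policy (members and the custom role are made up).
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/billing.admin", "members": ["user:alice@example.com"]},
    {"role": "roles/billing.viewer", "members": ["user:bob@example.com", "group:ops@example.com"]},
    {"role": "roles/billing.costsManager", "members": ["group:ops@example.com"]},
    {"role": "organizations/123/roles/budgetEditor", "members": ["user:carol@example.com"]},
]}
```

A member that only needs to read budgets should appear with `GetBudget` and `ListBudgets` alone; anyone returned by `budget_writers` holds Administrator or Costs Manager and is a candidate for downgrading to Viewer.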
Related topics
- Cloud Billing API Access Control
- Granting, Changing, and Revoking Access in the IAM documentation
- Create Custom Roles for Cloud Billing