Cloud Billing Budget API 的存取權控管

Google Cloud 提供「身分與存取權管理」(IAM) 功能,可讓您以更精細的方式授予使用者特定 Google Cloud 資源的存取權限,避免其他資源遭到未經授權者擅自存取。IAM 能讓您採用最低權限安全性原則,僅授予必要的資源存取權限給使用者。

設定 IAM 政策之後,即可控管哪些人 (使用者) 具備何種存取權限 (角色),可以存取哪些資源。身分與存取權管理政策可授予使用者特定角色,讓對方擁有特定權限。

本頁說明適用於 Cloud Billing API 的 身分與存取權管理角色。舉例來說,您可以使用 IAM 授予 Cloud Billing 帳戶的管理員、使用者和專案管理員等角色。如需 IAM 和其功能的詳細說明,請參閱 身分與存取權管理開發人員指南。特別是「 授予、變更及撤銷存取權」一節。

權限與角色

如要讓使用者在Google Cloud 控制台中查看 Cloud Billing 帳戶詳細資料,或讓 Cloud Billing API 方法傳回 Cloud Billing 帳戶資訊,使用者或呼叫者必須具備必要權限。下表列出使用 Cloud Billing Budget API 時所需的 IAM 權限和角色。

Cloud Billing Budget API 的必要權限

下表列出呼叫各項 Cloud Billing Budget API 方法所需的權限。此外,標準 IAM 帳單角色也會自動授予這些權限。

API 方法 所需權限 授予權限的 IAM 角色
GetBudget 如要取得預算詳細資料,呼叫方必須擁有預算 Cloud Billing 帳戶的 billing.budgets.get 權限。

如果是單一專案預算,呼叫者可以擁有專案的下列權限,而非帳單帳戶權限:resourcemanager.projects.getbilling.resourcebudgets.read

預算所屬 Cloud Billing 帳戶的「帳單帳戶管理員」、「帳單帳戶費用管理員」或「帳單帳戶檢視者」。

如果是單一專案預算,則為專案的專案擁有者、專案編輯者或專案檢視者。

ListBudgets 如要傳回套用至 Cloud Billing 帳戶的預算清單,呼叫者必須具備 Cloud Billing 帳戶的 billing.budgets.list 權限。

如果是單一專案預算,呼叫者可以擁有專案的下列權限,而非帳單帳戶權限:resourcemanager.projects.getbilling.resourcebudgets.read

預算所屬 Cloud Billing 帳戶的「帳單帳戶管理員」、「帳單帳戶費用管理員」或「帳單帳戶檢視者」。

如果是單一專案預算,則為專案的專案擁有者、專案編輯者或專案檢視者。

CreateBudget 如要建立新預算,呼叫方必須擁有預算所屬 Cloud Billing 帳戶的 billing.budgets.create 權限。

如果是單一專案預算,呼叫端可以擁有專案的下列權限,而不需具備帳單帳戶權限:resourcemanager.projects.getbilling.resourcebudgets.readbilling.resourcebudgets.write

預算所屬 Cloud Billing 帳戶的「帳單帳戶管理員」或「帳單帳戶費用管理員」。

如果是單一專案預算,則為專案的「專案擁有者」或「專案編輯者」。
UpdateBudget 如要更新現有預算,呼叫方必須擁有預算所屬 Cloud Billing 帳戶的 billing.budgets.update 權限。

如果是單一專案預算,呼叫端可以擁有專案的下列權限,而不需具備帳單帳戶權限:resourcemanager.projects.getbilling.resourcebudgets.readbilling.resourcebudgets.write

預算所屬 Cloud Billing 帳戶的「帳單帳戶管理員」或「帳單帳戶費用管理員」。

如果是單一專案預算,則為專案的「專案擁有者」或「專案編輯者」。
DeleteBudget 如要刪除現有預算,呼叫方必須擁有預算所屬 Cloud Billing 帳戶的 billing.budgets.delete 權限。

如果是單一專案預算,呼叫端可以擁有專案的下列權限,而不需具備帳單帳戶權限:resourcemanager.projects.getbilling.resourcebudgets.readbilling.resourcebudgets.write

預算所屬 Cloud Billing 帳戶的「帳單帳戶管理員」或「帳單帳戶費用管理員」。

如果是單一專案預算,則為專案的「專案擁有者」或「專案編輯者」。

角色

您並非直接為使用者授予權限,而是指派「角色」給他們,每個角色可能具備一或多項權限。

針對同一項資源,您可以授予一或多個角色。

下表列出可授予的標準 IAM 帳單角色,擁有這些角色的使用者即可存取 Cloud Billing API。此外,您也可以透過下表瞭解各個角色的作用和角色具備的權限。

Role Permissions

(roles/billing.admin)

Provides access to see and manage all aspects of billing accounts.

Lowest-level resources where you can grant this role:

  • Billing Account

billing.accounts.close

billing.accounts.get

billing.accounts.getCarbonInformation

billing.accounts.getIamPolicy

billing.accounts.getPaymentInfo

billing.accounts.getPricing

billing.accounts.getSpendingInformation

billing.accounts.getUsageExportSpec

billing.accounts.list

billing.accounts.move

billing.accounts.redeemPromotion

billing.accounts.removeFromOrganization

billing.accounts.reopen

billing.accounts.setIamPolicy

billing.accounts.update

billing.accounts.updatePaymentInfo

billing.accounts.updateUsageExportSpec

billing.anomalies.*

  • billing.anomalies.get
  • billing.anomalies.list
  • billing.anomalies.submitFeedback

billing.anomaliesConfigs.*

  • billing.anomaliesConfigs.get
  • billing.anomaliesConfigs.update

billing.billingAccountPrice.get

billing.billingAccountPrices.list

billing.billingAccountServices.*

  • billing.billingAccountServices.get
  • billing.billingAccountServices.list

billing.billingAccountSkuGroupSkus.*

  • billing.billingAccountSkuGroupSkus.get
  • billing.billingAccountSkuGroupSkus.list

billing.billingAccountSkuGroups.*

  • billing.billingAccountSkuGroups.get
  • billing.billingAccountSkuGroups.list

billing.billingAccountSkus.*

  • billing.billingAccountSkus.get
  • billing.billingAccountSkus.list

billing.budgets.*

  • billing.budgets.create
  • billing.budgets.delete
  • billing.budgets.get
  • billing.budgets.list
  • billing.budgets.update

billing.credits.list

billing.finOpsBenchmarkInformation.get

billing.finOpsHealthInformation.get

billing.resourceAssociations.*

  • billing.resourceAssociations.create
  • billing.resourceAssociations.delete
  • billing.resourceAssociations.list

billing.subscriptions.*

  • billing.subscriptions.create
  • billing.subscriptions.get
  • billing.subscriptions.list
  • billing.subscriptions.update

cloudasset.assets.searchAllResources

cloudnotifications.activities.list

cloudsupport.properties.get

cloudsupport.techCases.*

  • cloudsupport.techCases.create
  • cloudsupport.techCases.escalate
  • cloudsupport.techCases.get
  • cloudsupport.techCases.list
  • cloudsupport.techCases.update

commerceoffercatalog.*

  • commerceoffercatalog.agreements.get
  • commerceoffercatalog.agreements.list
  • commerceoffercatalog.documents.get
  • commerceoffercatalog.documents.list
  • commerceoffercatalog.offers.get

compute.commitments.*

  • compute.commitments.create
  • compute.commitments.get
  • compute.commitments.list
  • compute.commitments.update
  • compute.commitments.updateReservations

consumerprocurement.accounts.*

  • consumerprocurement.accounts.create
  • consumerprocurement.accounts.delete
  • consumerprocurement.accounts.get
  • consumerprocurement.accounts.list

consumerprocurement.consents.check

consumerprocurement.consents.grant

consumerprocurement.consents.list

consumerprocurement.consents.revoke

consumerprocurement.events.*

  • consumerprocurement.events.get
  • consumerprocurement.events.list

consumerprocurement.licensePools.*

  • consumerprocurement.licensePools.assign
  • consumerprocurement.licensePools.enumerateLicensedUsers
  • consumerprocurement.licensePools.get
  • consumerprocurement.licensePools.unassign
  • consumerprocurement.licensePools.update

consumerprocurement.orderAttributions.*

  • consumerprocurement.orderAttributions.get
  • consumerprocurement.orderAttributions.list
  • consumerprocurement.orderAttributions.update

consumerprocurement.orders.*

  • consumerprocurement.orders.cancel
  • consumerprocurement.orders.get
  • consumerprocurement.orders.list
  • consumerprocurement.orders.modify
  • consumerprocurement.orders.place

dataprocessing.datasources.get

dataprocessing.datasources.list

dataprocessing.groupcontrols.get

dataprocessing.groupcontrols.list

logging.logEntries.list

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.privateLogEntries.list

recommender.cloudsqlIdleInstanceRecommendations.get

recommender.cloudsqlIdleInstanceRecommendations.list

recommender.cloudsqlOverprovisionedInstanceRecommendations.get

recommender.cloudsqlOverprovisionedInstanceRecommendations.list

recommender.commitmentUtilizationInsights.*

  • recommender.commitmentUtilizationInsights.get
  • recommender.commitmentUtilizationInsights.list
  • recommender.commitmentUtilizationInsights.update

recommender.computeAddressIdleResourceRecommendations.get

recommender.computeAddressIdleResourceRecommendations.list

recommender.computeDiskIdleResourceRecommendations.get

recommender.computeDiskIdleResourceRecommendations.list

recommender.computeImageIdleResourceRecommendations.get

recommender.computeImageIdleResourceRecommendations.list

recommender.computeInstanceGroupManagerMachineTypeRecommendations.get

recommender.computeInstanceGroupManagerMachineTypeRecommendations.list

recommender.computeInstanceIdleResourceRecommendations.get

recommender.computeInstanceIdleResourceRecommendations.list

recommender.computeInstanceMachineTypeRecommendations.get

recommender.computeInstanceMachineTypeRecommendations.list

recommender.costInsights.*

  • recommender.costInsights.get
  • recommender.costInsights.list
  • recommender.costInsights.update

recommender.costRecommendations.*

  • recommender.costRecommendations.listAll
  • recommender.costRecommendations.summarizeAll

recommender.resourcemanagerProjectUtilizationRecommendations.get

recommender.resourcemanagerProjectUtilizationRecommendations.list

recommender.spendBasedCommitmentInsights.*

  • recommender.spendBasedCommitmentInsights.get
  • recommender.spendBasedCommitmentInsights.list
  • recommender.spendBasedCommitmentInsights.update

recommender.spendBasedCommitmentRecommendations.*

  • recommender.spendBasedCommitmentRecommendations.get
  • recommender.spendBasedCommitmentRecommendations.list
  • recommender.spendBasedCommitmentRecommendations.update

recommender.spendBasedCommitmentRecommenderConfig.*

  • recommender.spendBasedCommitmentRecommenderConfig.get
  • recommender.spendBasedCommitmentRecommenderConfig.update

recommender.usageCommitmentRecommendations.*

  • recommender.usageCommitmentRecommendations.get
  • recommender.usageCommitmentRecommendations.list
  • recommender.usageCommitmentRecommendations.update

resourcemanager.projects.createBillingAssignment

resourcemanager.projects.deleteBillingAssignment

resourcemanager.projects.get

resourcemanager.projects.list

(roles/billing.carbonViewer)

billing.accounts.get

billing.accounts.getCarbonInformation

billing.accounts.list

(roles/billing.costsManager)

Manage budgets for a billing account, and view, analyze, and export cost information of a billing account.

Lowest-level resources where you can grant this role:

  • Billing Account

billing.accounts.get

billing.accounts.getIamPolicy

billing.accounts.getSpendingInformation

billing.accounts.getUsageExportSpec

billing.accounts.list

billing.accounts.updateUsageExportSpec

billing.anomalies.get

billing.anomalies.list

billing.anomaliesConfigs.*

  • billing.anomaliesConfigs.get
  • billing.anomaliesConfigs.update

billing.budgets.*

  • billing.budgets.create
  • billing.budgets.delete
  • billing.budgets.get
  • billing.budgets.list
  • billing.budgets.update

billing.resourceAssociations.list

recommender.costInsights.*

  • recommender.costInsights.get
  • recommender.costInsights.list
  • recommender.costInsights.update

(roles/billing.creator)

Provides access to create billing accounts.

Lowest-level resources where you can grant this role:

  • Organization

billing.accounts.create

resourcemanager.organizations.get

(roles/billing.projectCostsManager)

When granted in conjunction with cost view permissions on projects, provides access to billing information scoped to the projects to which the user has cost access.

Lowest-level resources where you can grant this role:

  • Billing Account

billing.accounts.getIamPolicy

billing.accounts.getSpendingInformationScoped

billing.costRecommendations.listScoped

(roles/billing.projectManager)

When granted in conjunction with the Billing Account User role, provides access to assign a project's billing account or disable its billing.

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.projects.createBillingAssignment

resourcemanager.projects.deleteBillingAssignment

(roles/billing.user)

When granted in conjunction with the Project Owner role or Project Billing Manager role, provides access to associate projects with billing accounts.

Lowest-level resources where you can grant this role:

  • Billing Account

billing.accounts.get

billing.accounts.getIamPolicy

billing.accounts.list

billing.accounts.redeemPromotion

billing.credits.list

billing.resourceAssociations.create

(roles/billing.viewer)

View billing account cost and pricing information, transactions, and billing and commitment recommendations.

Lowest-level resources where you can grant this role:

  • Billing Account

billing.accounts.get

billing.accounts.getCarbonInformation

billing.accounts.getIamPolicy

billing.accounts.getPaymentInfo

billing.accounts.getPricing

billing.accounts.getSpendingInformation

billing.accounts.getUsageExportSpec

billing.accounts.list

billing.anomalies.get

billing.anomalies.list

billing.anomaliesConfigs.get

billing.billingAccountPrice.get

billing.billingAccountPrices.list

billing.billingAccountServices.*

  • billing.billingAccountServices.get
  • billing.billingAccountServices.list

billing.billingAccountSkuGroupSkus.*

  • billing.billingAccountSkuGroupSkus.get
  • billing.billingAccountSkuGroupSkus.list

billing.billingAccountSkuGroups.*

  • billing.billingAccountSkuGroups.get
  • billing.billingAccountSkuGroups.list

billing.billingAccountSkus.*

  • billing.billingAccountSkus.get
  • billing.billingAccountSkus.list

billing.budgets.get

billing.budgets.list

billing.credits.list

billing.finOpsBenchmarkInformation.get

billing.finOpsHealthInformation.get

billing.resourceAssociations.list

billing.subscriptions.get

billing.subscriptions.list

commerceoffercatalog.*

  • commerceoffercatalog.agreements.get
  • commerceoffercatalog.agreements.list
  • commerceoffercatalog.documents.get
  • commerceoffercatalog.documents.list
  • commerceoffercatalog.offers.get

consumerprocurement.accounts.get

consumerprocurement.accounts.list

consumerprocurement.consents.check

consumerprocurement.consents.list

consumerprocurement.orderAttributions.get

consumerprocurement.orderAttributions.list

consumerprocurement.orders.get

consumerprocurement.orders.list

dataprocessing.datasources.get

dataprocessing.datasources.list

dataprocessing.groupcontrols.get

dataprocessing.groupcontrols.list

recommender.commitmentUtilizationInsights.get

recommender.commitmentUtilizationInsights.list

recommender.costInsights.get

recommender.costInsights.list

recommender.costRecommendations.*

  • recommender.costRecommendations.listAll
  • recommender.costRecommendations.summarizeAll

recommender.spendBasedCommitmentInsights.get

recommender.spendBasedCommitmentInsights.list

recommender.spendBasedCommitmentRecommendations.get

recommender.spendBasedCommitmentRecommendations.list

recommender.spendBasedCommitmentRecommenderConfig.get

recommender.usageCommitmentRecommendations.get

recommender.usageCommitmentRecommendations.list

請注意,roles/billing.adminroles/billing.costsManagerroles/billing.viewerroles/billing.projectManager 角色也具備其他 Google Cloud 服務的權限。