Manage access to Cloud Billing accounts

This document describes how to configure access permissions for Cloud Billing accounts.

A Cloud Billing account is set up in Google Cloud and defines who pays for a given set of Google Cloud resources and Google Maps Platform APIs. A Cloud Billing account is connected to a Google payments profile. Access permissions for Cloud Billing and Google payments are configured in two different systems depending on what type of access you want to provide.

If you need to configure access permissions for a Google payments profile, see Manage Google payments users, permissions, and notification settings.

Cloud Billing account user permissions

Each Cloud Billing account needs at least one Billing Account Administrator. By default, the person who creates the Cloud Billing account is a Billing Account Administrator for that billing account. For redundancy, we recommend that you configure more than one administrator on each Cloud Billing account.

You can grant different levels of access to billing accounts to your users, depending on what they need to do (for example, track spend, review cost anomalies, manage budgets, optimize costs, or review and pay invoices).

You don't directly give users permissions; instead, you grant them roles, which have one or more permissions bundled within them. You can grant one or more roles on the same resource.

If you have an organization associated with your Google Cloud account, you can grant or limit access to Cloud Billing by setting an IAM policy at the organization level. You can also set Cloud Billing IAM policy on the Cloud Billing account level or limit billing access to a folder or project level.

Before you begin

Familiarize yourself with the roles and permissions available in Cloud Billing.

Permissions required for this task

To manage user permissions on a Cloud Billing account, you need a role that includes the following permissions on your Cloud Billing account:

To gain this permission using a predefined role, ask your administrator to grant you the following role on the Cloud Billing account:

Update user permissions for a Cloud Billing account

To review, add, or remove Cloud Billing permissions:

  1. Sign in to the Manage billing accounts page in the Google Cloud console.

    Sign in to Manage billing accounts

  2. Select the row of a Cloud Billing account to view the principals and permissions for the billing account in the info panel. If the panel isn't already visible, click Show info panel to open it.

Alternatively, you can access a Cloud Billing account's permissions on its Account management page:

  1. In the Google Cloud console, go to the Account management page for the Cloud Billing account.

    Go to Account management in Cloud Billing

  2. At the prompt, choose the Cloud Billing account that you want to view.

  3. In the Info panel, review and edit the Principals and Permissions for the selected Cloud Billing account. If the panel isn't already visible, click Show info panel to open it.

The Permissions panel is organized by role, along with the number of principals that have each role. For example, in your permissions panel, you might see

  • Billing Account Administrator (2 principals)
  • Billing Account User (6 principals)
  • Billing Account Viewer (10 principals)

You can grant multiple roles to the same principal.

To view the list of principals assigned to a role, expand the role node.

To find a specific principal and see which roles are granted to that principal, use the Filter and enter the email address of the principal.

To update Cloud Billing permissions, in the Permissions panel, do any of the following:

  • To add new principals and assign permissions:

    1. Click Add principal.
    2. In the New principals field, enter one or more email addresses for the principals you want to add. You can add individuals, service accounts, or Google Groups as principals.
    3. Select a permission for the principals from Select a role.
    4. If needed, you can Add another role to grant additional permissions to the principals.
    5. When done, click Save.
  • To edit a principal's billing permissions:

    1. Use the Filter to locate a specific principal or role.
    2. In the list, locate the principal you want to edit.
    3. In the principal's row, click Edit .

      The Edit permissions panel opens, specific to the selected principal and resource (Cloud Billing account) that you're viewing.

    4. In the Edit permissions panel, add, edit, and delete roles for the selected principal and resource.

    5. When done, click Save.

  • To revoke a role from a principal:

    1. Use the Filter to locate a specific principal or role.
    2. In the list, locate the principal whose role you want to revoke.
    3. In the principal's row, click Delete .
    4. Confirm your action.

Google payments user permissions

Each Google payments account needs at least one Admin with all permissions, and one Primary Contact (the person Google will contact with any payments-related alerts or questions). By default, the person who creates the Google payments account is both the Admin with all permissions, and the Primary Contact. For redundancy, we recommend that you set more than one Google payments administrator.

You can add users to any Google payments business profile you manage, and grant different levels of access to your users depending on what they need to do (for example, manage payment methods or payments profile details). You can also configure user email preferences for receiving billing and payments emails.

For more information, see Manage Google payments users, permissions, and notification settings.

Try it for yourself

If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

Get started for free