Secure the link between a project and its billing account

This document describes how to lock or unlock the link between a project and a Cloud Billing account.

Why lock a project to its billing account?

To use Google Cloud resources in a project, billing must be enabled on the project. Billing is enabled when the project is linked to an active Cloud Billing account. Projects that aren't linked to an active Cloud Billing account can't use Google Cloud or Google Maps Platform services. To prevent unintentionally changing the billing account that pays for a project, or disabling billing on a project, secure the billing relationship of your project by locking the link between a project and its Cloud Billing account.

By securing the billing relationship of your project, you can protect against an outage to your normal business operations by preventing accidental or unintentional project shutdowns due to the lack of a billing account. When you lock the link between a project and its billing account, changes between the billing account and project can't be made until the relationship is unlocked. Locking creates an intentional, two-step process to change a project's billing status.

When you lock a project to its linked billing account, you can prevent the project from unintentionally being moved (linked) to a different billing account or the project link being deleted from the billing account, disabling billing. By locking the billing account and project relationship, changes between the billing account and project linkage can't be made until the relationship is unlocked.

Permissions required to lock the link

To perform the tasks needed to lock the link between a project and a Cloud Billing account, you need both project permissions and billing account permissions.

These predefined roles have adequate permissions to perform this task:

  • On the project: Project Billing Manager and Project Viewer or Project Owner

    AND

  • On the linked Cloud Billing account: Billing Account User and Billing Account Viewer or Billing Account Administrator

Specifically, to perform this task, you must have the following permissions.

Action Permission Roles with permission Resource
View projects and Cloud Billing account associations billing.resourceAssociations.list Billing Account Viewer, Billing Account Costs Manager, or Billing Account Administrator Billing account
AND
resourcemanager.projects.get Project Viewer, Project Editor, or Project Owner Project
Lock the link between a project and its Cloud Billing account billing.resourceAssociations.create Billing Account User or Billing Account Administrator Billing account
AND
resourcemanager.projects.createBillingAssignment Project Billing Manager or Project Owner Project

To lock the link between a billing account and project, complete the following steps:

  1. In the Billing section of the Google Cloud console, locate the project using one of the following methods:

    • View the list of projects linked to a specific billing account.

      1. In the Google Cloud console, go to the Account management page for the Cloud Billing account.

        Go to Account Management in Cloud Billing

      2. At the prompt, choose the Cloud Billing account you want to view.

      3. On the Account management page, from the list of projects, locate the project you want to lock.

    • View a list of all your projects and their associated Cloud Billing accounts.

      1. In the Google Cloud console, go to the My Projects page in the Billing section.

        Go to My Projects in Cloud Billing

      2. From the list of projects, locate the project you want to lock.

  2. In the project row, open the Actions menu () and then select Lock billing.

  3. On the confirmation screen, click Lock.

When successful, you see a confirmation message similar to The link between "Project Name" and "Billing Account Name" has been locked. A padlock icon displays next to each project that's locked to its linked Cloud Billing account.

After the relationship is locked, changes between the billing account and project can't be made until the relationship is unlocked.

If the link between a billing account and project is locked, you can't change or disable billing on the project until the relationship is unlocked. If you want to intentionally move (link) the project to a different billing account or delete the link to disable billing on the project, first unlock the link between the project and its billing account.

Permissions required to unlock the link

To perform the tasks needed to unlock the link between a project and a Cloud Billing account, you need both project permissions and billing account permissions.

These predefined roles have adequate permissions to perform this task:

  • On the project: Project Billing Manager and Project Viewer or Project Owner

    OR

  • On the linked Cloud Billing account: Billing Account Administrator

Specifically, to perform this task, you must have the following permissions.

Action Permission Roles with permission Resource
View projects and Cloud Billing account associations billing.resourceAssociations.list Billing Account Viewer, Billing Account Costs Manager, or Billing Account Administrator Billing account
AND
resourcemanager.projects.get Project Viewer, Project Editor, or Project Owner Project
Unlock the link between a project and its Cloud Billing account billing.resourceAssociations.delete Billing Account Administrator Billing account
OR
resourcemanager.projects.deleteBillingAssignment Project Billing Manager or Project Owner Project

To unlock the link between a billing account and project, complete the following steps:

  1. In the Billing section of the Google Cloud console, locate the project using one of the following methods:

    • View the list of projects linked to a specific billing account.

      1. In the Google Cloud console, go to the Account management page for the Cloud Billing account.

        Go to Account Management in Cloud Billing

      2. At the prompt, choose the Cloud Billing account you want to view.

      3. On the Account management page, from the list of projects, locate the project you want to unlock. Tip: A padlock icon displays next to each project that's locked to its linked Cloud Billing account.

    • View a list of all your projects and their associated Cloud Billing account.

      1. In the Google Cloud console, go to the My Projects page in the Billing section.

        Go to My Projects in Cloud Billing

      2. From the list of projects, locate the project you want to unlock. Tip: A padlock icon displays next to each project that's locked to its linked Cloud Billing account.

  2. In the project row, open the Actions menu () and then select Unlock billing.

  3. On the confirmation screen, click Unlock.

When successful, you see a confirmation message similar to The link between "Project Name" and "Billing Account Name" has been unlocked.

After the relationship is unlocked, changes between the billing account and project can be made. These changes include disabling billing on the project or linking the project to a different Cloud Billing account.