Guide to Cloud Billing Resource Organization & Access Management

This article is intended for domain and system administrators who want to set up a production-ready environment for use with Google Cloud Platform (GCP). The guide discusses best practices, design decisions, and configuration options that help make cost management easy so that you can focus on getting the most out of your cloud spend.

The goals of this guide are to:

  • Provide a conceptual overview of the various resources involved with billing.
  • Show you how to set up your Cloud Billing resources efficiently and for ease of management, to align your strategic priorities with cloud usage.
  • Help you avoid the most common billing-related issues faced by GCP customers.
  • Teach you about best practices when configuring resource access permissions to ensure redundancy and security.
  • Provide step-by-step instructions to help you set up your financial governance tools for greater clarity, accountability, and control.

If you are an enterprise developer already familiar with Google Cloud Platform and the services it offers, and are looking for guidance in launching your application, see the launch checklist documentation.

If you are just starting out with GCP and want to experiment with Cloud products and services, or create a proof of concept, see the Google Cloud Platform overview or start a free trial.

Before you Begin

Before working through the set-up guide, familiarize yourself with the GCP resources and billing concepts. Understanding the key concepts will help you with configuration decisions for your cloud.

Resource hierarchy and labels

Configure your resource hierarchy to allocate cloud costs to departments and teams to drive clear accountability and better understand the ROI of your cloud investments. Designed to accommodate companies of all sizes, this flexible hierarchy lets you structure and manage your account by organization, folder, project, and resource, aligning with your business needs.

Use resource labels to group together multiple resources for further granularity. For example, labels can be used to distinguish instances owned by different teams or cost centers.

The diagram below represents an example GCP resource hierarchy in complete form:

[Diagram: Resource Hierarchy]

An organization is the top of the hierarchy of resources. Within the organization, folders group projects, as well as other folders. Projects contain resources. Resources can be further categorized using labels. You can enforce granular permissions at different levels in the resource hierarchy to ensure that the right individuals have the ability to spend within GCP.

Cloud Billing accounts are linked to and pay for projects.

Hierarchy and Roles

How roles work: Google Cloud Platform offers Cloud Identity and Access Management (Cloud IAM) to manage access control to your GCP resources. Cloud IAM lets you control who (users) has what access (roles) to which resources by setting Cloud IAM policies. To assign permissions to a user, you use Cloud IAM policies to grant specific role(s) to a user. Roles have one or more permissions bundled within them, controlling user access to resources.

You can set a Cloud IAM policy at the organization level, the folder level, the project level, or (in some cases) the resource level. Resources inherit the policies of the parent node. If you set a policy at the Organization level, it is inherited by all its child folders and projects. If you set a policy at the project level, it is inherited by all its child resources.

Domain
The G Suite or Cloud Identity super administrators at the domain level are the first users who can access an organization after creation. Super admins can create Organizations (and any other resource), grant the Organization Admin role (or any other role) and recover accounts at the Domain level.
Organization
An organization (for example, a company) is the root node in the GCP resource hierarchy. The Organization resource is the hierarchical ancestor of project resources and Folders. The Cloud IAM access control policies applied on the Organization resource apply throughout the hierarchy on all resources in the organization.
Learn more about Organization roles.
Folders
Folder resources provide an additional grouping mechanism and isolation boundaries between projects. They can be seen as sub-organizations within the Organization. Folders can be used to model different legal entities, departments, and teams within a company. Folders can contain sub-folders and projects.
Learn more about Folder roles.
Projects
The project resource is the base-level organizing entity. Organizations and folders may contain multiple projects. A project is required to use Google Cloud Platform, and forms the basis for creating, enabling, and using all GCP services, managing APIs, enabling billing, adding and removing collaborators, and managing permissions.
Learn more about Project roles.
Cloud Billing Account
Cloud Billing Accounts are linked to and pay for Projects. Cloud Billing accounts are connected to a Google Payments Profile.
Learn more about Cloud Billing roles.
Payments Profile
Payments Profiles are managed outside of your Cloud Organization, in the Google Payments Center, a single location where you can manage the ways you pay for all Google products and services, such as Google Ads, Google Cloud, and Fi phone service. Payments Profiles are connected to Cloud Billing accounts.
Learn more about Payments Profile user permissions.

Set-up Guide

Each section in the set-up guide provides information about decision points, offers best-practice recommendations, describes important roles, and provides a configuration checklist. Information about potential issues is also provided, with the ultimate goal of helping you configure your GCP resources so that they are optimized for your billing needs. The guidelines help to ensure your setup is best protected against the most common access and billing issues faced by GCP customers.

The set-up guide contains the following sections:


Identity and Organizations

Identity is used for authentication and access management of your users to GCP resources. An Organization is the top of the hierarchy of resources. All resources that belong to an Organization are grouped under the Organization node, which provides insight into and access control over every resource in the Organization.

Best Practice: Configure an Organization

GCP users are not required to have an Organization resource. However, if you need to manage more than one user account, we strongly recommend configuring an Organization. The Organization resource provides many benefits, including Cloud IAM policy inheritance and resource access recovery.

For more information, see Creating and Managing Organizations.

Key Decision: Cloud Identity and G Suite

For user authentication and identity, should you use Cloud Identity or G Suite?

The Organization resource is closely associated with a G Suite or Cloud Identity account. A user acquires an Organization resource only if they are also a G Suite or Cloud Identity customer. Each G Suite or Cloud Identity account may have exactly one Organization provisioned with it. Once an Organization resource is created for a domain, all GCP projects created by members of the account domain will, by default, belong to the Organization resource.

Google Cloud Platform uses Google Accounts for authentication and access management. Google recommends using fully managed corporate Google accounts for increased visibility, auditing, and control over access to Google Cloud Platform resources.
Cloud Identity
Cloud Identity provides free, managed Google Accounts you can use with Google services including Google Cloud Platform. Using Cloud Identity accounts for each of your users, you can manage all users across your entire domain from the Google Admin console.

Use case: You do not need G Suite features like Drive or Gmail and only need the account management features offered by integrating your domain.

Recommend: Obtain an Organization for free by using Cloud Identity.

G Suite
If you're a G Suite administrator, you can manage all of your users and settings through the G Suite Admin Console. By default, all new users are assigned a G Suite license. If you have a subset of developers who don't require G Suite licenses, you can add Cloud Identity accounts instead.

Use case: You want to take advantage of G Suite features like Drive or Gmail in addition to the account management features of G Suite.

Recommend: Obtain an Organization by signing up for G Suite.

For more information, see Getting an Organization resource and Get started with Cloud Identity.

Important Roles

Domain Super Admin
The Super Admin can grant the Organization Admin role (or any other role) and recover accounts at the Domain level.
Who?
The Super Admin is usually someone who manages access at a high level, like a Domain Administrator.
Learn more about G Suite administrator roles and Cloud Identity admin roles.
Role: Organization Admin
The Organization Admin can administer any resource and grant any role within the Organization.
Who?
The Organization Admin is usually someone who manages access control, like an IT Administrator.
Learn more about Organization roles.

Checklist

1. Create the Resource
Obtain an Organization following the information in this Quickstart.
2. Configure Access
Set up more than one Super Admin and ensure other project owners, administrators, and employees know who they are, so they can reach out in case of account access issues or if there is a need to delegate another Organization Admin.
Set up multiple Organization Administrators who will be responsible for defining Cloud IAM policies and delegating responsibility for resources throughout your organization, like Cloud Billing and Project management.
Grant Cloud IAM roles at the Organization level that you want everyone to use, while keeping in mind the security principle of least privilege.
3. Configure the Resource
Migrate your Projects and Billing Accounts into your Organization.

Once migrated, if an owner of a project or billing account loses access to their account or leaves the company, ownership of the project or billing account can be recovered by the Organization Admin.
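
The policy inheritance described under Hierarchy and Roles, together with two items from the checklist above (more than one Organization Admin, least privilege for Organization-level grants), as an added example that is not part of the original guide. The hierarchy, the policies and every principal are constructed placeholders; the policy layout is the standard `bindings` list of role and members.

```python
"""Added example: Cloud IAM policy inheritance and two checklist audits."""

ORG_ADMIN = "roles/resourcemanager.organizationAdmin"
BROAD_ROLES = {"roles/owner", "roles/editor"}

# Constructed hierarchy: resource -> parent (None marks the Organization root).
PARENT = {
    "organizations/example-org": None,
    "folders/engineering": "organizations/example-org",
    "projects/shop-prod": "folders/engineering",
    "projects/shop-dev": "folders/engineering",
}

# Constructed policies in the {"bindings": [{"role", "members"}]} policy shape.
POLICIES = {
    "organizations/example-org": {"bindings": [
        {"role": ORG_ADMIN, "members": ["user:it-admin@example.com"]},
        {"role": "roles/billing.user",
         "members": ["group:project-creators@example.com"]},
        {"role": "roles/owner", "members": ["user:cto@example.com"]},
    ]},
    "folders/engineering": {"bindings": [
        {"role": "roles/resourcemanager.folderAdmin",
         "members": ["user:eng-lead@example.com"]},
    ]},
    "projects/shop-prod": {"bindings": [
        {"role": "roles/owner", "members": ["user:dev1@example.com"]},
    ]},
}


def ancestry(resource):
    """Return the resource followed by each ancestor up to the Organization."""
    chain = []
    while resource is not None:
        chain.append(resource)
        resource = PARENT[resource]
    return chain


def effective_bindings(resource):
    """Merge the resource's own bindings with those inherited from ancestors.

    Returns {role: {member: node_where_granted}}. Grants are additive, so the
    result is a union; the recorded node is the nearest one that grants it.
    """
    result = {}
    for node in ancestry(resource):
        for binding in POLICIES.get(node, {}).get("bindings", []):
            holders = result.setdefault(binding["role"], {})
            for member in binding["members"]:
                holders.setdefault(member, node)
    return result


def audit(org):
    """Flag a lone Organization Admin and broad roles set above project level."""
    findings = []
    org_bindings = POLICIES.get(org, {}).get("bindings", [])
    admins = {m for b in org_bindings if b["role"] == ORG_ADMIN
              for m in b["members"]}
    if len(admins) < 2:
        findings.append({"check": "org-admin-redundancy", "resource": org,
                         "members": sorted(admins)})
    projects = [r for r in PARENT if r.startswith("projects/")]
    for node, policy in POLICIES.items():
        if node.startswith("projects/"):
            continue
        for b in policy["bindings"]:
            if b["role"] in BROAD_ROLES:
                findings.append({
                    "check": "broad-role-inherited", "resource": node,
                    "role": b["role"], "members": sorted(b["members"]),
                    "reaches": sorted(p for p in projects
                                      if node in ancestry(p))})
    return findings


if __name__ == "__main__":
    for role, holders in sorted(effective_bindings("projects/shop-dev").items()):
        print(role, holders)
    for finding in audit("organizations/example-org"):
        print(finding)
```

Note that `projects/shop-dev` has no policy of its own, yet it ends up with four roles, all inherited from the folder and the Organization.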


Cloud Billing Accounts

A billing account is used to define who pays for a given set of resources. A billing account includes a payment instrument, to which costs are charged, and access control that is established by Cloud Identity and Access Management roles.

A billing account can be linked to one or more projects. Project usage is charged to the linked billing account. Projects that are not linked to a billing account cannot use GCP services that aren't free.

Key Decision: One Billing Account or Multiple Billing Accounts?

We recommend the creation of one central Cloud Billing account that lives in your Organization. For most customers, additional billing accounts create unneeded overhead and are more difficult to track and manage. Multiple billing accounts also might not behave in the way you expect with Committed Use Discounts, or might cause issues with any promotional credits.

You may need multiple Cloud Billing accounts if you have any of these requirements:

  • You need to split charges for legal or accounting reasons.
  • You need to pay in multiple currencies.

Key Decision: Pay with Credit / Debit Card or Use Invoiced Billing?

When you first set up a Cloud Billing account using the Google Cloud Platform Console, by default, you are creating an online billing account, connected to a credit or debit card as the payment instrument.

If you have a dedicated Finance/Accounting team, or if you anticipate a large amount of spend when you first start on GCP, you may be better off using invoiced billing. To learn if your organization is eligible for invoiced billing, contact Cloud Billing Support. You must be a billing administrator of your organization's current billing account to apply.

Important Roles

Role: Billing Account Admin
The Billing Account Admin can enable Billing Export, view cost/spend, set budgets and alerts, and link/unlink projects.
Who?
The Billing Admin in your organization may be someone more finance-minded.
Role: Billing User
Billing Users can link Projects to billing accounts, but cannot unlink them. This role is usually granted broadly in concert with the Project Creator role.
Who?
Trusted Project Creators in your Organization typically need this role.
Learn more about Billing roles.

Checklist

1. Create the Resource
Create or Identify your main Billing Account that you want to use. If you have an invoiced account, this step is already done for you.
2. Configure Access
Grant access to view Billing Reports to people in finance and other departments and roles where users need to track spend or need to review cost anomalies.
Assign multiple Billing Account Administrators to each Billing Account – you might also consider using Organization-level permissions.
3. Configure the Resource
Consolidate multiple Billing Accounts into your main Billing Account(s).
  1. First identify your main Billing Account(s) and the projects you want to link to those billing accounts. Learn how to view projects linked to a billing account.
  2. Link or move existing projects onto your main Billing Account(s).
Settle and close any other billing accounts that you no longer intend to use to avoid potential issues in the future.
  1. View your old Billing Accounts to verify that they no longer have any linked projects.
  2. After moving all your projects onto your main Billing Account(s), wait two days for the charges to stop on your old Billing Accounts.
  3. After two days, settle any existing balances on the old billing accounts, and then close the old Billing Accounts.
Set up budget alerts with multiple alert thresholds to reduce spending surprises and unexpected cost overruns.
Set up automatic exports of billing data to use for monitoring and analyzing costs. Two data export options are available:

Projects, Folders, and Labels

Projects, folders, and labels help you create logical groupings of resources that support your management and cost attribution requirements.

Projects are:

  • the base-level organizing entity in GCP – all lower-level resources are parented by projects;
  • required to use resources (such as Compute Engine virtual machines (VMs), Cloud Pub/Sub topics, Cloud Storage buckets, and so on);
  • used to form the basis for enabling services, APIs, and Cloud IAM permissions.

Folders are:

  • a grouping mechanism for projects and can contain both projects and other folders;
  • used to group resources that share common Cloud IAM policies;
  • mapped under an Organization node (so you must have an Organization node to use folders).

Labels are:

  • used to categorize your Google Cloud Platform resources (such as Compute Engine instances);
  • key-value pairs you attach to resources, allowing you to filter resources based on their labels;
  • forwarded to the billing system so you can analyze your charges by label.

Key Decision: Folders and Projects Strategy

Projects are required. Folders are optional, but recommended.

Why use projects? Projects are required to use resources, such as Compute Engine and Cloud Storage. You may need to create multiple projects, depending on the number of products or services you are running on GCP. You'll want to define a meaningful naming strategy for your projects so you can easily identify them. For more details about projects, see Creating and Managing Projects.

Why use folders? You may want to group your resources together logically using folders, depending on the number of people and teams you have who will be using GCP, and the number of products and services you’ll be running on GCP. For example, you could set up separate folders for development, staging, and production projects for a service. Or, you might choose to spread the projects and services across folders that reflect different environments. You could use folders to organize your projects by departments within your company. One benefit of using folders is you can enforce different Cloud IAM policies on each folder. For more details about using folders, see Creating and Managing Folders.

Why use labels? Depending on your cost tracking requirements, you might want to apply labels to resources to identify them by what they are, what they do, or what team they are related to. For example, you might label all of your Compute Engine instances that are HTTP servers, or label all of the components that are related to your database service. For more details about using labels, see Creating and Managing Labels.

Important Roles

Role: Project Creator
The Project Creator role allows for the creation of Projects and inherently allows resources to be spun up on GCP and incur usage.
Who?
Project Creators in your organization might be team leads or service accounts (for automation).
Learn more about Project roles.
Role: Folder Administrator
The Folder Administrator can create and edit the Cloud IAM policy of folders. They decide how roles are inherited by Projects in the folders.
Who?
The Folder Administrator manages finer access control, and is typically a department head or team manager.
Learn more about Folder roles.

Checklist

1. Create the Resource
Create Projects to group resources together that share a common goal, theme, or purpose. If a product or service needs to use multiple GCP resources, like Compute and Storage, use Projects to group them together.
Name Projects meaningfully. Decide on a strategy for naming your projects. For example, you could name your project to reflect the service and the collection of resources it contains, such as productname-prod. The project name is a human-readable way to identify your projects. The project ID is generated from the project name you enter when you create the project in the GCP Console.
Set up folders to mirror the way you work in your organization and on your infrastructure.
2. Configure Access
Use Folders to silo Cloud IAM permissions per team, products, services, or environments.
Set project-level Cloud IAM permissions as needed (if you are not using folders or need another level of granularity).
3. Configure the Resource
Use Labels to further categorize your resources. You can use labels to tag resources cross-Project and cross-Folder. Each resource can be tagged with multiple labels. Information about labels is forwarded to the billing system and picked up in Billing Export so they are useful in cost reporting and analysis.
Decide whether or not you’ll be purchasing Committed Use Discounts (CUDs) for your Projects and understand how Sustained Use Discounts (SUDs) apply to your Compute Engine resources and bills.

Payments Profiles and Accounts

IMPORTANT: Google Cloud Platform is integrated into the Google Payments Center, a single location where you can manage the ways you pay for all Google products and services, such as Google Ads, Google Cloud, and Fi phone service. Cloud Billing accounts are connected to a Google Payments Profile. Payments Profiles are managed outside of your Cloud Organization, and thus Cloud IAM roles do not apply. Your business is represented by a Payments Profile, and you pay for services using the payment methods that are attached to that Profile. For Payments Profiles, you can add and remove users or change permissions in Google Payments Center.

Your Google payments profile stores information like:

  • Name, address, and tax ID (when required legally) of who is responsible for the profile;
  • Credit cards, debit cards, bank accounts, and other payment methods you’ve used to buy through Google in the past.

Key Decision: Use One or Multiple Payments Profiles?

Similar to billing accounts, for administrative purposes, fewer payments profiles are generally recommended. For most customers, creating additional payments profiles adds more overhead and exposure to potential issues.

You might want to create multiple payment profiles if:

  • You want to have separate personal and business profiles tied to your Google Account.
  • You want to manage profiles for more than one business or organization.
  • You want to have profiles in multiple countries. (You may have to create a new profile when changing countries.)

Your Cloud Billing accounts should all link back to the appropriate Google Payments Profile.

Important Roles

Payments Profile Admin
The Payments Profile Admin can view and manage payment methods, make payments, view invoices, and see Payments Accounts.
Who?
The Payments Profile Admins in your organization are typically part of your Finance or Accounting teams.
Learn more about Payments Profile user permissions.

Checklist

1. Create the Resource
Create a Business Payments Profile for use with GCP. If you have an Invoiced Billing Account created for you, this step is already done for you. If you are setting up a Billing Account online, creating a Payments Profile is part of that process.
2. Configure Access
Assign more than one Payments Profile Administrator to be in charge of editing information like addresses, payment methods, tax information, and other account settings.
For invoiced billing, assign multiple invoice delivery addresses, both for email delivery and for paper invoice delivery, to ensure that you are always aware of when a new invoice has been sent out.
For electronic notifications and monthly statements, add users and set their email preferences to receive documents and notices.
3. Configure the Resource
Regularly review the information on your payments profile to ensure it is up to date, especially physical and email addresses, payments users, and payment instruments.
If not on invoiced billing:
For invoiced billing:
  • Each month, review your invoice carefully, and look for anomalies and unexpected changes.
  • Regularly check for any unapplied credits and payments to ensure that your monthly payments and credits are correctly applied to your invoices. For help, reach out to our collections team to apply any unmatched credits you might have.

Key Concepts: Billing Export, Billing Reports, and Invoices

Your usage is reported from your Projects to your Billing Accounts and your usage data is made available to you in a variety of ways, all of which can be used to help you understand the full picture of your spend.

  • Your invoice tells you what you owe.
  • Billing reports tell you why and where your costs came from.

Recommendation: To answer cost questions, look at billing reports first.

Billing Export outputs your daily usage estimates to a dataset or file you specify. You can use it to run analysis on your usage data. Billing Export to BigQuery includes an invoice.month field so you can match your exported data to your invoices.

  • It is possible that late-reported usage may cause your data to not map directly to your invoice; that is, some product usage at the very end of a month may be charged to the next month’s invoice.
  • Note that exported billing data does not include any tax accrued or credits issued to a billing account.
  • Tip: Use Data Studio to visualize your spend over time.
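
A worked illustration of the points above, added here and not taken from the original guide: it totals exported cost per invoice month and label value, surfaces unlabeled spend, and picks out late-reported usage that bills to the following month. The rows are constructed; their field names (`invoice.month`, `labels` as key/value pairs, `project.id`, `usage_start_time`, `cost`) follow the Billing Export to BigQuery schema, and the helper names are hypothetical.

```python
"""Added example: cost attribution over constructed Billing Export rows."""
from collections import defaultdict
from decimal import Decimal

UNLABELED = "(unlabeled)"

# Constructed sample rows shaped like Billing Export to BigQuery records.
ROWS = [
    {"project": {"id": "shop-prod"}, "usage_start_time": "2019-01-30T10:00:00Z",
     "invoice": {"month": "201901"}, "cost": "12.50",
     "labels": [{"key": "team", "value": "web"}]},
    # Usage at the very end of January that is charged to February's invoice.
    {"project": {"id": "shop-prod"}, "usage_start_time": "2019-01-31T23:00:00Z",
     "invoice": {"month": "201902"}, "cost": "3.25",
     "labels": [{"key": "team", "value": "web"}]},
    {"project": {"id": "shop-dev"}, "usage_start_time": "2019-02-02T08:00:00Z",
     "invoice": {"month": "201902"}, "cost": "4.00", "labels": []},
    {"project": {"id": "shop-prod"}, "usage_start_time": "2019-02-03T08:00:00Z",
     "invoice": {"month": "201902"}, "cost": "7.75",
     "labels": [{"key": "team", "value": "db"}]},
]


def label_value(row, key):
    """Return the value of label `key` on a row, or UNLABELED if absent."""
    for label in row.get("labels", []):
        if label["key"] == key:
            return label["value"]
    return UNLABELED


def cost_by_invoice_month_and_label(rows, key):
    """Sum cost per (invoice.month, label value) so totals line up with invoices."""
    totals = defaultdict(Decimal)
    for row in rows:
        bucket = (row["invoice"]["month"], label_value(row, key))
        totals[bucket] += Decimal(row["cost"])
    return dict(totals)


def late_reported(rows):
    """Rows whose usage month differs from the invoice month they bill to.

    Simplification: compares the calendar month in the timestamp string and
    ignores time zones.
    """
    late = []
    for row in rows:
        stamp = row["usage_start_time"]
        usage_month = stamp[:4] + stamp[5:7]
        if usage_month != row["invoice"]["month"]:
            late.append(row)
    return late


if __name__ == "__main__":
    for bucket, cost in sorted(cost_by_invoice_month_and_label(ROWS, "team").items()):
        print(bucket, cost)
    for row in late_reported(ROWS):
        print("late:", row["project"]["id"], row["usage_start_time"], row["cost"])
```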

Billing Reports uses the same data that Billing Export uses, and displays an interactive chart that plots usage costs for all projects linked to a billing account. Use billing reports to get an at-a-glance overview of your usage costs and discover and analyze trends.

  • You access billing reports in the Google Cloud Platform Console.
  • If you have multiple billing accounts, the billing report displays usage costs for one billing account at a time, not aggregated across all billing accounts.
  • Depending on your level of access, your view of usage costs may be limited to viewing the costs of certain projects, rather than all of the projects linked to a billing account.

Invoices represent the canonical amount you are billed for each month and provide an exact breakdown of what usage you were billed for. Review your invoice PDF or CSV line items each month and review the payments center for credit memos and invoice payments history.


Learn More

Cloud OnAir: Getting Started with GCP Cost Management

To maximize the move to cloud, organizations need a clear understanding of their cloud costs. During this webinar, we’ll share best practices for how to get started with managing your GCP costs and usage. We’ll demo how to set up billing accounts, organizations, projects, basic permissions, and budgets. We’ll also introduce Billing reports to help you understand your current cost trends and forecast your spend at month-end so that you can prevent budget overruns.

Managing Costs in GCP: How to Structure Your Resources (Cloud Next '18)

How much do all of my frontend servers cost? How many resources are used in my staging environment? How do I understand and optimize my spending across departments? GCP tools such as organizations, folders, projects, and labels help you create logical groupings of resources that support your management and cost attribution requirements at scale. In this session, we will show you how to use these tools to take control of your costs, whether you’re a solo developer or a multinational corporation.

Controlling Cloud Costs with GCP Financial Governance (Cloud Next '18)

With businesses increasingly making the shift from on-premises to cloud, it’s more important than ever to put financial governance policies in place to control cloud costs. During this session, we’ll cover how financial governance controls (quotas, permissions, and budgets) help prevent unexpected cost overruns. In addition, the Broad Institute will demo how to use programmatic notifications to take automated actions to control and cap your cloud usage and costs.

Diving into Your Billing Data with BigQuery and DataStudio (Cloud Next '18)

Many large organizations build custom dashboards and reporting around their cloud usage to track that usage across teams and applications, and to understand cost drivers. In this session, the Billing team and Vendasta will show you how to export your detailed billing data to BigQuery, write useful queries around that data, and create custom dashboards based on those queries in Data Studio.

Monitoring and Forecasting Your GCP Costs (Cloud Next '18)

Managing your GCP usage and cost trends can be easier than you think. In this session, we’ll help you understand how to view graphs of your GCP costs, set up custom reports and budgets, forecast your end-of-month-bill and set up alerts if you are likely to exceed your budget.

Saving More Money on Google Compute Engine (Cloud Next '18)

In the time since Next '17's "Saving Money on Compute Engine," a lot has changed, but customers like you are still looking to control costs and get the most capability out of every cloud dollar. In this talk, we'll review all the latest products and techniques for optimizing your usage to get the most compute for the lowest bill.
