Cloud Billing API Access Control

Google Cloud Platform offers Identity and Access Management (IAM), which lets you give more granular access to specific Google Cloud Platform resources and prevents unwanted access to other resources. IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.

IAM lets you control who (users) has what access (roles) to which resources by setting IAM policies. An IAM policy grants one or more roles to a user, and each role carries the permissions the user receives.

This page explains the Identity and Access Management (IAM) roles that are available for Google Cloud Billing API. For example, you can use IAM to grant roles such as Admin, User, and Project Manager for a billing account. For a detailed description of IAM and its features, see the Google Cloud Identity and Access Management developer's guide. In particular, see its Granting, Changing, and Revoking Access section.

Permissions and Roles

For a user to view billing account details in the Google Cloud Platform console, or for a Google Cloud Billing API method to return billing account information, the user or caller must have the necessary permissions. The following tables list the permissions and roles Google Cloud Billing API IAM supports.

Required Permissions

The following table lists the permissions that the caller must have to call each method:

| Method | Required Permission(s) |
| --- | --- |
| billingAccounts.get | billing.accounts.get on a billing account. |
| billingAccounts.list | None. This method returns all accounts that the caller has permission to access. |
| billingAccounts.projects.list | billing.resourceAssociations.list on a billing account. |
| projects.getBillingInfo | resourcemanager.projects.get on the project. For more information, see Access Control for Projects. |
| projects.updateBillingInfo | billing.resourceAssociations.create and resourcemanager.projects.createBillingAssignment on the billing account. |

Roles

You don't directly give users permissions; instead, you grant them roles, which have one or more permissions bundled within them.

You can grant one or more roles on the same resource.

The following table lists the roles that you can grant to access the Cloud Billing API, the permissions bundled within each role, and the resource type each permission applies to.

| Role | Includes Permission(s): | For Resource Type: |
| --- | --- | --- |
| roles/billing.projectManager | resourcemanager.projects.createBillingAssignment. Applies to Organizations only. For information about Organizations, see Creating and Managing Organizations. Note also that the current authenticated user must have permissions on both the project and on the billing account. For more information about permissions, see Configuring permissions on Google Cloud Platform. | Organization |
| | resourcemanager.projects.deleteBillingAssignment. Applies to Organizations only. For information about Organizations, see Creating and Managing Organizations. The current authenticated user must have permissions on either the project or on the billing account. For more information about permissions, see Configuring permissions on Google Cloud Platform. | Billing Account |
| roles/billing.user | billing.accounts.get | Billing Account |
| | billing.accounts.getIamPolicy | Billing Account |
| | billing.accounts.list | Billing Account |
| | billing.accounts.redeemPromotion | Billing Account |
| | billing.resourceAssociations.create | Billing Account |
| roles/billing.admin | All of the above permissions for Project Manager and User, as well as: | |
| | billing.accounts.close | Billing Account |
| | billing.accounts.getPaymentInfo | Billing Account |
| | billing.accounts.getSpendingInformation | Billing Account |
| | billing.accounts.getUsageExportSpec | Billing Account |
| | billing.accounts.manageBillableUsageExport | Billing Account |
| | billing.accounts.move | Billing Account |
| | billing.accounts.removeFromOrganization | Billing Account |
| | billing.accounts.reopen | Billing Account |
| | billing.accounts.setIamPolicy | Billing Account |
| | billing.accounts.update | Billing Account |
| | billing.accounts.updatePaymentInfo | Billing Account |
| | billing.accounts.updateUsageExportSpec | Billing Account |
| | billing.budgets.create | Billing Account |
| | billing.budgets.delete | Billing Account |
| | billing.budgets.get | Billing Account |
| | billing.budgets.list | Billing Account |
| | billing.budgets.update | Billing Account |
| | billing.credits.list | Billing Account |
| | billing.projectAssociations.create. Applies to Organizations only. For information about Organizations, see Creating and Managing Organizations. Note also that the current authenticated user must have permissions on both the project and on the billing account. For more information about permissions, see Configuring permissions on Google Cloud Platform. | Billing Account |
| | billing.projectAssociations.delete. Applies to Organizations only. For information about Organizations, see Creating and Managing Organizations. The current authenticated user must have permissions on either the project or on the billing account. For more information about permissions, see Configuring permissions on Google Cloud Platform. | Billing Account |
| | billing.resourceAssociations.delete | Billing Account |
| | billing.resourceAssociations.list | Billing Account |
| | cloudnotifications.activities.list. Applies to Cloud Notifications. For more information, see Email and Mobile Notifications. | Billing Account |
| | logging.logEntries.list. Applies to Stackdriver Logging. For more information, see Stackdriver Access Control. | Billing Account |
| | logging.logs.list. Applies to Stackdriver Logging. For more information, see Stackdriver Access Control. | Billing Account |

Note that the roles roles/billing.user, roles/billing.projectManager, and roles/billing.admin include permissions for other Google Cloud Platform services as well.
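To see how the Required Permissions table and the Roles table combine for a given caller, the following Python model is an added example (not Google's code or API): it transcribes the page's two tables into sets and answers two least-privilege questions, which permissions a caller holding given billing roles still lacks for a method, and which smallest role combinations cover a method. The role contents and method requirements are taken from the tables above; everything else is constructed for illustration.

```python
from itertools import combinations
# Constructed model of the two tables on this page (an added example, not Google's
# IAM implementation). Required permissions per Cloud Billing API method:
REQUIRED = {
    "billingAccounts.get": {"billing.accounts.get"},
    "billingAccounts.list": set(),  # no permission needed; results are filtered per caller
    "billingAccounts.projects.list": {"billing.resourceAssociations.list"},
    "projects.getBillingInfo": {"resourcemanager.projects.get"},  # granted on the project
    "projects.updateBillingInfo": {"billing.resourceAssociations.create",
                                   "resourcemanager.projects.createBillingAssignment"},
}
# Permissions bundled in each role, transcribed from the Roles table.
PROJECT_MANAGER = {"resourcemanager.projects.createBillingAssignment",
                   "resourcemanager.projects.deleteBillingAssignment"}
USER = {"billing.accounts.get", "billing.accounts.getIamPolicy", "billing.accounts.list",
        "billing.accounts.redeemPromotion", "billing.resourceAssociations.create"}
ADMIN_ONLY = {
    "billing.accounts.close", "billing.accounts.getPaymentInfo", "billing.accounts.getSpendingInformation",
    "billing.accounts.getUsageExportSpec", "billing.accounts.manageBillableUsageExport",
    "billing.accounts.move", "billing.accounts.removeFromOrganization", "billing.accounts.reopen",
    "billing.accounts.setIamPolicy", "billing.accounts.update", "billing.accounts.updatePaymentInfo",
    "billing.accounts.updateUsageExportSpec", "billing.budgets.create", "billing.budgets.delete",
    "billing.budgets.get", "billing.budgets.list", "billing.budgets.update", "billing.credits.list",
    "billing.projectAssociations.create", "billing.projectAssociations.delete",
    "billing.resourceAssociations.delete", "billing.resourceAssociations.list",
    "cloudnotifications.activities.list", "logging.logEntries.list", "logging.logs.list",
}
ROLES = {
    "roles/billing.projectManager": PROJECT_MANAGER,
    "roles/billing.user": USER,
    "roles/billing.admin": PROJECT_MANAGER | USER | ADMIN_ONLY,  # "all of the above" plus its own
}

def effective_permissions(granted_roles):
    """Union of the permissions carried by the roles granted on the billing account."""
    return set().union(*(ROLES[r] for r in granted_roles))

def missing_permissions(method, granted_roles):
    """Permissions the caller still lacks for `method`; an empty set means the call is allowed."""
    return REQUIRED[method] - effective_permissions(granted_roles)

def minimal_role_sets(method):
    """Smallest billing-role combinations covering `method`; empty list means none suffices."""
    found = []
    for size in range(len(ROLES) + 1):
        for combo in combinations(sorted(ROLES), size):
            if not missing_permissions(method, combo) and not any(f <= set(combo) for f in found):
                found.append(frozenset(combo))
    return found
```

Running minimal_role_sets("projects.updateBillingInfo") shows that roles/billing.user alone cannot link a project to a billing account; the caller also needs roles/billing.projectManager, or roles/billing.admin instead. For projects.getBillingInfo the result is empty, because resourcemanager.projects.get is granted on the project rather than on the billing account.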
