Access Control for Cloud Billing APIs

Google Cloud offers Cloud Identity and Access Management (Cloud IAM), which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. Cloud IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.

Cloud IAM lets you control who (users) has what access (roles) to which resources by setting Cloud IAM policies. A Cloud IAM policy binds one or more roles to a user, and each role carries the set of permissions that the user receives on that resource.

This page explains the Cloud Identity and Access Management roles that are available for the Cloud Billing APIs. For example, you can use Cloud IAM to grant roles such as Admin, User, and Project Manager for a Cloud Billing Account. For a detailed description of Cloud IAM and its features, see the Cloud Identity and Access Management developer's guide. In particular, see its Granting, Changing, and Revoking Access section.

Permissions and Roles

For a user to view billing account details in the Google Cloud Console, or for a Cloud Billing API method to return billing account information, the user or caller must have the necessary permissions. The following tables list the Cloud IAM permissions and roles needed for each of the Cloud Billing APIs.

Required permissions for the Cloud Billing Account API

The following table lists the permissions that the caller must have to call each Cloud Billing Account API method:

API method: billingAccounts.create
  Required permission: billing.accounts.update on the master billing account under which the subaccount is created
  Granted by: Billing Admin

API method: billingAccounts.get
  Required permission: billing.accounts.get on the billing account
  Granted by: Billing Admin or Billing Viewer

API method: billingAccounts.list
  Required permission: none; the method returns only the accounts the caller has permission to access
  Granted by: Billing Admin, Billing Viewer, Billing User, or Project Billing Manager

API method: billingAccounts.getIamPolicy
  Required permission: billing.accounts.getIamPolicy on the billing account
  Granted by: Billing Admin or Billing Viewer

API method: billingAccounts.setIamPolicy
  Required permission: billing.accounts.setIamPolicy on the billing account
  Granted by: Billing Admin

API method: billingAccounts.testIamPermissions
  Required permission: none; the method reports which permissions the caller holds on a billing account
  Granted by: n/a

API method: billingAccounts.patch
  Required permission: billing.accounts.update on the billing account
  Granted by: Billing Admin

API method: billingAccounts.projects.list
  Required permission: billing.resourceAssociations.list on the billing account
  Granted by: Billing Admin or Billing Viewer

API method: projects.getBillingInfo
  Required permission: resourcemanager.projects.get on the project (see Access Control for Projects)
  Granted by: Project Viewer

API method: projects.updateBillingInfo
  Required permissions: billing.resourceAssociations.create on the billing account AND resourcemanager.projects.createBillingAssignment on the project
  Granted by: Billing Admin or Billing User on the billing account, AND Project Billing Manager on the project

Required permissions for the Cloud Billing Budget API

The following table outlines which permissions are necessary to call each Cloud Billing Budget API method. Also included are the standard Cloud IAM Billing roles that automatically grant those permissions.

API method: GetBudget
  Required permission: billing.budgets.get on the budget's Cloud Billing Account
  Granted by: Billing Admin or Billing Viewer

API method: ListBudgets
  Required permission: billing.budgets.list on the Cloud Billing Account whose budgets are listed
  Granted by: Billing Admin or Billing Viewer

API method: CreateBudget
  Required permission: billing.budgets.create on the budget's Cloud Billing Account
  Granted by: Billing Admin

API method: UpdateBudget
  Required permission: billing.budgets.update on the budget's Cloud Billing Account
  Granted by: Billing Admin

API method: DeleteBudget
  Required permission: billing.budgets.delete on the budget's Cloud Billing Account
  Granted by: Billing Admin

Required permissions for the Cloud Billing Catalog API

Authorization is not required for the Cloud Billing Catalog API (the Services list and SKUs list methods) because all of the data these calls return is public.

Roles

You don't directly give users permissions; instead, you grant them roles, which have one or more permissions bundled within them.

You can grant one or more roles on the same resource.

The following table lists the standard Cloud IAM Billing roles that you can grant to access the Cloud Billing APIs, the description of what the role does, and the permissions bundled within that role.

Billing roles

Role: roles/billing.admin
  Title: Billing Account Administrator
  Description: Provides access to see and manage all aspects of billing accounts.
  Permissions:
    billing.accounts.close
    billing.accounts.get
    billing.accounts.getIamPolicy
    billing.accounts.getPaymentInfo
    billing.accounts.getSpendingInformation
    billing.accounts.getUsageExportSpec
    billing.accounts.list
    billing.accounts.move
    billing.accounts.redeemPromotion
    billing.accounts.removeFromOrganization
    billing.accounts.reopen
    billing.accounts.setIamPolicy
    billing.accounts.update
    billing.accounts.updatePaymentInfo
    billing.accounts.updateUsageExportSpec
    billing.budgets.*
    billing.credits.*
    billing.resourceAssociations.*
    billing.subscriptions.*
    cloudnotifications.*
    logging.logEntries.list
    logging.logServiceIndexes.*
    logging.logServices.*
    logging.logs.list
    logging.privateLogEntries.*
    resourcemanager.projects.createBillingAssignment
    resourcemanager.projects.deleteBillingAssignment
  Lowest resource: Billing Account

Role: roles/billing.creator
  Title: Billing Account Creator
  Description: Provides access to create billing accounts.
  Permissions:
    billing.accounts.create
    resourcemanager.organizations.get
  Lowest resource: Project

Role: roles/billing.projectManager
  Title: Project Billing Manager
  Description: Provides access to assign a project's billing account or disable its billing.
  Permissions:
    resourcemanager.projects.createBillingAssignment
    resourcemanager.projects.deleteBillingAssignment
  Lowest resource: Project

Role: roles/billing.user
  Title: Billing Account User
  Description: Provides access to associate projects with billing accounts.
  Permissions:
    billing.accounts.get
    billing.accounts.getIamPolicy
    billing.accounts.list
    billing.accounts.redeemPromotion
    billing.credits.*
    billing.resourceAssociations.create
  Lowest resource: Billing Account

Role: roles/billing.viewer
  Title: Billing Account Viewer
  Description: View billing account cost information and transactions.
  Permissions:
    billing.accounts.get
    billing.accounts.getIamPolicy
    billing.accounts.getPaymentInfo
    billing.accounts.getSpendingInformation
    billing.accounts.getUsageExportSpec
    billing.accounts.list
    billing.budgets.get
    billing.budgets.list
    billing.credits.*
    billing.resourceAssociations.list
    billing.subscriptions.get
    billing.subscriptions.list
  Lowest resource: Organization / Billing Account

Note that roles/billing.projectManager and roles/billing.admin also include permissions for other Google Cloud services (the resourcemanager.* and logging.* entries above), so granting either of them confers more than billing access.
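The two permission tables and the role table above together define who may call which Cloud Billing API method. The following Python is an added example, not code from Google's documentation or client libraries: it transcribes those tables and audits IAM policy documents offline. It resolves a principal's effective permissions from the policy's role bindings (wildcard entries such as billing.budgets.* matched by pattern, bindings carrying an IAM condition treated as not satisfied), reports which permission on which resource a caller still lacks for a method, including projects.updateBillingInfo with its one permission on the billing account and another on the project, and flags Billing Admin holders whose observed calls a lesser predefined role would cover. The principals, etags, policies and observed usage are constructed, and the ordering viewer < user < admin used for the least-privilege suggestion is an assumption of the example.

```python
"""Offline audit of Cloud Billing IAM policies against this page's permission and
role tables.  Added example, not Google's documentation or client-library code;
policies below are constructed in the shape billingAccounts.getIamPolicy returns."""
from fnmatch import fnmatchcase

# Permissions bundled in each predefined Billing role (from the role table above).
ROLE_PERMISSIONS = {
    "roles/billing.admin": [
        "billing.accounts.close", "billing.accounts.get", "billing.accounts.getIamPolicy",
        "billing.accounts.getPaymentInfo", "billing.accounts.getSpendingInformation",
        "billing.accounts.getUsageExportSpec", "billing.accounts.list", "billing.accounts.move",
        "billing.accounts.redeemPromotion", "billing.accounts.removeFromOrganization",
        "billing.accounts.reopen", "billing.accounts.setIamPolicy", "billing.accounts.update",
        "billing.accounts.updatePaymentInfo", "billing.accounts.updateUsageExportSpec",
        "billing.budgets.*", "billing.credits.*", "billing.resourceAssociations.*",
        "billing.subscriptions.*", "resourcemanager.projects.createBillingAssignment",
        "resourcemanager.projects.deleteBillingAssignment"],
    "roles/billing.user": [
        "billing.accounts.get", "billing.accounts.getIamPolicy", "billing.accounts.list",
        "billing.accounts.redeemPromotion", "billing.credits.*", "billing.resourceAssociations.create"],
    "roles/billing.viewer": [
        "billing.accounts.get", "billing.accounts.getIamPolicy", "billing.accounts.getPaymentInfo",
        "billing.accounts.getSpendingInformation", "billing.accounts.getUsageExportSpec",
        "billing.accounts.list", "billing.budgets.get", "billing.budgets.list", "billing.credits.*",
        "billing.resourceAssociations.list", "billing.subscriptions.get", "billing.subscriptions.list"],
    "roles/billing.projectManager": [
        "resourcemanager.projects.createBillingAssignment",
        "resourcemanager.projects.deleteBillingAssignment"],
}
# Permission each API method needs, keyed by the resource it is checked on.
METHOD_REQUIREMENTS = {
    "billingAccounts.get": {"billingAccount": ["billing.accounts.get"]},
    "billingAccounts.setIamPolicy": {"billingAccount": ["billing.accounts.setIamPolicy"]},
    "budgets.list": {"billingAccount": ["billing.budgets.list"]},
    "budgets.create": {"billingAccount": ["billing.budgets.create"]},
    "projects.updateBillingInfo": {  # one permission on each of two resources
        "billingAccount": ["billing.resourceAssociations.create"],
        "project": ["resourcemanager.projects.createBillingAssignment"]},
}

def effective_permissions(policy, member):
    """Permissions `policy` grants `member`; bindings with an IAM condition are
    skipped (treated as unsatisfied) so access is never overstated."""
    granted = set()
    for b in policy.get("bindings", []):
        if "condition" not in b and member in b.get("members", []):
            granted.update(ROLE_PERMISSIONS.get(b["role"], []))
    return granted

def has_permission(granted, needed):
    """True if an exact name or a `prefix.*` entry in `granted` covers `needed`."""
    return any(fnmatchcase(needed, g) for g in granted)

def missing_permissions(method, member, policies):
    """(resource, permission) pairs `member` lacks for `method`.  `policies` maps
    "billingAccount" / "project" to that resource's policy; absent means none."""
    missing = []
    for resource, needed in METHOD_REQUIREMENTS[method].items():
        granted = effective_permissions(policies.get(resource, {}), member)
        missing += [(resource, p) for p in needed if not has_permission(granted, p)]
    return missing

def least_privileged_role(methods):
    """Smallest predefined role (assumed order viewer < user < admin) covering the
    billing-account permissions `methods` need; project-side ones are ignored."""
    needed = [p for m in methods for p in METHOD_REQUIREMENTS[m].get("billingAccount", [])]
    for role in ("roles/billing.viewer", "roles/billing.user", "roles/billing.admin"):
        if all(has_permission(ROLE_PERMISSIONS[role], p) for p in needed):
            return role
    return None

def over_privileged_admins(policy, usage):
    """roles/billing.admin holders whose observed calls (`usage`: {member:
    [methods]}; no calls -> viewer) a lesser role would cover, mapped to it."""
    findings = {}
    for b in policy.get("bindings", []):
        if b["role"] != "roles/billing.admin":
            continue
        for member in b.get("members", []):
            role = least_privileged_role(usage.get(member, []))
            if role and role != "roles/billing.admin":
                findings[member] = role
    return findings

# Constructed sample policies and usage (not real accounts or principals).
FACTORY_SA = "serviceAccount:project-factory@example.iam.gserviceaccount.com"
REPORT_SA = "serviceAccount:cost-report@example.iam.gserviceaccount.com"
BILLING_ACCOUNT_POLICY = {"etag": "BwWx1Example=", "bindings": [
    {"role": "roles/billing.admin", "members": ["user:finance-lead@example.com", REPORT_SA]},
    {"role": "roles/billing.user", "members": [FACTORY_SA]},
    {"role": "roles/billing.viewer", "members": ["group:auditors@example.com"],
     "condition": {"title": "expired", "expression": 'request.time < timestamp("2020-01-01T00:00:00Z")'}}]}
PROJECT_POLICY = {"etag": "BwWx2Example=", "bindings": [
    {"role": "roles/billing.projectManager", "members": [FACTORY_SA]}]}
POLICIES = {"billingAccount": BILLING_ACCOUNT_POLICY, "project": PROJECT_POLICY}
OBSERVED_USAGE = {  # methods each principal was seen calling, e.g. from audit logs
    "user:finance-lead@example.com": ["billingAccounts.setIamPolicy", "budgets.create"],
    REPORT_SA: ["billingAccounts.get", "budgets.list"]}
```

Running missing_permissions("projects.updateBillingInfo", FACTORY_SA, POLICIES) returns an empty list only because the service account holds Billing User on the account and Project Billing Manager on the project; drop the project policy and the project-side permission is reported missing, which is the split the last row of the first permission table describes. Conditional bindings are deliberately treated as granting nothing, since an offline check cannot evaluate the condition; in practice, confirm with billingAccounts.testIamPermissions, which needs no permission of its own.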
