Google Cloud offers Identity and Access Management (IAM), which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.
IAM lets you control who (users) has what access (roles) to which resources by setting IAM policies. IAM policies grant specific roles to a user giving the user certain permissions.
This page explains the Identity and Access Management roles that are available for the Cloud Billing APIs. For example, you can use IAM to grant roles such as Admin, User, and Viewer for a Cloud Billing account. For a detailed description of IAM and its features, see the Identity and Access Management developer's guide. In particular, see its Granting, Changing, and Revoking Access section.
Required permissions for the Cloud Billing Catalog API
Authorization is not required when using the Cloud Billing Catalog API (Services list, and SKUs list) because all of the data returned by the calls is public.
Required permissions for the Cloud Billing Budget API
To learn about the permissions required to use the Cloud Billing Budget API, see Access control for the Cloud Billing Budget API.
Permissions and Roles
For a user to view Cloud Billing account details in the Google Cloud console, or for a Cloud Billing API method to return Cloud Billing account information, the user or caller must have the necessary permissions. The following tables list the IAM permissions and roles needed for each of the Cloud Billing APIs.
Required permissions for the Cloud Billing Account API
The following table lists the permissions that the caller must have to call each Cloud Billing Account API method:
| API Method | Required Permissions | IAM Role that grants permission |
|---|---|---|
billingAccounts.create |
Method is used to create new Cloud Billing subaccounts. The caller must have
billing.accounts.update on the subaccount's parent Cloud Billing
account.
|
Billing Account Administrator |
billingAccounts.get |
billing.accounts.get on a Cloud Billing account. |
Billing Account Administrator, Billing Account Costs Manager, Billing Account Viewer, or Billing Account User |
billingAccounts.list |
None. This method returns all accounts that the caller has permission to access. | Billing Account Administrator, Billing Account Costs Manager, Billing Account Viewer, or Billing Account User on the Cloud Billing accounts, or Project Billing Manager on the projects. |
billingAccounts.getIamPolicy |
billing.accounts.getIamPolicy on a Cloud Billing account. |
Billing Account Administrator, Billing Account Costs Manager, Billing Account Viewer, or Billing Account User |
billingAccounts.setIamPolicy |
billing.accounts.setIamPolicy on a Cloud Billing account. |
Billing Account Administrator |
billingAccounts.testIamPermissions |
None. This method is used to determine the permissions that a caller has on a Cloud Billing account. | n/a |
billingAccounts.patch |
billing.accounts.update on a Cloud Billing account. |
Billing Account Administrator |
billingAccounts.projects.list |
billing.resourceAssociations.list on a Cloud Billing account.
|
Billing Account Administrator, Billing Account Costs Manager, or Billing Account Viewer |
projects.getBillingInfo |
resourcemanager.projects.get on the project.For more information, see Access Control for Projects. |
Project Owner, Project Editor, or Project Viewer |
projects.updateBillingInfo |
billing.resourceAssociations.create on the Cloud Billing account
AND resourcemanager.projects.createBillingAssignment on the project. |
Billing Account Administrator or Billing Account User, AND Project Billing Manager |
Roles
You don't directly give users permissions; instead, you grant them roles, which have one or more permissions bundled within them.
You can grant one or more roles on the same resource.
The following table lists the standard IAM Billing roles that you can grant to access the Cloud Billing APIs, the description of what the role does, and the permissions bundled within that role.
| Role | Permissions |
|---|---|
|
Billing Account Administrator
Provides access to see and manage all aspects of billing accounts. Lowest-level resources where you can grant this role:
|
|
|
Billing Account Costs Manager
Manage budgets for a billing account, and view, analyze, and export cost information of a billing account. Lowest-level resources where you can grant this role:
|
|
|
Billing Account Creator
Provides access to create billing accounts. Lowest-level resources where you can grant this role:
|
|
|
Project Billing Manager
When granted in conjunction with the Billing Account User role, provides access to assign a project's billing account or disable its billing. Lowest-level resources where you can grant this role:
|
|
|
Billing Account User
When granted in conjunction with the Project Owner role or Project Billing Manager role, provides access to associate projects with billing accounts. Lowest-level resources where you can grant this role:
|
|
|
Billing Account Viewer
View billing account cost and pricing information, transactions, and billing and commitment recommendations. Lowest-level resources where you can grant this role:
|
|
Note that the roles roles/billing.admin, roles/billing.costsManager,
roles/billing.viewer, and roles/billing.projectManager include permissions
for other Google Cloud services as well.
Related topics
- Overview of Billing Access Control
- Granting, Changing, and Revoking Access in the Identity and Access Management documentation
- Create Custom Roles for Billing