Access control for Cloud Billing APIs

Google Cloud offers Identity and Access Management (IAM), which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.

IAM lets you control who (users) has what access (roles) to which resources by setting IAM policies. An IAM policy grants specific roles to a user, and each role gives the user a defined set of permissions.

This page explains the Identity and Access Management roles that are available for the Cloud Billing APIs. For example, you can use IAM to grant roles such as Admin, User, and Viewer for a Cloud Billing account. For a detailed description of IAM and its features, see the Identity and Access Management developer's guide. In particular, see its Granting, Changing, and Revoking Access section.

Required permissions for the Cloud Billing Catalog API

Authorization is not required when using the Cloud Billing Catalog API (the Services list and SKUs list methods), because all of the data returned by these calls is public.

Required permissions for the Cloud Billing Budget API

To learn about the permissions required to use the Cloud Billing Budget API, see Access control for the Cloud Billing Budget API.

Permissions and Roles

For a user to view Cloud Billing account details in the Google Cloud console, or for a Cloud Billing API method to return Cloud Billing account information, the user or caller must have the necessary permissions. The following tables list the IAM permissions and roles needed for each of the Cloud Billing APIs.

Required permissions for the Cloud Billing Account API

The following lists, for each Cloud Billing Account API method, the permissions the caller must have and the IAM role that grants them:

billingAccounts.create
  • Required permissions: This method creates new Cloud Billing subaccounts. The caller must have billing.accounts.update on the subaccount's parent Cloud Billing account.
  • IAM role that grants permission: Billing Account Administrator

billingAccounts.get
  • Required permissions: billing.accounts.get on a Cloud Billing account.
  • IAM role that grants permission: Billing Account Administrator, Billing Account Costs Manager, Billing Account Viewer, or Billing Account User

billingAccounts.list
  • Required permissions: None. This method returns all accounts that the caller has permission to access.
  • IAM role that grants permission: Billing Account Administrator, Billing Account Costs Manager, Billing Account Viewer, or Billing Account User on the Cloud Billing accounts, or Project Billing Manager on the projects.

billingAccounts.getIamPolicy
  • Required permissions: billing.accounts.getIamPolicy on a Cloud Billing account.
  • IAM role that grants permission: Billing Account Administrator, Billing Account Costs Manager, Billing Account Viewer, or Billing Account User

billingAccounts.setIamPolicy
  • Required permissions: billing.accounts.setIamPolicy on a Cloud Billing account.
  • IAM role that grants permission: Billing Account Administrator

billingAccounts.testIamPermissions
  • Required permissions: None. This method is used to determine the permissions that a caller has on a Cloud Billing account.
  • IAM role that grants permission: n/a

billingAccounts.patch
  • Required permissions: billing.accounts.update on a Cloud Billing account.
  • IAM role that grants permission: Billing Account Administrator

billingAccounts.projects.list
  • Required permissions: billing.resourceAssociations.list on a Cloud Billing account.
  • IAM role that grants permission: Billing Account Administrator, Billing Account Costs Manager, or Billing Account Viewer

projects.getBillingInfo
  • Required permissions: resourcemanager.projects.get on the project. For more information, see Access Control for Projects.
  • IAM role that grants permission: Project Owner, Project Editor, or Project Viewer

projects.updateBillingInfo
  • Required permissions: billing.resourceAssociations.create on the Cloud Billing account AND resourcemanager.projects.createBillingAssignment on the project.
  • IAM role that grants permission: Billing Account Administrator or Billing Account User, AND Project Billing Manager

Roles

You don't directly give users permissions; instead, you grant them roles, which have one or more permissions bundled within them.

You can grant one or more roles on the same resource.

The following lists the standard IAM Billing roles that you can grant to access the Cloud Billing APIs, what each role does, the lowest-level resource on which you can grant it, and the permissions bundled within that role.

Billing Account Administrator
(roles/billing.admin)

Provides access to see and manage all aspects of billing accounts.

Lowest-level resources where you can grant this role: Billing Account

Permissions:

  • billing.accounts.close
  • billing.accounts.get
  • billing.accounts.getCarbonInformation
  • billing.accounts.getIamPolicy
  • billing.accounts.getPaymentInfo
  • billing.accounts.getPricing
  • billing.accounts.getSpendingInformation
  • billing.accounts.getUsageExportSpec
  • billing.accounts.list
  • billing.accounts.move
  • billing.accounts.redeemPromotion
  • billing.accounts.removeFromOrganization
  • billing.accounts.reopen
  • billing.accounts.setIamPolicy
  • billing.accounts.update
  • billing.accounts.updatePaymentInfo
  • billing.accounts.updateUsageExportSpec
  • billing.budgets.*
  • billing.credits.list
  • billing.resourceAssociations.*
  • billing.subscriptions.*
  • cloudnotifications.activities.list
  • cloudsupport.properties.get
  • cloudsupport.techCases.*
  • commerceoffercatalog.*
  • consumerprocurement.accounts.*
  • consumerprocurement.consents.*
  • consumerprocurement.orderAttributions.*
  • consumerprocurement.orders.*
  • dataprocessing.datasources.get
  • dataprocessing.datasources.list
  • dataprocessing.groupcontrols.get
  • dataprocessing.groupcontrols.list
  • logging.logEntries.list
  • logging.logServiceIndexes.list
  • logging.logServices.list
  • logging.logs.list
  • logging.privateLogEntries.list
  • recommender.commitmentUtilizationInsights.*
  • recommender.costInsights.*
  • recommender.spendBasedCommitmentInsights.*
  • recommender.spendBasedCommitmentRecommendations.*
  • recommender.usageCommitmentRecommendations.*
  • resourcemanager.projects.createBillingAssignment
  • resourcemanager.projects.deleteBillingAssignment
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Billing Account Costs Manager
(roles/billing.costsManager)

Manage budgets for a billing account, and view, analyze, and export cost information of a billing account.

Lowest-level resources where you can grant this role: Billing Account

Permissions:

  • billing.accounts.get
  • billing.accounts.getIamPolicy
  • billing.accounts.getSpendingInformation
  • billing.accounts.getUsageExportSpec
  • billing.accounts.list
  • billing.accounts.updateUsageExportSpec
  • billing.budgets.*
  • billing.resourceAssociations.list
  • recommender.costInsights.*

Billing Account Creator
(roles/billing.creator)

Provides access to create billing accounts.

Lowest-level resources where you can grant this role: Organization

Permissions:

  • billing.accounts.create
  • resourcemanager.organizations.get

Project Billing Manager
(roles/billing.projectManager)

When granted in conjunction with the Billing Account User role, provides access to assign a project's billing account or disable its billing.

Lowest-level resources where you can grant this role: Project

Permissions:

  • resourcemanager.projects.createBillingAssignment
  • resourcemanager.projects.deleteBillingAssignment

Billing Account User
(roles/billing.user)

When granted in conjunction with the Project Owner role or Project Billing Manager role, provides access to associate projects with billing accounts.

Lowest-level resources where you can grant this role: Billing Account

Permissions:

  • billing.accounts.get
  • billing.accounts.getIamPolicy
  • billing.accounts.list
  • billing.accounts.redeemPromotion
  • billing.credits.list
  • billing.resourceAssociations.create

Billing Account Viewer
(roles/billing.viewer)

View billing account cost and pricing information, transactions, and billing and commitment recommendations.

Lowest-level resources where you can grant this role: Billing Account

Permissions:

  • billing.accounts.get
  • billing.accounts.getCarbonInformation
  • billing.accounts.getIamPolicy
  • billing.accounts.getPaymentInfo
  • billing.accounts.getPricing
  • billing.accounts.getSpendingInformation
  • billing.accounts.getUsageExportSpec
  • billing.accounts.list
  • billing.budgets.get
  • billing.budgets.list
  • billing.credits.list
  • billing.resourceAssociations.list
  • billing.subscriptions.get
  • billing.subscriptions.list
  • commerceoffercatalog.*
  • consumerprocurement.accounts.get
  • consumerprocurement.accounts.list
  • consumerprocurement.consents.check
  • consumerprocurement.consents.list
  • consumerprocurement.orderAttributions.get
  • consumerprocurement.orderAttributions.list
  • consumerprocurement.orders.get
  • consumerprocurement.orders.list
  • dataprocessing.datasources.get
  • dataprocessing.datasources.list
  • dataprocessing.groupcontrols.get
  • dataprocessing.groupcontrols.list
  • recommender.commitmentUtilizationInsights.get
  • recommender.commitmentUtilizationInsights.list
  • recommender.costInsights.get
  • recommender.costInsights.list
  • recommender.spendBasedCommitmentInsights.get
  • recommender.spendBasedCommitmentInsights.list
  • recommender.spendBasedCommitmentRecommendations.get
  • recommender.spendBasedCommitmentRecommendations.list
  • recommender.usageCommitmentRecommendations.get
  • recommender.usageCommitmentRecommendations.list

Note that the roles roles/billing.admin, roles/billing.costsManager, roles/billing.viewer, and roles/billing.projectManager include permissions for other Google Cloud services as well.
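As an added example (not Google's code or tooling), the following Python models the two tables on this page, the permission each Cloud Billing Account API method requires and the permissions each role bundles, so you can reason offline about whether a set of role bindings is sufficient for a method before granting anything broader than least privilege needs. Only the permission, role and method names come from the page; the resource-kind labels, the function names and the bindings used in the test are assumptions, and an authoritative answer for a real account still comes from billingAccounts.testIamPermissions.

```python
from fnmatch import fnmatchcase

# Role -> bundled permissions, transcribed from this page's roles table
# (only the permissions the Cloud Billing Account API table refers to).
ROLE_PERMISSIONS = {
    "roles/billing.admin": {
        "billing.accounts.get", "billing.accounts.getIamPolicy",
        "billing.accounts.setIamPolicy", "billing.accounts.update",
        "billing.budgets.*", "billing.resourceAssociations.*",
        "resourcemanager.projects.createBillingAssignment",
        "resourcemanager.projects.get"},
    "roles/billing.user": {
        "billing.accounts.get", "billing.accounts.getIamPolicy",
        "billing.accounts.list", "billing.resourceAssociations.create"},
    "roles/billing.viewer": {
        "billing.accounts.get", "billing.accounts.getIamPolicy",
        "billing.accounts.list", "billing.resourceAssociations.list"},
    "roles/billing.projectManager": {
        "resourcemanager.projects.createBillingAssignment",
        "resourcemanager.projects.deleteBillingAssignment"},
}

# API method -> (resource kind, permission) pairs that must ALL hold;
# projects.updateBillingInfo is the row that spans two resources.
METHOD_REQUIREMENTS = {
    "billingAccounts.get": [("billingAccount", "billing.accounts.get")],
    "billingAccounts.patch": [("billingAccount", "billing.accounts.update")],
    "billingAccounts.setIamPolicy": [("billingAccount", "billing.accounts.setIamPolicy")],
    "billingAccounts.projects.list": [("billingAccount", "billing.resourceAssociations.list")],
    "projects.updateBillingInfo": [
        ("billingAccount", "billing.resourceAssociations.create"),
        ("project", "resourcemanager.projects.createBillingAssignment")],
}

def has_permission(roles, permission):
    """True if a granted role bundles the permission; a wildcard entry such as
    billing.budgets.* covers every permission under that prefix."""
    return any(fnmatchcase(permission, pattern)
               for role in roles for pattern in ROLE_PERMISSIONS.get(role, ()))

def missing_for(method, bindings):
    """bindings: {"billingAccount": roles, "project": roles} held by the caller.
    Roles on a billing account do not carry over to a project, so the AND row
    needs both. Returns the (resource, permission) pairs still lacking."""
    return [(res, perm) for res, perm in METHOD_REQUIREMENTS[method]
            if not has_permission(bindings.get(res, set()), perm)]

def can_call(method, bindings):
    return not missing_for(method, bindings)
```

A caller holding only Billing Account Administrator on the account still shows up as missing the project-side permission for projects.updateBillingInfo, which is the point of the AND in that row.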