Access control for Cloud Billing APIs

Google Cloud offers Identity and Access Management (IAM), which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.

IAM lets you control who (users) has what access (roles) to which resources by setting IAM policies. IAM policies grant specific roles to a user giving the user certain permissions.

This page explains the Identity and Access Management roles that are available for the Cloud Billing APIs. For example, you can use IAM to grant roles such as Admin, User, and Project Manager for a Cloud Billing account. For a detailed description of IAM and its features, see the Identity and Access Management developer's guide. In particular, see its Granting, Changing, and Revoking Access section.

Permissions and Roles

For a user to view Cloud Billing account details in the Google Cloud Console, or for a Cloud Billing API method to return Cloud Billing account information, the user or caller must have the necessary permissions. The following tables list the IAM permissions and roles needed for each of the Cloud Billing APIs.

Required permissions for the Cloud Billing Account API

The following table lists the permissions that the caller must have to call each Cloud Billing Account API method:

API Method	Required Permissions	IAM Role that grants permission
`billingAccounts.create`	When creating a Cloud Billing subaccount, the caller must have `billing.accounts.update` on the subaccount's master Cloud Billing account.	Billing Admin
`billingAccounts.get`	`billing.accounts.get` on a Cloud Billing account.	Billing Admin or Billing Viewer
`billingAccounts.list`	None. This method returns all accounts that the caller has permission to access.	Billing Admin, Billing Viewer, Billing User, or Billing Project Manager
`billingAccounts.getIamPolicy`	`billing.accounts.getIamPolicy` on a Cloud Billing account.	Billing Admin or Billing Viewer
`billingAccounts.setIamPolicy`	`billing.accounts.setIamPolicy` on a Cloud Billing account.	Billing Admin
`billingAccounts.testIamPermissions`	None. This method is used to determine the permissions that a caller has on a Cloud Billing account.	n/a
`billingAccounts.patch`	`billing.accounts.update` on a Cloud Billing account.	Billing Admin
`billingAccounts.projects.list`	`billing.resourceAssociations.list` on a Cloud Billing account.	Billing Admin or Billing Viewer
`projects.getBillingInfo`	`resourcemanager.projects.get` on the project. For more information, see Access Control for Projects.	Project Viewer
`projects.updateBillingInfo`	`billing.resourceAssociations.create` AND `resourcemanager.projects.createBillingAssignment` on the Cloud Billing account.	Billing Admin or Billing User, AND Project Billing Manager

Required permissions for the Cloud Billing Budget API

The following table outlines which permissions are necessary to call each Cloud Billing Budget API method. Also included are the standard IAM Billing roles that automatically grant those permissions.

API Method	Required Permission	IAM Role that grants permission
`GetBudget`	To get the details of a budget, the caller must have the `billing.budgets.get` permission on the budget's Cloud Billing account.	Billing Admin or Billing Viewer
`ListBudgets`	To return a list of budgets applied to a Cloud Billing account, the caller must have the `billing.budgets.list` permission on the Cloud Billing account.	Billing Admin or Billing Viewer
`CreateBudget`	To create a new budget, the caller must have the `billing.budgets.create` permission on the budget's Cloud Billing account.	Billing Admin
`UpdateBudget`	To update an existing budget, the caller must have the `billing.budgets.update` permission on the budget's Cloud Billing account.	Billing Admin
`DeleteBudget`	To delete an existing budget, the caller must have the `billing.budgets.delete` permission on the budget's Cloud Billing account.	Billing Admin

Required permissions for the Cloud Billing Catalog API

Authorization is not required when using the Cloud Billing Catalog API (Services list, and SKUs list) because all of the data returned by the calls is public.

Roles

You don't directly give users permissions; instead, you grant them roles, which have one or more permissions bundled within them.

You can grant one or more roles on the same resource.

The following table lists the standard IAM Billing roles that you can grant to access the Cloud Billing APIs, the description of what the role does, and the permissions bundled within that role.

Role	Title	Description	Permissions	Lowest resource
`roles/billing.admin`	Billing Account Administrator	Provides access to see and manage all aspects of billing accounts.	billing.accounts.close billing.accounts.get billing.accounts.getIamPolicy billing.accounts.getPaymentInfo billing.accounts.getPricing billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.accounts.move billing.accounts.redeemPromotion billing.accounts.removeFromOrganization billing.accounts.reopen billing.accounts.setIamPolicy billing.accounts.update billing.accounts.updatePaymentInfo billing.accounts.updateUsageExportSpec billing.budgets.* billing.credits.* billing.resourceAssociations.* billing.subscriptions.* cloudnotifications.* commerceoffercatalog.* consumerprocurement.accounts.* consumerprocurement.orders.* dataprocessing.datasources.get dataprocessing.datasources.list dataprocessing.groupcontrols.get dataprocessing.groupcontrols.list logging.logEntries.list logging.logServiceIndexes.* logging.logServices.* logging.logs.list logging.privateLogEntries.* recommender.commitmentUtilizationInsights.* recommender.usageCommitmentRecommendations.* resourcemanager.projects.createBillingAssignment resourcemanager.projects.deleteBillingAssignment	Billing Account
`roles/billing.costsManager`	Billing Account Costs Manager	Can view and export cost information of billing accounts.	billing.accounts.get billing.accounts.getIamPolicy billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.accounts.updateUsageExportSpec billing.budgets.* billing.resourceAssociations.list
`roles/billing.creator`	Billing Account Creator	Provides access to create billing accounts.	billing.accounts.create resourcemanager.organizations.get	Organization
`roles/billing.projectManager`	Project Billing Manager	Provides access to assign a project's billing account or disable its billing.	resourcemanager.projects.createBillingAssignment resourcemanager.projects.deleteBillingAssignment	Project
`roles/billing.user`	Billing Account User	Provides access to associate projects with billing accounts.	billing.accounts.get billing.accounts.getIamPolicy billing.accounts.list billing.accounts.redeemPromotion billing.credits.* billing.resourceAssociations.create	Billing Account
`roles/billing.viewer`	Billing Account Viewer	View billing account cost information and transactions.	billing.accounts.get billing.accounts.getIamPolicy billing.accounts.getPaymentInfo billing.accounts.getPricing billing.accounts.getSpendingInformation billing.accounts.getUsageExportSpec billing.accounts.list billing.budgets.get billing.budgets.list billing.credits.* billing.resourceAssociations.list billing.subscriptions.get billing.subscriptions.list commerceoffercatalog.* consumerprocurement.accounts.get consumerprocurement.accounts.list consumerprocurement.orders.get consumerprocurement.orders.list dataprocessing.datasources.get dataprocessing.datasources.list dataprocessing.groupcontrols.get dataprocessing.groupcontrols.list recommender.commitmentUtilizationInsights.get recommender.commitmentUtilizationInsights.list recommender.usageCommitmentRecommendations.get recommender.usageCommitmentRecommendations.list	Billing Account

Note that the roles roles/billing.projectManager and roles/billing.admin include permissions for other Google Cloud services as well.