Google Cloud offers Identity and Access Management (IAM), which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.
IAM lets you control who (users) has what access (roles) to which resources by setting IAM policies. An IAM policy grants specific roles to a user, and each role gives the user a set of permissions.
This page explains the Identity and Access Management roles that are available for the Cloud Billing APIs. For example, you can use IAM to grant roles such as Admin, User, and Project Manager for a Cloud Billing account. For a detailed description of IAM and its features, see the Identity and Access Management developer's guide. In particular, see its Granting, Changing, and Revoking Access section.
Permissions and Roles
For a user to view Cloud Billing account details in the Google Cloud Console, or for a Cloud Billing API method to return Cloud Billing account information, the user or caller must have the necessary permissions. The following tables list the IAM permissions and roles needed for each of the Cloud Billing APIs.
Required permissions for the Cloud Billing Account API
The following table lists the permissions that the caller must have to call each Cloud Billing Account API method:
API Method | Required Permissions | IAM Role that grants permission |
---|---|---|
billingAccounts.create | When creating a Cloud Billing subaccount, the caller must have billing.accounts.update on the subaccount's master Cloud Billing account. | Billing Admin |
billingAccounts.get | billing.accounts.get on a Cloud Billing account. | Billing Admin or Billing Viewer |
billingAccounts.list | None. This method returns all accounts that the caller has permission to access. | Billing Admin, Billing Viewer, Billing User, or Billing Project Manager |
billingAccounts.getIamPolicy | billing.accounts.getIamPolicy on a Cloud Billing account. | Billing Admin or Billing Viewer |
billingAccounts.setIamPolicy | billing.accounts.setIamPolicy on a Cloud Billing account. | Billing Admin |
billingAccounts.testIamPermissions | None. This method is used to determine the permissions that a caller has on a Cloud Billing account. | n/a |
billingAccounts.patch | billing.accounts.update on a Cloud Billing account. | Billing Admin |
billingAccounts.projects.list | billing.resourceAssociations.list on a Cloud Billing account. | Billing Admin or Billing Viewer |
projects.getBillingInfo | resourcemanager.projects.get on the project. For more information, see Access Control for Projects. | Project Viewer |
projects.updateBillingInfo | billing.resourceAssociations.create AND resourcemanager.projects.createBillingAssignment on the Cloud Billing account. | Billing Admin or Billing User, AND Project Billing Manager |
Required permissions for the Cloud Billing Budget API
The following table outlines which permissions are necessary to call each Cloud Billing Budget API method. Also included are the standard IAM Billing roles that automatically grant those permissions.
API Method | Required Permission | IAM Role that grants permission |
---|---|---|
GetBudget | To get the details of a budget, the caller must have the billing.budgets.get permission on the budget's Cloud Billing account. | Billing Admin or Billing Viewer |
ListBudgets | To return a list of budgets applied to a Cloud Billing account, the caller must have the billing.budgets.list permission on the Cloud Billing account. | Billing Admin or Billing Viewer |
CreateBudget | To create a new budget, the caller must have the billing.budgets.create permission on the budget's Cloud Billing account. | Billing Admin |
UpdateBudget | To update an existing budget, the caller must have the billing.budgets.update permission on the budget's Cloud Billing account. | Billing Admin |
DeleteBudget | To delete an existing budget, the caller must have the billing.budgets.delete permission on the budget's Cloud Billing account. | Billing Admin |
Required permissions for the Cloud Billing Catalog API
Authorization is not required when using the Cloud Billing Catalog API (Services list, and SKUs list) because all of the data returned by the calls is public.
Roles
You don't directly give users permissions; instead, you grant them roles, which have one or more permissions bundled within them.
You can grant one or more roles on the same resource.
The following table lists the standard IAM Billing roles that you can grant to access the Cloud Billing APIs, the description of what the role does, and the permissions bundled within that role.
Role | Title | Description | Permissions | Lowest resource |
---|---|---|---|---|
roles/ | Billing Account Administrator | Provides access to see and manage all aspects of billing accounts. | | Billing Account |
roles/ | Billing Account Costs Manager | Can view and export cost information of billing accounts. | | |
roles/ | Billing Account Creator | Provides access to create billing accounts. | | Organization |
roles/ | Project Billing Manager | Provides access to assign a project's billing account or disable its billing. | | Project |
roles/ | Billing Account User | Provides access to associate projects with billing accounts. | | Billing Account |
roles/ | Billing Account Viewer | View billing account cost information and transactions. | | Billing Account |
Note that the roles roles/billing.projectManager and roles/billing.admin include permissions for other Google Cloud services as well.
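As an added example (not Google's code), the script below applies the method and role tables above to a billing account's IAM policy, in the JSON shape returned by billingAccounts.getIamPolicy, together with the policy of a project, and reports which principals can change the account's access policy, modify the account, or move the project onto the account. roles/billing.admin and roles/billing.projectManager are named above; roles/billing.user and roles/billing.viewer are assumed to be the predefined IDs of the Billing Account User and Billing Account Viewer roles, and both policies are constructed samples.

```python
import json

# Privileged Account API methods that the table grants to Billing Admin alone.
# roles/billing.admin is named on this page; the other role IDs below are the
# standard predefined billing role IDs (assumed here, not taken from the page).
ADMIN_ONLY_METHODS = {"billingAccounts.setIamPolicy", "billingAccounts.patch"}
ACCOUNT_ATTACH_ROLES = {"roles/billing.admin", "roles/billing.user"}
PROJECT_ATTACH_ROLE = "roles/billing.projectManager"
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def members_by_role(policy):
    """Map each role in an IAM policy dict to the set of members holding it.
    Conditional bindings are counted as unconditional (the conservative choice)."""
    out = {}
    for binding in policy.get("bindings", []):
        out.setdefault(binding["role"], set()).update(binding.get("members", []))
    return out


def audit(account_policy, project_policy):
    """Return {member: sorted privileged methods} the member can call.
    projects.updateBillingInfo needs Billing Admin or Billing User on the
    account AND Project Billing Manager on the project, per the table above."""
    acct = members_by_role(account_policy)
    proj = members_by_role(project_policy)
    findings = {}
    for member in acct.get("roles/billing.admin", ()):
        findings.setdefault(member, set()).update(ADMIN_ONLY_METHODS)
    can_attach_on_account = set().union(*(acct.get(r, set()) for r in ACCOUNT_ATTACH_ROLES))
    for member in can_attach_on_account & proj.get(PROJECT_ATTACH_ROLE, set()):
        findings.setdefault(member, set()).add("projects.updateBillingInfo")
    return {m: sorted(methods) for m, methods in findings.items()}


def public_principals(policy):
    """Principals that expose a binding to everyone or to any Google account."""
    members = {m for b in policy.get("bindings", []) for m in b.get("members", [])}
    return sorted(members & PUBLIC_PRINCIPALS)


# Constructed sample policies (not real data) in the getIamPolicy JSON shape.
ACCOUNT_POLICY = json.loads("""{"bindings": [
  {"role": "roles/billing.admin", "members": ["user:carol@example.com"]},
  {"role": "roles/billing.user", "members": ["user:alice@example.com", "user:bob@example.com"]},
  {"role": "roles/billing.viewer", "members": ["group:finance@example.com", "allAuthenticatedUsers"]}]}""")
PROJECT_POLICY = json.loads("""{"bindings": [
  {"role": "roles/billing.projectManager", "members": ["user:alice@example.com"]}]}""")

if __name__ == "__main__":
    for member, methods in sorted(audit(ACCOUNT_POLICY, PROJECT_POLICY).items()):
        print(f"{member}: {', '.join(methods)}")
    print("public principals on account:", public_principals(ACCOUNT_POLICY))
```

In the sample, bob holds Billing Account User but no Project Billing Manager binding, so he is not reported as able to move the project, which is exactly the two-sided check the Account API table describes.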
Related topics
- Overview of Billing Access Control
- Granting, Changing, and Revoking Access to Project Members in the Identity and Access Management documentation
- Create Custom Roles for Billing