Google Cloud Platform offers Identity and Access Management (IAM), which lets you give more granular access to specific Google Cloud Platform resources and prevents unwanted access to other resources. IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.
IAM lets you control who (users) has what access (roles) to which resources by setting IAM policies. An IAM policy grants one or more roles to a user, and each role carries a set of permissions.
This page explains the Identity and Access Management (IAM) roles that are available for Google Cloud Billing API. For example, you can use IAM to grant roles such as Admin, User, and Project Manager for a billing account. For a detailed description of IAM and its features, see the Google Cloud Identity and Access Management developer's guide. In particular, see its Granting, Changing, and Revoking Access section.
Permissions and Roles
For a user to view billing account details in the Google Cloud Platform console, or for a Google Cloud Billing API method to return billing account information, the user or caller must have the necessary permissions. The following tables list the permissions and roles Google Cloud Billing API IAM supports.
Required Permissions
The following table lists the permissions that the caller must have to call each method:
| Method | Required Permission(s) |
|---|---|
| billingAccounts.create | When creating a billing subaccount, the caller must have billing.accounts.update on the subaccount's master billing account. |
| billingAccounts.get | billing.accounts.get on a billing account. |
| billingAccounts.list | None. This method returns all accounts that the caller has permission to access. |
| billingAccounts.getIamPolicy | billing.accounts.getIamPolicy on a billing account. |
| billingAccounts.setIamPolicy | billing.accounts.setIamPolicy on a billing account. |
| billingAccounts.testIamPermissions | None. This method is used to determine the permissions that a caller has on a billing account. |
| billingAccounts.patch | billing.accounts.update on a billing account. |
| billingAccounts.projects.list | billing.resourceAssociations.list on a billing account. |
| projects.getBillingInfo | resourcemanager.projects.get on the project. For more information, see Access Control for Projects. |
| projects.updateBillingInfo | billing.resourceAssociations.create and resourcemanager.projects.createBillingAssignment on the billing account. |
Roles
You don't directly give users permissions; instead, you grant them roles, which have one or more permissions bundled within them.
You can grant one or more roles on the same resource.
The following table lists the roles that you can grant to access the Billing API, what each role is for, and the permissions bundled within that role.
| Role | Includes Permission(s): | For Resource Type: |
|---|---|---|
| roles/billing.projectManager | resourcemanager.projects.createBillingAssignment (applies to Organizations only; for information about Organizations, see Creating and Managing Organizations. Note also that the current authenticated user must have permissions on both the project and on the billing account; for more information about permissions, see Configuring permissions on Google Cloud Platform.) | Organization |
| | resourcemanager.projects.deleteBillingAssignment (applies to Organizations only; for information about Organizations, see Creating and Managing Organizations. The current authenticated user must have permissions on either the project or on the billing account; for more information about permissions, see Configuring permissions on Google Cloud Platform.) | Organization |
| roles/billing.viewer | billing.accounts.get | Billing Account |
| | billing.accounts.getIamPolicy | Billing Account |
| | billing.accounts.getPaymentInfo | Billing Account |
| | billing.accounts.getSpendingInformation | Billing Account |
| | billing.accounts.getUsageExportSpec | Billing Account |
| | billing.accounts.list | Billing Account |
| | billing.budgets.get | Billing Account |
| | billing.budgets.list | Billing Account |
| | billing.credits.list | Billing Account |
| | billing.resourceAssociations.list | Billing Account |
| | billing.subscriptions.get | Billing Account |
| | billing.subscriptions.list | Billing Account |
| roles/billing.user | All of the above permissions for Project Manager and Viewer, as well as: | |
| | billing.accounts.redeemPromotion | Billing Account |
| | billing.resourceAssociations.create | Billing Account |
| roles/billing.admin | All of the above permissions for Project Manager, Viewer, and User, as well as: | |
| | billing.accounts.close | Billing Account |
| | billing.accounts.manageBillableUsageExport | Billing Account |
| | billing.accounts.move | Billing Account |
| | billing.accounts.removeFromOrganization | Billing Account |
| | billing.accounts.reopen | Billing Account |
| | billing.accounts.setIamPolicy | Billing Account |
| | billing.accounts.update | Billing Account |
| | billing.accounts.updatePaymentInfo | Billing Account |
| | billing.accounts.updateUsageExportSpec | Billing Account |
| | billing.budgets.create | Billing Account |
| | billing.budgets.delete | Billing Account |
| | billing.budgets.update | Billing Account |
| | billing.projectAssociations.create (applies to Organizations only; for information about Organizations, see Creating and Managing Organizations. Note also that the current authenticated user must have permissions on both the project and on the billing account; for more information about permissions, see Configuring permissions on Google Cloud Platform.) | Organization |
| | billing.projectAssociations.delete (applies to Organizations only; for information about Organizations, see Creating and Managing Organizations. The current authenticated user must have permissions on either the project or on the billing account; for more information about permissions, see Configuring permissions on Google Cloud Platform.) | Organization |
| | billing.resourceAssociations.delete | Billing Account |
| | cloudnotifications.activities.list (applies to Cloud Notifications; for more information, see Email and Mobile Notifications.) | Billing Account |
| | logging.logEntries.list (applies to Stackdriver Logging; for more information, see Stackdriver Access Control.) | Billing Account |
| | logging.logs.list (applies to Stackdriver Logging; for more information, see Stackdriver Access Control.) | Billing Account |
Note that the roles roles/billing.user, roles/billing.projectManager, and roles/billing.admin include permissions for other Google Cloud Platform services as well.
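As an added example, not from the Google documentation, the two tables above transcribed into a Python least-privilege check: it expands a role through the bundling the roles table describes (User includes Project Manager and Viewer, Admin includes all three), finds the least predefined role that covers the methods a caller needs, and flags members of an IAM policy whose binding exceeds that. The viewer and admin rows are abbreviated, and SAMPLE_POLICY, SAMPLE_NEEDS and the member names are constructed.

```python
# Billing API method -> permissions the caller needs on the billing account (page table 1).
REQUIRED: dict[str, set[str]] = {
    "billingAccounts.get": {"billing.accounts.get"},
    "billingAccounts.setIamPolicy": {"billing.accounts.setIamPolicy"},
    "billingAccounts.projects.list": {"billing.resourceAssociations.list"},
    "projects.updateBillingInfo": {"billing.resourceAssociations.create",
                                   "resourcemanager.projects.createBillingAssignment"},
}
# Permissions each role adds on its own (viewer/admin rows abbreviated). User bundles
# Project Manager and Viewer, and Admin bundles all three, as the roles table states.
OWN: dict[str, set[str]] = {
    "roles/billing.projectManager": {"resourcemanager.projects.createBillingAssignment",
                                     "resourcemanager.projects.deleteBillingAssignment"},
    "roles/billing.viewer": {"billing.accounts.get", "billing.accounts.getIamPolicy",
                             "billing.accounts.list", "billing.resourceAssociations.list"},
    "roles/billing.user": {"billing.accounts.redeemPromotion", "billing.resourceAssociations.create"},
    "roles/billing.admin": {"billing.accounts.setIamPolicy", "billing.accounts.update"},
}
INHERITS = {"roles/billing.user": ["roles/billing.projectManager", "roles/billing.viewer"],
            "roles/billing.admin": ["roles/billing.user"]}
ROLE_ORDER = ["roles/billing.viewer", "roles/billing.projectManager",  # least privileged first
              "roles/billing.user", "roles/billing.admin"]
# Constructed sample: a policy in the shape getIamPolicy returns, and the methods each
# member actually calls. alice holds Admin but only ever reads account details.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/billing.admin", "members": ["user:alice@example.com"]},
    {"role": "roles/billing.user", "members": ["user:bob@example.com"]}]}
SAMPLE_NEEDS = {"user:alice@example.com": ["billingAccounts.get"],
                "user:bob@example.com": ["projects.updateBillingInfo"]}

def permissions_of(role: str) -> set[str]:
    """Expand a role into its full permission set, following the bundling above."""
    perms = set(OWN.get(role, ()))
    for parent in INHERITS.get(role, []):
        perms |= permissions_of(parent)
    return perms

def least_role_for(methods: list[str]) -> str:
    """Least-privileged predefined role whose permissions cover every listed method."""
    need = set().union(*(REQUIRED[m] for m in methods))
    for role in ROLE_ORDER:
        if need <= permissions_of(role):
            return role
    raise ValueError("no single predefined role covers " + ", ".join(sorted(need)))

def over_privileged(policy: dict, needs: dict[str, list[str]]) -> dict[str, str]:
    """Members whose bound role exceeds their needs: member -> least role that suffices."""
    findings = {}
    for binding in policy["bindings"]:
        for member in binding["members"]:
            minimal = least_role_for(needs.get(member, []))
            if ROLE_ORDER.index(binding["role"]) > ROLE_ORDER.index(minimal):
                findings[member] = minimal
    return findings
```

Running `over_privileged(SAMPLE_POLICY, SAMPLE_NEEDS)` reports alice as a candidate for downgrading to roles/billing.viewer, while bob's projects.updateBillingInfo genuinely needs the two permissions that only User (or Admin) bundles.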