When following our best practices article, one of the steps you eventually reach is setting up access to manage and view billing. This article documents the steps necessary to do that. It assumes you are continuing to follow best practices on GCP, specifically that Cloud Identity or G Suite has already been set up.
- Have the ability to modify the billing account used in a project.
- Provide insight into the spend on each GCP SKU.
- Enable Woolpert to provide the best support possible.
- Do the above while following the best practices of least privilege.
Step 1: Create the Google Group
- This section assumes you already have Cloud Identity (free) or G Suite.
- Create a new group with the email address of google-billing@<your-domain.com> using the official guide.
- Add yourself, a backup and email@example.com as members of the group.
- Optionally, more granular billing groups can be set up so that the users who can change the billing account in use on any given project (Billing Administration role) are a separate group from those who can see the associated spend on each cloud SKU (Billing Account Viewer role). Create additional groups and membership as needed.
Step 2: Grant The Group Access
- Identify and coordinate with whoever has GCP Project Owner access; they will need to perform the steps below for every project.
- Browse to the project's IAM settings page.
- Click "Add".
- Enter the newly created group email address. It should look like google-billing@<your-domain.com> from the steps above.
- Select the following roles: Billing Administrator and Project Browser. Project Browser is optional, but it gives Woolpert and billing admins the ability to query and list all the project IDs without being explicitly granted any access to them.
- Click Save
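Because Step 2 is repeated by hand for every project, it is worth checking the result afterwards. The following is an added example, not part of the original article: it audits a project IAM policy, in the JSON form printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`, against the least-privilege goal above. It assumes the article's "Billing Administrator" and "Project Browser" correspond to the role IDs `roles/billing.admin` and `roles/browser`; the group address and the sample policy are constructed.

```python
import json

# Assumption: role IDs matching the article's "Billing Administrator"
# and "Project Browser". Adjust if your organisation uses other roles.
EXPECTED_ROLES = {"roles/billing.admin", "roles/browser"}
BILLING_PREFIX = "roles/billing."

# Constructed sample policy: one direct user grant, one over-broad
# role on the billing group, and the optional browser role missing.
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "bindings": [
    {"role": "roles/billing.admin",
     "members": ["group:google-billing@example.com",
                 "user:alice@example.com"]},
    {"role": "roles/editor",
     "members": ["group:google-billing@example.com"]},
    {"role": "roles/owner", "members": ["user:owner@example.com"]}
  ]
}
""")


def audit_policy(policy, group_email, expected=EXPECTED_ROLES):
    """Return sorted findings for one project's IAM policy.

    DIRECT  - a billing role bound to a non-group member
    EXTRA   - the billing group holds a role outside `expected`
    MISSING - the billing group lacks a role in `expected`
    """
    group = "group:" + group_email.lower()
    findings, held = [], set()
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member.lower() == group:
                held.add(role)
            elif (role.startswith(BILLING_PREFIX)
                  and not member.lower().startswith("group:")):
                findings.append(f"DIRECT {role} -> {member}")
    findings += [f"EXTRA {r}" for r in held - set(expected)]
    findings += [f"MISSING {r}" for r in set(expected) - held]
    return sorted(findings)


if __name__ == "__main__":
    for line in audit_policy(SAMPLE_POLICY, "google-billing@example.com"):
        print(line)
```

An empty result means the group holds exactly the expected roles and no individual account has been given a billing role directly.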