Google Cloud Platform (GCP) Projects are linked to Billing Accounts to enable usage of Google APIs and Services (Google Cloud services, Google Maps Platform APIs) that are utilized by applications managed in these projects.
Each GCP Project requires Identity and Access Management (IAM) settings be in place to control which user accounts would have access to the project and what level of permissions are allowed for each user account. Similar access management is also applied to GCP Billing Accounts and managed separately from the GCP Project IAM, i.e., access assigned to a user account on the project level does not apply to the billing account the project is linked to.
IMPORTANT: This requires a Billing Account Administrator access to the billing account. For more information, see Cloud Billing access control.
Following are the steps to give users access and permissions to a billing account:
1. Login to Cloud Console.
2. On the top left corner of the page, click on the Navigation menu then select Billing.
3. If there are multiple billing accounts, the following options will be available:
- GO TO LINKED BILLING ACCOUNT
- Redirects to the Billing page of the billing account associated to the currently selected project.
- MANAGE BILLING ACCOUNTS
- Opens a page listing all billing accounts that can be selected (clicking on the billing account redirects to its Billing page).
4. Once a billing account is selected, you will be redirected to the Billing page that shows an overview of the billing information:
5. On the left menu, select Account Management. The middle panel will display projects linked to the billing account and the rightmost panel displays the current list of users aka "Principals" that has access to the billing account and the roles assigned to each. It also has the controls to add access to the billing account. Note: If the rightmost panel is not visible, click the SHOW INFO PANEL button in the top right corner of the page.
6. Click +ADD PRINCIPAL.
7. In the Add principals to my "<Billing Account Name>", fill out the New principals and select the roles to assign by clicking Select a role drop-down and selecting the role to assign (see screenshot below). Note: For Billing Account access, select Billing on the left side and then select the roles under this category. Commonly used roles are as follows:
- Billing Account Administrator: This role is an owner role for a billing account. Use it to manage payment instruments, configure billing exports, view cost information, link and unlink projects and manage other user roles on the billing account.
- Billing Account User: This role has very restricted permissions, so you can grant it broadly. When granted in combination with Project Creator, the two roles allow a user to create new projects linked to the billing account on which the Billing Account User role is granted. Or, when granted in combination with the Project Billing Manager role, the two roles allow a user to link and unlink projects on the billing account on which the Billing Account User role is granted.
- Billing Account Viewer: Billing Account Viewer access would usually be granted to finance teams, it provides access to spend information, but does not confer the right to link or unlink projects or otherwise manage the properties of the billing account.
- Billing Account Costs Manager: Create, edit, and delete budgets, view billing account cost information and transactions, and manage the export of billing cost data to BigQuery. Does not confer the right to export pricing data or view custom pricing in the Pricing page. Also, does not allow the linking or unlinking of projects or otherwise managing the properties of the billing account.
See Cloud Billing Roles in Cloud IAM for more information.
8. Click + ADD ANOTHER ROLE if multiple roles will be assigned to the user.
9. Once roles have been added, click SAVE.