Just want to understand: in AWS, the root user has all access, including billing information, and usually we create a new standard user with the necessary privileges to build cloud solutions, and this user may not have access to all resources, including billing, unless it's granted by the root user through an IAM policy.
In GCP, when we are creating the billing configuration and exporting to BigQuery, it looks like all users have access to this information. Is it not possible to have a separate root user and other standard users created for specific projects in GCP, similar to AWS, with least privileges?
It is possible and this is explained in the lectures too. You can:
1. Create an admin user ("root") with the billing admin role.
2. As the "root" user, create a separate project (in the lectures it is called "Admin Project") and create a dataset for billing data export in that project. Other users will not have access to that project unless granted.
3. Create a second user Google account.
4. As the "root" user, go to billing account management and assign the second user to the Billing Account User role.
5. Log in as the second user. Observe that the second user can now use the billing account to create new projects but cannot manage the billing account or access the billing data export.
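
A way to check the result of steps 1 to 5 from exported IAM policies, as an added example that is not part of the original answer or the lectures. It assumes the two inputs have the JSON shape printed by `gcloud billing accounts get-iam-policy` and `gcloud projects get-iam-policy`; the account names and sample policies are constructed.

```python
BILLING_ADMIN = "roles/billing.admin"
BILLING_USER = "roles/billing.user"
ROOT = "user:root@example.com"  # constructed "root" account
DEV = "user:dev@example.com"    # constructed second user


def roles_of(policy, member):
    """Roles a member holds directly in one IAM policy document."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit_split(billing_policy, admin_project_policy, root, standard):
    """Return findings where the policies deviate from the setup above."""
    findings = []
    if BILLING_ADMIN not in roles_of(billing_policy, root):
        findings.append(f"{root} lacks {BILLING_ADMIN} on the billing account")
    std_roles = roles_of(billing_policy, standard)
    if BILLING_USER not in std_roles:
        findings.append(f"{standard} lacks {BILLING_USER} on the billing account")
    for role in sorted(std_roles - {BILLING_USER}):
        findings.append(f"{standard} holds extra billing role {role}")
    # Any member other than root on the Admin Project is reported for review.
    # Roles inherited from a folder or organization and dataset-level access
    # entries are not in these two documents and must be checked separately.
    for binding in admin_project_policy.get("bindings", []):
        for member in binding.get("members", []):
            if member != root:
                findings.append(
                    f"{member} has {binding['role']} on the admin project")
    return findings


# Constructed policies: the intended state, then a drifted state.
GOOD_BILLING = {"bindings": [{"role": BILLING_ADMIN, "members": [ROOT]},
                             {"role": BILLING_USER, "members": [DEV]}]}
GOOD_PROJECT = {"bindings": [{"role": "roles/owner", "members": [ROOT]}]}
BAD_BILLING = {"bindings": [{"role": BILLING_ADMIN, "members": [ROOT, DEV]},
                            {"role": BILLING_USER, "members": [DEV]}]}
BAD_PROJECT = {"bindings": [
    {"role": "roles/owner", "members": [ROOT]},
    {"role": "roles/bigquery.dataViewer",
     "members": [DEV, "allAuthenticatedUsers"]}]}

if __name__ == "__main__":
    for finding in audit_split(BAD_BILLING, BAD_PROJECT, ROOT, DEV):
        print("FINDING:", finding)
```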