Google Certified Associate Cloud Engineer 2020


Project Billing Manager — necessary to link projects to billing accounts?

In SMB Delegated scenario, do the development teams need Project Billing Manager role as well?  The voice-over on the Billing IAM Roles slide seems to suggest that they would if they were to link projects and billing accounts — unless I’ve misunderstood.

1 Answer

I’m glad you’re asking, Rik! It’s so valuable to work through your understanding like this.

First off, you are right that the dev teams will need the "Project Billing Manager" role on the projects they create. So good for you on spotting this. 👍

Now, the reason this was not specifically called out is because of the data flow around the "Project Creator" role:

Provides access to create new projects. Once a user creates a project, they're automatically granted the owner role for that project.  

And about the project "Owner" role:

All editor permissions and permissions for the following actions:

• Manage roles and permissions for a project and all resources within the project.

• Set up billing for a project.

So that means that devs will wind up with the Project Billing Manager role (Ummm… see below 😃), but only on their own projects–which is better than giving them that privilege across the whole organization/folder where they can create them.

Update!

Rik is keeping me honest with his comments, which is very good! 😂 I shouldn’t have said that having the "Owner" role grants the "Project Billing Manager" role, because that’s not technically true. Roles are not recursive–roles only ever contain permissions. So what is actually happening is that both the "Owner" role and the "Project Billing Manager" role each grant the same billing permissions–and these are exactly the resourcemanager.projects.createBillingAssignment permission that Rik pointed out 🕵️‍♂️ plus its counterpart, resourcemanager.projects.deleteBillingAssignment. 😁 You can run gcloud iam roles describe roles/billing.projectManager and compare that to what you see when you run it with the "roles/owner" role (and for the latter, you might want to grep the results–as Rik does in his comment, below).
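The comparison described in the update, as an added example that is not part of the original answer: a shell sketch that pulls includedPermissions out of saved gcloud iam roles describe output and lists which permissions of one role the other lacks. The two YAML excerpts are constructed (the Owner list is cut down to four entries), and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed excerpts of `gcloud iam roles describe <role>` output (YAML).
# For real data: gcloud iam roles describe roles/billing.projectManager > pm.yaml
billing_pm_yaml() {
cat <<'EOF'
includedPermissions:
- resourcemanager.projects.createBillingAssignment
- resourcemanager.projects.deleteBillingAssignment
name: roles/billing.projectManager
title: Project Billing Manager
EOF
}

# Constructed and heavily truncated: the real roles/owner list is far longer.
owner_yaml() {
cat <<'EOF'
includedPermissions:
- resourcemanager.projects.createBillingAssignment
- resourcemanager.projects.delete
- resourcemanager.projects.deleteBillingAssignment
- resourcemanager.projects.setIamPolicy
name: roles/owner
title: Owner
EOF
}

# Read describe output on stdin; print its permissions, one per line, sorted.
permissions() {
  awk '/^includedPermissions:/ {inlist=1; next}
       inlist && /^- /        {print $2; next}
                              {inlist=0}' | LC_ALL=C sort -u
}

# missing_from A B: print permissions in file A's role that file B's role lacks.
# Empty output means A's permissions are a subset of B's.
missing_from() {
  a=$(mktemp) b=$(mktemp)
  permissions <"$1" >"$a"
  permissions <"$2" >"$b"
  LC_ALL=C comm -23 "$a" "$b"
  rm -f "$a" "$b"
}

# Demo on the constructed excerpts above.
pm=$(mktemp); ow=$(mktemp)
billing_pm_yaml >"$pm"; owner_yaml >"$ow"
echo "Project Billing Manager permissions missing from Owner:"
missing_from "$pm" "$ow"
rm -f "$pm" "$ow"
```

An empty list in one direction and a non-empty list in the other is what "Owner covers the same billing permissions, and more" looks like at the permission level, which is why granting Owner only on a team's own projects is the narrower choice.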

Rik Howard

Thanks, Mattias. I did later wonder about that, but gcloud iam roles describe roles/owner | egrep -i billing does not return roles/billing.projectManager to me; perhaps this has become resourcemanager.projects.createBillingAssignment?

Rik Howard

(which the description does return)

David Howes

Great summary!

Mattias Andersson

Ah, you are keeping me honest, which is very good! 😂 I shouldn’t have said that having the "Owner" role grants the "Project Billing Manager" role, because that’s not technically true. Roles are not recursive–roles only ever contain Permissions. So what is actually happening is that both the "Owner" role and the "Project Billing Manager" role each grant the same billing permissions–and these are exactly the "resourcemanager.projects.createBillingAssignment" permission that you pointed out 🕵️‍♂️ plus its counterpart, "resourcemanager.projects.deleteBillingAssignment". 😁 You can run gcloud iam roles describe roles/billing.projectManager and compare it to what you see with the "Owner" role.

Dhanabalan Rangasamy

Can Project Billing Manager create a billing account?
