In the SMB Delegated scenario, do the development teams need the Project Billing Manager role as well? The voice-over on the Billing IAM Roles slide seems to suggest that they would if they were to link projects and billing accounts — unless I’ve misunderstood.
I’m glad you’re asking, Rik! It’s so valuable to work through your understanding like this.
First off, you are right that the dev teams will need the "Project Billing Manager" role on the projects they create. So good for you on spotting this. 👍
Now, the reason this was not specifically called out is because of the data flow around the "Project Creator" role:
Provides access to create new projects. Once a user creates a project, they're automatically granted the owner role for that project.
And about the project "Owner" role:
All editor permissions and permissions for the following actions: • Manage roles and permissions for a project and all resources within the project. • Set up billing for a project.
So that means that devs will wind up with the Project Billing Manager role (Ummm… see below 😃), but only on their own projects–which is better than giving them that privilege across the whole organization/folder where they can create them.
Rik is keeping me honest with his comments, which is very good! 😂 I shouldn’t have said that having the "Owner" role grants the "Project Billing Manager" role, because that’s not technically true. Roles are not recursive–roles only ever contain permissions. So what is actually happening is that both the "Owner" role and the "Project Billing Manager" role each grant the same billing permissions–and these are exactly the resourcemanager.projects.createBillingAssignment permission that Rik pointed out 🕵️‍♂️ plus its counterpart, resourcemanager.projects.deleteBillingAssignment. 😁 You can run gcloud iam roles describe roles/billing.projectManager and compare that to what you see when you run it with the "roles/owner" role (and for the latter, you might want to grep the results–as Rik does in his comment, below).
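The comparison suggested above, as an added shell example that is not part of the original thread: it filters the `includedPermissions` list that `gcloud iam roles describe` prints down to the project billing-assignment permissions and intersects the two roles' lists. The two YAML documents embedded in the script are constructed, heavily abbreviated stand-ins for real `describe` output (the real `roles/owner` list runs to thousands of permissions) so the script runs offline; with gcloud installed and authenticated, pipe the real command output into `billing_perms` instead. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Compare the billing-related
# permissions of two predefined roles. With a real gcloud install, run e.g.:
#   gcloud iam roles describe roles/owner | billing_perms
#   gcloud iam roles describe roles/billing.projectManager | billing_perms
# Below, constructed sample output stands in for the gcloud calls.
set -eu

# Keep only the resourcemanager.projects.*BillingAssignment entries from the
# YAML "includedPermissions" list (each item is a "- <permission>" line),
# sorted so the two lists can be compared line by line.
billing_perms() {
  sed -n 's/^ *- \(resourcemanager\.projects\.[A-Za-z]*BillingAssignment\)$/\1/p' | sort
}

# Constructed, abbreviated stand-in for `gcloud iam roles describe roles/owner`
# (the real list is far longer; only the shape matters here).
owner_yaml() {
  cat <<'EOF'
description: Full access to all resources.
includedPermissions:
- iam.roles.create
- resourcemanager.projects.createBillingAssignment
- resourcemanager.projects.deleteBillingAssignment
- resourcemanager.projects.get
- resourcemanager.projects.setIamPolicy
name: roles/owner
stage: GA
title: Owner
EOF
}

# Constructed, abbreviated stand-in for
# `gcloud iam roles describe roles/billing.projectManager`.
billing_mgr_yaml() {
  cat <<'EOF'
description: Link projects to billing accounts.
includedPermissions:
- resourcemanager.projects.createBillingAssignment
- resourcemanager.projects.deleteBillingAssignment
name: roles/billing.projectManager
stage: GA
title: Project Billing Manager
EOF
}

# Print the billing-assignment permissions present in BOTH roles. Each line of
# the Owner list becomes one fixed-string, whole-line grep pattern, so the
# output is the intersection of the two filtered lists.
shared_billing_perms() {
  owner_list=$(owner_yaml | billing_perms)
  billing_mgr_yaml | billing_perms | grep -Fx -- "$owner_list"
}

echo "Billing-assignment permissions granted by both roles:"
shared_billing_perms
```

Because a role is only a bag of permissions, this intersection, not any role-to-role relationship, is what lets a project Owner link a billing account; a custom role that carried just these two permissions would do the same.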