In the create free tier GCP account lecture, if the billing email is forwarded to a normal Gmail account, why can an attacker reset the password of the billing account once he has got the normal account? Doesn’t he have to have the billing account password?
Well, if the attacker already has the billing account password, then it wouldn’t matter–they could simply change the password.
But if the attacker doesn’t have the current password but can access the email messages of the admin account, then that might be used as a piece of evidence that they already do have access to the account–such as via "Click the reset link" or "Enter the verification code" emails. That might then allow a password reset, though I can’t say for sure what the password reset process will be for any account at any particular time.
Hope that helps explain what I meant.