In Cloud Billing accounts, multi-project access to usage costs lets solution owners see the cost data for all their projects in a single view in the Cloud Billing console. The multi-project view uses a combination of Cloud Billing account permissions and project permissions that let Cloud Billing administrators and organization administrators jointly control access to project-level cost data.
Using project-scoped Cloud Billing account permissions, Cloud Billing administrators can control which solution owners can view aggregated cost data in the Cloud Billing console.
Get started
- Read this document to learn about the permissions required to get multi-project cost view access.
- Give project-scoped billing account permissions to solution owners.
Permissions required to get multi-project cost view access
To get multi-project access to costs views in the Cloud Billing console, which enables project owners, solution owners, developers, and other non-billing admins to view aggregated costs for their authorized projects, you need the following permissions:
- Google Cloud project permissions: To view the costs accrued in a project, you need billing-specific project-side permissions granted on each of your authorized Google Cloud projects. Project permissions are typically managed by project owners.
- Cloud Billing account permissions: You need project-scoped
billing account permissions on the
Cloud Billing account that is linked to your authorized projects.
Cloud Billing permissions are typically managed by a
Billing Account Administrator.
Project permissions
Project permissions are granted with roles on the Google Cloud project or folder. You can grant project permissions using a custom role, or with a predefined role. To view costs for a project, and access other billing tools for the project such as budgets and cost anomalies, you need a role on each project that includes the following permissions:
| Permissions | Purpose | Predefined roles |
|---|---|---|
|
To browse or retrieve details about a project, including the name and ID of the Cloud Billing account that is linked to the project. | |
|
To view costs for a project in Cloud Billing reports. | |
|
To view and manage budgets for a project in the Cloud Billing console. | |
|
To view cost anomalies for a project in the Cloud Billing console. |
Cloud Billing account permissions
Cloud Billing account permissions are granted with roles on the Cloud Billing account. To view the aggregated costs for all of your authorized Google Cloud projects that are linked to a Cloud Billing account, you need a role on the billing account that includes the following permissions:
| Permissions | Purpose | Predefined role (recommended) |
|---|---|---|
billing.accounts.get |
View the basic properties and metadata of a Cloud Billing account. |
Project Billing Costs Manager
|
billing.accounts.getIamPolicy |
Lets users view the IAM assignments to a billing account, such as principals who are Billing Account Administrators and Billing Account Viewers. | |
billing.accounts.getSpendingInformationScoped |
View costs and usage for a billing account, scoped to the projects that the current authenticated user has permission to view. | |
billing.costRecommendations.listScoped |
Access the FinOps hub in the Cloud Billing console to view cost recommendations scoped to the projects that the current authenticated user has permission to view. |
You can grant the billing account permissions using a custom role, or with the project-scoped predefined billing account role:
- Name:
billing.projectCostsManager - Title: Project Billing Costs Manager
|
For more information about Google Cloud project permissions, see: |
For more information about Cloud Billing account permissions, see: |
Grant permissions
Project administrators can grant the project permissions. Many solution owners in your organization might already have the required billing-specific project permissions, because they are the same as those needed to access the single-project view in the Cloud Billing console.
Billing Account Administrators can grant the required billing account permissions.
After your users are granted both the project-side and the billing account permissions, they can access cost data in the relevant billing account for their projects.
Project-scoped Cloud Billing account permissions
To provide the required Cloud Billing account permissions for multi-project
access to the Cloud Billing console, we recommend you use the predefined
billing role Project Billing Costs Manager.
To grant multi-project billing account permissions to solution owners, in the Google Cloud console, follow this process:
Ensure that you have the permissions required to manage user access on a billing account.
In the Google Cloud console, go to the Account management page for the Cloud Billing account:
At the prompt, choose the Cloud Billing account that you want to manage.
The Account management page for that account opens.
You can also open this page by clicking the Account management menu item in the billing account navigation menu.
In the Info panel, review and edit the Principals and Permissions for the selected Cloud Billing account. If the panel isn't already visible, click Show info panel to open it.
To add new principals and assign permissions, click Add principal.
In the New principals field, enter the principals you want to add. You can add individual users' email addresses, groups, domains, or service accounts as principals.
In the Assign roles section, from the Select a role drop-down list, select Project Billing Costs Manager.
Click Save.
What's next
Learn more about the Cloud Billing tools that are available to Google Cloud project owners.