How to change gcp project billing to different billing organization? - google-cloud-platform

My company is willing to pay for my personal GCP projects and wants me to change the billing ID for my projects.
How do I achieve this?
Does my personal email have to be added to their billing org? Or can I just change the billing ID for my project?

You'll want to have them (probably!) assign your project to the organizational billing account; they own the billing account resource and only identities permitted to use it can apply it.
NOTE: If your identity has the appropriate IAM role for your organization's billing account, then you could also make the change, but I suspect (since you asked this question) that it doesn't (and you probably shouldn't do this anyway).
In order to do this, they will need (I think) roles/billing.projectManager on your (!) project.
https://cloud.google.com/billing/docs/how-to/billing-access
The change will only happen proactively (for charges incurred after the change of billing account is effective).

Related

Issue with BillingAccountUser role in GCP

While learning GCP billing a bit thoroughly, I have a scenario with GCP Billing, and I am not able to understand how this is addressed, so please clarify.
I have a user (admin_user) who has created a billing account. This admin user adds another user (normal_user) with BillingAccountUser role for that billing account.
Now this normal_user creates his own project and generates some ML workload which adds up a huge bill (keeping alerts aside for now) by end of the month, and the billing account gets the invoice which is obvious. Now the admin_user cannot see the normal_user's project as he is the only owner of that. If normal_user leaves the company, no one would have access to the project he created and generated the bill, and presumably billing reports may not be able to show the workload details and drilldown for that project.
So how safely to avoid/prevent this scenario while assigning the BillingAccountUser role? Any way to allow normal_user to add only organization projects to this billing account where he should not have right to create a project in the organization but manage that to add to the billing account, yet he can create his own projects and play around without actually not able to add them to this billing account?
If you grant a user Billing Account User and that user also has Project Creator, then that user will be able to attach the billing account to a new project.
To prevent the user from being able to attach a billing account to a project, grant the user Billing Account Viewer instead.
Only trusted users should have any form of access to the billing account.
Any way to allow normal_user to add only organization projects to this
billing account where he should not have right to create a project in
the organization but manage that to add to the billing account, yet he
can create his own projects and play around without actually not able
to add them to this billing account?
No. Billing accounts are not part of a project or organization. They are separate accounts and are managed independently. Billing accounts are linked to projects - they are not managed or controlled by a project. If you have the correct permissions, you can link any project to a billing account.
Normally, restrictions like this would be part of constraints. However, Google Cloud does not yet offer a constraint for billing accounts.
Organization policy constraints
If a user created a personal account and linked it to a business billing account, that would be a misuse of corporate assets. I recommend that only certain officers/managers of a company have access to a billing account. Everyone else should complete a form, or similar, and request a project be linked to a billing account.
One item that can improve the security of billing accounts is to only add user accounts that you control. If a user mismanaged an account, you could take control of his identity (corporate email address). If you use Gmail accounts, you do not have that ability.
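An audit of the situation described in this answer, as an added example that is not part of the original post: it lists every identity that can attach the billing account (Billing Account User or Administrator), whether that identity can also create projects in the organization, and whether it belongs to a domain the company controls. The policies are constructed sample data in the JSON shape of `get-iam-policy` output; `example.com`, the member names and the function names are assumptions.

```python
# Constructed policies in the shape of `get-iam-policy --format=json` output.
ATTACH_ROLES = {"roles/billing.user", "roles/billing.admin"}
CREATE_ROLE = "roles/resourcemanager.projectCreator"
MANAGED_DOMAIN = "example.com"  # assumption: the domain the company controls

BILLING_POLICY = {"bindings": [
    {"role": "roles/billing.admin", "members": ["user:admin_user@example.com"]},
    {"role": "roles/billing.user", "members": ["user:normal_user@example.com",
                                               "user:contractor@gmail.com"]},
    {"role": "roles/billing.viewer", "members": ["user:auditor@example.com"]},
]}
ORG_POLICY = {"bindings": [
    {"role": CREATE_ROLE, "members": ["domain:example.com"]},
]}


def members_with(policy, roles):
    """Every member bound to any of the given roles in one policy."""
    return {m for b in policy.get("bindings", [])
            if b["role"] in roles for m in b["members"]}


def creates_org_projects(member, creators):
    """Direct grant or a domain-wide grant; group membership is not resolved."""
    kind, _, ident = member.partition(":")
    return member in creators or (
        kind == "user" and "domain:" + ident.rpartition("@")[2] in creators)


def audit(billing_policy, org_policy, domain=MANAGED_DOMAIN):
    """One finding per identity that can attach the billing account."""
    creators = members_with(org_policy, {CREATE_ROLE})
    findings = []
    for member in sorted(members_with(billing_policy, ATTACH_ROLES)):
        ident = member.partition(":")[2]
        findings.append({
            "member": member,
            "creates_org_projects": creates_org_projects(member, creators),
            "managed_identity": ident.rpartition("@")[2] == domain,
        })
    return findings


if __name__ == "__main__":
    for finding in audit(BILLING_POLICY, ORG_POLICY):
        print(finding)
```

Identities reported with `managed_identity` set to False are the ones the answer warns about; Billing Account Viewer holders do not appear because that role cannot attach the account.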

Is it possible to add an organization to an existing GCP account?

I am not able to add an organization to an already existing GCP account. The account has two projects running. I created a different account in order to create an organization, because GCP would not let me add an organization in the same account. After creating the account I get the following message:
When you use only your personal account, the projects are attached to a virtual organization named "No Organisation".
If you have a domain name, you can create a Cloud Identity account and an admin user. Remove all licence on your user to pay nothing (even if you need to enroll for a free trial, do this and then remove the licences to pay nothing).
So, now you have a new user (with #domainName), but you don't have your old project. No problem, go to the organisation level, in the IAM page, and grant your personal account as Organisation Admin.
Go back to your personal account and you will be able to see your No Organization project and your new organization with the same account. Now, you simply need to migrate the projects if you want to attach them to the new organization.
Note: it's maybe a lot of new stuff and steps, but I did it and it worked well. Let me know if you need more guidance!

How do I disable Billing Account Creation for my organization on Google Cloud Platform?

In this video at 10:54, a Google representative says:
And here, we want to call out this tip -- really important tip -- by default, [we] leave the Billing Account Creator Roles ON in your organization for everyone who's in it. We want to strongly encourage you to remove that. To turn that off.
And in this video at 3:20, a Google rep says:
We recommend sticking to a single billing account per organization, and making sure only admins can create new billing accounts. You can do that by removing the Billing Account Creator Role from your organization.
How do you actually do that?
I tried activating an Organizational Policy Constraint, but there's no mention of billing account restrictions.
I tried disabling/deleting the role from IAM Roles, but Predefined Roles cannot be deleted.
Lastly I looked at the documentation for Billing Access and the IAM Permissions Reference, and it looks like the only way someone has creation permissions is through the "Billing Account Creator" Role (and perhaps "Owner"?) Is it enough to just NOT grant that role to anyone, or is there a way to positively blacklist this permission?
Your Organization Resource is established with two default roles turned on:
Project Creator
Billing Account Creator
These two roles allow customers to open GCP services to all of their users immediately. Control of project creation and maintaining centralized billing can be accomplished by removing the default organization level IAM entries.
Removing default roles from the Organization node
This is visual representation of the process
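A check for the two default organization-level entries this answer names, as an added example that is not part of the original post: it finds domain-wide grants of Billing Account Creator and Project Creator in an organization IAM policy and produces the cleaned policy plus the matching `gcloud organizations remove-iam-policy-binding` commands. The policy, the etag value, the organization ID `123456789012` and the function names are constructed for illustration.

```python
import copy

DEFAULT_ROLES = {"roles/billing.creator", "roles/resourcemanager.projectCreator"}

# Constructed sample in the shape of
# `gcloud organizations get-iam-policy ORG_ID --format=json` output.
ORG_POLICY = {
    "bindings": [
        {"role": "roles/billing.creator", "members": ["domain:example.com"]},
        {"role": "roles/resourcemanager.projectCreator",
         "members": ["domain:example.com", "group:platform-admins@example.com"]},
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["user:admin_user@example.com"]},
    ],
    "etag": "CONSTRUCTED_ETAG",
}


def find_domain_wide(policy, roles=DEFAULT_ROLES):
    """(role, member) pairs where a whole domain holds one of the roles."""
    return [(b["role"], m) for b in policy.get("bindings", [])
            if b["role"] in roles
            for m in b["members"] if m.startswith("domain:")]


def strip_domain_wide(policy, roles=DEFAULT_ROLES):
    """Copy of the policy without the domain-wide grants.

    Explicit user/group grants are kept, bindings left empty are dropped,
    and the etag is preserved so a concurrent change is detected on write.
    """
    cleaned = copy.deepcopy(policy)
    kept = []
    for b in cleaned.get("bindings", []):
        if b["role"] in roles:
            b["members"] = [m for m in b["members"] if not m.startswith("domain:")]
        if b["members"]:
            kept.append(b)
    cleaned["bindings"] = kept
    return cleaned


def removal_commands(org_id, findings):
    """One gcloud command per finding, for review before running."""
    return [f"gcloud organizations remove-iam-policy-binding {org_id} "
            f"--member={member} --role={role}" for role, member in findings]
```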

How to link a project to GCP credits linked to a different account?

I need a guide on linking a project to an account with GCP credits. We are a startup and have received GCP credits for testing, but the credits are linked to the personal account of the previous admin, who is no longer working for us but has allowed us to continue using the project and credits until they expire. That is the only option available from GCP; the credits can't be transferred. So I want to create more projects and want to use the credits linked to the previous admin. The previous admin has agreed to link the project. I want to know the exact steps to link the resource usage of the new project to the credits.
I have gone through https://cloud.google.com/billing/docs/how-to/modify-project
however when I hit change billing it says there's no other billing account available as I have only a single billing account.
You probably need to ask the previous admin, who is the billing owner, to do a few steps for you.
This is needed because he is the Billing Owner of the account.
Taking a look at the link you sent, you can find this information about the permissions needed to add the project and so on.
If you check there, these are the permissions needed in order to enable the billing for a project [1]:
- Project Owner or Project Billing Manager on the project, AND Billing Account Administrator or Billing Account User for the target Cloud Billing account.
I guess that you are Project Owner of your project, but you aren't a Billing Account User of this Free Trial account with the credits.
If you want some advice, you could ask the previous admin to set your project under his billing account.
Or he will need to grant the permissions for you.
Either way, you need him to set up this for you, as he has the account being billed.
And an important reminder, you can't change the ownership of the trial account to another email address.
[1] - https://cloud.google.com/billing/docs/how-to/modify-project#enable_billing_for_a_new_project
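The two-sided permission rule quoted in this answer, as an added example that is not part of the original post: for a given identity it reports which side of the rule is unmet and names the narrower of the listed roles that would satisfy it. The policies and member names are constructed, the function names are assumptions, and only direct bindings on the two policies are checked (group membership and inherited grants are not resolved).

```python
PROJECT_SIDE = {"roles/owner", "roles/billing.projectManager"}
BILLING_SIDE = {"roles/billing.admin", "roles/billing.user"}

# Constructed sample: the asker owns the project, the previous admin
# administers the billing account that carries the credits.
PROJECT_POLICY = {"bindings": [
    {"role": "roles/owner", "members": ["user:new_admin@example.com"]},
]}
BILLING_POLICY = {"bindings": [
    {"role": "roles/billing.admin", "members": ["user:previous_admin@gmail.com"]},
]}


def roles_of(principal, policy):
    """Roles bound directly to the principal in one policy."""
    return {b["role"] for b in policy.get("bindings", [])
            if principal in b["members"]}


def missing_grants(principal, project_policy, billing_policy):
    """Grants the principal still needs before it can link the project.

    Suggests the narrower of the two roles listed for each side:
    Project Billing Manager on the project, Billing Account User on the
    billing account.
    """
    grants = []
    if not roles_of(principal, project_policy) & PROJECT_SIDE:
        grants.append(("project", "roles/billing.projectManager"))
    if not roles_of(principal, billing_policy) & BILLING_SIDE:
        grants.append(("billing_account", "roles/billing.user"))
    return grants


def link_options(candidates, project_policy, billing_policy):
    """Who could perform the link, and what each would need first."""
    return {c: missing_grants(c, project_policy, billing_policy)
            for c in candidates}


if __name__ == "__main__":
    people = ["user:new_admin@example.com", "user:previous_admin@gmail.com"]
    for who, needs in link_options(people, PROJECT_POLICY, BILLING_POLICY).items():
        print(who, "can link now" if not needs else f"needs {needs}")
```

An empty list means the identity can link the project itself; in the sample data neither person can, which matches the "no other billing account available" symptom in the question.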

Managing customer's project and billing

I have used Google Cloud for a while for my own projects. But this time I would like to deploy one of my customer's project to it. What is the best way to manage the fees?
1. Creating the project in my GC account and granting access to the customer to see the fees and send them invoices.
2. Creating the project in my GC account and somehow set their billing account to my project.
3. Creating the project in their GC account and ask for permissions to manage it.
4. Something else.
Which one is the correct solution, or what do you use? If the second solution is the good one, how can I achieve it?
Thank you!
Let's review each option and consider everything from both you as the developer and the client who owns (pays for) the project. Think security and responsibility (legal, financial and ethical) when making these decisions.
Option 1:
Creating the project in my GC account and granting access to the
customer to see the fees and send them invoices.
I would create a separate project for this customer and not mix their work into a project that has your own work. Granting the customer access to the billing information for a mixed account and then trying to separate items might take more time than it is worth. I don't recommend this method.
Option 2:
Creating the project in my GC account and somehow set their billing
account to my project.
The customer will need to grant you access to their billing account, which I do not recommend. I would not grant access to my billing account to a third party. They could attach any project they want and I would get the bill. I don't recommend this method.
Option 3:
Creating the project in their GC account and ask for permissions to
manage it.
This is the best option. The project and billing are under the client's control and the client grants you the required permission such as Project Editor to your user identity. Project Ownership and Billing responsibility remains with the client and the client can grant and remove access to you anytime they want easily without a ripple effect of additional work.
This all depends on your preference, however, I would go with the second one. You can create the project for them, and they can create the billing account. You then can modify the billing account on the project you created by following the steps over here.
Nevertheless, as I mentioned this is all your preference so you can use any of the other approaches you mentioned too.
Hope you find this useful.