Managing customer's project and billing - google-cloud-platform

I have used Google Cloud for a while for my own projects. But this time I would like to deploy one of my customer's projects to it. What is the best way to manage the fees?
1. Creating the project in my GC account and granting access to the customer to see the fees and send them invoices.
2. Creating the project in my GC account and somehow setting their billing account on my project.
3. Creating the project in their GC account and asking for permissions to manage it.
4. Something else.
Which one is the correct solution, or what do you use? If the second solution is the good one, how can I achieve it?
Thank you!

Let's review each option and consider everything from both you as the developer and the client who owns (pays for) the project. Think security and responsibility (legal, financial and ethical) when making these decisions.
Option 1:
"Creating the project in my GC account and granting access to the customer to see the fees and send them invoices."
I would create a separate project for this customer and not mix their work into a project that has your own work. Granting the customer access to the billing information for a mixed account and then trying to separate items might take more time than it is worth. I don't recommend this method.
Option 2:
"Creating the project in my GC account and somehow set their billing account to my project."
The customer will need to grant you access to their billing account, which I do not recommend. I would not grant access to my billing account to a third party. They could attach any project they want and I would get the bill. I don't recommend this method.
Option 3:
"Creating the project in their GC account and ask for permissions to manage it."
This is the best option. The project and billing are under the client's control, and the client grants the required permission, such as Project Editor, to your user identity. Project Ownership and Billing responsibility remain with the client, and the client can grant and remove your access at any time, easily and without a ripple effect of additional work.

This all depends on your preference, however, I would go with the second one. You can create the project for them, and they can create the billing account. You then can modify the billing account on the project you created by following the steps over here.
Nevertheless, as I mentioned this is all your preference so you can use any of the other approaches you mentioned too.
Hope you find this useful.

Related

How to change gcp project billing to different billing organization?

My company is willing to pay for my personal GCP projects and wants me to change the billing ID for my projects.
How do I achieve this?
Does my personal email have to be added to their billing org? Or can I just change the billing ID for my project?
You'll want to have them (probably!) assign your project to the organizational billing account; they own the billing account resource and only identities permitted to use it can apply it.
NOTE: If your identity has the appropriate IAM role for your organization's billing account, then you could also make the change, but I suspect (since you asked this question) that it doesn't (and you probably shouldn't anyway).
In order to do this, they will need (I think) roles/billing.projectManager on your (!) project.
https://cloud.google.com/billing/docs/how-to/billing-access
The change will only apply prospectively (for charges incurred after the change of billing account is effective).

Projects under No Organization that cannot be accessed

In the cloud-resource-manager page, there are 2 projects listed under No organization, one of them curiously has the id you-can-see-this-project, the other looks like an automatically generated project with the prefix My Project xxx.
The issue is that there seems to be no way to access these 2 projects even though I can see them under my account. The IAM page shows that I do not have the permission resourcemanager.projects.getIamPolicy and every other page or action notes some missing permission.
Is there a way to shut down/delete these projects, or a way to remove myself from them?
Edit:
It seems like the 2 projects that are showing up in my account are the same ones that other people with this issue see.
They are
Update (20221114): Checked recently and both the rogue projects are gone with no action on our part. Probably it was finally cleaned up?
Root cause
Your Google Cloud Account is subscribed to "google-appengine#googlegroups.com".
Solution
Unsubscribing from this group will remove these projects. See Google Groups Help for reference.
I got this feedback directly from the Google Cloud Support team and confirmed it working with my account. I did not consciously subscribe to that group; maybe this happens or happened automatically in the past. Also, why these ghost projects are added remains a mystery to me; no idea what they should be used for. Here's hoping that Google will fix this in the future...
You will need to identify the Projects' members that have the Owner role; I think that there is not a specific IAM permission that permits Project deletion but that some identities must have the Owner role.
I suspect (!) you can't orphan Projects by removing the last Owner, so there must be at least one.
If you're unable to determine Ownership, Google Cloud Support can determine the Owners for you though I suspect Support won't be able to disclose this information to you but will need to contact the Owners directly about this.
Once you have created your Google Workspace or Cloud Identity account and associated it with a domain, your organization resource will be automatically created for you. The resource will be provisioned at different times depending on your account status:
- If you are new to Google Cloud and have not created a project yet, the organization resource will be created for you when you log in to the Google Cloud console and accept the terms and conditions.
- If you are an existing Google Cloud user, the organization resource will be created for you when you create a new project or billing account. Any projects you created previously will be listed under "No organization", and this is normal. The organization resource will appear and the new project you created will be linked to it automatically. You will need to move any projects you created under "No organization" into your new organization resource. For instructions on how to move your projects, see Migrating projects into an organization.
Users can only view and list projects they have access to via IAM roles. The Organization Administrator can view and list all projects in the organization.
The No organization option in the Organization drop-down lists the following projects:
- Projects that do not belong to the Organization yet.
- Projects which the user has access to, but which are under an Organization to which the user does not have access.
Refer to this documentation for more information on creating and managing organizations.

Is it possible to add an organization to an existing GCP account?

I am not able to add an organization to an already existing GCP account. The account has two projects running. I created a different account in order to create an organization, because GCP would not let me add an organization in the same account. After creating the account I get the following message:
When you use only your personal account, the projects are attached to a virtual organization named "No Organisation".
If you have a domain name, you can create a Cloud Identity account and an admin user. Remove all licences from your user to pay nothing (even if you need to enroll for a free trial, do this and then remove the licences to pay nothing).
So, now you have a new user (with #domainName), but you don't have your old project. No problem: go to the organisation level, in the IAM page, and grant your personal account the Organisation Admin role.
Go back to your personal account and you will be able to see your No Organization projects and your new organization with the same account. Now, you simply need to migrate the projects if you want to attach them to the new organization.
Note: it's maybe a lot of new stuff and steps, but I did it and it worked well. Let me know if you need more guidance!

How to link a project to GCP credits linked to a different account?

I need a guide on linking a project to an account with GCP credits. We are a startup and have received GCP credits for testing, but the credits are linked to the personal account of the previous admin, who is no longer working for us but has allowed us to continue using the project and credits until they expire. That is the only option available from GCP; the credits can't be transferred. So I want to create more projects and want to use the credits linked to the previous admin. The previous admin has agreed to link the project. I want to know the exact steps to link the resource usage of the new project to the credits.
I have gone through https://cloud.google.com/billing/docs/how-to/modify-project
However, when I hit "change billing" it says there's no other billing account available, as I have only a single billing account.
You probably need to ask the previous Admin, who is the billing owner, to do a few steps for you.
This is needed because he is the Billing Owner of the account.
Taking a look at the link you sent, you can find this information about the permissions needed to add the project and so on.
If you check there, these are the permissions needed in order to enable billing for a project [1]:
- Project Owner or Project Billing Manager on the project, AND Billing Account Administrator or Billing Account User for the target Cloud Billing account.
I guess that you are Project Owner of your project, but you aren't a Billing Account User of this Free Trial account with the credits.
If you want some advice, you could ask the previous admin to set your project under his billing account.
Or he will need to grant the permissions to you.
Either way, you need him to set this up for you, as he has the account being billed.
And an important reminder, you can't change the ownership of the trial account to another email address.
[1] - https://cloud.google.com/billing/docs/how-to/modify-project#enable_billing_for_a_new_project
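The two-sided role requirement quoted from [1] above, expressed as a check over IAM policies. This is an added example, not code from the thread or from Google's tooling: the policies are constructed sample data in the JSON shape that get-iam-policy output has, every identity and group is a placeholder, and the check also resolves group: and domain: members (the kind of grants another answer on this page describes).

```python
# Added example, not from the thread: does a principal hold the role pair the
# docs require to link a project to a billing account, i.e. (Owner OR Project
# Billing Manager on the project) AND (Billing Account Administrator OR Billing
# Account User on the account)? Policies are constructed sample data in the
# JSON shape `gcloud ... get-iam-policy --format=json` prints; identities are
# placeholders.
PROJECT_SIDE_ROLES = {"roles/owner", "roles/billing.projectManager"}
BILLING_SIDE_ROLES = {"roles/billing.admin", "roles/billing.user"}

# Constructed: the customer's project, set up as in "Option 3" above. The
# contractor holds Editor plus Project Billing Manager, not Owner.
PROJECT_POLICY = {"bindings": [
    {"role": "roles/owner", "members": ["user:client-admin@customer.example"]},
    {"role": "roles/editor",
     "members": ["user:dev@contractor.example", "user:intern@contractor.example"]},
    {"role": "roles/billing.projectManager", "members": ["user:dev@contractor.example"]},
]}
# Constructed: the customer's billing account. Billing Account User (enough to
# link, far less than Administrator) is granted via a group the customer controls.
BILLING_POLICY = {"bindings": [
    {"role": "roles/billing.admin", "members": ["user:client-admin@customer.example"]},
    {"role": "roles/billing.user", "members": ["group:billing-users@customer.example"]},
]}
# Constructed group membership; an IAM policy names groups, not their members.
GROUP_MEMBERS = {"group:billing-users@customer.example": {"user:dev@contractor.example"}}

def member_matches(binding_member, principal, groups):
    """True if one member entry of a binding covers `principal`."""
    if binding_member == principal:
        return True
    if binding_member.startswith("group:"):
        return principal in groups.get(binding_member, ())
    if binding_member.startswith("domain:"):  # e.g. domain:customer.example
        return principal.split("@")[-1] == binding_member[len("domain:"):]
    return False

def roles_for(principal, policy, groups=GROUP_MEMBERS):
    """All roles `principal` holds in `policy`, directly or via group/domain."""
    return {b["role"] for b in policy["bindings"]
            if any(member_matches(m, principal, groups) for m in b["members"])}

def can_link_billing(principal, project_policy=PROJECT_POLICY,
                     billing_policy=BILLING_POLICY, groups=GROUP_MEMBERS):
    """Both halves must hold; Project Owner alone (the asker's case) is not enough."""
    on_project = roles_for(principal, project_policy, groups) & PROJECT_SIDE_ROLES
    on_billing = roles_for(principal, billing_policy, groups) & BILLING_SIDE_ROLES
    return bool(on_project and on_billing)
```

Running the check against a real account means feeding it the two policies exported with gcloud; the asker's situation (Owner on the project, nothing on the credit-bearing billing account) comes out False until the billing-account owner grants Billing Account User.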

AWS like account linking and consolidated billing on GCP

Say I have a business and multiple DBA (doing business as); on AWS I can create an org hierarchy of the business and DBAs. I can invite the DBA accounts into the business org and link them so the business org is the payer. This keeps the operations of DBA independent and isolated with the convenience of consolidated billing for the business. This can also make it easy to transfer ownership of the DBA if desired without affecting the operations.
I was looking to setup something similar on GCP but it seems like each org is tied to a domain and there is no way to invite one org into another to link and provide billing. Is this correct or are there ways to link and provide billing for one org on behalf of the other?
"Say I have a business and multiple DBA (doing business as), on AWS I can create an org hierarchy of the business and DBAs."
You can create a similar hierarchy on Google Cloud.
"I can invite the DBA accounts into the business org and link them so the business org is the payer."
You can accomplish this with Google Cloud but in a different way. You cannot make one organization a branch/child of another organization, but you can add its members (identities) to another organization. The key to this is the members are not actually part of the organization. Identities are independent and added and removed easily.
"This keeps the operations of DBA independent and isolated with the convenience of consolidated billing for the business."
Google Cloud supports one or more billing accounts. Billing accounts can be assigned to projects independently of organizations. I can make my billing account responsible for any Google project (oversimplification).
"This can also make it easy to transfer ownership of the DBA if desired without affecting the operations."
Google does not have this flexibility without effort. In Google Cloud, I would not merge projects into an organization unless this objective was permanent. Instead, I would add the members required to access that project to IAM.
Projects independent of an organization can still participate in another organization and vice versa. Google Cloud Identity and Access Management (IAM) is very flexible. If I want bob#example.com to have access to Project ABC, I can add his email address to IAM and grant roles. You can also add an entire domain of users *#example.com to Google IAM. There are many more options.
You can move projects around inside the organization, but you cannot move projects to a different organization yourself - this requires opening a support ticket with Google Cloud Support.
"I was looking to set up something similar on GCP but it seems like each org is tied to a domain."
Google Cloud is not tied to a domain name, Google G Suite is. If you plan to also use G Suite for multiple DBA, I would have separate Google accounts and not combine G Suite with my resources in Google Cloud. Note: G Suite supports multiple domains; for a single organization linking G Suite and Google Cloud is fine.
I find Google Cloud's method of organizations, folders, projects and IAM more flexible than AWS.
AWS and Google have powerful IAM systems. I know both very well, each has its positives and drawbacks.
While the answer from John tells what all might be possible, it didn't have details on how to do it. After a lot of searching online and experimenting I managed to do what I wanted. Below are the steps using the "business" and "dba" references in my question.
1. Create a payment profile with a primary contact, say billing#businessdomain. Make sure the account type is Business and not Individual. In my case, I somehow ended up with an Individual account. It is not allowed to change the account type once created. Don't know why, but this was my first hurdle. With the Business account type, it is possible to invite other users.
2. I wasn't sure how to create a business account and if I could use the same email for the business account type. From within GCP, I went ahead and did the billing setup. Based on my login user, which had the individual payment profile, it defaulted to that payment profile but allowed me to create a new profile. I picked the account type as Business, but all other details were the same as what I had in the other personal account that got created. Luckily, it went ahead and created a business payment profile.
3. Once I had the business payment profile, I could go ahead and invite a user from my dba by specifying the email, say billing#dbadomain. That email got an invitation and, upon accepting it, was linked to the same payment profile. This is the key! This essentially allows the payment profile associated with one domain (organization) to be used for the billing account of another domain (organization).
4. At this point, I went ahead and even closed the payment profile with the Individual account type, and it seemed to have worked. I didn't have any transactions so far, so it's like it never needed to exist. I wish it was possible to change the account type for such profiles.
With this setup, the dba organization and its operations are done isolated and if ever it needs to change ownership, it can add a different billing method and separate out from the business org completely.