Access control for the Cloud Billing API

Google Cloud offers Identity and Access Management (IAM), which lets you grant access to specific Google Cloud resources while preventing access to other resources. IAM lets you adopt the security principle of least privilege, so that you grant only the access your resources actually require.

IAM lets you control who (users) has what access (roles) to which resources by setting IAM allow policies. An allow policy grants specific roles to users, and those users thereby receive the permissions of those roles.

This page describes the IAM roles that apply to the Cloud Billing API. For example, you can use IAM to grant roles such as Billing Account Costs Manager or Billing Account Viewer on a Cloud Billing account. For more information about IAM and its features, see the IAM documentation. In particular, see Managing access to projects, folders, and organizations and Managing access to other resources.

Permissions and roles

For a user to view Cloud Billing account details in the Google Cloud console, or for a Cloud Billing API method to return Cloud Billing account information, the user or caller must have the necessary permissions.

Permissions required for the Cloud Billing Catalog API

No permissions are required to use the Cloud Billing Catalog API (listing services and listing SKUs). All data returned by this API is public.

Permissions required for the Cloud Billing Budget API

The following table summarizes the permissions required to call each Cloud Billing Budget API method, together with the standard IAM Billing roles that automatically grant those permissions.

| API method | Required permissions | IAM roles that grant the permissions |
|---|---|---|
| GetBudget | To get the details of a budget, the caller must have the billing.budgets.get permission on the budget's Cloud Billing account. For a single-project budget, the caller can instead have the following permissions on the project (rather than billing-account permissions): resourcemanager.projects.get and billing.resourcebudgets.read. | Billing Account Administrator, Billing Account Costs Manager, or Billing Account Viewer on the budget's Cloud Billing account. For a single-project budget: Project Owner, Project Editor, or Project Viewer on the project. |
| ListBudgets | To return the list of budgets applied to a Cloud Billing account, the caller must have the billing.budgets.list permission on the Cloud Billing account. For a single-project budget, the caller can instead have the following permissions on the project (rather than billing-account permissions): resourcemanager.projects.get and billing.resourcebudgets.read. | Billing Account Administrator, Billing Account Costs Manager, or Billing Account Viewer on the budget's Cloud Billing account. For a single-project budget: Project Owner, Project Editor, or Project Viewer on the project. |
| CreateBudget | To create a new budget, the caller must have the billing.budgets.create permission on the budget's Cloud Billing account. For a single-project budget, the caller can instead have the following permissions on the project (rather than billing-account permissions): resourcemanager.projects.get, billing.resourcebudgets.read, and billing.resourcebudgets.write. | Billing Account Administrator or Billing Account Costs Manager on the budget's Cloud Billing account. For a single-project budget: Project Owner or Project Editor on the project. |
| UpdateBudget | To update an existing budget, the caller must have the billing.budgets.update permission on the budget's Cloud Billing account. For a single-project budget, the caller can instead have the following permissions on the project (rather than billing-account permissions): resourcemanager.projects.get, billing.resourcebudgets.read, and billing.resourcebudgets.write. | Billing Account Administrator or Billing Account Costs Manager on the budget's Cloud Billing account. For a single-project budget: Project Owner or Project Editor on the project. |
| DeleteBudget | To delete an existing budget, the caller must have the billing.budgets.delete permission on the budget's Cloud Billing account. For a single-project budget, the caller can instead have the following permissions on the project (rather than billing-account permissions): resourcemanager.projects.get, billing.resourcebudgets.read, and billing.resourcebudgets.write. | Billing Account Administrator or Billing Account Costs Manager on the budget's Cloud Billing account. For a single-project budget: Project Owner or Project Editor on the project. |
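The table above has two authorization paths: the billing-account permission, and, only for a single-project budget, a set of project permissions instead. The following Python is an added example, not Google's code, that models that decision so you can check which path a caller is relying on. It assumes the billing role to budget-permission mapping taken from the Roles section later on this page, and it assumes the project basic roles carry exactly the three project permissions the table names (Project Viewer for the read methods, Project Editor and Project Owner for the write methods), as the table's role column implies.

```python
"""Added example (not Google's code): authorization model for the Cloud Billing
Budget API built from the permissions table on this page.

Assumptions: billing roles map to the billing.budgets.* permissions listed in the
Roles section of this page; project basic roles map to the three project
permissions the table names (Viewer: read, Editor/Owner: read and write).
"""
from dataclasses import dataclass, field

# Billing-account permission each Budget API method requires (from the table).
METHOD_PERMISSION = {
    "GetBudget": "billing.budgets.get",
    "ListBudgets": "billing.budgets.list",
    "CreateBudget": "billing.budgets.create",
    "UpdateBudget": "billing.budgets.update",
    "DeleteBudget": "billing.budgets.delete",
}

# Project permissions accepted instead, but only for a single-project budget.
_READ = {"resourcemanager.projects.get", "billing.resourcebudgets.read"}
_WRITE = _READ | {"billing.resourcebudgets.write"}
PROJECT_ALTERNATIVE = {
    "GetBudget": _READ,
    "ListBudgets": _READ,
    "CreateBudget": _WRITE,
    "UpdateBudget": _WRITE,
    "DeleteBudget": _WRITE,
}

_ALL_BUDGET = set(METHOD_PERMISSION.values())
# Billing roles -> billing.budgets.* permissions (Roles section of this page).
BILLING_ROLE_PERMISSIONS = {
    "roles/billing.admin": _ALL_BUDGET,
    "roles/billing.costsManager": _ALL_BUDGET,
    "roles/billing.viewer": {"billing.budgets.get", "billing.budgets.list"},
    "roles/billing.user": set(),  # Billing Account User has no budget permissions
}

# Project basic roles -> project permissions the table relies on (assumption
# derived from the table's role column, not copied from Google documentation).
PROJECT_ROLE_PERMISSIONS = {
    "roles/viewer": _READ,
    "roles/editor": _WRITE,
    "roles/owner": _WRITE,
}


@dataclass
class Caller:
    """Roles the caller holds on the budget's billing account and on the project."""
    billing_account_roles: set = field(default_factory=set)
    project_roles: set = field(default_factory=set)


def expand(roles, role_table):
    """Union of the permissions granted by a set of roles; unknown roles grant nothing."""
    perms = set()
    for role in roles:
        perms |= role_table.get(role, set())
    return perms


def authorize(caller, method, single_project_budget):
    """Return (allowed, reason). The billing-account permission is checked first;
    the project-level path is consulted only when the budget is scoped to one project."""
    if method not in METHOD_PERMISSION:
        raise ValueError(f"unknown Budget API method: {method}")
    required = METHOD_PERMISSION[method]
    if required in expand(caller.billing_account_roles, BILLING_ROLE_PERMISSIONS):
        return True, f"billing account grants {required}"
    if single_project_budget:
        needed = PROJECT_ALTERNATIVE[method]
        held = expand(caller.project_roles, PROJECT_ROLE_PERMISSIONS)
        if needed <= held:
            return True, "project grants " + ", ".join(sorted(needed))
        missing = ", ".join(sorted(needed - held))
        return False, f"missing on billing account: {required}; missing on project: {missing}"
    return False, f"missing on billing account: {required} (project roles not applicable)"


if __name__ == "__main__":
    finance = Caller(billing_account_roles={"roles/billing.viewer"})
    dev = Caller(project_roles={"roles/editor"})
    for who, c in (("finance", finance), ("dev", dev)):
        for m in METHOD_PERMISSION:
            for scoped in (False, True):
                ok, why = authorize(c, m, scoped)
                print(f"{who:8} {m:13} single_project={scoped!s:5} -> {ok} ({why})")
```

The reason string is what makes this useful in review: a project-scoped principal who can create budgets is doing so through the project path, which means the budget is a single-project budget and no billing-account role was needed.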

Permissions required for the Cloud Billing Account API

The following table lists the permissions required to call each Cloud Billing Account API method, and the Cloud Billing IAM roles that provide those permissions.

| API method | Required permissions | IAM roles that include the permissions |
|---|---|---|
| billingAccounts.create | This method creates a new Cloud Billing subaccount. The caller must have the billing.accounts.update permission on the subaccount's parent Cloud Billing account. | Billing Account Administrator |
| billingAccounts.get | billing.accounts.get on the Cloud Billing account. | Billing Account Administrator, Billing Account Costs Manager, Billing Account Viewer, or Billing Account User |
| billingAccounts.list | None. This method returns all accounts the caller has access to. | Billing Account Administrator, Billing Account Costs Manager, Billing Account Viewer, or Billing Account User on the Cloud Billing account, or Project Billing Manager on the project. |
| billingAccounts.getIamPolicy | billing.accounts.getIamPolicy on the Cloud Billing account. | Billing Account Administrator, Billing Account Costs Manager, Billing Account Viewer, or Billing Account User |
| billingAccounts.setIamPolicy | billing.accounts.setIamPolicy on the Cloud Billing account. | Billing Account Administrator |
| billingAccounts.testIamPermissions | None. This method determines which permissions the caller has on the Cloud Billing account. | Not applicable |
| billingAccounts.patch | billing.accounts.update on the Cloud Billing account. | Billing Account Administrator |
| billingAccounts.projects.list | billing.resourceAssociations.list on the Cloud Billing account. | Billing Account Administrator, Billing Account Costs Manager, or Billing Account Viewer |
| projects.getBillingInfo | resourcemanager.projects.get on the project. For details, see Access control for projects. | Project Owner, Project Editor, or Project Viewer |
| projects.updateBillingInfo | billing.resourceAssociations.create on the Cloud Billing account, and resourcemanager.projects.createBillingAssignment on the project. | Billing Account Administrator or Billing Account User, plus Project Billing Manager |

Roles

You don't grant permissions to users directly; instead, you grant them roles, and each role bundles one or more permissions.

You can grant one or more roles on the same resource.

The following table lists the IAM roles you can grant for access to the Cloud Billing API, a description of what each role does, and the permissions the role provides. Some of these roles also include permissions for other Google Cloud services.

Role Permissions

Billing Account Administrator (roles/billing.admin)

Provides access to see and manage all aspects of billing accounts.

Lowest-level resources where you can grant this role:

  • Billing Account

billing.accounts.close

billing.accounts.get

billing.accounts.getCarbonInformation

billing.accounts.getIamPolicy

billing.accounts.getPaymentInfo

billing.accounts.getPricing

billing.accounts.getSpendingInformation

billing.accounts.getUsageExportSpec

billing.accounts.list

billing.accounts.move

billing.accounts.redeemPromotion

billing.accounts.removeFromOrganization

billing.accounts.reopen

billing.accounts.setIamPolicy

billing.accounts.update

billing.accounts.updatePaymentInfo

billing.accounts.updateUsageExportSpec

billing.anomalies.*

  • billing.anomalies.get
  • billing.anomalies.list
  • billing.anomalies.submitFeedback

billing.anomaliesConfigs.*

  • billing.anomaliesConfigs.get
  • billing.anomaliesConfigs.update

billing.billingAccountPrice.get

billing.billingAccountPrices.list

billing.billingAccountServices.*

  • billing.billingAccountServices.get
  • billing.billingAccountServices.list

billing.billingAccountSkuGroupSkus.*

  • billing.billingAccountSkuGroupSkus.get
  • billing.billingAccountSkuGroupSkus.list

billing.billingAccountSkuGroups.*

  • billing.billingAccountSkuGroups.get
  • billing.billingAccountSkuGroups.list

billing.billingAccountSkus.*

  • billing.billingAccountSkus.get
  • billing.billingAccountSkus.list

billing.budgets.*

  • billing.budgets.create
  • billing.budgets.delete
  • billing.budgets.get
  • billing.budgets.list
  • billing.budgets.update

billing.credits.list

billing.finOpsBenchmarkInformation.get

billing.finOpsHealthInformation.get

billing.resourceAssociations.*

  • billing.resourceAssociations.create
  • billing.resourceAssociations.delete
  • billing.resourceAssociations.list

billing.subscriptions.*

  • billing.subscriptions.create
  • billing.subscriptions.get
  • billing.subscriptions.list
  • billing.subscriptions.update

cloudasset.assets.searchAllResources

cloudnotifications.activities.list

cloudsupport.properties.get

cloudsupport.techCases.*

  • cloudsupport.techCases.create
  • cloudsupport.techCases.escalate
  • cloudsupport.techCases.get
  • cloudsupport.techCases.list
  • cloudsupport.techCases.update

commerceoffercatalog.*

  • commerceoffercatalog.agreements.get
  • commerceoffercatalog.agreements.list
  • commerceoffercatalog.documents.get
  • commerceoffercatalog.documents.list
  • commerceoffercatalog.offers.get

compute.commitments.*

  • compute.commitments.create
  • compute.commitments.get
  • compute.commitments.list
  • compute.commitments.update
  • compute.commitments.updateReservations

consumerprocurement.accounts.*

  • consumerprocurement.accounts.create
  • consumerprocurement.accounts.delete
  • consumerprocurement.accounts.get
  • consumerprocurement.accounts.list

consumerprocurement.consents.check

consumerprocurement.consents.grant

consumerprocurement.consents.list

consumerprocurement.consents.revoke

consumerprocurement.events.*

  • consumerprocurement.events.get
  • consumerprocurement.events.list

consumerprocurement.licensePools.*

  • consumerprocurement.licensePools.assign
  • consumerprocurement.licensePools.enumerateLicensedUsers
  • consumerprocurement.licensePools.get
  • consumerprocurement.licensePools.unassign
  • consumerprocurement.licensePools.update

consumerprocurement.orderAttributions.*

  • consumerprocurement.orderAttributions.get
  • consumerprocurement.orderAttributions.list
  • consumerprocurement.orderAttributions.update

consumerprocurement.orders.*

  • consumerprocurement.orders.cancel
  • consumerprocurement.orders.get
  • consumerprocurement.orders.list
  • consumerprocurement.orders.modify
  • consumerprocurement.orders.place

dataprocessing.datasources.get

dataprocessing.datasources.list

dataprocessing.groupcontrols.get

dataprocessing.groupcontrols.list

logging.logEntries.list

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.privateLogEntries.list

recommender.cloudsqlIdleInstanceRecommendations.get

recommender.cloudsqlIdleInstanceRecommendations.list

recommender.cloudsqlOverprovisionedInstanceRecommendations.get

recommender.cloudsqlOverprovisionedInstanceRecommendations.list

recommender.commitmentUtilizationInsights.*

  • recommender.commitmentUtilizationInsights.get
  • recommender.commitmentUtilizationInsights.list
  • recommender.commitmentUtilizationInsights.update

recommender.computeAddressIdleResourceRecommendations.get

recommender.computeAddressIdleResourceRecommendations.list

recommender.computeDiskIdleResourceRecommendations.get

recommender.computeDiskIdleResourceRecommendations.list

recommender.computeImageIdleResourceRecommendations.get

recommender.computeImageIdleResourceRecommendations.list

recommender.computeInstanceGroupManagerMachineTypeRecommendations.get

recommender.computeInstanceGroupManagerMachineTypeRecommendations.list

recommender.computeInstanceIdleResourceRecommendations.get

recommender.computeInstanceIdleResourceRecommendations.list

recommender.computeInstanceMachineTypeRecommendations.get

recommender.computeInstanceMachineTypeRecommendations.list

recommender.costInsights.*

  • recommender.costInsights.get
  • recommender.costInsights.list
  • recommender.costInsights.update

recommender.costRecommendations.*

  • recommender.costRecommendations.listAll
  • recommender.costRecommendations.summarizeAll

recommender.resourcemanagerProjectUtilizationRecommendations.get

recommender.resourcemanagerProjectUtilizationRecommendations.list

recommender.spendBasedCommitmentInsights.*

  • recommender.spendBasedCommitmentInsights.get
  • recommender.spendBasedCommitmentInsights.list
  • recommender.spendBasedCommitmentInsights.update

recommender.spendBasedCommitmentRecommendations.*

  • recommender.spendBasedCommitmentRecommendations.get
  • recommender.spendBasedCommitmentRecommendations.list
  • recommender.spendBasedCommitmentRecommendations.update

recommender.spendBasedCommitmentRecommenderConfig.*

  • recommender.spendBasedCommitmentRecommenderConfig.get
  • recommender.spendBasedCommitmentRecommenderConfig.update

recommender.usageCommitmentRecommendations.*

  • recommender.usageCommitmentRecommendations.get
  • recommender.usageCommitmentRecommendations.list
  • recommender.usageCommitmentRecommendations.update

resourcemanager.projects.createBillingAssignment

resourcemanager.projects.deleteBillingAssignment

resourcemanager.projects.get

resourcemanager.projects.list

Billing Account Costs Manager (roles/billing.costsManager)

Manage budgets for a billing account, and view, analyze, and export cost information of a billing account.

Lowest-level resources where you can grant this role:

  • Billing Account

billing.accounts.get

billing.accounts.getIamPolicy

billing.accounts.getSpendingInformation

billing.accounts.getUsageExportSpec

billing.accounts.list

billing.accounts.updateUsageExportSpec

billing.anomalies.get

billing.anomalies.list

billing.anomaliesConfigs.*

  • billing.anomaliesConfigs.get
  • billing.anomaliesConfigs.update

billing.budgets.*

  • billing.budgets.create
  • billing.budgets.delete
  • billing.budgets.get
  • billing.budgets.list
  • billing.budgets.update

billing.resourceAssociations.list

recommender.costInsights.*

  • recommender.costInsights.get
  • recommender.costInsights.list
  • recommender.costInsights.update

Billing Account Creator (roles/billing.creator)

Provides access to create billing accounts.

Lowest-level resources where you can grant this role:

  • Organization

billing.accounts.create

resourcemanager.organizations.get

Project Billing Manager (roles/billing.projectManager)

When granted in conjunction with the Billing Account User role, provides access to assign a project's billing account or disable its billing.

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.projects.createBillingAssignment

resourcemanager.projects.deleteBillingAssignment

Billing Account User (roles/billing.user)

When granted in conjunction with the Project Owner role or Project Billing Manager role, provides access to associate projects with billing accounts.

Lowest-level resources where you can grant this role:

  • Billing Account

billing.accounts.get

billing.accounts.getIamPolicy

billing.accounts.list

billing.accounts.redeemPromotion

billing.credits.list

billing.resourceAssociations.create

Billing Account Viewer (roles/billing.viewer)

View billing account cost and pricing information, transactions, and billing and commitment recommendations.

Lowest-level resources where you can grant this role:

  • Billing Account

billing.accounts.get

billing.accounts.getCarbonInformation

billing.accounts.getIamPolicy

billing.accounts.getPaymentInfo

billing.accounts.getPricing

billing.accounts.getSpendingInformation

billing.accounts.getUsageExportSpec

billing.accounts.list

billing.anomalies.get

billing.anomalies.list

billing.anomaliesConfigs.get

billing.billingAccountPrice.get

billing.billingAccountPrices.list

billing.billingAccountServices.*

  • billing.billingAccountServices.get
  • billing.billingAccountServices.list

billing.billingAccountSkuGroupSkus.*

  • billing.billingAccountSkuGroupSkus.get
  • billing.billingAccountSkuGroupSkus.list

billing.billingAccountSkuGroups.*

  • billing.billingAccountSkuGroups.get
  • billing.billingAccountSkuGroups.list

billing.billingAccountSkus.*

  • billing.billingAccountSkus.get
  • billing.billingAccountSkus.list

billing.budgets.get

billing.budgets.list

billing.credits.list

billing.finOpsBenchmarkInformation.get

billing.finOpsHealthInformation.get

billing.resourceAssociations.list

billing.subscriptions.get

billing.subscriptions.list

commerceoffercatalog.*

  • commerceoffercatalog.agreements.get
  • commerceoffercatalog.agreements.list
  • commerceoffercatalog.documents.get
  • commerceoffercatalog.documents.list
  • commerceoffercatalog.offers.get

consumerprocurement.accounts.get

consumerprocurement.accounts.list

consumerprocurement.consents.check

consumerprocurement.consents.list

consumerprocurement.orderAttributions.get

consumerprocurement.orderAttributions.list

consumerprocurement.orders.get

consumerprocurement.orders.list

dataprocessing.datasources.get

dataprocessing.datasources.list

dataprocessing.groupcontrols.get

dataprocessing.groupcontrols.list

recommender.commitmentUtilizationInsights.get

recommender.commitmentUtilizationInsights.list

recommender.costInsights.get

recommender.costInsights.list

recommender.costRecommendations.*

  • recommender.costRecommendations.listAll
  • recommender.costRecommendations.summarizeAll

recommender.spendBasedCommitmentInsights.get

recommender.spendBasedCommitmentInsights.list

recommender.spendBasedCommitmentRecommendations.get

recommender.spendBasedCommitmentRecommendations.list

recommender.spendBasedCommitmentRecommenderConfig.get

recommender.usageCommitmentRecommendations.get

recommender.usageCommitmentRecommendations.list

Note that the roles/billing.admin, roles/billing.costsManager, roles/billing.viewer, and roles/billing.projectManager roles also include permissions for other Google Cloud services.
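The Cloud Billing Account API table and the Roles table above together let you answer the question an access review actually asks: for a given billing account's allow policy, which principals can call which method, and in particular who can rewrite the policy (billingAccounts.setIamPolicy) or attach projects to the account (projects.updateBillingInfo). The following Python is an added example, not Google's code. It takes a policy in the shape billingAccounts.getIamPolicy returns (a list of bindings, each a role and its members), expands each principal's billing.* permissions using the role definitions from the Roles table, and reports per method. The policy, principals, and etag are constructed for illustration; only the billing.* permissions that the Account API methods require are modelled.

```python
"""Added example (not Google's code): expand a Cloud Billing account IAM allow
policy into effective permissions per principal, using the Roles table on this
page, and report which principals can call each Cloud Billing Account API method.

The sample policy is constructed; principals and etag are made up.
"""

# Role -> billing.* permissions, copied from the Roles table (only the subset the
# Account API methods require).
_READ_ONLY = {
    "billing.accounts.get", "billing.accounts.getIamPolicy",
    "billing.accounts.list", "billing.resourceAssociations.list",
}
ROLE_PERMISSIONS = {
    "roles/billing.admin": _READ_ONLY | {
        "billing.accounts.setIamPolicy", "billing.accounts.update",
        "billing.resourceAssociations.create", "billing.resourceAssociations.delete",
    },
    "roles/billing.costsManager": _READ_ONLY,
    "roles/billing.viewer": _READ_ONLY,
    "roles/billing.user": {
        "billing.accounts.get", "billing.accounts.getIamPolicy",
        "billing.accounts.list", "billing.resourceAssociations.create",
    },
}

# Account API method -> billing-account permission it requires (from the table).
# projects.updateBillingInfo also needs a project-side permission, which a
# billing-account policy cannot show; that half is out of scope here.
METHOD_PERMISSION = {
    "billingAccounts.create": "billing.accounts.update",  # on the parent account
    "billingAccounts.get": "billing.accounts.get",
    "billingAccounts.getIamPolicy": "billing.accounts.getIamPolicy",
    "billingAccounts.setIamPolicy": "billing.accounts.setIamPolicy",
    "billingAccounts.patch": "billing.accounts.update",
    "billingAccounts.projects.list": "billing.resourceAssociations.list",
    "projects.updateBillingInfo": "billing.resourceAssociations.create",
}

# Constructed sample policy in the shape billingAccounts.getIamPolicy returns.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/billing.admin", "members": ["user:alice@example.com"]},
        {"role": "roles/billing.viewer",
         "members": ["group:finance@example.com", "user:bob@example.com"]},
        {"role": "roles/billing.user",
         "members": ["serviceAccount:deployer@example-project.iam.gserviceaccount.com"]},
    ],
    "etag": "constructed-etag",
}


def effective_permissions(policy):
    """Map each principal to the union of billing.* permissions its bindings grant.
    Roles missing from the table are returned separately so a reviewer sees them
    instead of having them silently treated as granting nothing."""
    perms, unknown_roles = {}, set()
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role not in ROLE_PERMISSIONS:
            unknown_roles.add(role)
            continue
        for member in binding.get("members", []):
            perms.setdefault(member, set()).update(ROLE_PERMISSIONS[role])
    return perms, unknown_roles


def principals_who_can_call(policy, method):
    """Sorted principals holding the billing-account permission the method requires."""
    required = METHOD_PERMISSION[method]
    perms, _ = effective_permissions(policy)
    return sorted(m for m, p in perms.items() if required in p)


def privilege_report(policy):
    """The two grants a reviewer checks first: who can rewrite the policy itself,
    and who can attach projects to (and therefore spend against) this account."""
    return {
        "can_change_policy": principals_who_can_call(policy, "billingAccounts.setIamPolicy"),
        "can_attach_projects": principals_who_can_call(policy, "projects.updateBillingInfo"),
    }


if __name__ == "__main__":
    for method in METHOD_PERMISSION:
        print(f"{method:32} {principals_who_can_call(SAMPLE_POLICY, method)}")
    print(privilege_report(SAMPLE_POLICY))
```

On the sample policy, only the Billing Account Administrator can change the policy or patch the account, while the deployer service account holding Billing Account User can attach projects but cannot list the projects already attached, which matches the Roles table: roles/billing.user carries billing.resourceAssociations.create but not billing.resourceAssociations.list.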