Access control for the Cloud Billing API

Google Cloud offers Identity and Access Management (IAM), which lets you grant access to specific Google Cloud resources while withholding access to others. IAM lets you apply the security principle of least privilege: grant only the resource access that is actually needed.

Once you set an IAM allow policy, you control which users have which kind of access (roles) to which resources. An allow policy grants specific roles to a user, and the user thereby holds the permissions those roles contain.

This page describes the IAM roles that apply to the Cloud Billing API. For example, you can use IAM to grant roles such as Billing Account Costs Manager or Billing Account Viewer on a Cloud Billing account. For a detailed description of IAM and its features, see the IAM documentation, in particular the sections "Managing access to projects, folders, and organizations" and "Managing access to other resources".

Permissions and roles

For a user to view Cloud Billing account details in the Google Cloud console, or for a Cloud Billing API method to return Cloud Billing account information, the user or caller must hold the required permissions.

Required permissions for the Cloud Billing Catalog API

No permissions are required to use the Cloud Billing Catalog API (the service list and SKU list). All data returned by this API is public.

Required permissions for the Cloud Billing Budget API

The following table lists the permissions required to call each Cloud Billing Budget API method. The standard IAM billing roles also grant these permissions automatically.

API method / Required permissions / IAM roles that grant the permissions

GetBudget
  Required permissions: To get budget details, the caller must have the billing.budgets.get permission on the Cloud Billing account the budget belongs to. For a single-project budget, the caller can instead hold the following permissions on the project rather than on the billing account: resourcemanager.projects.get and billing.resourcebudgets.read.
  Granting roles: Billing Account Administrator, Billing Account Costs Manager, or Billing Account Viewer on the Cloud Billing account the budget belongs to. For a single-project budget: Project Owner, Project Editor, or Project Viewer on the project.

ListBudgets
  Required permissions: To return the list of budgets applied to a Cloud Billing account, the caller must have the billing.budgets.list permission on the Cloud Billing account. For a single-project budget, the caller can instead hold the following permissions on the project rather than on the billing account: resourcemanager.projects.get and billing.resourcebudgets.read.
  Granting roles: Billing Account Administrator, Billing Account Costs Manager, or Billing Account Viewer on the Cloud Billing account the budget belongs to. For a single-project budget: Project Owner, Project Editor, or Project Viewer on the project.

CreateBudget
  Required permissions: To create a new budget, the caller must have the billing.budgets.create permission on the Cloud Billing account the budget belongs to. For a single-project budget, the caller can instead hold the following permissions on the project, without any billing account permission: resourcemanager.projects.get, billing.resourcebudgets.read, and billing.resourcebudgets.write.
  Granting roles: Billing Account Administrator or Billing Account Costs Manager on the Cloud Billing account the budget belongs to. For a single-project budget: Project Owner or Project Editor on the project.

UpdateBudget
  Required permissions: To update an existing budget, the caller must have the billing.budgets.update permission on the Cloud Billing account the budget belongs to. For a single-project budget, the caller can instead hold the following permissions on the project, without any billing account permission: resourcemanager.projects.get, billing.resourcebudgets.read, and billing.resourcebudgets.write.
  Granting roles: Billing Account Administrator or Billing Account Costs Manager on the Cloud Billing account the budget belongs to. For a single-project budget: Project Owner or Project Editor on the project.

DeleteBudget
  Required permissions: To delete an existing budget, the caller must have the billing.budgets.delete permission on the Cloud Billing account the budget belongs to. For a single-project budget, the caller can instead hold the following permissions on the project, without any billing account permission: resourcemanager.projects.get, billing.resourcebudgets.read, and billing.resourcebudgets.write.
  Granting roles: Billing Account Administrator or Billing Account Costs Manager on the Cloud Billing account the budget belongs to. For a single-project budget: Project Owner or Project Editor on the project.

Required permissions for the Cloud Billing Account API

The following table lists the permissions required to call each Cloud Billing Account API method, together with the Cloud Billing IAM roles that include those permissions.

API method / Required permissions / IAM roles that include the permissions

billingAccounts.create
  Required permissions: This method creates a new Cloud Billing subaccount. The caller must have the billing.accounts.update permission on the parent Cloud Billing account of the subaccount.
  Roles: Billing Account Administrator

billingAccounts.get
  Required permissions: billing.accounts.get on the Cloud Billing account.
  Roles: Billing Account Administrator, Billing Account Costs Manager, Billing Account Viewer, or Billing Account User

billingAccounts.list
  Required permissions: None; this method returns every account the caller has access to.
  Roles: Billing Account Administrator, Billing Account Costs Manager, Billing Account Viewer, or Billing Account User on the Cloud Billing account, or Project Billing Manager on the project.

billingAccounts.getIamPolicy
  Required permissions: billing.accounts.getIamPolicy on the Cloud Billing account.
  Roles: Billing Account Administrator, Billing Account Costs Manager, Billing Account Viewer, or Billing Account User

billingAccounts.setIamPolicy
  Required permissions: billing.accounts.setIamPolicy on the Cloud Billing account.
  Roles: Billing Account Administrator

billingAccounts.testIamPermissions
  Required permissions: None; this method is used to determine which permissions the caller holds on the Cloud Billing account.
  Roles: Not applicable

billingAccounts.patch
  Required permissions: billing.accounts.update on the Cloud Billing account.
  Roles: Billing Account Administrator

billingAccounts.projects.list
  Required permissions: billing.resourceAssociations.list on the Cloud Billing account.
  Roles: Billing Account Administrator, Billing Account Costs Manager, or Billing Account Viewer

projects.getBillingInfo
  Required permissions: resourcemanager.projects.get on the project. For details, see "Project access control".
  Roles: Project Owner, Project Editor, or Project Viewer

projects.updateBillingInfo
  Required permissions: billing.resourceAssociations.create on the Cloud Billing account, and resourcemanager.projects.createBillingAssignment on the project.
  Roles: Billing Account Administrator or Billing Account User, together with Project Billing Manager

Roles

You do not grant permissions to users directly. Instead, you assign them roles, each of which can bundle one or more permissions.

You can grant one or more roles on the same resource.

The following table lists the roles you can grant; users holding these roles can access the Cloud Billing API. The table also shows what each role is for and the permissions it contains. Some of these roles also include permissions for other Google Cloud services.

Role / Permissions

(roles/billing.admin)

Provides access to see and manage all aspects of billing accounts.

Lowest-level resources where you can grant this role:

  • Billing Account

billing.accounts.close

billing.accounts.get

billing.accounts.getCarbonInformation

billing.accounts.getIamPolicy

billing.accounts.getPaymentInfo

billing.accounts.getPricing

billing.accounts.getSpendingInformation

billing.accounts.getUsageExportSpec

billing.accounts.list

billing.accounts.move

billing.accounts.redeemPromotion

billing.accounts.removeFromOrganization

billing.accounts.reopen

billing.accounts.setIamPolicy

billing.accounts.update

billing.accounts.updatePaymentInfo

billing.accounts.updateUsageExportSpec

billing.anomalies.*

  • billing.anomalies.get
  • billing.anomalies.list
  • billing.anomalies.submitFeedback

billing.anomaliesConfigs.*

  • billing.anomaliesConfigs.get
  • billing.anomaliesConfigs.update

billing.billingAccountPrice.get

billing.billingAccountPrices.list

billing.billingAccountServices.*

  • billing.billingAccountServices.get
  • billing.billingAccountServices.list

billing.billingAccountSkuGroupSkus.*

  • billing.billingAccountSkuGroupSkus.get
  • billing.billingAccountSkuGroupSkus.list

billing.billingAccountSkuGroups.*

  • billing.billingAccountSkuGroups.get
  • billing.billingAccountSkuGroups.list

billing.billingAccountSkus.*

  • billing.billingAccountSkus.get
  • billing.billingAccountSkus.list

billing.budgets.*

  • billing.budgets.create
  • billing.budgets.delete
  • billing.budgets.get
  • billing.budgets.list
  • billing.budgets.update

billing.credits.list

billing.finOpsBenchmarkInformation.get

billing.finOpsHealthInformation.get

billing.resourceAssociations.*

  • billing.resourceAssociations.create
  • billing.resourceAssociations.delete
  • billing.resourceAssociations.list

billing.subscriptions.*

  • billing.subscriptions.create
  • billing.subscriptions.get
  • billing.subscriptions.list
  • billing.subscriptions.update

cloudasset.assets.searchAllResources

cloudnotifications.activities.list

cloudsupport.properties.get

cloudsupport.techCases.*

  • cloudsupport.techCases.create
  • cloudsupport.techCases.escalate
  • cloudsupport.techCases.get
  • cloudsupport.techCases.list
  • cloudsupport.techCases.update

commerceoffercatalog.*

  • commerceoffercatalog.agreements.get
  • commerceoffercatalog.agreements.list
  • commerceoffercatalog.documents.get
  • commerceoffercatalog.documents.list
  • commerceoffercatalog.offers.get

compute.commitments.*

  • compute.commitments.create
  • compute.commitments.get
  • compute.commitments.list
  • compute.commitments.update
  • compute.commitments.updateReservations

consumerprocurement.accounts.*

  • consumerprocurement.accounts.create
  • consumerprocurement.accounts.delete
  • consumerprocurement.accounts.get
  • consumerprocurement.accounts.list

consumerprocurement.consents.check

consumerprocurement.consents.grant

consumerprocurement.consents.list

consumerprocurement.consents.revoke

consumerprocurement.events.*

  • consumerprocurement.events.get
  • consumerprocurement.events.list

consumerprocurement.licensePools.*

  • consumerprocurement.licensePools.assign
  • consumerprocurement.licensePools.enumerateLicensedUsers
  • consumerprocurement.licensePools.get
  • consumerprocurement.licensePools.unassign
  • consumerprocurement.licensePools.update

consumerprocurement.orderAttributions.*

  • consumerprocurement.orderAttributions.get
  • consumerprocurement.orderAttributions.list
  • consumerprocurement.orderAttributions.update

consumerprocurement.orders.*

  • consumerprocurement.orders.cancel
  • consumerprocurement.orders.get
  • consumerprocurement.orders.list
  • consumerprocurement.orders.modify
  • consumerprocurement.orders.place

dataprocessing.datasources.get

dataprocessing.datasources.list

dataprocessing.groupcontrols.get

dataprocessing.groupcontrols.list

logging.logEntries.list

logging.logServiceIndexes.list

logging.logServices.list

logging.logs.list

logging.privateLogEntries.list

recommender.cloudsqlIdleInstanceRecommendations.get

recommender.cloudsqlIdleInstanceRecommendations.list

recommender.cloudsqlOverprovisionedInstanceRecommendations.get

recommender.cloudsqlOverprovisionedInstanceRecommendations.list

recommender.commitmentUtilizationInsights.*

  • recommender.commitmentUtilizationInsights.get
  • recommender.commitmentUtilizationInsights.list
  • recommender.commitmentUtilizationInsights.update

recommender.computeAddressIdleResourceRecommendations.get

recommender.computeAddressIdleResourceRecommendations.list

recommender.computeDiskIdleResourceRecommendations.get

recommender.computeDiskIdleResourceRecommendations.list

recommender.computeImageIdleResourceRecommendations.get

recommender.computeImageIdleResourceRecommendations.list

recommender.computeInstanceGroupManagerMachineTypeRecommendations.get

recommender.computeInstanceGroupManagerMachineTypeRecommendations.list

recommender.computeInstanceIdleResourceRecommendations.get

recommender.computeInstanceIdleResourceRecommendations.list

recommender.computeInstanceMachineTypeRecommendations.get

recommender.computeInstanceMachineTypeRecommendations.list

recommender.costInsights.*

  • recommender.costInsights.get
  • recommender.costInsights.list
  • recommender.costInsights.update

recommender.costRecommendations.*

  • recommender.costRecommendations.listAll
  • recommender.costRecommendations.summarizeAll

recommender.resourcemanagerProjectUtilizationRecommendations.get

recommender.resourcemanagerProjectUtilizationRecommendations.list

recommender.spendBasedCommitmentInsights.*

  • recommender.spendBasedCommitmentInsights.get
  • recommender.spendBasedCommitmentInsights.list
  • recommender.spendBasedCommitmentInsights.update

recommender.spendBasedCommitmentRecommendations.*

  • recommender.spendBasedCommitmentRecommendations.get
  • recommender.spendBasedCommitmentRecommendations.list
  • recommender.spendBasedCommitmentRecommendations.update

recommender.spendBasedCommitmentRecommenderConfig.*

  • recommender.spendBasedCommitmentRecommenderConfig.get
  • recommender.spendBasedCommitmentRecommenderConfig.update

recommender.usageCommitmentRecommendations.*

  • recommender.usageCommitmentRecommendations.get
  • recommender.usageCommitmentRecommendations.list
  • recommender.usageCommitmentRecommendations.update

resourcemanager.projects.createBillingAssignment

resourcemanager.projects.deleteBillingAssignment

resourcemanager.projects.get

resourcemanager.projects.list

(roles/billing.carbonViewer)

billing.accounts.get

billing.accounts.getCarbonInformation

billing.accounts.list

(roles/billing.costsManager)

Manage budgets for a billing account, and view, analyze, and export cost information of a billing account.

Lowest-level resources where you can grant this role:

  • Billing Account

billing.accounts.get

billing.accounts.getIamPolicy

billing.accounts.getSpendingInformation

billing.accounts.getUsageExportSpec

billing.accounts.list

billing.accounts.updateUsageExportSpec

billing.anomalies.get

billing.anomalies.list

billing.anomaliesConfigs.*

  • billing.anomaliesConfigs.get
  • billing.anomaliesConfigs.update

billing.budgets.*

  • billing.budgets.create
  • billing.budgets.delete
  • billing.budgets.get
  • billing.budgets.list
  • billing.budgets.update

billing.resourceAssociations.list

recommender.costInsights.*

  • recommender.costInsights.get
  • recommender.costInsights.list
  • recommender.costInsights.update

(roles/billing.creator)

Provides access to create billing accounts.

Lowest-level resources where you can grant this role:

  • Organization

billing.accounts.create

resourcemanager.organizations.get

(roles/billing.projectCostsManager)

When granted in conjunction with cost view permissions on projects, provides access to billing information scoped to the projects to which the user has cost access.

Lowest-level resources where you can grant this role:

  • Billing Account

billing.accounts.getIamPolicy

billing.accounts.getSpendingInformationScoped

billing.costRecommendations.listScoped

(roles/billing.projectManager)

When granted in conjunction with the Billing Account User role, provides access to assign a project's billing account or disable its billing.

Lowest-level resources where you can grant this role:

  • Project

resourcemanager.projects.createBillingAssignment

resourcemanager.projects.deleteBillingAssignment

(roles/billing.user)

When granted in conjunction with the Project Owner role or Project Billing Manager role, provides access to associate projects with billing accounts.

Lowest-level resources where you can grant this role:

  • Billing Account

billing.accounts.get

billing.accounts.getIamPolicy

billing.accounts.list

billing.accounts.redeemPromotion

billing.credits.list

billing.resourceAssociations.create

(roles/billing.viewer)

View billing account cost and pricing information, transactions, and billing and commitment recommendations.

Lowest-level resources where you can grant this role:

  • Billing Account

billing.accounts.get

billing.accounts.getCarbonInformation

billing.accounts.getIamPolicy

billing.accounts.getPaymentInfo

billing.accounts.getPricing

billing.accounts.getSpendingInformation

billing.accounts.getUsageExportSpec

billing.accounts.list

billing.anomalies.get

billing.anomalies.list

billing.anomaliesConfigs.get

billing.billingAccountPrice.get

billing.billingAccountPrices.list

billing.billingAccountServices.*

  • billing.billingAccountServices.get
  • billing.billingAccountServices.list

billing.billingAccountSkuGroupSkus.*

  • billing.billingAccountSkuGroupSkus.get
  • billing.billingAccountSkuGroupSkus.list

billing.billingAccountSkuGroups.*

  • billing.billingAccountSkuGroups.get
  • billing.billingAccountSkuGroups.list

billing.billingAccountSkus.*

  • billing.billingAccountSkus.get
  • billing.billingAccountSkus.list

billing.budgets.get

billing.budgets.list

billing.credits.list

billing.finOpsBenchmarkInformation.get

billing.finOpsHealthInformation.get

billing.resourceAssociations.list

billing.subscriptions.get

billing.subscriptions.list

commerceoffercatalog.*

  • commerceoffercatalog.agreements.get
  • commerceoffercatalog.agreements.list
  • commerceoffercatalog.documents.get
  • commerceoffercatalog.documents.list
  • commerceoffercatalog.offers.get

consumerprocurement.accounts.get

consumerprocurement.accounts.list

consumerprocurement.consents.check

consumerprocurement.consents.list

consumerprocurement.orderAttributions.get

consumerprocurement.orderAttributions.list

consumerprocurement.orders.get

consumerprocurement.orders.list

dataprocessing.datasources.get

dataprocessing.datasources.list

dataprocessing.groupcontrols.get

dataprocessing.groupcontrols.list

recommender.commitmentUtilizationInsights.get

recommender.commitmentUtilizationInsights.list

recommender.costInsights.get

recommender.costInsights.list

recommender.costRecommendations.*

  • recommender.costRecommendations.listAll
  • recommender.costRecommendations.summarizeAll

recommender.spendBasedCommitmentInsights.get

recommender.spendBasedCommitmentInsights.list

recommender.spendBasedCommitmentRecommendations.get

recommender.spendBasedCommitmentRecommendations.list

recommender.spendBasedCommitmentRecommenderConfig.get

recommender.usageCommitmentRecommendations.get

recommender.usageCommitmentRecommendations.list

Note that the roles/billing.admin, roles/billing.costsManager, roles/billing.viewer, and roles/billing.projectManager roles also hold permissions for other Google Cloud services.
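As an added example (not code from the Cloud Billing documentation or the Google Cloud client libraries), the following Python encodes the Budget API permission rules from the table above and a subset of the billing.* permissions from the role table, so a practitioner can check offline whether a permission set suffices for a Budget API call and which predefined role is the least-privileged one covering a required set. The Viewer and Costs Manager sets are shortened transcriptions, and the ranking rule (fewest mutating permissions first) is this example's own heuristic, not part of IAM.

```python
# Added example, not from the Cloud Billing docs: page rules encoded as data.

# Budget API method -> (permission needed on the billing account, mutates?)
BUDGET_METHOD_PERMS = {
    "GetBudget": ("billing.budgets.get", False),
    "ListBudgets": ("billing.budgets.list", False),
    "CreateBudget": ("billing.budgets.create", True),
    "UpdateBudget": ("billing.budgets.update", True),
    "DeleteBudget": ("billing.budgets.delete", True),
}
PROJECT_READ = {"resourcemanager.projects.get", "billing.resourcebudgets.read"}
PROJECT_WRITE = PROJECT_READ | {"billing.resourcebudgets.write"}

def budget_call_allowed(method, account_perms, project_perms=(), single_project=False):
    """True if the caller holds the method's permission on the billing account,
    or, for a single-project budget only, the project-level permissions."""
    perm, mutates = BUDGET_METHOD_PERMS[method]
    if perm in set(account_perms):
        return True
    if not single_project:
        return False
    return (PROJECT_WRITE if mutates else PROJECT_READ) <= set(project_perms)

# billing.* permissions per predefined role, transcribed from the role table on
# this page (Viewer and Costs Manager lists shortened to the budget-related ones).
VIEWER = {"billing.accounts.get", "billing.accounts.getIamPolicy",
          "billing.accounts.getSpendingInformation", "billing.accounts.list",
          "billing.budgets.get", "billing.budgets.list", "billing.credits.list",
          "billing.resourceAssociations.list"}
COSTS_MANAGER = (VIEWER - {"billing.credits.list"}) | {
    "billing.accounts.updateUsageExportSpec", "billing.budgets.create",
    "billing.budgets.delete", "billing.budgets.update"}
USER = {"billing.accounts.get", "billing.accounts.getIamPolicy", "billing.accounts.list",
        "billing.accounts.redeemPromotion", "billing.credits.list",
        "billing.resourceAssociations.create"}
ADMIN = VIEWER | COSTS_MANAGER | USER | {"billing.accounts.setIamPolicy",
        "billing.accounts.update", "billing.accounts.close", "billing.resourceAssociations.delete"}
ROLE_PERMS = {"roles/billing.viewer": VIEWER, "roles/billing.costsManager": COSTS_MANAGER,
              "roles/billing.user": USER, "roles/billing.admin": ADMIN}

def is_read_only(perm):
    # get*/list* permissions only observe state; anything else can change it
    return perm.rsplit(".", 1)[-1].startswith(("get", "list"))

def least_privileged_role(required):
    """Predefined billing role covering `required` with the fewest mutating
    permissions (then the fewest permissions overall); None if none fits."""
    fits = [r for r, p in ROLE_PERMS.items() if set(required) <= p]
    rank = lambda r: (sum(not is_read_only(p) for p in ROLE_PERMS[r]), len(ROLE_PERMS[r]))
    return min(fits, key=rank, default=None)
```

Feed `budget_call_allowed` the permission list returned by billingAccounts.testIamPermissions for a caller to pre-check a budget operation without triggering a denied call.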