This document teaches you how to set up your various Google Cloud resources to avoid common issues and enable best practices for access control and cost management. The guide walks through design decisions and configuration options that help set you up for success in administering your cloud resources.
Goals of this guide
- Provide a conceptual overview of the various resources involved with billing.
- Show you how to set up your Cloud Billing resources efficiently and for ease of management, to align your strategic priorities with cloud usage and maintain a well-functioning account.
- Help you avoid the most common billing-related issues faced by Google Cloud customers.
- Teach you about best practices when configuring resource access permissions to ensure redundancy and security.
- Provide step-by-step instructions to help you set up your financial governance tools for greater clarity, accountability, and control.
Overview
This guide is organized into two main sections. The first section provides you with a conceptual overview of the various resources and roles involved with managing Google Cloud billing. The second section walks you through the steps necessary to configure your Google Cloud resources optimized for your billing needs.
Section 1: Concepts
- Resource Overview and Hierarchy: A high-level visual representation of the various Google Cloud resources that impact your billing and how they relate to one another.
- Roles Overview: A summary of the access roles, organized by resource, that are directly relevant to your billing set up.
Section 2: Setup Guide
- A step-by-step configuration walkthrough covering Google Cloud onboarding topics relevant to your billing setup, including guidance for customization based on your organization's needs.
Cloud Billing Concepts
Before working through the setup guide section, familiarize yourself with these concepts. Understanding the key concepts will help you with configuration decisions for your cloud environment. If you need additional information, see the overview of Cloud Billing concepts.
Resource Overview
What is a resource?
In the context of Google Cloud, resource can refer to the service-level resources that are used to process your workloads (for example, virtual machines) as well as to the account-level resources that sit above the services, such as projects, folders, and the organization.
What is resource management?
Resource management is focused on how you should configure and grant access to the various Google Cloud resources for your company or team, specifically the setup and organization of the account-level resources that sit above the service-level resources. Account-level resources are the resources involved in setting up and administering your Google Cloud account. This document provides prescriptive advice on configuring your account-level resources and the roles necessary to manage them to maintain a well-functioning account.
Resource Hierarchy
Google Cloud resources are organized hierarchically. This hierarchy lets you map your organization's operational structure to Google Cloud, and to manage access control and permissions for groups of related resources. The following diagram shows an example resource hierarchy illustrating the core account-level resources involved in administering your Google Cloud account.
- The domain is the mechanism to manage the users in your organization and is directly related to the organization resource.
- The organization resource represents an entire organization (for example, a company) and is the top-level node of the hierarchy. The organization resource provides central visibility and control over all Google Cloud resources further down in the hierarchy.
- Next in the hierarchy are folders. You can use folders to isolate requirements for different departments and teams in the parent organization. You can similarly use folders to separate production resources from development resources.
- At the bottom of the hierarchy are projects. Projects contain the service-level resources (such as computing, storage, and networking resources) that process your workloads and constitute your apps.
- Resources can be further categorized using labels. You can label the service-level resources (for example, virtual machines), as well as your account-level resources (for example, projects).
- Cloud Billing accounts are linked to and pay for projects.
- Cloud Billing accounts are connected to a Google payments profile. The payments profile is a Google-level resource and you pay for Google services (such as AdWords and Google Cloud) using the payment methods that are attached to that profile.
You can enforce granular permissions at different levels in the resource hierarchy to ensure that the right individuals have the correct access and permissions within your organization.
The structure you define is flexible and allows you to adapt to evolving requirements. If you're just beginning your Google Cloud journey, adopt the simplest structure that satisfies your initial requirements. See the Resource Manager overview for full details.
Roles Overview
What are roles?
A role is a collection of permissions. Granting a role to a principal grants every permission in it, so roles are typically scoped to a single job function.
How do roles work in Google Cloud?
Google Cloud offers Identity and Access Management (IAM) to manage access control to your Google Cloud resources. IAM lets you control who (principals: users, groups, and service accounts) has what access (roles) to which resources by setting IAM policies. To grant access, you add a binding to a resource's IAM policy that associates a role with one or more principals. Roles bundle one or more permissions, and a principal can do only what the permissions in their granted roles allow.
You can set an IAM policy (roles) at the organization level, the folder level, the project level, or (in some cases) on the service-level resource. Resources inherit the policies of the parent node: a policy set at the organization level is inherited by all of its child folders and projects, and a policy set at the project level is inherited by all of the project's child resources. Inheritance is additive. A principal's effective access on a resource is the union of the roles granted on that resource and on all of its ancestors, so a role granted at the organization level can't be taken away by editing a folder or project policy; it has to be removed where it was granted. Keep that in mind before granting broad roles high in the hierarchy.
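The following is an added example (not code from the original page or from Google) that models the inheritance rule above: a principal's effective roles on a resource are the union of the bindings on that resource and on every ancestor up to the organization. The hierarchy, policies and identities are constructed sample data; the role names are real predefined roles, but nothing here talks to a real project. It also shows the check a practitioner wants when a "removed" user still has access: find the node whose policy actually grants the role.

```python
"""Effective access under IAM policy inheritance (added example, constructed data)."""

# Constructed sample hierarchy: resource -> parent (the organization has none).
PARENT = {
    "organizations/123456789": None,
    "folders/prod": "organizations/123456789",
    "folders/dev": "organizations/123456789",
    "projects/prod-web": "folders/prod",
    "projects/dev-sandbox": "folders/dev",
}

# Constructed sample policies: resource -> {role: {principals}}.
POLICIES = {
    "organizations/123456789": {
        "roles/resourcemanager.organizationAdmin": {"group:cloud-admins@example.com"},
        "roles/billing.user": {"group:project-creators@example.com"},
    },
    "folders/prod": {
        "roles/resourcemanager.folderAdmin": {"user:prod-lead@example.com"},
        "roles/viewer": {"user:auditor@example.com"},
    },
    "projects/prod-web": {
        "roles/owner": {"user:dev@example.com"},
    },
    "projects/dev-sandbox": {
        "roles/editor": {"user:dev@example.com"},
    },
}

# Roles this guide calls out as high-access; worth knowing exactly where they sit.
HIGH_ACCESS_ROLES = {
    "roles/resourcemanager.organizationAdmin",
    "roles/resourcemanager.folderAdmin",
    "roles/billing.admin",
    "roles/owner",
}


def ancestors(resource, parent=PARENT):
    """Yield the resource itself, then each ancestor up to the organization."""
    while resource is not None:
        yield resource
        resource = parent.get(resource)


def grant_sources(principal, resource, policies=POLICIES):
    """Map each effective role to the node(s) whose policy grants it.

    Walks up the hierarchy; inheritance is additive, so a binding on any
    ancestor counts and nothing on a child can cancel it.
    """
    sources = {}
    for node in ancestors(resource):
        for role, members in policies.get(node, {}).items():
            if principal in members:
                sources.setdefault(role, []).append(node)
    return sources


def effective_roles(principal, resource, policies=POLICIES):
    """Set of roles the principal holds on the resource, direct or inherited."""
    return set(grant_sources(principal, resource, policies))


def revoke_binding(policies, node, role, principal):
    """Return a copy of policies with one binding removed from one node only.

    This is what "removing" a user on a project does: it edits that project's
    policy and leaves every ancestor's policy untouched.
    """
    updated = {n: {r: set(m) for r, m in p.items()} for n, p in policies.items()}
    updated.get(node, {}).get(role, set()).discard(principal)
    return updated


def high_access_grants(policies=POLICIES):
    """Audit view: every (node, role, principal) binding of a high-access role."""
    found = []
    for node, policy in policies.items():
        for role, members in policy.items():
            if role in HIGH_ACCESS_ROLES:
                found.extend((node, role, m) for m in sorted(members))
    return sorted(found)


if __name__ == "__main__":
    # The org-level admin group reaches every project with no project binding at all.
    print(effective_roles("group:cloud-admins@example.com", "projects/prod-web"))
    # Revoking the auditor "on the project" changes nothing: the grant lives on the folder.
    after = revoke_binding(POLICIES, "projects/prod-web", "roles/viewer", "user:auditor@example.com")
    print(grant_sources("user:auditor@example.com", "projects/prod-web", after))
    for entry in high_access_grants():
        print(*entry)
```

Run it and compare the second line of output with the first call: the auditor still holds roles/viewer on projects/prod-web after the project-level revoke, and grant_sources names folders/prod as the place to fix it. high_access_grants is the list to review periodically; in a real organization you would build it from the policies returned by the Resource Manager API rather than from a dict.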
The diagram below represents the Google Cloud resource hierarchy in complete form, and calls out the important high-access roles at each level:
The Super Admin can grant the Organization Admin role (or any other role) and recover accounts at the Domain level.
The Super Admin is usually someone who manages access at a high level, like a Domain Administrator.
The Organization Admin can administer any resource and grant any role within the Organization.
The Organization Admin is usually someone who manages access control, like an IT Administrator.
The Folder Administrator can create and edit the IAM policy of folders. They decide how roles are inherited by projects in the folders.
The Folder Administrator manages finer access control, and is typically a department head or team manager.
The Project Creator role lets you create projects and inherently lets resources be spun up on Google Cloud and incur usage.
Project Creators in your organization might be team leads or service accounts (for automation).
The Project Owner and User roles let you see costs and usage in projects and label resources.
Project owners and users in your organization might be team leads or developers.
The Billing Account Admin can enable Billing Export, view cost and spend, set budgets and alerts, and link or unlink projects.
The Billing Admins in your organization may be someone more finance-minded.
Billing Users can link projects to Cloud Billing accounts, but can't unlink them. The role is usually issued broadly in concert with the Project Creator role.
Trusted Project Creators in your Organization typically need this role.
The payments profile Admin can view and manage payment methods, make payments, view invoices, and see Google payments accounts.
The Google payments profile Admins in your organization are typically part of your Finance or Accounting teams.
Setup Guide
Each section in the setup guide provides information about decision points, offers best-practice recommendations, describes important roles, and provides a configuration checklist. Information about potential issues is also provided, with the ultimate goal of helping you configure your Google Cloud resources optimized for your billing needs. The guidelines help to ensure your setup is best protected against the most common access and billing issues faced by Google Cloud customers.
Before you begin
Before working through the setup guide, familiarize yourself with the Cloud Billing concepts . Understanding the key concepts will help you with configuration decisions for your cloud environment. Watch the following video to learn more.
Best Practices: Google Cloud Resource Organization and Access Management (Cloud Next '19)
There are a variety of different ways that you can organize your resources and set up access controls when using Google Cloud. To ensure your team can continuously access and manage these resources effectively requires following some essential best practices. In this session, you'll learn each of the Google Cloud resources available and receive a best practices checklist that you can use to prevent you from running into some of the most common and problematic account configuration issues that customers experience.
The setup guide contains the following sections:
- Domain and Organization
- Cloud Billing Accounts
- Google payments Profiles and Accounts
- Projects, Folders, and Labels
Domain and Organization
The Domain and Organization sit at the top of the resource hierarchy. Together, the Google Cloud Domain and Organization let you centrally administer all of your users and Google Cloud resources.
- The Domain lets you manage the users in your organization.
- The Organization lets you manage your Google Cloud resources and which users have what type of access to those resources.
Domain and Identity
Your company Domain is the primary identity of your organization and establishes your company's identity with Google services, including Google Cloud. The Domain is linked to either a Google Workspace or Cloud Identity account.
Identity is used for authentication and access management of your users to Google Cloud resources. When first starting out with Google Cloud, it's important to decide how you want to manage your user authentication and identity. We offer flexible ways to manage access with Google Workspace and Cloud Identity.
Key Decision: Cloud Identity and Google Workspace
For user authentication and identity, should you use Cloud Identity or Google Workspace?
The Organization resource is closely associated with a Google Workspace or Cloud Identity account. You acquire an Organization resource only if you're also a Google Workspace or Cloud Identity customer. Each Google Workspace or Cloud Identity account can have exactly one Organization. Once an Organization resource is created for a domain, all Google Cloud projects created by members of the account domain will, by default, belong to the Organization resource.
Google Cloud uses Google Accounts for authentication and access management. Google recommends using fully managed corporate Google accounts for increased visibility, auditing, and control over access to Google Cloud resources.
| Option | Description | Use case | Recommendation |
|---|---|---|---|
| Cloud Identity | Cloud Identity provides free, managed Google Accounts that you can use with Google services including Google Cloud. Using Cloud Identity accounts for each of your users, you can manage all users across your entire domain from the Google Admin console. | You don't need Google Workspace features like Drive or Gmail and only need the account management features offered by integrating your domain. | Obtain an Organization for free by using Cloud Identity. |
| Google Workspace | If you're a Google Workspace administrator, you can manage all of your users and settings through the Google Workspace Admin Console. By default, all new users are assigned a Google Workspace license. If you have a subset of developers who don't require Google Workspace licenses, you can add Cloud Identity accounts instead. | You want to take advantage of Google Workspace features like Drive or Gmail in addition to the account management features of Google Workspace. | Obtain an Organization by signing up for Google Workspace. |
Important Roles
The Super Admin can grant the Organization Admin role (or any other role) and recover accounts at the Domain level.
The Super Admin is usually someone who manages access at a high level, like a Domain Administrator.
Checklist
- For Cloud Identity:
- Review the Cloud Identity Overview and get started at the Cloud Identity Signup page.
- Follow the Signup Process to manage the Cloud Identity account.
- Make sure that the admin@yourdomain.com account has an email address that can receive mail, because Cloud Identity will use that address to communicate with the Cloud Identity Admin.
- Follow the domain verification process. We also have a video walkthrough.
- For Google Workspace customers, Cloud Identity is included. If you have non-Google Workspace users in your domain that want to access Google Cloud:
Organizations
An Organization is the root node of the Google Cloud hierarchy of resources. An Organization is associated with exactly one Domain. All resources that belong to an Organization are grouped under the Organization node, which provides insight into and access control over every resource in the Organization.
Best Practice: Configure an Organization
Google Cloud users aren't required to have an Organization resource. However, if you need to manage more than one user account, we strongly recommend configuring an Organization. The Organization resource provides many benefits, including IAM policy inheritance and resource access recovery.
For more information, see Creating and managing Organizations.
Important Roles
The Organization Admin can administer any resource and grant any role within the Organization.
The Organization Admin is usually someone who manages access control, like an IT Administrator.
Checklist
- Once migrated, if an owner of a project or billing account loses access to their account or leaves the company, ownership of the project or billing account can be recovered by the Organization Admin.
Cloud Billing Accounts
Billing accounts pay for projects. A project and its service-level resources are always paid for by a single billing account. A billing account operates in a single currency and is linked to a Google payments profile.
A billing account can be linked to one or more projects. Project usage is tracked and charged to the linked billing account. Projects that are not linked to a billing account can't use Google Cloud or Google Maps Platform services. This is true even if you only use services that are free.
Key Decision: One Billing Account or Multiple Billing Accounts?
We recommend creating one central Cloud Billing account that lives in your Organization. For most customers, adding additional billing accounts creates unneeded extra overhead, making them more difficult to track and manage. And multiple billing accounts might not behave in the way you expect with Committed Use Discounts or might cause issues with any promotional credits.
You may need multiple Cloud Billing accounts if you have any of these requirements:
- You need to split charges for legal or accounting reasons.
- You need to pay in multiple currencies.
Key Decision: Pay with Credit or Debit Card or Use Invoiced Billing?
When you first set up a Cloud Billing account using the Google Cloud console, by default, you create a self-serve billing account, connected to a credit or debit card as the payment instrument.
If you have a dedicated Finance or Accounting team, or if you anticipate a large amount of spend when you first start on Google Cloud, you might be better off using invoiced billing. To learn if your organization is eligible for invoiced billing, contact Cloud Billing Support. You must be a billing administrator of your organization's current billing account to apply.
Important Roles
The Billing Account Admin can:
- Manage payment instruments
- Enable Billing Export
- View costs and spend and set budget alerts
- Link and unlink projects
- Manage other user roles tied to the Billing Account
This role is typically filled by someone with financial control at your company, for example, a business lead that owns the P&L or a technical team member with budget management responsibility.
Importantly, because this role is required to contact Billing Support, you shouldn't use a service account or mailing list as a billing administrator.
Billing Users can:
- Link projects to billing accounts, but can't unlink them
- View costs
This role is usually issued broadly in concert with the Project Creator role. Trusted Project Creators in your organization typically need this role so they can link their projects to a billing account.
Checklist
- First identify your main Billing Accounts and the projects you want to link to those billing accounts. Learn how to view projects linked to a billing account.
- Link or move existing projects onto your main Billing Accounts.
- View your old Billing Accounts to verify that they no longer have any linked projects.
- After moving all your projects onto your main Billing Accounts, wait two days for the charges to stop on your old Billing Accounts.
- After two days, settle any existing balances on the old billing accounts, and then close the old Billing Accounts.
- Create a FinOps administration project to use for billing APIs and project-dependent billing tools.
Key Concepts: Billing Export, Billing Reports, and Invoices
Your usage is reported from your Projects to your Billing Accounts and your usage data is made available to you in a variety of ways, all of which can be used to help you understand the full picture of your spend.
- Your invoice tells you what you owe.
- Billing reports tell you why and where your costs came from.
To answer cost questions, we recommend looking at billing reports first.
Billing Export outputs your daily usage estimates to a dataset or
file you specify. You can use it to run analysis on your usage data. Billing Export to BigQuery
includes an invoice.month
field so you can match your exported data to your invoices.
- Late-reported usage might cause your data to not map directly to your invoice; that is, some product usage at the very end of a month may be charged to the next month's invoice.
- Exported billing data doesn't include any tax accrued or credits issued to a billing account.
- You can use Looker Studio to visualize your spend over time.
Billing Reports uses the same data that Billing Export uses, and displays an interactive chart that plots usage costs for all projects linked to a billing account. Use billing reports to get an at-a-glance overview of your usage costs and discover and analyze trends.
- You access billing reports in the Google Cloud console.
- If you have multiple billing accounts, the billing report displays usage costs for one billing account at a time, not aggregated across all billing accounts.
- Depending on your level of access, your view of usage costs may be limited to viewing the costs of certain projects, rather than all of the projects linked to a billing account.
Invoices represent the canonical amount you're billed for each month and provide an exact breakdown of what usage you were billed for. Review your invoice PDF or CSV line items each month and review the Google payments center for credit memos and invoice payments history.
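The following is an added example (not from the original page or from Google) that works the Billing Export points above on constructed data: a handful of rows shaped like the BigQuery standard usage cost export (cost, currency, project.id, project.labels, usage_start_time, invoice.month). The project IDs, labels and amounts are made up. It groups by invoice.month rather than by the calendar month of usage_start_time so the totals line up with the invoice, reports cost per label while keeping unlabeled spend visible, and computes the residual against the invoice total, which is expected to be non-zero because the export carries neither tax nor credits issued to the billing account.

```python
"""Reconcile Billing Export rows to invoices and attribute cost by label (added example)."""
from collections import defaultdict

# Constructed sample export rows (a real export carries many more columns).
ROWS = [
    {"invoice": {"month": "202401"}, "usage_start_time": "2024-01-03T00:00:00Z",
     "project": {"id": "prod-web", "labels": [{"key": "team", "value": "web"}]},
     "service": {"description": "Compute Engine"}, "cost": 120.50, "currency": "USD"},
    {"invoice": {"month": "202401"}, "usage_start_time": "2024-01-15T00:00:00Z",
     "project": {"id": "prod-web", "labels": [{"key": "team", "value": "web"}]},
     "service": {"description": "Cloud Storage"}, "cost": 30.25, "currency": "USD"},
    {"invoice": {"month": "202401"}, "usage_start_time": "2024-01-20T00:00:00Z",
     "project": {"id": "data-pipeline", "labels": [{"key": "team", "value": "data"}]},
     "service": {"description": "BigQuery"}, "cost": 75.00, "currency": "USD"},
    # No team label: this cost can't be attributed to anyone.
    {"invoice": {"month": "202401"}, "usage_start_time": "2024-01-28T00:00:00Z",
     "project": {"id": "dev-sandbox", "labels": []},
     "service": {"description": "Compute Engine"}, "cost": 10.00, "currency": "USD"},
    # Late-reported usage: consumed on 31 January, billed on the February invoice.
    {"invoice": {"month": "202402"}, "usage_start_time": "2024-01-31T22:00:00Z",
     "project": {"id": "prod-web", "labels": [{"key": "team", "value": "web"}]},
     "service": {"description": "Compute Engine"}, "cost": 4.25, "currency": "USD"},
    {"invoice": {"month": "202402"}, "usage_start_time": "2024-02-02T00:00:00Z",
     "project": {"id": "data-pipeline", "labels": [{"key": "team", "value": "data"}]},
     "service": {"description": "BigQuery"}, "cost": 50.00, "currency": "USD"},
]


def project_labels(row):
    """Flatten the export's repeated key/value project labels into a dict."""
    return {lab["key"]: lab["value"] for lab in row["project"].get("labels", [])}


def _check_single_currency(rows):
    """A billing account bills in one currency; mixed rows mean mixed accounts."""
    currencies = {r["currency"] for r in rows}
    if len(currencies) > 1:
        raise ValueError(f"rows span several currencies: {sorted(currencies)}")


def cost_by_invoice_month(rows=ROWS):
    """Total cost per invoice.month: the grouping that matches the invoice."""
    _check_single_currency(rows)
    totals = defaultdict(float)
    for r in rows:
        totals[r["invoice"]["month"]] += r["cost"]
    return {m: round(c, 2) for m, c in sorted(totals.items())}


def cost_by_usage_month(rows=ROWS):
    """Total cost per calendar month of usage: does NOT match the invoice."""
    _check_single_currency(rows)
    totals = defaultdict(float)
    for r in rows:
        totals[r["usage_start_time"][:7]] += r["cost"]
    return {m: round(c, 2) for m, c in sorted(totals.items())}


def cost_by_label(invoice_month, key, rows=ROWS, unlabeled="(unlabeled)"):
    """Chargeback view: cost on one invoice split by the value of one label key.

    Rows missing the label are reported under `unlabeled` rather than dropped,
    so attribution gaps stay visible.
    """
    totals = defaultdict(float)
    for r in rows:
        if r["invoice"]["month"] != invoice_month:
            continue
        totals[project_labels(r).get(key, unlabeled)] += r["cost"]
    return {v: round(c, 2) for v, c in sorted(totals.items())}


def reconcile(invoice_month, invoice_total, rows=ROWS):
    """Invoice total minus exported cost for one month.

    The export excludes tax and credits issued to the billing account, so a
    non-zero result is normal; a large or growing one is what to investigate.
    """
    exported = cost_by_invoice_month(rows).get(invoice_month, 0.0)
    return round(invoice_total - exported, 2)


if __name__ == "__main__":
    print("by invoice month:", cost_by_invoice_month())
    print("by usage month:  ", cost_by_usage_month())
    print("Jan by team:     ", cost_by_label("202401", "team"))
    print("Jan invoice delta:", reconcile("202401", 250.00))
```

The same grouping is what you would write in BigQuery against the export table (GROUP BY invoice.month, and UNNEST(project.labels) for the label split); the Python version just makes the late-usage row and the unlabeled row easy to see side by side.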
Google payments Profiles and Accounts
Your business is represented by a Google payments profile, and you pay for Google services using the payment methods that are attached to that profile. The payments profile is a Google-level resource managed at payments.google.com and is linked to a Cloud Billing account.
The payments profile is not a Google Cloud resource. It's managed with separate roles and permissions and is not governed by your Google Cloud organization; your IAM roles don't apply. For Google payments profiles, you can add and remove users or change permissions in the Google payments center.
Key Decision: Use One or Multiple Google payments profiles?
Similar to Cloud Billing accounts, for administrative purposes, fewer payments profiles are generally recommended. For most customers, creating additional payments profiles adds more overhead and exposure to potential issues.
You might want to create multiple payments profiles if:
- You want separate personal and business payments profiles tied to your Google Account.
- You want to manage payments profiles for more than one business or organization.
- You want payments profiles in multiple countries. You might have to create a new profile when changing countries.
Your Cloud Billing accounts need to be linked to an appropriate Google payments profile.
Important Roles
The payments profile Admin can:
- View and manage payment methods for the payments profile at large
- Make payments
- View payment accounts and invoices
- Modify payments profile account settings
- See the other Google services associated with the payments profile.
The Google payments profile Admins in your organization are typically part of your Finance or Accounting teams.
The payments profile Read access user can:
- View the payments profile
- View subscriptions and services
- View invoices
Assign Read access to users who just need to receive email notifications (for invoices).
Checklist
- Add a backup payment method as a safety net, in case the primary method is declined.
- Regularly review your cost and payment history.
- Each month, review your invoice carefully, and look for anomalies and unexpected changes.
- Regularly check for any unapplied credits and payments to ensure that your monthly payments and credits are correctly applied to your invoices. For help, reach out to our collections team to apply any unmatched credits you might have.
Projects, Folders, and Labels
Projects, folders, and labels help you create logical groupings of resources that support your management and cost attribution requirements.
Overview
Projects are:
- Required to use resources (such as Compute Engine virtual machines, Pub/Sub topics, and Cloud Storage buckets)
- The base-level organizing entity in Google Cloud – all service-level resources are parented by projects
- Used to form the basis for enabling services, APIs, and IAM permissions
Folders are:
- A grouping mechanism for projects and can contain both projects and other folders
- Used to group resources that share common IAM policies
- Mapped under an Organization node (you must have an Organization node to use folders)
Labels are:
- Used to categorize your Google Cloud resources (such as Compute Engine instances)
- Key-value pairs you attach to resources, letting you filter resources based on their labels
- Great for cost tracking at a granular-level because they're forwarded to the billing system so you can analyze your charges by label
Key Decision: Folders and Projects Strategy
Projects are required. Folders are optional, but recommended.
Why use projects? Projects are the basic organizing entity in Google Cloud. Projects are required to use service-level resources, such as Compute Engine and Cloud Storage. Service-level resources inherit project settings and permissions. You might need to create multiple projects, depending on the number of products or services you're running on Google Cloud. Define a meaningful naming strategy for your projects so you can easily identify them. For more details about projects, see Creating and managing projects.
Why use folders? Folders group projects, centrally applying consistent policies and permissions across them. How you group resources into folders depends on the number of people and teams who will be using Google Cloud and the number of products and services you'll be running. For example, you could set up separate folders for the development, staging, and production projects of a service, or organize your projects by department within your company. One benefit of using folders is that you can enforce different IAM policies on each folder. For more details about using folders, see Creating and managing folders.
Why use labels? Labels annotate resources within and across projects. Depending on your cost tracking requirements, you might apply labels to resources to identify them by what they are, what they do, or which team they belong to. For example, you might label all of your Compute Engine instances that are HTTP servers, or label all of the components that are related to your database service. For more details about using labels, see Creating and Managing Labels.
Important Roles
The Project Creator role lets you create Projects and inherently lets resources be spun up on Google Cloud and incur usage.
Project Creators in your organization might be team leads or service accounts (for automation).
The Project Owner and User role lets you see costs and usage in a project and label resources.
Project owners and users in your organization might be team leads or developers.
The Folder Administrator can create and edit the IAM policy of folders. They decide how roles are inherited by Projects in the folders.
The Folder Administrator manages finer access control, and is typically a department head or team manager.
Checklist
Learn More
Cloud OnAir: Getting Started with Google Cloud Cost Management
To maximize the move to Google Cloud, organizations need a clear understanding of their Google Cloud costs. During this webinar, we'll share best practices for how to get started with managing your Google Cloud costs and usage. We'll demo how to set up billing accounts, organizations, projects, basic permissions, and budgets. We'll also introduce Billing reports to help you understand your current cost trends and forecast your spend at month-end so that you can prevent budget overruns.
Organizing Your Resources for Cost Management on Google Cloud (Cloud Next '19)
How much do all of my front-end servers cost? How many resources are used in my staging environment? How do I understand and optimize my spending across departments? Google Cloud tools such as organizations, folders, projects, and labels help you create logical groupings of resources that support your management and cost attribution requirements at scale. In this session, you'll learn how to use these tools to take control of your costs, whether you're a solo developer or a multinational corporation.
Establishing Financial Governance Controls on Google Cloud (Cloud Next '19)
Planning for cloud spend is a critical step in understanding if you're in control. During this session, you'll learn how to put proactive and reactive financial governance controls in place, including budgets, quotas, and permissions. In addition, we'll demo how to use programmatic budget notifications to take automated actions to throttle or cap your cloud usage and costs.
Creating Interactive Cost and KPI Dashboards Using BigQuery (Cloud Next '19)
Want more granular insight into your cloud costs, usage, and overall spend per KPI? During this session, you'll learn how to export billing data using BigQuery, write advanced billing and KPI-related queries, share custom views with internal stakeholders, and build detailed dashboards in Looker Studio and Elastic to better understand your cost drivers. PerimeterX will join us on stage to speak to exactly how they use this functionality as a customer to tie their Google Cloud costs to key business metrics.
Monitoring and Controlling Your Google Cloud Costs (Cloud Next '19)
Managing Google Cloud usage and cost trends is easier than you think. In this session, you'll learn how to quickly view your Google Cloud costs, forecast your month-end bill, and provide an overview of some of the controls you can put in place to prevent budget overruns. In addition, we'll provide a live demo of how to set up custom dashboards to further analyze your billing data.
Saving Even More Money on Compute Engine (Cloud Next '19)
In the time since Next '18's Saving More Money on Compute Engine, a lot has changed, but customers like you are still looking to control costs and get the most capability out of every cloud dollar. In this talk, you'll learn about the latest products and techniques for optimizing your usage to get the most compute for the lowest bill.