使用服务帐号将 GCP 项目关联到结算帐号

Question

I'm trying to create a new project using GCP's API and link it to a billing account.

I have a service account I use to authenticate to GCP, this service account is a part of project1 .

This service account has the following permission on the organization level:

• Billing Account User
• Project Billing Manager

I also tried to give this service account Organization Administrator , which didn't help as it isn't a permissions issue.

Using the API I've created a new project - project 2 , and I was able to enable Cloud Billing API and Deployment Manager API for project 2 .

For some reason, when I'm trying to follow the API reference on how to enable billing for a GCP project, the request fails with 403 (Permission Denied).

Here is a sample request I'm trying to make:

curl --location --request PUT 'https://cloudbilling.googleapis.com/v1/projects/project2/billingInfo' --header 'Authorization: Bearer ya29.blablabla' --header 'Content-Type: application/json' --data-raw '{"billingAccountName": "billingAccounts/1234-9248-4321"}'

The reason this request fails is that for some reason it is trying to link project1 (where the service account resides) to this billing account instead of project2 .

Here is the response I'm getting:

{ "error": { "code": 403, "message": "Cloud Billing API has not been used in project project1_number before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudbilling.googleapis.com/overview?project=project1_number then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.", "status": "PERMISSION_DENIED", "details": [ { "@type": "type.googleapis.com/google.rpc.Help", "links": [ { "description": "Google developers console API activation", "url": "https://console.developers.google.com/apis/api/cloudbilling.googleapis.com/overview?project=project1_number" } ] }, { "@type": "type.googleapis.com/google.rpc.ErrorInfo", "reason": "SERVICE_DISABLED", "domain": "googleapis.com", "metadata": { "service": "cloudbilling.googleapis.com", "consumer": "projects/project1_number" } } ] } }

If I'm trying to enable the billing API for project1 , I'm starting to get 400's with "Unexpected token" message.

Is there a way (using the API) to link project2 to my billing account using a service account that resides on project1 ?

Answer 1

You have two problems:

1. The Billing API is not enabled.
2. The service account does not have permission to access the Billing API.

To enable the Billing API, you must use an identity that has the role Service Usage Admin aka roles/serviceusage.serviceUsageAdmin

Use the Google Cloud Console GUI or use the CLI example:

gcloud services enable cloudbilling.googleapis.com

Is there a way (using the API) to link project2 to my billing account using a service account that resides on project1?

Using an API, No. Using the GUI, Yes. To allow a service account to access a Billing Account you must complete this task in the Billing Account GUI. For personal Google Cloud Accounts, you cannot add additional members (the limit is one identity).

Tip: If you are expecting to be able to access billing data, you will not be able to. Instead, enable Google Cloud Billing export to BigQuery and then execute queries to retrieve billing data.