Reputation: 1148
AWS like account linking and consolidated billing on GCP
Say I have a business and multiple DBA (doing business as), on AWS I can create a org hierarchy of the business and DBAs. I can invite the DBA accounts into the business org and link them so the business org is the payer. This keeps the operations of DBA independent and isolated with the convenience of consolidated billing for the business. This can also make it easy to transfer ownership of the DBA if desired without effecting the operations.
I was looking to setup something similar on GCP but it seems like each org is tied to a domain and there is no way to invite one org into another to link and provide billing. Is this correct or are there ways to link and provide billing for one org on behalf of the other?
Upvotes: 0
Views: 673
Answers (2)
Reputation: 1148
While the answer from John tells what all might be possible, it didn't have details on how to do it. After a lot of searching online and experimenting I managed to do what I wanted. Below are the steps using the "business" and "dba" references in my question.
- Create a payment profile with primary contact say billing@businessdomain
- Make sure the account type is Business and not Individual. In my case, I some how ended up with an Individual account. It is not allowed to change the account type once created. Don't know why, but this was my first hurdle.
- With business account type, it is possible to invite other users.
- I wasn't sure how to create a business account and if I could use the same email for the business account type. From within GCP, I went ahead and did the billing setup. Based on my login user which had the individual payment profile, it defaulted the payment profile but allowed me to create a new profile. I picked account type as Business but all other details were same as what I had in the other personal account that got created. Luckily, it went ahead and created a business payment profile.
- Once I had the business payment profile, I could go ahead and invite user from my dba by specifying the email, say billing@dbadomain
- That email got an invitation and upon accepting it, was linked to the same payment profile. This is the key! This essentially allows payment profile associated with one domain (organization) can be used for the billing account of another domain (organization).
- At this point, I went ahead and even closed the payment profile with Individual account type and it seemed to have worked. I didn't have any transactions so far and so it's like it never need to exist. I wish it was possible to change the account type for such profiles.
With this setup, the dba organization and its operations are done isolated and if ever it needs to change ownership, it can add a different billing method and separate out from the business org completely.
Upvotes: 0
Reputation: 81434
Say I have a business and multiple DBA (doing business as), on AWS I can create an org hierarchy of the business and DBAs.
You can create a similar hierarchy on Google Cloud.
I can invite the DBA accounts into the business org and link them so the business org is the payer.
You can accomplish this with Google Cloud but in a different way. You cannot make one organization a branch/child of another organization, but you can add its members (identities) to another organization. The key to this is the members are not actually part of the organization. Identities are independent and added and removed easily.
This keeps the operations of DBA independent and isolated with the convenience of consolidated billing for the business.
Google Cloud supports one or more billing accounts. Bill accounts can be assigned to projects independently of organizations. I can make my billing account responsible for any Google project (oversimplification).
This can also make it easy to transfer ownership of the DBA if desired without affecting the operations.
Google does not have this flexibility without effort. In Google Cloud, I would not merge projects into an organization unless this objective was permanent. Instead, I would add the members required to access that project to IAM.
Projects independent of an organization can still participate in another organization and vice versa. Google Cloud Identity and Access Management (IAM) is very flexible. If I want [email protected] to have access to Project ABC, I can add his email address to IAM and grant roles. You can also add an entire domain of users *@example.com to Google IAM. There are many more options.
You can move projects around inside the organization, but you cannot move projects to a different organization yourself - this requires opening a support ticket with Google Cloud Support.
I was looking to set up something similar on GCP but it seems like each org is tied to a domain
Google Cloud is not tied to a domain name, Google G Suite is. If you plan to also use G Suite for multiple DBA, I would have separate Google accounts and not combine G Suite with my resources in Google Cloud. Note: G Suite supports multiple domains; for a single organization linking G Suite and Google Cloud is fine.
I find Google Cloud's method of organizations, folders, projects and IAM more flexible than AWS.
AWS and Google have powerful IAM systems. I know both very well, each has its positives and drawbacks.
Upvotes: 2
Related Questions
- how to share Google cloud bill between apps
- GCP - can billing be configured at the folder level?
- How to change gcp project billing to different billing organization?
- Link a GCP project to a billing account using a service account
- GCP billing account for customer
- How to create a team on a single GCP billing account, without providing a domain?
- Google Cloud Tiered Billing - Project v Billing Account
- GCP quota and billing at user level
- What's a strategy for implementing GCP billing on a per-user/per-run basis?
- Google cloud platform individual billing