RamenOps

Reputation: 372

Link a GCP project to a billing account using a service account

I'm trying to create a new project using GCP's API and link it to a billing account.

I have a service account that I use to authenticate to GCP; this service account is part of project1.

This service account has the following permission on the organization level:

I also tried to give this service account Organization Administrator, which didn't help as it isn't a permissions issue.

Using the API I've created a new project - project 2, and I was able to enable Cloud Billing API and Deployment Manager API for project 2.

For some reason, when I'm trying to follow the API reference on how to enable billing for a GCP project, the request fails with 403 (Permission Denied).

Here is a sample request I'm trying to make:

curl --location --request PUT 'https://cloudbilling.googleapis.com/v1/projects/project2/billingInfo' \
  --header 'Authorization: Bearer ya29.blablabla' \
  --header 'Content-Type: application/json' \
  --data-raw '{"billingAccountName": "billingAccounts/1234-9248-4321"}'

The reason this request fails is that for some reason it is trying to link project1 (where the service account resides) to this billing account instead of project2.

Here is the response I'm getting:

{
  "error": {
    "code": 403,
    "message": "Cloud Billing API has not been used in project project1_number before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudbilling.googleapis.com/overview?project=project1_number then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.",
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.Help",
        "links": [
          {
            "description": "Google developers console API activation",
            "url": "https://console.developers.google.com/apis/api/cloudbilling.googleapis.com/overview?project=project1_number"
          }
        ]
      },
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "SERVICE_DISABLED",
        "domain": "googleapis.com",
        "metadata": {
          "service": "cloudbilling.googleapis.com",
          "consumer": "projects/project1_number"
        }
      }
    ]
  }
}

If I'm trying to enable the billing API for project1, I'm starting to get 400's with "Unexpected token" message.

Is there a way (using the API) to link project2 to my billing account using a service account that resides on project1?

Upvotes: 1

Views: 1950

Answers (1)

John Hanley

Reputation: 81434

You have two problems:

  1. The Billing API is not enabled.
  2. The service account does not have permission to access the Billing API.

To enable the Billing API, you must use an identity that has the role Service Usage Admin, aka roles/serviceusage.serviceUsageAdmin.

Use the Google Cloud Console GUI or use the CLI example:

gcloud services enable cloudbilling.googleapis.com

> Is there a way (using the API) to link project2 to my billing account using a service account that resides on project1?

Using an API, No. Using the GUI, Yes. To allow a service account to access a Billing Account you must complete this task in the Billing Account GUI. For personal Google Cloud Accounts, you cannot add additional members (the limit is one identity).

Tip: If you are expecting to be able to access billing data, you will not be able to. Instead, enable Google Cloud Billing export to BigQuery and then execute queries to retrieve billing data.

Upvotes: 1
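An added example, not part of the question or the answer: a small parser for the 403 body quoted in the question that separates "API disabled on the consumer project" from an IAM denial and compares the consumer project in `google.rpc.ErrorInfo` with the project named in the request URL. The function names `target_project` and `diagnose` are hypothetical, and `SAMPLE_403` is constructed from the response above, trimmed to the fields the code reads.

```python
import json
import re

ERROR_INFO = "type.googleapis.com/google.rpc.ErrorInfo"

# Constructed sample: the 403 body from the question, trimmed to the fields used here.
SAMPLE_403 = json.dumps({"error": {
    "code": 403,
    "status": "PERMISSION_DENIED",
    "details": [
        {"@type": "type.googleapis.com/google.rpc.Help", "links": []},
        {"@type": ERROR_INFO,
         "reason": "SERVICE_DISABLED",
         "domain": "googleapis.com",
         "metadata": {"service": "cloudbilling.googleapis.com",
                      "consumer": "projects/project1_number"}},
    ],
}})


def target_project(url):
    """Project ID named in a .../projects/<id>/billingInfo request URL."""
    m = re.search(r"/projects/([^/]+)/billingInfo", url)
    return m.group(1) if m else None


def diagnose(request_url, body):
    """Classify a 403: API disabled on the consumer project, or an IAM denial."""
    err = json.loads(body).get("error", {})
    info = next((d for d in err.get("details", [])
                 if d.get("@type") == ERROR_INFO), {})
    meta = info.get("metadata", {})
    raw = meta.get("consumer")                      # e.g. "projects/project1_number"
    consumer = raw.split("/", 1)[-1] if raw else None
    target = target_project(request_url)
    if info.get("reason") == "SERVICE_DISABLED":
        kind = "api_disabled_on_consumer"           # enable the API on `consumer`
    elif err.get("status") == "PERMISSION_DENIED":
        kind = "iam_denied"                         # identity lacks a role
    else:
        kind = "other"
    return {"kind": kind, "service": meta.get("service"), "consumer": consumer,
            "target": target, "consumer_is_target": consumer == target}


if __name__ == "__main__":
    url = "https://cloudbilling.googleapis.com/v1/projects/project2/billingInfo"
    print(diagnose(url, SAMPLE_403))
```

For the question's request, the result shows the consumer (`project1_number`) differs from the URL's target (`project2`), so the `SERVICE_DISABLED` reason refers to the service account's project, not the project being linked.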
