
I'm trying to create a new project using GCP's API and link it to a billing account.

I have a service account I use to authenticate to GCP; this service account is a part of project1.

This service account has the following permissions on the organization level:

  • Billing Account User
  • Project Billing Manager

I also tried to give this service account Organization Administrator, which didn't help as it isn't a permissions issue.

Using the API I've created a new project - project 2, and I was able to enable Cloud Billing API and Deployment Manager API for project 2.

For some reason, when I'm trying to follow the API reference on how to enable billing for a GCP project, the request fails with 403 (Permission Denied).

Here is a sample request I'm trying to make:

    curl --location --request PUT 'https://cloudbilling.googleapis.com/v1/projects/project2/billingInfo' \
      --header 'Authorization: Bearer ya29.blablabla' \
      --header 'Content-Type: application/json' \
      --data-raw '{"billingAccountName": "billingAccounts/1234-9248-4321"}'

The reason this request fails is that for some reason it is trying to link project1 (where the service account resides) to this billing account instead of project2.

Here is the response I'm getting:

    {
      "error": {
        "code": 403,
        "message": "Cloud Billing API has not been used in project project1_number before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudbilling.googleapis.com/overview?project=project1_number then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.",
        "status": "PERMISSION_DENIED",
        "details": [
          {
            "@type": "type.googleapis.com/google.rpc.Help",
            "links": [
              {
                "description": "Google developers console API activation",
                "url": "https://console.developers.google.com/apis/api/cloudbilling.googleapis.com/overview?project=project1_number"
              }
            ]
          },
          {
            "@type": "type.googleapis.com/google.rpc.ErrorInfo",
            "reason": "SERVICE_DISABLED",
            "domain": "googleapis.com",
            "metadata": {
              "service": "cloudbilling.googleapis.com",
              "consumer": "projects/project1_number"
            }
          }
        ]
      }
    }

If I'm trying to enable the billing API for project1, I'm starting to get 400's with "Unexpected token" message.

Is there a way (using the API) to link project2 to my billing account using a service account that resides on project1?

John Hanley
RamenCoder

1 Answer


You have two problems:

  1. The Billing API is not enabled.
  2. The service account does not have permission to access the Billing API.

To enable the Billing API, you must use an identity that has the role Service Usage Admin, aka roles/serviceusage.serviceUsageAdmin.

Use the Google Cloud Console GUI or use the CLI example:

gcloud services enable cloudbilling.googleapis.com

Is there a way (using the API) to link project2 to my billing account using a service account that resides on project1?

Using an API, No. Using the GUI, Yes. To allow a service account to access a Billing Account you must complete this task in the Billing Account GUI. For personal Google Cloud Accounts, you cannot add additional members (the limit is one identity).

Tip: If you are expecting to be able to access billing data, you will not be able to. Instead, enable Google Cloud Billing export to BigQuery and then execute queries to retrieve billing data.

John Hanley
  • Hey John, as I mentioned at the end of my question, I did enable the billing API which caused me to get 400's with "Invalid Token". I also mentioned that the service account is granted with "Organization Admin" at the organization level, in addition to the permissions you specified so I believe permissions is not the issue. I was able to work around this using the Cloud Billing API C# library, though I'm still not able to tell what is wrong with my API call. – RamenCoder Dec 24 '21 at 01:40
  • @ShacharAshkenazi - Your question says "If I'm trying to enable the billing API ...". See my point #1. Organization Admin had nothing to do with adding a member to a Billing account. See my point #2. Google Billing Accounts are not part of a Google Cloud Platform Project or Organization. They are managed independently. You link a project to a billing account. – John Hanley Dec 24 '21 at 02:51
  • Have you tried to impersonate your service account to work in different projects? https://cloud.google.com/iam/docs/impersonating-service-accounts#enabling-cross-project – Vicente Ayala Dec 24 '21 at 15:41
  • @JohnHanley As I said, I fixed both your points, but the problem stands as the main issue is that it tries to link the wrong project to my billing account. – RamenCoder Dec 25 '21 at 13:40
  • @ShacharAshkenazi - Is the service already a member of the billing account? Projects do not link billing accounts. Only billing accounts can link to projects. – John Hanley Dec 25 '21 at 13:57
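
Added example (not part of the original question, answer or comments): a Python check that reads the 403 body quoted in the question and separates a `SERVICE_DISABLED` rejection, which names the consumer project the call was attributed to, from any other denial. The function name `classify_denial`, the result fields and the `kind` labels are illustrative assumptions; the sample body is constructed from the response shown above.

```python
import json
import re

ERROR_INFO = "type.googleapis.com/google.rpc.ErrorInfo"
SAMPLE_URL = "https://cloudbilling.googleapis.com/v1/projects/project2/billingInfo"
# Constructed sample: a trimmed copy of the 403 body quoted in the question.
SAMPLE_403 = json.dumps({"error": {
    "code": 403,
    "status": "PERMISSION_DENIED",
    "details": [
        {"@type": "type.googleapis.com/google.rpc.Help", "links": []},
        {"@type": ERROR_INFO, "reason": "SERVICE_DISABLED",
         "domain": "googleapis.com",
         "metadata": {"service": "cloudbilling.googleapis.com",
                      "consumer": "projects/project1_number"}},
    ]}})


def classify_denial(body, request_url):
    """Split a googleapis 403 into 'API disabled in consumer project' vs. other denial."""
    error = json.loads(body).get("error", {})
    match = re.search(r"/projects/([^/]+)/billingInfo", request_url)
    result = {
        "target_project": match.group(1) if match else None,  # project named in the URL
        "kind": "not_a_403",
        "service": None,
        "consumer_project": None,  # project the API call was attributed to
    }
    if error.get("code") != 403:
        return result
    # Without a SERVICE_DISABLED detail, treat the 403 as an access denial
    # to investigate in IAM or billing-account membership.
    result["kind"] = "permission_denied"
    for detail in error.get("details", []):
        if detail.get("@type") == ERROR_INFO and detail.get("reason") == "SERVICE_DISABLED":
            meta = detail.get("metadata", {})
            result["kind"] = "service_disabled"
            result["service"] = meta.get("service")
            result["consumer_project"] = meta.get("consumer", "").split("/", 1)[-1]
    return result


if __name__ == "__main__":
    print(classify_denial(SAMPLE_403, SAMPLE_URL))
```

For the quoted response this reports `service_disabled` with consumer `project1_number` while the URL still targets `project2`.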