Google Cloud Billing Sources
For Google Cloud, the billing source is the billing account. You'll need to create a billing account within Google Cloud and attach it to your Google Cloud service account before you can add it as a billing source in Kion.
Managing Google Cloud accounts in Kion requires both a billing account and a service account.
Set Up the Service Account
1. Create a Google Cloud project for the service account.
In the following sections, you create a service account and upload its information to Kion. Before you do that, you must create a dedicated Google Cloud project to house the service account. If you've already created a Google Cloud project for the Kion deployment, you can add the service account to that project instead of creating a new one. The service account must be located in its own Google Cloud project.
Google Cloud projects are different from Kion projects. Google Cloud projects are equivalent to Kion accounts.
- Log in to the Google Cloud console.
- In the top ribbon, click Select a project.
- Click New Project.
- Enter a Project name.
- Select the Organization and Location (parent organization or folder) from the dropdown menu.
- Set and take note of the Project ID. You will need this ID later.
- Click Create.
2. Enable the APIs for the resource manager and cloud billing.
- Log in to the Google Cloud console.
- In the top ribbon, select the project you created for your service account.
- In the left navigation menu, click APIs & Services.
- Click Enable APIs and Services.
- Search for and select Cloud Resource Manager API.
- Click Enable.
- Navigate to the APIs & Services page.
- Search for and select Cloud Billing API.
- Select Enable APIs and Services.
- Navigate to the API Library.
- Search for and select Identity and Access Management (IAM) API.
- Click Enable.
3. Create a service account and service account key within Google Cloud.
A service account is a special type of Google account intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs. You can read more about service accounts in Google's service account documentation.
- Log in to the Google Cloud console.
- In the top ribbon, select the project you created for your service account.
- In the left navigation menu, click IAM & Admin > Service Accounts.
- If prompted, select the card for the project you created.
- Click Create Service Account.
- Enter a Service Account Name.
- Click Create and Continue.
- Skip the Grant the service account access to project section by clicking Continue.
- (Optional) You can grant other users access to this service account. You can add a user's Google email address, Google Groups email address, service account address, or G Suite domain. For more information, see the Google documentation on Managing Service Account Impersonation.
- Click Done.
If you already have a billing account, you will be prompted to choose one to link to the project during this process. If you haven't set up a billing account yet, we go over the process later in this guide.
4. Create a service account key.
- Log in to the Google Cloud console.
- In the top ribbon, select the project you created for your service account.
- In the list of service accounts for your project, click the ellipsis menu under Actions and select Manage Keys.
- Select Add Key > Create New Key.
- Set the Key Type to JSON.
- Click Create. The service account key (SAK) JSON file downloads to your computer. Save this file to a safe location.
Grant the Service Account Permissions
1. Assign org-wide permissions to your service account.
In addition to the roles you just assigned to the project housing the service account, you need to assign the service account permissions at the organization level.
There are two approaches you can take when granting permissions. You can grant the service account high-level permissions, which ensures the necessary permissions are in place for all current and future Kion features, or you can grant minimal permissions, which may require permission modifications when new features are released.
Follow one of the following guides to grant permissions to your service account.
To grant the service account standard permissions (recommended):
- Log in to the Google Cloud console.
- In the top ribbon, select your organization.
- In the left navigation menu, click IAM & Admin > IAM.
- Click Add.
- Enter the email of the service account.
- To grant the service account access to all current and future Kion features, we recommend adding the following roles:
- Billing > Billing Account Viewer. This permission gives Kion access to read the billing account information. This must be done at the organization level.
- Basic > Owner. If you use Google Cloud folders, you can alternatively set this role on the folders you want Kion to manage.
- If you plan to use Kion to create new Google Cloud projects, you must also add Project Creator and Folder Viewer permissions.
- Click Save.
To grant the service account minimal permissions:
- Log in to the Google Cloud console.
- In the top ribbon, select your organization.
- In the left navigation menu, click IAM & Admin > IAM.
- Click Add.
- Enter the email of the service account.
- To grant the minimal permissions (which will require modifying permissions when Kion adds Google Cloud capabilities), add the following roles:
- Billing > Billing Account Viewer. This permission gives Kion access to read the billing account information. This must be done at the organization level.
- Resource Manager > Project IAM Admin. This permission gives Kion access to manage permissions on Google Cloud projects. If you use Google Cloud folders, you can alternatively set this role on the folders you want Kion to manage.
- Roles > Organization Role Administrator. This permission gives Kion access to manage Google Cloud IAM roles for an organization. If you use Google Cloud folders, you can alternatively set this role on the folders you want Kion to manage along with the role Resource Manager > Folder IAM Admin.
- Resource Manager > Folder Viewer. This permission gives Kion access to view Google folders. If you use Google Cloud folders, you can alternatively set this role on the folders you want Kion to manage instead.
- If you plan to use Kion to create new Google Cloud projects, you must also add Project Creator and Folder Viewer permissions.
- Click Save.
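After saving, you can confirm which organization-level roles the service account actually holds by comparing the IAM policy with the approach you chose. The following audit is an added example, not part of the Kion documentation; it assumes a policy in the JSON shape printed by gcloud organizations get-iam-policy ORG_ID --format=json (ORG_ID is a placeholder), uses the role IDs behind the console role names above, and runs on a constructed sample policy. Roles set on folders instead of the organization are not visible in this policy.

```python
# Role IDs for the console role names used in the steps above.
EXPECTED = {
    "standard": {
        "roles/billing.viewer",                     # Billing Account Viewer
        "roles/owner",                              # Basic > Owner
    },
    "minimal": {
        "roles/billing.viewer",                     # Billing Account Viewer
        "roles/resourcemanager.projectIamAdmin",    # Project IAM Admin
        "roles/iam.organizationRoleAdmin",          # Organization Role Administrator
        "roles/resourcemanager.folderViewer",       # Folder Viewer
    },
}
# Added when Kion will create new Google Cloud projects.
PROJECT_CREATION = {"roles/resourcemanager.projectCreator",
                    "roles/resourcemanager.folderViewer"}


def audit_policy(policy, sa_email, profile="minimal", creates_projects=False):
    """Compare one IAM policy's bindings for the service account with a profile."""
    member = f"serviceAccount:{sa_email}"
    granted, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            # A binding with a condition applies only while the condition holds,
            # so it does not count as an unconditional grant.
            (conditional if "condition" in binding else granted).add(binding["role"])
    expected = set(EXPECTED[profile])
    if creates_projects:
        expected |= PROJECT_CREATION
    return {
        "missing": sorted(expected - granted),
        "unexpected": sorted((granted | conditional) - expected),
        "conditional": sorted(conditional),
    }


# Constructed sample data (hypothetical service account and policy).
SA = "kion-sa@kion-sa-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/billing.viewer", "members": [f"serviceAccount:{SA}", "user:admin@example.com"]},
    {"role": "roles/owner", "members": [f"serviceAccount:{SA}"]},
    {"role": "roles/resourcemanager.folderViewer", "members": [f"serviceAccount:{SA}"]},
    {"role": "roles/resourcemanager.projectIamAdmin", "members": ["user:admin@example.com"]},
]}

if __name__ == "__main__":
    print(audit_policy(SAMPLE_POLICY, SA, profile="minimal"))
```

With the minimal profile, the sample reports Owner as unexpected and two minimal roles as missing, which is the mixed state that results from switching approaches without removing the earlier grant.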
2. Assign BigQuery Permissions.
If the BigQuery financial export is not present in one of the Google Cloud projects under the organization or folders you specified above, assign the service account permissions at the project level where BigQuery is located.
To assign BigQuery permissions:
- Log in to the Google Cloud console.
- In the top ribbon, select your project containing BigQuery.
- In the left navigation menu, click IAM & Admin > IAM.
- Click Add.
- Enter the email of the service account.
- Add the following roles:
- BigQuery > BigQuery User
- BigQuery > BigQuery Data Viewer
- Click Save.
Set Up the Billing Account
1. Create a billing account within Google Cloud and attach it to the service account.
If you have an existing billing account, you can link that account instead of creating a new one. After step 3, select Link a Billing Account and follow the prompts.
To add a billing account and attach it to the service account:
- Log in to the Google Cloud console. For this process, you must log in as a user with the Billing Account Creator role.
- In the top ribbon, select the project you created for your service account.
- In the left navigation menu, click Billing.
- Click Manage Billing Accounts.
- Click Add Billing Account.
- Select your organization from the dropdown menu.
- Enter an account name.
- Select your country.
- Click Continue.
- Enter your account information. Please note that your selections here may be used for tax and identity verification. For more information, see Google's Create, Modify, or Close Your Billing Account article.
- Click Submit and Enable Billing. By default, the person who creates the billing account is made a Billing Account Administrator for the billing account.
- From the home screen, in the left navigation menu, click Billing.
- Select your organization from the dropdown menu and click the My Projects tab.
- Click the ellipsis menu under Actions and select Change Billing.
- Choose the new billing account from the list.
- Click Set Account.
2. Set up billing data export to BigQuery.
Create a BigQuery dataset and enable the export of data to BigQuery to send Google Cloud information to Kion.
To set up billing data export to BigQuery:
- Log in to the Google Cloud console.
- In the top ribbon, select the project you created for your service account.
- Navigate to Big Data > BigQuery.
- In the Explorer menu, select your project.
- Click the ellipsis menu next to the project ID and select Create Dataset.
- Enter a Dataset ID. For example, kionbillingdata.
- Select a multi-region location identifier as the Data location. Do not select an individual region.
- Click Create dataset.
- In the left navigation menu, click Billing.
- Click Go to Linked Billing Account.
- In the billing navigation menu on the left, select Billing export.
- Under the Standard usage cost section, click Edit settings.
- Select your project.
- Select the dataset you created.
The BigQuery API is required to export data to BigQuery. If the project you selected doesn't have the BigQuery API enabled, you will be prompted to enable it. Click Enable BigQuery API to enable the API.
- Click Save.
- Under the Detailed usage cost section, click Edit settings.
- Select your project.
- Select the dataset you created.
- Click Save.
3. Enable OAuth for federation.
- Log in to the Google Cloud console.
- In the top ribbon, select the project you created for your service account.
- In the left navigation menu, click APIs & Services.
- Click OAuth consent screen.
- Select Internal and click Create.
- On the app registration screen, enter the app name, user support email, and developer contact information email.
- Click Save and Continue.
4. Generate OAuth access keys to support federation.
- Log in to the Google Cloud console.
- In the top ribbon, select the project you created for your service account.
- In the left navigation menu, click APIs & Services.
- Click Credentials.
- Click Create Credentials > OAuth client ID.
- From the Application type dropdown, select Web application.
- Enter an application name.
- In the Authorized Redirect URIs section, click Add URI and enter: https://Kion.example.com/api/v3/account/link-google-callback
- Change "kion.example.com" to the URL of your Kion instance.
- Click Create.
- Store the client ID and client secret for use in the Kion application.
Add the Billing Source to Kion
1. Add the service account to Kion.
- Log in to Kion.
- Navigate to Accounts > Google Cloud Service Accounts.
- Click Add New.
- Enter a Name and Description for the service account.
- Select Enable IAM Federation.
- Enter the OAuth Client ID and OAuth Client Secret you created above. This allows federation into Google Cloud accounts.
- Upload the Google Cloud service access key by clicking Upload and selecting the JSON file you saved earlier.
- Click Create Google Cloud Service Account.
2. Add the billing account to Kion as a billing source.
- Log in to Kion.
- Navigate to Accounts > Billing Sources.
- Click Add New.
- For Account Type, select Google Cloud.
- Enter a Billing Source Name.
- Choose a Billing Start Date. This is the earliest month Kion will try to fetch financial data for the billing source.
- Select the Service Account that will be used to access the billing data.
- Leave the Input Type dropdown set to Auto-fill. This allows the form to query information from the Google API as you fill in the remainder of the form.
- In the Google Cloud Billing Account dropdown, select the Google Cloud billing account that this billing source will represent.
- If you are using the manual input method, enter the Google Cloud Billing Account ID for the Google Cloud billing account you want to add. You can find it in the Google Cloud console by selecting the project, clicking Billing in the left navigation menu, and then clicking Go to Linked Billing Account. The billing account ID is listed after the billing account name.
- In the Big Data Billing Export Project ID dropdown, select the Google Cloud project where the billing account selected above is exporting financial data to BigQuery.
- If using the manual input method, enter the Big Data Billing Export Project ID. You can find it in the Google Cloud console by clicking the dropdown in the blue ribbon. The project ID is displayed next to the name of the project housing your service account. This may be a variation of your project name with a unique identifier on it.
- In the Big Query Billing Export Dataset ID dropdown, select the BigQuery dataset ID where the billing account selected above is exporting its financial data.
- If the table where the billing account is exporting data is unusually named (usually gcp_billing_export_v1_{BILLING ACCOUNT NUMBER}), override the default table name by checking the Override the Default Table Name checkbox.
- If using the manual input method, enter the Big Data Billing Export Dataset Name. You can find it in the Google Cloud console by selecting the project, and navigating to Big Data > BigQuery. The name of your project is shown in the left navigation menu, and the dataset name will display below.
- Ensure the This Billing Source Supports Google Cloud Project Creation option is enabled.
- Click Test Billing Source. If you receive an error message, verify your credentials and permissions.
- Click Create Billing Source.