Introduction and Layout

The purpose of this guide is to help walk you through the process of credentialing your organization's billing account so that Cloudability can start ingesting your Google Cloud Platform (GCP) billing data. If your organization has multiple GCP billing accounts, then this process must be repeated for each of those billing accounts.

The process, at a high-level,

1. Review prerequisites here
2. Migrate your existing account credential
   • Migrate your existing GCP token-based credential to a role-based credential
3. Add a new account credential
   
   • Create a new GCP role-based billing account credential
4. Run script
   • Cloudability uses your billing Table ID to generate a shell script that uses IAM to
     
     1. add a custom role to your billing project
     2. add Cloudability's Service Account as a member of your billing project with that custom role
5. Verify credentials
   • Verify that our Service Account has access to read your billing data

Migrate your Existing Account Credential

If you have existing GCP token-based credentials and would like to migrate them to role-based credentials, then edit the credential and click on Migrate Credential.

Follow the steps below to generate and download the shell script that contains the gcloud IAM commands.

1. Edit your credential. Click on Migrate Credential, and then Download Script.

2. Select Keep if your browser prompts you with a warning when downloading the shell script

Add a New Account Credential

The following steps will help you get started on creating a new GCP role-based credential for your billing account.

1. To create a new credential, go to Vendor Credentials, select the GCP tab, and click on the Add Credentials button

2. Enter in the billing Table ID, click Generate Setup Script, and then Download Script

3. Select Keep if your browser prompts you with a warning when downloading the shell script

Run Script

Follow the steps below to run the script via Cloud Shell within your cloud console. It does not matter from where, within the Cloud Shell, you run the script so long as you have the permissions listed in IAM Permissions.

1. Activate Cloud Shell and select Upload file. Choose the downloaded script from the file explorer and confirm.

2. Run the script from within the Cloud Shell.

NOTE: In the commands below, replace script-name with the full name and extension of the actual script.

You need to let Cloud Shell know that the script is executable. You can do this by running the following command in your Cloud Shell,

chmod +x script-name

Next, run the script in your Cloud Shell,

./script-name

3. Check for any errors.

Errors in the Cloud Shell are easy enough to spot. For example,

Please see our Troubleshooting section for help with these errors.

If the script is successful, you will see output similar to the following in your Cloud Shell.

Verify Credentials

1. Click Verify Credentials.

2. Your billing account is added and a green balloon notifies you of success.

3. Click the refresh icon to update status.

4. The green checkmark indicates that this billing account has been successfully credentialed.

Conclusion

You have now successfully added your billing account to Cloudability. We ingest data at regular intervals and your billing data will be available starting from the next ingest cycle. Upon the next ingest, we will also enumerate the projects associated with this billing account; return to the GCP credentials page to see the list of projects linked to the billing account.

Lastly, if your organization has additional GCP billing accounts that you would like to add then please repeat this process for each of those billing accounts.

Troubleshooting Errors

1. [Script] ERROR: (gcloud.iam.roles.create) FAILED_PRECONDITION: You can't create a role with role_id (CloudabilityRole_Billing) where there is an existing role with that role_id in a deleted state.

Context: This can occur when you run the script after deleting an existing role, from your billing project, with role_id CloudabilityRole_Billing. The role could be in a deleted state and the script cannot create a new role with that role_id. You can view the role's status -- Enabled, Disabled, Deleted -- in your cloud console.

Solution: Undelete the existing role with role_id CloudabilityRole_Billing, from your billing project, and re-run the script.

2. [Script] ERROR: (gcloud.iam.roles.create) Resource in project is the subject of a conflict.

Context: This can occur when you have an existing role, within your billing project, with role_id CloudabilityRole_Billing. The error indicates that the script is unable to create a new role with role_id CloudabilityRole_Billing because one already exists.

Solution: Ignore this error.

3. [UI] Truncation: Project ID, Dataset, or Table ID getting truncated.

Context: You enter your complete GCP Billing Table ID into Cloudability and notice that there are errors. Additionally, when you edit the credential, you notice that the Project ID, Dataset, or Table ID are truncated.

You might have retrieved or constructed your GCP Billing Table ID from the Billing Export page.

Solution: You need to grab your complete Table ID via the BigQuery page for your Billing Table.

Please review the prerequisites here.

The details provided on the Billing Export page differ from those on the BigQuery page for your Billing Table. Specifically, the Table ID on the BigQuery page is constructed using the Billing Project ID, while the Billing Export page lists the Billing Project Name. IDs are unique while Names are not.

For more details on GCP Projects, see here.