Billing accounts and IAM
Because billing accounts are a type of resource on Google Cloud, they are fully integrated with Cloud IAM. There are several IAM roles that apply to billing accounts. The most permissive billing role is the Billing Account Creator. This role exists at the organization level, and it can create new billing accounts. It is usually reserved for a select few in the organization.
Below the Billing Account Creator are the Billing Account Administrator and the Project Billing Manager. Both of these roles can link and unlink billing accounts to a project. Administrator roles can be applied to the organization to grant access to all billing accounts, or to a specific billing account. In addition to associating billing accounts with projects, administrators are able to modify billing account settings such as payment methods and budgets.
Project billing manager roles are assigned at the project level. Both project billing managers and billing account administrators can exist at the organization level, but only project billing managers can exist at the project level. The Project Billing Manager role is useful when delegating project-specific billing management duties to a user. While project billing managers are able to link and unlink billing accounts to projects, they do not have any control over project resources.
Under the billing account administrator, users can be assigned the Billing Account User role. Billing account users can link and unlink billing accounts with projects. This role is usually combined with Project Creator to allow new projects to be provisioned with an existing billing account. Billing account users cannot view or modify billing account information. This role can be granted at the organization level to allow linking any billing account to a project, or to a specific billing account to limit which accounts the user can link to projects.
Finally, the Billing Account Viewer role grants users view-only access to billing accounts. This role is generally given to financial teams for budgeting and auditing reasons. Like the billing account user role, this role can be granted at the organization level or the billing account level.
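The scoping rules above can be checked against exported IAM policies. The following is an added example, not code from the original text: it audits policy JSON (the bindings/role/members shape that get-iam-policy returns) for billing roles bound at a level the text does not list for them, for organization-wide grants that could be narrowed to one billing account, and for too many Billing Account Creators. The role IDs are Google Cloud's predefined billing roles; the function name, the creator threshold and the sample policies are assumptions constructed for illustration.

```python
# Levels at which the text above says each billing role can be granted.
ALLOWED_LEVELS = {
    "roles/billing.creator":        {"organization"},
    "roles/billing.admin":          {"organization", "billing_account"},
    "roles/billing.projectManager": {"organization", "project"},
    "roles/billing.user":           {"organization", "billing_account"},
    "roles/billing.viewer":         {"organization", "billing_account"},
}
# Roles whose organization-level grant reaches every billing account.
ORG_WIDE_REACH = {"roles/billing.admin", "roles/billing.user"}

def audit_billing_bindings(policies, max_creators=2):
    """policies: list of (level, resource_name, iam_policy_dict).
    max_creators is an assumed threshold for "a select few"."""
    findings, creators = [], set()
    for level, resource, policy in policies:
        for binding in policy.get("bindings", []):
            role, members = binding["role"], binding.get("members", [])
            allowed = ALLOWED_LEVELS.get(role)
            if allowed is None:
                continue  # not a billing role, out of scope for this audit
            if level not in allowed:
                findings.append(("level-mismatch", role, resource, sorted(members)))
            elif level == "organization" and role in ORG_WIDE_REACH:
                findings.append(("org-wide-grant", role, resource, sorted(members)))
            if role == "roles/billing.creator":
                creators.update(members)
    if len(creators) > max_creators:
        findings.append(("too-many-creators", "roles/billing.creator", "*", sorted(creators)))
    return findings

# Constructed sample policies (placeholder resource names and principals).
SAMPLE = [
    ("organization", "organizations/000000000000", {"bindings": [
        {"role": "roles/billing.creator", "members": ["user:cfo@example.com"]},
        {"role": "roles/billing.user", "members": ["group:devs@example.com"]},
        {"role": "roles/billing.viewer", "members": ["group:finance@example.com"]},
    ]}),
    ("billing_account", "billingAccounts/000000-AAAAAA-000000", {"bindings": [
        {"role": "roles/billing.admin", "members": ["user:finops@example.com"]},
    ]}),
    ("project", "projects/example-project", {"bindings": [
        {"role": "roles/billing.projectManager", "members": ["user:lead@example.com"]},
        {"role": "roles/billing.admin", "members": ["user:dev@example.com"]},
        {"role": "roles/editor", "members": ["user:dev@example.com"]},
    ]}),
]

if __name__ == "__main__":
    for finding in audit_billing_bindings(SAMPLE):
        print(finding)
```

An org-wide-grant finding is not an error in itself; it marks a binding that could be moved to a specific billing account to limit which accounts the principal can reach.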