GC Access Roles and Permissions
You can start with an initial analysis to estimate how much Eco can save you if you connect your GC account. For the initial analysis, Eco only needs read-only permissions to your Google Cloud account. This lets the Eco cost specialists review your cost and usage data so they can provide accurate analysis and insights. As part of this process, a service account will also be granted read-only permissions. This lets Eco access billing and recommendation exports for your dashboards.
When you decide to onboard Cloud Commitment Management, you'll need to update the roles and permissions.
Direct user access, read-only permissions for analysis
These roles and permissions are needed for Eco Google Cloud cost specialists to analyze your environment.
Predefined IAM roles
- Organization level
- Project level (in the project that has Google Cloud BigQuery billing export)
Custom analysis IAM role
- Organization level
- bigquery.capacityCommitments.get
- bigquery.capacityCommitments.list
- bigquery.jobs.listAll
- bigquery.reservationAssignments.list
- bigquery.reservationGroups.list
- bigquery.reservations.list
- billing.accounts.getPricing
- cloudasset.assets.exportComputeCommitments
- cloudasset.assets.listComputeCommitments
- compute.commitments.get
- compute.commitments.list
- compute.instances.get
- compute.instances.list
- recommender.bigqueryCapacityCommitmentsInsights.get
- recommender.bigqueryCapacityCommitmentsInsights.list
- recommender.bigqueryCapacityCommitmentsRecommendations.get
- recommender.bigqueryCapacityCommitmentsRecommendations.list
- recommender.commitmentUtilizationInsights.get
- recommender.commitmentUtilizationInsights.list
- recommender.spendBasedCommitmentInsights.get
- recommender.spendBasedCommitmentInsights.list
- recommender.spendBasedCommitmentRecommendations.get
- recommender.spendBasedCommitmentRecommendations.list
- recommender.spendBasedCommitmentRecommenderConfig.get
- recommender.usageCommitmentRecommendations.get
- recommender.usageCommitmentRecommendations.list
Service account read-only permissions for dashboard
These roles and permissions are needed for the Cloud Commitment Management service account to collet and display your data. This helps us determine your savings potential and gives you clear insight into your account through a unified dashboard.
Predefined IAM roles
- Project level (in the project that has the Google Cloud BigQuery billing export)
Custom service account IAM role
- Project level (in the project that has the Google Cloud BigQuery billing export)
- monitoring.timeSeries.list
- cloudquotas.quotas.get
- cloudquotas.quotas.update
- serviceusage.services.get
- serviceusage.services.list
- serviceusage.quotas.get
- serviceusage.quotas.update
- bigquery.jobs.create
- bigquery.readsessions.create
Direct user access with full management permissions
These roles and permissions are needed for Cloud Commitment Management cost specialists to accurately assess and manage your environment.
Predefined IAM roles
- Organization level
- Billing account level (on the billing account to be managed)
- Project level (in the project that has the Google Cloud BigQuery billing export)
Custom full management IAM role
- Organization level
- bigquery.capacityCommitments.create
- bigquery.capacityCommitments.delete
- bigquery.capacityCommitments.get
- bigquery.capacityCommitments.list
- bigquery.capacityCommitments.update
- cloudasset.assets.exportComputeCommitments
- cloudasset.assets.listComputeCommitments
- compute.commitments.create
- compute.commitments.get
- compute.commitments.list
- compute.commitments.update
- compute.commitments.updateReservations
- recommender.bigqueryCapacityCommitmentsInsights.get
- recommender.bigqueryCapacityCommitmentsInsights.list
- recommender.bigqueryCapacityCommitmentsInsights.update
- recommender.bigqueryCapacityCommitmentsRecommendations.get
- recommender.bigqueryCapacityCommitmentsRecommendations.list
- recommender.bigqueryCapacityCommitmentsRecommendations.update
- recommender.commitmentUtilizationInsights.get
- recommender.commitmentUtilizationInsights.list
- recommender.commitmentUtilizationInsights.update
- recommender.spendBasedCommitmentInsights.get
- recommender.spendBasedCommitmentInsights.list
- recommender.spendBasedCommitmentInsights.update
- recommender.spendBasedCommitmentRecommendations.get
- recommender.spendBasedCommitmentRecommendations.list
- recommender.spendBasedCommitmentRecommendations.update
- recommender.spendBasedCommitmentRecommenderConfig.get
- recommender.spendBasedCommitmentRecommenderConfig.update
- recommender.usageCommitmentRecommendations.get
- recommender.usageCommitmentRecommendations.list
- recommender.usageCommitmentRecommendations.update
Enable committed use discount (CUD) sharing
After you grant Eco the roles and full permissions to manage your environment, enable CUD sharing.
Programmatic Management Permissions (Beta)
These roles and permissions are required for the Cloud Commitment Management service account to programmatically manage your environment. They can be used in place of the direct user access permissions listed above to support a fully programmatic management model.
This capability is currently in beta and may evolve over time. These permissions should be applied only after you have agreed to active management of your account.
Prerequisite
Enable the Cloud Commerce Consumer Procurement API in your organization.
Organization Level
For resource-based committed use discounts:
- compute.commitments.create
- compute.commitments.list
- compute.reservations.create
- compute.commitments.update
For spend-based committed use discounts:
- roles/consumerprocurement.orderAdmin
- Consumer Procurement Order Administrator (roles/consumerprocurement.orderAdmin) allows creation and management of procurement orders for Marketplace commitments