Access Roles and Permissions
You can start with an initial analysis to estimate how much Cloud Commitment Management can save you if you connect your GC account (see Connect a Google Cloud Billing Account). For the initial analysis, Cloud Commitment Management only needs read-only permissions (see Direct user access, read-only permissions for analysis) to your Google Cloud account. This lets the Cloud Commitment Management cost specialists review your cost and usage data so they can provide accurate analysis and insights. As part of this process, a service account will also be granted read-only permissions (see Service account read-only permissions for dashboard). This lets Cloud Commitment Management access billing and recommendation exports for your dashboards.
When you decide to onboard Cloud Commitment Management, you'll need to update the roles and permissions. For more information, see Direct user access with full management permissions.
Direct user access, read-only permissions for analysis
These roles and permissions are needed for Cloud Commitment Management cost specialists to analyze your environment.
Predefined IAM roles
|
•
|
Project level (in the project that has the Google Cloud BigQuery billing export): |
Custom analysis IAM role
|
•
|
bigquery.capacityCommitments.get |
|
•
|
bigquery.capacityCommitments.list |
|
•
|
cloudasset.assets.exportComputeCommitments |
|
•
|
cloudasset.assets.listComputeCommitments |
|
•
|
compute.commitments.get |
|
•
|
compute.commitments.list |
|
•
|
recommender.bigqueryCapacityCommitmentsInsights.get |
|
•
|
recommender.bigqueryCapacityCommitmentsInsights.list |
|
•
|
recommender.bigqueryCapacityCommitmentsRecommendations.get |
|
•
|
recommender.bigqueryCapacityCommitmentsRecommendations.list |
|
•
|
recommender.commitmentUtilizationInsights.get |
|
•
|
recommender.commitmentUtilizationInsights.list |
|
•
|
recommender.spendBasedCommitmentInsights.get |
|
•
|
recommender.spendBasedCommitmentInsights.list |
|
•
|
recommender.spendBasedCommitmentRecommendations.get |
|
•
|
recommender.spendBasedCommitmentRecommendations.list |
|
•
|
recommender.spendBasedCommitmentRecommenderConfig.get |
|
•
|
recommender.usageCommitmentRecommendations.get |
|
•
|
recommender.usageCommitmentRecommendations.list |
Service account read-only permissions for dashboard
These roles and permissions are needed for Cloud Commitment Management service account to ingest, process, and display your data on your dashboard.
Predefined IAM roles
|
•
|
Project level (in the project that has the Google Cloud BigQuery billing export): |
Custom service account IAM role
|
•
|
Project level (in the project that has the Google Cloud BigQuery billing export): |
|
•
|
monitoring.timeSeries.list |
|
•
|
cloudquotas.quotas.update |
|
•
|
serviceusage.services.get |
|
•
|
serviceusage.services.list |
|
•
|
serviceusage.quotas.get |
|
•
|
serviceusage.quotas.update |
|
•
|
bigquery.readsessions.create |
Direct user access with full management permissions
These roles and permissions are needed for Cloud Commitment Management cost specialists to manage your environment.
Predefined IAM roles
|
•
|
Billing account level (on the billing account to be managed): |
Custom full management IAM role
|
•
|
bigquery.capacityCommitments.create |
|
•
|
bigquery.capacityCommitments.delete |
|
•
|
bigquery.capacityCommitments.get |
|
•
|
bigquery.capacityCommitments.list |
|
•
|
bigquery.capacityCommitments.update |
|
•
|
cloudasset.assets.exportComputeCommitments |
|
•
|
cloudasset.assets.listComputeCommitments |
|
•
|
compute.commitments.create |
|
•
|
compute.commitments.get |
|
•
|
compute.commitments.list |
|
•
|
compute.commitments.update |
|
•
|
compute.commitments.updateReservations |
|
•
|
recommender.bigqueryCapacityCommitmentsInsights.get |
|
•
|
recommender.bigqueryCapacityCommitmentsInsights.list |
|
•
|
recommender.bigqueryCapacityCommitmentsInsights.update |
|
•
|
recommender.bigqueryCapacityCommitmentsRecommendations.get |
|
•
|
recommender.bigqueryCapacityCommitmentsRecommendations.list |
|
•
|
recommender.bigqueryCapacityCommitmentsRecommendations.update |
|
•
|
recommender.commitmentUtilizationInsights.get |
|
•
|
recommender.commitmentUtilizationInsights.list |
|
•
|
recommender.commitmentUtilizationInsights.update |
|
•
|
recommender.spendBasedCommitmentInsights.get |
|
•
|
recommender.spendBasedCommitmentInsights.list |
|
•
|
recommender.spendBasedCommitmentInsights.update |
|
•
|
recommender.spendBasedCommitmentRecommendations.get |
|
•
|
recommender.spendBasedCommitmentRecommendations.list |
|
•
|
recommender.spendBasedCommitmentRecommendations.update |
|
•
|
recommender.spendBasedCommitmentRecommenderConfig.get |
|
•
|
recommender.spendBasedCommitmentRecommenderConfig.update |
|
•
|
recommender.usageCommitmentRecommendations.get |
|
•
|
recommender.usageCommitmentRecommendations.list |
|
•
|
recommender.usageCommitmentRecommendations.update |
Enable Committed Use (CUD) Sharing
After you grant Cloud Commitment Management the roles and full permissions to manage your environment, enable CUD sharing.