Configure GCP Partner Customers using Sub Billing Accounts

CloudHealth recommends creating a partner-owned service account to access customer billing information. You can reuse the same service account for all your partner customers.

1. Enter the following command in gcloud to create a partner-owned custom role to access billing information in the master billing export. Replace <insert project id> with the ID of your project that contains the master billing export.

   gcloud iam roles create billingcollectionrole --project <insert project id> \
     --title "Used for Billing Collection" --description \
     "Used to collect billing data out of BigQuery" --permissions \
   resourcemanager.projects.get,bigquery.datasets.get,bigquery.jobs.create,bigquery.tables.get,bigquery.tables.getData \
     --stage GA
   

2. Enter the following command to create a partner-owned service account to collect billing information from the master billing export. Replace <insert project id> with the ID of your project that contains the master billing export.

   gcloud iam service-accounts create billingserviceaccount
   --project <insert project id>
   

3. Enter the following command to create a private key for the newly created service account and to save the key to the $HOME directory of your instance. Replace <insert project id> with the ID of your project that contains the billing export.

   gcloud iam service-accounts keys create \
   --iam-account billingserviceaccount@<insert project id>.iam.gserviceaccount.com sakey
   .json
   

4. Enter the following command to download the service account key to your local machine.

   cloudshell download sakey.json
   

5. Enter the following command to assign the custom role to the new service account to allow the service account to access customer billing data. Replace <insert project id> with the ID of your project that contains the billing export.

   gcloud projects add-iam-policy-binding <insert project id> --member serviceAccount:billingserviceaccount@<insert project id>.iam.gserviceaccount.com \
   --role projects/<insert project id>/roles/billingcollectionrole
   

1. Enter the following command to get the organization id of the Partner

   gcloud organizations list
   

2. Enter the following command to assign the service account you created in Step 1 as an IAM member in the partner organization. Replace <insert project id> with the ID of the partner-owned project that the service account was created in, and <insert org id> with the ID of the partner organization.

   gcloud organizations add-iam-policy-binding <insert org id> --member user:billingserviceaccount@<insert project id>.iam.gserviceaccount.com \
   --member serviceAccount:billingserviceaccount@<insert project id>.iam.gserviceaccount.com \
   --role organizations/<insert org id>/roles/billingcollectionrole
   

CloudHealth requires your service account role to be enabled with certain permissions to properly access and report your BigQuery data. These permissions are not included in the default Viewer role in the Google Console. If you have assigned your service account a Viewer role, you cannot view your BigQuery data in CloudHealth and must change your service account role to a custom role.

Enable BigQuery to allow CloudHealth to gather data from your BigQuery dataset. You only need to enable BigQuery with CloudHealth once for all partner customers.

1. If you haven’t enabled BigQuery in the Google Console yet, enter the following command to create a BigQuery dataset. Replace <insert project id> with the ID of your project that contains the billing export. If you have already enabled BigQuery in the Google Console, skip this step.

bq mk <insert project id>:billing

2. Enter the following command to enable BigQuery API. Replace <insert project id> with the ID of your project that contains the billing export.

gcloud services enable bigquery-json.googleapis.com --project <insert   project id>

Enter the following command to enable APIs to allow CloudHealth to collect billing data from partner-owned projects. You only need to enable APIs for partner-owned projects once for all partner customers. Replace <insert project id> with the ID of your project that contains the billing export.

gcloud services enable cloudresourcemanager.googleapis.com --project <insert project id>

BigQuery must be enabled for billing export in the Google Console before you can enable BigQuery in the CloudHealth Platform. Complete these instructions to do so.

To configure the BigQuery Billing Export, use the dataset (billing) that was created previously in Step 2.

1. In the Google Cloud Console, and switch to a project associated with your Partner Master Billing Account. Copy the Project ID from the Project info section, and paste it in a text document.

2. From the left menu, select Billing, and select your Master billing account.

3. From the Billing navigation menu, select Billing export. Copy the Dataset name, and paste it in the text document.

Once you enable Billing export to BigQuery, ensure your GCP BigQuery table is not empty. To verify whether the table contains cost data, select BigQuery from the left Navigation menu. Within BigQuery Explorer, click the BigQuery table name and select the Preview tab. For the successful configuration of the GCP accounts, the GCP BigQuery table must include the cost data.

The CloudHealth platform supports enabling either the Standard usage cost data or the Detailed usage cost data. The Standard usage cost data option will contain the BigQuery table name gcp_billing_export_v1_<billing account ID>, this is selected by default in the CloudHealth Platform. If you enable the Detailed usage cost data option, you must update the database table name to gcp_billing_export_resource_v1_<BILLING_ACCOUNT_ID> via API. Though the Detailed usage cost data provides additional fields, note that CloudHealth does not report on any new data from the resource table.

CloudHealth recommends creating a customer-owned service account to collect customer asset and rightsizing information. You must create a new service account and custom role for each customer you manage.

This step creates a custom role and IAM member at the organization level and assigns them to the service account. When new projects are added to the billing account, the organization-level role and IAM member are automatically inherited by the new projects.

1. Enter the following command to get the organization id.

   gcloud organizations list
   

2. Enter the following gcloud command to create a customer-owned custom role to access customer asset and rightsizing information. Replace <insert org id> with the ID of the customer organization.

gcloud iam roles create projectcollectionrole --organization <insert 
org id> \
--title "Used For Project Level Collection" --description \
"Used to collect Project level data" --permissions \
resourcemanager.projects.get,compute.disks.get,compute.disks.list,com
pute.images.get,compute.images.list,compute.instances.get,compute.ins
tances.list,compute.projects.get,compute.regions.get,compute.regions.
list,storage.buckets.get,storage.buckets.list,dataproc.clusters.list,
compute.addresses.list,container.clusters.list,compute.snapshots.get,
compute.snapshots.list,compute.zones.get,compute.zones.list,recommend
er.computeInstanceMachineTypeRecommendations.get,recommender.computeI
nstanceMachineTypeRecommendations.list,recommender.computeInstanceMac
hineTypeRecommendations.update,recommender.locations.get,recommender.
locations.list \
--stage GA

3. Enter the following command to create a customer service account for customer asset and rightsizing information. Replace <insert project id> with the ID of a customer-owned project.

 gcloud iam service-accounts create projectserviceaccount  
--project <insert project id> 

4. Enter the following command to create a private key for the newly created service account and to save the key to the $HOME directory of your instance. Replace <insert project id> with the ID of a customer-owned project.

   gcloud iam service-accounts keys create \ 
   --iam-account projectserviceaccount@<insert project id>.iam.gserviceaccount.com psakey.json 
   

5. Enter the following command to download the service account key to your local machine.

   cloudshell download psakey.json
   

6. Enter the following command to assign the custom role to the new service account to allow the service account to access customer asset and rightsizing data. Replace <insert project id> with the ID of a customer-owned project and <insert org id> with the ID of the customer organization.

gcloud projects add-iam-policy-binding <insert project id> --member 
serviceAccount:projectserviceaccount@<insert 
project id>.iam.gserviceaccount.com \
--role organizations/<insert org id>/roles/projectcollectionrole

7. Enter the following command to assign the service account as an IAM member in the customer organization. Replace <insert project id> with the ID of a customer-owned project and <insert org id> with the ID of the customer organization.

gcloud organizations add-iam-policy-binding <insert org id> --member 
user:projectserviceaccount@<insert project id>.iam.gserviceaccount.com \
--member serviceAccount:projectserviceaccount@<insert project id>.iam.gserviceaccount.com \
--role organizations/<insert org id>/roles/projectcollectionrole

Enter the following gcloud command to enable APIs to allow CloudHealth to collect asset and rightsizing data from customer-owned projects.

You must repeat this step for each partner customer.

for project in $(gcloud projects list --format="value(projectId)")
do
if [[ $(gcloud beta billing projects describe $project --format="value(billingEnabled)") = "True" ]];
then
echo "ProjectId: $project - Enabling APIs..."
gcloud services enable compute.googleapis.com \
cloudresourcemanager.googleapis.com \
storage-component.googleapis.com \
recommender.googleapis.com \
container.googleapis.com \
dataproc.googleapis.com \
--project $project
fi;
done

• This gcloud command only enables the APIs for existing projects. If you create new projects in the future, you must manually enable the above APIs for the new projects.
• Allow about 32 hours for the platform to collect and process the data from GCP to project the costs.

Configure the customer billing account in the CloudHealth Platform.

You must repeat this step for each partner customer you manage.

1. Log in to the CloudHealth Platform and navigate to the customer tenant. From the left menu, select Setup > Accounts > GCP Billing. Then click Add Account.

2. Enter a friendly name for the billing account, the sub billing account ID, and the BigQuery information from Step 4 (Project ID and Dataset name).

3. By default, the BigQuery table field is filled with the BigQuery table associated with the customer Billing Account ID. As this is a partner customer sub-billing account, you must replace this autogenerated table with the partner's master billing account's BigQuery table. You cannot modify the autogenerated table name in the Platform, and as such, you must complete this step later via API.

4. In the Service Account section, select Choose file and upload the JSON private key of the partner-owned billing service account created in Step 1.

When you use a JSON key, CloudHealth verifies that the project ID in the JSON key matches the ID of the project to which you are attaching the credentials.

5. Select the Enable a separate service account for projects linked to this billing account. (Optional) checkbox. Select Choose file and upload the JSON private key for the customer owned project service account created in Step 5. The Service Email is derived from the uploaded JSON key.

This option should be used if you want to use different service accounts for billing data collection and asset metadata collection.

6. Click Save Account.

7. The partner customer sub-billing account must now be linked to the master billing account's BigQuery table. This task can only be done using the CloudHealth API. Run the Modify Existing GCP Billing Account endpoint and update the bq_billing_table parameter for the correct table name.

CloudHealth validates new Google Service Accounts and derived projects every 4 hours. You can view derived projects by going to Setup > Accounts > GCP Project. Projects you enable in the CloudHealth Platform will change status from Not Configured to Green, Yellow, Red, or Pending. See Status of Google Project to learn more about what each status represents.