Configuring GCP Accounts at the Organization Level

January 7, 2025

Benefit: CloudHealth is granted access to all projects in the billing account at the organization level.

Overview: Create a custom role at the organization level and add the service account as an organization-level IAM member with that role. When new projects are added to the billing account, they automatically inherit the organization-level role binding.

You must create a new custom role for the organization-level setup, even if you have already created an Owner role or your default Editor role has all the permissions.

Use When:

  • You want easy maintenance.
  • You don't want to create a new custom role or IAM member for each newly created project.
  • You want to update only the organization-level role each time CloudHealth adds support for a new service.

Configuring GCP Accounts in the Google Console

You can configure your GCP account using the Google Console. CloudHealth recommends using the Google Console if you are a new Google Cloud user or are unfamiliar with gcloud.

Step 1 of 6

Create a Custom Role

Create a custom role in the Google Console that you can later assign to your service account.

  1. Log in to the Google Console and select the organization associated with the billing account.

  2. In the left menu, go to IAM & admin > Roles and select Create Role.

  3. Give your custom role a unique name in the Title field.

  4. Select Add Permissions.

  5. Download Least Privileged Custom Role YAML file. Select, at minimum, the permissions specified in the YAML file.

Without these permissions, CloudHealth is unable to provide reports and recommendations on how to save costs. You can assign additional permissions beyond the above list as needed.

  6. Click Add.
  7. Click Create.

Step 2 of 6

Create Service Account

  1. Open a text document, such as TextEdit or NotePad, so that you can store specific parameters that you need to provide in the CloudHealth Platform.

  2. Log in to the Google Cloud Console, and select a project assigned to the billing account you want to add to CloudHealth.

Because CloudHealth connects to your Google billing account via the selected project, do not select a project that might be deleted in the future.

  3. From the left menu, go to Billing and open the billing account associated with the project, and then click Account management. Copy the billing account ID into the text document.

GCP Account management

  4. From the left menu, click IAM & Admin > Service Accounts.

  5. On the Service accounts page, click Create Service Account.

Create Service Account

  6. In the Service account details section, name the service account, add a description, and click Create and Continue.

Service account details

  7. In the Grant this service account access to project section, select the custom role you created from the Role dropdown, and then click Continue.

Grant account access to project

  8. Click Done to finish creating the service account. The newly created account is listed on the Service accounts page.
  9. Find and copy the complete email address of the newly created service account, including the @ suffix. Paste this service account ID into the text document.
  10. In the Actions column, click the More Options icon, and select Manage keys.

Manage Keys

  11. Click Add Key > Create New Key.
  12. CloudHealth supports only the JSON key type. Click Create. The key is downloaded to your computer.

Checkpoint: At this point, you have the following information in the text document.

  • Billing Account ID
  • Service Account ID
  • Private Key

Step 3 of 6

Assign Service Account as IAM Member to Organization

  1. Select the organization associated with the billing account.

  2. From the left menu, select IAM and Admin and click Add.

  3. In the Members field, paste the ID of the service account you created. From the Role dropdown, select the custom role you created. Click Add.

Step 4 of 6

Enable APIs for All Projects

Enable APIs that allow CloudHealth to gather cost and tagging information.

  1. In the Google Cloud Console, select a project associated with your billing account. From the left menu, select APIs & Services > Dashboards.

APIs and Services

  2. Search for and locate the following APIs. Then click Enable APIs and Services on the landing page of each API.

    • Compute Engine API
    • Cloud Billing API
    • Cloud Storage API
    • Cloud Resource Manager API
    • Google Cloud Storage JSON API
    • BigQuery API
    • Recommender API
    • Kubernetes Engine API
    • Cloud Dataproc API

Search for APIs and Services

Enable API

  3. Repeat the preceding steps for every project associated with the billing account.

Step 5 of 6

Enable BigQuery with CloudHealth

CloudHealth requires your service account role to be enabled with certain permissions to properly access and report on your BigQuery data. These permissions are not included in the default Viewer role in the Google Console. If you have assigned your service account a Viewer role, you cannot view your BigQuery data in CloudHealth and must change your service account role to a custom role.

BigQuery is Google's enterprise data warehouse. BigQuery provides billing data that contains more information on customer datasets and is easier to use for custom reporting than daily CSV exports.

BigQuery must be enabled for billing export in the Google Console before you can enable BigQuery in the CloudHealth Platform. Complete these instructions to do so.

  1. In the Google Cloud Console, switch to a project associated with your billing account. Copy the Project ID from the Project info section, and paste it in the text document.

Project ID

  2. From the left menu, select Billing, and select your billing account.

  3. From the left menu, select Billing export. Copy the Dataset name, and paste it in the text document.

Dataset Name

Once you have enabled billing export for CloudHealth, ensure that your GCP BigQuery table is not empty. To verify whether the table contains cost data, click the BigQuery table name in the left navigation and select the Preview tab. For the GCP account configuration to succeed, the GCP BigQuery table must contain cost data.

Empty BigQuery Table

The CloudHealth platform supports enabling both Standard usage cost and Detailed usage cost. The Standard option with the database table name gcp_billing_export_v1_<billing account ID> is selected by default. If you enable the Detailed option, you must update the database table name to gcp_billing_export_resource_v1_<BILLING_ACCOUNT_ID> via API. Though the Detailed table provides additional fields, note that CloudHealth does not report on any new data from the resource table.
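For teams that prefer gcloud over the Console, the following script is an added example (not CloudHealth's own tooling) that performs Steps 1 through 4 from the command line and adds a Step 5 check that the billing export table has rows. It assumes placeholder values for ORG_ID, PROJECT_ID and BILLING_ACCOUNT_ID, that the Least Privileged Custom Role YAML from Step 1 is saved as cloudhealth-role.yaml in the gcloud role-file format, and that the service account and role names shown are your own choice.

```shell
#!/bin/sh
# Added example, not CloudHealth's own tooling: gcloud/bq equivalent of Steps 1-5.
# Assumed inputs: ORG_ID, PROJECT_ID and BILLING_ACCOUNT_ID placeholders, plus the
# Least Privileged Custom Role YAML from Step 1 saved as cloudhealth-role.yaml.
set -eu

# Service names of the APIs listed in Step 4, in the same order as the page.
CLOUDHEALTH_APIS="compute.googleapis.com cloudbilling.googleapis.com \
storage-component.googleapis.com cloudresourcemanager.googleapis.com \
storage-api.googleapis.com bigquery.googleapis.com recommender.googleapis.com \
container.googleapis.com dataproc.googleapis.com"

# Fully qualified name of an organization-level custom role.
role_name() { printf 'organizations/%s/roles/%s' "$1" "$2"; }
# IAM member string for a service account (account name, project ID).
sa_member() { printf 'serviceAccount:%s@%s.iam.gserviceaccount.com' "$1" "$2"; }
# Standard export table: dashes in the billing account ID become underscores.
export_table() { printf '%s.%s.gcp_billing_export_v1_%s' "$1" "$2" "$(printf '%s' "$3" | sed 's/-/_/g')"; }
# Execute, or only print the command when DRY_RUN=1 so changes can be reviewed first.
run() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "+ $*"; else "$@"; fi; }

setup_cloudhealth() {  # args: ORG_ID PROJECT_ID BILLING_ACCOUNT_ID
  org=$1; project=$2; billing=$3; sa=cloudhealth-collector; role_id=CloudHealthReader
  # Step 1: custom role created at the organization level from the downloaded YAML.
  run gcloud iam roles create "$role_id" --organization="$org" --file=cloudhealth-role.yaml
  # Step 2: service account in a project that will not be deleted later.
  run gcloud iam service-accounts create "$sa" --project="$project" --display-name=CloudHealth
  # Step 3: organization-level binding, inherited by every project under the organization.
  run gcloud organizations add-iam-policy-binding "$org" \
    --member="$(sa_member "$sa" "$project")" --role="$(role_name "$org" "$role_id")"
  # JSON is the only key type CloudHealth accepts; keep the file out of version control.
  run gcloud iam service-accounts keys create cloudhealth-key.json \
    --iam-account="${sa}@${project}.iam.gserviceaccount.com"
  # Step 4: enable the APIs on every project linked to the billing account.
  if [ "${DRY_RUN:-0}" = "1" ]; then projects=$project; else
    projects=$(gcloud beta billing projects list --billing-account="$billing" --format='value(projectId)')
  fi
  for p in $projects; do run gcloud services enable $CLOUDHEALTH_APIS --project="$p"; done
}

# Step 5 check: the export table must contain rows before the account is added to CloudHealth.
verify_billing_export() {  # args: PROJECT_ID DATASET BILLING_ACCOUNT_ID
  run bq query --use_legacy_sql=false --format=csv \
    "SELECT COUNT(*) AS row_count FROM \`$(export_table "$1" "$2" "$3")\`"
}

# Only act when invoked with arguments, so the file can be sourced and reviewed.
if [ "$#" -ge 3 ]; then setup_cloudhealth "$@"; fi
```

Run it once with DRY_RUN=1 to review the exact commands before they touch the organization's IAM policy.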

Step 6 of 6

Configure Automated Billing Account in CloudHealth

You need to configure only the billing account. CloudHealth discovers all derived projects associated with the billing account that have incurred costs.

  1. Log in to the CloudHealth platform and from the left menu, select Setup > Accounts > GCP Billing. Then click Add Account.

  2. Enter all the information from the text document into the appropriate fields.

Service Account

  3. In the Service Account section, select Choose file and upload the JSON private key.

When you use a JSON key, CloudHealth verifies that the project ID in the JSON key matches the ID of the project to which you are attaching the credentials.

  4. If you want to use different service accounts to collect billing statements, select the Enable a separate service account for projects linked to this billing account (Optional) checkbox. Select Choose file and upload the JSON private key for the derived projects.

This option should be used if you want to use different service accounts for billing data collection and asset metadata collection.

Service Account for Linked Projects

  5. Click Save Account.

CloudHealth validates new Google Service Accounts and derived projects every 4 hours. You can view derived projects by going to Setup > Accounts > GCP Project. Projects you enable in the CloudHealth Platform change status from Not Configured to Green, Yellow, Red, or Pending.

The newly configured GCP billing accounts are onboarded automatically, and within 48 hours you will see the cost data in the CloudHealth platform.