Access roles and permissions

You can start with an initial analysis to estimate how much Cloud Commitment Management can save you if you connect your GC account. For the initial analysis, Cloud Commitment Management only needs read-only permissions to your Google Cloud account. This lets the Cloud Commitment Management cost specialists review your cost and usage data so they can provide accurate analysis and insights. As part of this process, a service account will also be granted read-only permissions. This lets Cloud Commitment Management access billing and recommendation exports for your dashboards.

When you decide to onboard Cloud Commitment Management, you'll need to update the roles and permissions.

Direct user access, read-only permissions for analysis

These roles and permissions are needed for Cloud Commitment Management cost specialists to analyze your environment.

Predefined IAM roles

• Organization level:

  • roles/browser
  • roles/billing.viewer

• Project level (in the project that has the Google Cloud BigQuery billing export):

  • roles/bigquery.dataViewer

Custom analysis IAM role

• Organization level:
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.jobs.listAll
  • cloudasset.assets.exportComputeCommitments
  • cloudasset.assets.listComputeCommitments
  • compute.commitments.get
  • compute.commitments.list
  • compute.instances.get
  • compute.instances.list
  • recommender.bigqueryCapacityCommitmentsInsights.get
  • recommender.bigqueryCapacityCommitmentsInsights.list
  • recommender.bigqueryCapacityCommitmentsRecommendations.get
  • recommender.bigqueryCapacityCommitmentsRecommendations.list
  • recommender.commitmentUtilizationInsights.get
  • recommender.commitmentUtilizationInsights.list
  • recommender.spendBasedCommitmentInsights.get
  • recommender.spendBasedCommitmentInsights.list
  • recommender.spendBasedCommitmentRecommendations.get
  • recommender.spendBasedCommitmentRecommendations.list
  • recommender.spendBasedCommitmentRecommenderConfig.get
  • recommender.usageCommitmentRecommendations.get
  • recommender.usageCommitmentRecommendations.list

Service account read-only permissions for dashboard

These roles and permissions are needed for Cloud Commitment Management service account to ingest, process, and display your data on your dashboard.

Predefined IAM roles

• Project level (in the project that has the Google Cloud BigQuery billing export):
  • roles/bigquery.dataViewer
  • roles/bigquery.jobUser
  • roles/bigquery.readSessionUser

Custom service account IAM role

• Project level (in the project that has the Google Cloud BigQuery billing export):
  • monitoring.timeSeries.list
  • cloudquotas.quotas.get
  • cloudquotas.quotas.update
  • serviceusage.services.get
  • serviceusage.services.list
  • serviceusage.quotas.get
  • serviceusage.quotas.update
  • bigquery.jobs.create
  • bigquery.readsessions.create

Direct user access with full management permissions

These roles and permissions are needed for Cloud Commitment Management cost specialists to manage your environment.

Predefined IAM roles

• Organization level:

  • roles/viewer
  • roles/browser
  • roles/project.creator

• Billing account level (on the billing account to be managed):

  • roles/consumerprocurement.orderAdmin

Custom full management IAM role

• Organization level:
  • bigquery.capacityCommitments.create
  • bigquery.capacityCommitments.delete
  • bigquery.capacityCommitments.get
  • bigquery.capacityCommitments.list
  • bigquery.capacityCommitments.update
  • cloudasset.assets.exportComputeCommitments
  • cloudasset.assets.listComputeCommitments
  • compute.commitments.create
  • compute.commitments.get
  • compute.commitments.list
  • compute.commitments.update
  • compute.commitments.updateReservations
  • recommender.bigqueryCapacityCommitmentsInsights.get
  • recommender.bigqueryCapacityCommitmentsInsights.list
  • recommender.bigqueryCapacityCommitmentsInsights.update
  • recommender.bigqueryCapacityCommitmentsRecommendations.get
  • recommender.bigqueryCapacityCommitmentsRecommendations.list
  • recommender.bigqueryCapacityCommitmentsRecommendations.update
  • recommender.commitmentUtilizationInsights.get
  • recommender.commitmentUtilizationInsights.list
  • recommender.commitmentUtilizationInsights.update
  • recommender.spendBasedCommitmentInsights.get
  • recommender.spendBasedCommitmentInsights.list
  • recommender.spendBasedCommitmentInsights.update
  • recommender.spendBasedCommitmentRecommendations.get
  • recommender.spendBasedCommitmentRecommendations.list
  • recommender.spendBasedCommitmentRecommendations.update
  • recommender.spendBasedCommitmentRecommenderConfig.get
  • recommender.spendBasedCommitmentRecommenderConfig.update
  • recommender.usageCommitmentRecommendations.get
  • recommender.usageCommitmentRecommendations.list
  • recommender.usageCommitmentRecommendations.update

Enable committed use (CUD) sharing

After you grant Cloud Commitment Management the roles and full permissions to manage your environment, enable CUD sharing.