Which of the following best summarizes the difference between direct downloads and subscription services?

You can configure billing on Google Cloud in a variety of ways to meet different needs. This section introduces the core concepts for your organization and for billing, and discusses how to use them effectively.

Resource Overview

What is a resource?

In the context of Google Cloud, a resource can refer to the service-level resources that are used to process your workloads (VMs, DBs, and so on) as well as to the account-level resources that sit above the services, such as projects, folders, and the organization.

What is resource management?

Resource management is focused on how you should configure and grant access to the various cloud resources for your company/team, specifically the setup and organization of the account-level resources that sit above the service-level resources. Account-level resources are the resources involved in setting up and administering your Google Cloud account.

Resource Hierarchy

Google Cloud resources are organized hierarchically. This hierarchy allows you to map your organization's operational structure to Google Cloud, and to manage access control and permissions for groups of related resources. The resource hierarchy provides logical attach points for access management policies (Identity and Access Management) and Organization policies.

Both IAM and Organization policies are inherited through the hierarchy, and the effective policy at each node of the hierarchy is the result of policies directly applied at the node and policies inherited from its ancestors.

The following diagram shows an example resource hierarchy illustrating the core account-level resources involved in administering your Google Cloud account.

Domain

• Your company Domain is the primary identity of your organization and establishes your company's identity with Google services, including Google Cloud.
• You use the domain to manage the users in your organization.
  • At the domain level, you define which users should be associated with your organization when using Google Cloud.
  • Domain is also where you can universally administer policy for your users and devices (for example, enable 2-factor authentication, reset passwords for any users in your organization).
• The Domain is linked to either a Google Workspace or Cloud Identity account.
• The Google Workspace or Cloud Identity account is associated with exactly one Organization.
• You manage the domain-level functionality using the Google Admin Console (admin.google.com).

For more information on the hierarchy of resources, see the Resource Manager documentation.

Organization

• An Organization is the root node of the Google Cloud hierarchy of resources.
• All Google Cloud resources that belong to an Organization are grouped under the Organization node, allowing you to define settings, permissions, and policies for all projects, folders, resources, and Cloud Billing accounts it parents.
• An Organization is associated with exactly one Domain (established with either a Google Workspace or Cloud Identity account), and is created automatically when you set up your domain in Google Cloud.
• Using an Organization, you can centrally manage your Google Cloud resources and your users' access to those resources. This includes:
  • Proactive management: reorganize resources as needed (for example, restructuring or spinning up a new division may require new projects and folders).
  • Reactive management: an Organization resource provides a safety net to regain access to lost resources (for example, if one of your team members loses their access or leaves the company).
• The various roles and resources that are related to Google Cloud (including the organization, projects, folders, resources, and Cloud Billing accounts) are managed within the Google Cloud console.

For more information on organizations, see the following documentation:

Folders

• Folders are a grouping mechanism and can contain projects, other folders, or a combination of both.
• To use folders, you must have an Organization node.
• Folders and projects are all mapped under the Organization node.
• Folders can be used to group resources that share common IAM policies.
• While a folder can contain multiple folders or resources, a given folder or resource can have exactly one parent.

For more details about using folders, see Creating and Managing Folders.

Projects

• All service-level resources are parented by projects, the base-level organizing entity in Google Cloud.
• Projects are required to use service-level resources (such as Compute Engine virtual machines (VMs), Pub/Sub topics, Cloud Storage buckets, and so on).
• You can use projects to represent logical projects, teams, environments, or other collections that map to a business function or structure.
• Projects form the basis for enabling services, APIs, and IAM permissions.
• Any given resource can only exist in one project.

For more details about projects, see the following documentation:

• Creating and Managing Projects
• Moving a project
• Migrating projects

Resources

• Google Cloud service-level resources are the fundamental components that make up all Google Cloud services, such as Compute Engine virtual machines (VMs), Pub/Sub topics, Cloud Storage buckets, and so on.
• For billing and access control purposes, resources exist at the lowest level of a hierarchy that also includes projects and an organization.

Labels

• Labels help you categorize your Google Cloud resources (such as Compute Engine instances).
• A label is a key-value pair.
• You can attach labels to each resource, then filter the resources based on their labels.
• Labels are great for cost tracking at a granular-level. Information about labels is forwarded to the billing system, so you can analyze your charges by label.

For more details about using labels, see Creating and Managing Labels.

Cloud Billing account & payments profile

Overview

A Cloud Billing account is set up in Google Cloud and is used to define who pays for a given set of Google Cloud resources and Google Maps Platform APIs. Access control to a Cloud Billing account is established by IAM roles. A Cloud Billing account is connected to a Google payments profile. Your Google payments profile includes a payment instrument to which costs are charged.

Cloud Billing account types

There are two types of Cloud Billing accounts:

• Self-serve (or Online) account

  • Payment instrument is a credit or debit card or ACH direct debit, depending on availability in each country or region.
  • Costs are charged automatically to the payment instrument connected to Cloud Billing account.
  • You can sign up for self-serve accounts online.
  • The documents generated for self-serve accounts include statements, payment receipts, and tax invoices, and are accessible in the Google Cloud console.

• Invoiced (or Offline) account

  • Payment instrument can be check or wire transfer.
  • Invoices are sent by mail or electronically.
  • Invoices are also accessible in the Google Cloud console, as are payment receipts.
  • You must be eligible for invoiced billing. Learn more about invoiced billing eligibility.

Payments profile types

When you create your payments profile, you'll be asked to specify the profile type. This information must be accurate for tax and identity verification. This setting can't be changed. When you are setting up your payments profile, make sure to choose the type that best fits how you plan to use your profile.

There are two types of payments profiles:

• Individual

  • You're using your account for your own personal payments.
  • If you register your payments profile as an individual, then only you can manage the profile. You won't be able to add or remove users, or change permissions on the profile.

• Business

  • You're paying on behalf of a business, organization, partnership, or educational institution.
  • You use Google payments center to pay for Play apps and games, and Google services like Google Ads, Google Cloud, and Fi phone service.
  • A business profile allows you to add other users to the Google payments profile you manage, so that more than one person can access or manage a payments profile.
  • All users added to a business profile can see the payment information on that profile.

Charging cycle

The charging cycle on your Cloud Billing account determines how and when you pay for your Google Cloud services and your use of Google Maps Platform APIs.

For self-serve Cloud Billing accounts, your Google Cloud costs are charged automatically in one of two ways:

• Monthly billing: Costs are charged on a regular monthly cycle.
• Threshold billing: Costs are charged when your account has accrued a specific amount.

For self-serve Cloud Billing accounts, your charging cycle is automatically assigned when you create the account. You do not get to choose your charging cycle and you cannot change the charging cycle.

For invoiced Cloud Billing accounts, you typically receive one invoice per month and the amount of time you have to pay your invoice (your payment terms) is determined by the agreement you made with Google.

• Find your charging cycle
• Learn more about threshold billing

A Cloud Billing account includes one or more contacts that are defined on the Google Payments profile that is connected to the Cloud Billing account. These contacts are people who are designated to receive billing information specific to the payment instrument on file (for example, when a credit card needs to be updated). To access and manage this list of contacts, you can use the Payments console or you can use the Google Cloud console.

Subaccounts are intended for resellers. If you are a reseller, you can use subaccounts to represent your customers' charges for the purpose of chargebacks.

Cloud Billing subaccounts allow you to group charges from projects together on a separate section of your invoice. A billing subaccount is a Cloud Billing account that is owned by a reseller's parent Cloud Billing account. The usage charges for all billing subacccounts are paid for by the reseller's parent Cloud Billing account. Note that the parent Cloud Billing account must be on invoiced billing.

A subaccount behaves like a Cloud Billing account in most ways: it can have projects linked to it, Cloud Billing data exports can be configured on it, and it can have IAM roles defined on it. Any charges made to projects linked to the subaccount are grouped and subtotalled on the invoice, and the effect on resource management is that access control policy can be entirely segregated on the subaccount to allow for customer separation and management.

The Cloud Billing Account API provides the ability to create and manage subaccounts. Use the API to connect to your existing systems and provision new customers or chargeback groups programmatically.

Relationships between organizations, projects, Cloud Billing accounts, and payments profiles

Two types of relationships govern the interactions between organizations, Cloud Billing accounts, and projects: ownership and payment linkage.

• Ownership refers to IAM permission inheritance.
• Payment linkages define which Cloud Billing account pays for a given project.

The following diagram shows the relationship of ownership and payment linkages for a sample organization.

In the diagram, the organization has ownership over Projects 1, 2, and 3, meaning that it is the IAM permissions parent of the three projects.

The Cloud Billing account is linked to Projects 1, 2, and 3, meaning that it pays for costs incurred by the three projects.

The Cloud Billing account is also linked to a Google payments profile, which stores information like name, address, and payment methods.

In this example, any users who are granted IAM billing roles on the organization also have those roles on the Cloud Billing account or the projects.

For more information on granting IAM billing roles, see Overview of Cloud Billing access control.

Roles Overview

What are roles?

Roles grant one or more privileges to a user that allow performing a common business function.

How do roles work in Google Cloud?

Google Cloud offers IAM to manage access control to your Google Cloud resources. IAM lets you control who (users) has what access (roles) to which resources by setting IAM policies. To assign permissions to a user, you use IAM policies to grant specific role(s) to a user. Roles have one or more permissions bundled within them, controlling user access to resources.

You can set an IAM policy (roles) at the organization level, the folder level, the project level, or (in some cases) on the service-level resource.

Policies are inherited through the hierarchy. The effective policy at each node of the hierarchy is the result of policies directly applied at the node and policies inherited from its ancestors. If you set a policy at the Organization level, it is inherited by all its child folders and projects. If you set a policy at the project level, it is inherited by all its child resources. You can enforce granular permissions at different levels in the resource hierarchy to ensure that the right individuals have the ability to spend within Google Cloud.

Best Practices for Roles

• Assign key roles to more than one person (reasonable redundancy)
• Document who your admins are and communicate those names to people in your organization
• Keep role assignments up to date

Important Roles

The following diagram represents the Google Cloud resource hierarchy in complete form, and calls out the important high-access roles at each level:

picture_as_pdf A Guide to Financial Governance in the Cloud

video_library Video library: Google Cloud Cost Management. Learn best practices for monitoring and managing your costs.

If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.