Example: create projects in gcp managed by separate billing accounts

Projects in GCP using Central Billing Accounts

Many organizations recognize the benefits of empowering their developers. In a cloud environment, that often means giving developers the ability to create and manage their own infrastructure.

Of course, developers can easily create their own individual or G-Suite GCP accounts. They can take advantage of the free trial that Google Cloud offers. That's great, and everything's hunky-dory until the credit runs out. What then?

In this post I describe a really simple way to set up and use centralized billing on GCP... even across external development accounts. Way better than trying to get me to fill out expense reports for infradev!


  • Organizations and account setup
  • Users and IAM roles
  • Terraform templates
  • Try it out

Organizations and account setup

Let's consider a common example with two separate organizations in the mix.

  1. An organization that's footing the bill for everything

  2. An individual developer's G-Suite organization, where we'll be doing the development

In this example, we're assuming the developer organization is a full G-Suite account and not just an ordinary GCP account created using a single email.

It's easy for an individual developer to create a new G-Suite account and that turns out to be the more typical situation for this kind of cross billing example. I also really recommend using developer G-Suite accounts for cloud development in general since they'll have the same IAM capabilities and concerns as the account.

Users and IAM roles

Each developer will need accounts in both orgs to start with.

Take Sam for example. Sam's already an Owner of with as a login.

Sam works for BigCorp and is also where they live in some folder within the organization's GCP IAM.

In your billing org:

So the billing_account_user ( needs to be able to create billing accounts within the BigCorp org.

Sam will need to be assigned a BillingAccountCreator role within the org's IAM on GCP.

In your gsuite org:

It's no surprise, the gsuite_user ( needs to be an OrganizationAdministrator on that org.

The billing_account_user ( needs permissions on the org too. They need to be:

  • a BillingAccountAdministrator for the org
  • a ProjectCreator on the org
  • and I added them as an OrganizationAdministrator on for good measure

Terraform templates

I like to manage infrastructure using Terraform and keep all my templates and modules checked into GitHub.

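The Terraform templates to create these projects are super simple. There's a provider, a resource for the managed project we want to create, and then a couple of role binding resources:

provider "google" {
  region = "${var.region}"
}

# The project lives in the G-Suite org but is billed to the central billing account
resource "google_project" "gsuite_project" {
  name       = "gsuite-project-0"
  project_id = "gsuite-project-0"

  org_id          = "${var.gsuite_org_id}"
  billing_account = "${var.billing_account_id}"
}

# google_project_iam_binding is authoritative: it replaces every member of roles/owner
resource "google_project_iam_binding" "gsuite_project_owner" {
  # Reference the resource so the binding is only applied once the project exists
  project = "${google_project.gsuite_project.project_id}"
  role    = "roles/owner"

  # Members assumed from the declared user variables; the original list is cut off here
  members = [
    "user:${var.gsuite_user}",
    "user:${var.billing_account_user}",
  ]
}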

There's no need to get Terraform to slurp in data sources for the GCP orgs, folders, billing accounts, etc. In this example, we'll just create variables for them

variable "region" {
  default = "us-central1"
}

variable "billing_account_user" {}
variable "billing_folder_id" {}
variable "billing_account_id" {}

variable "gsuite_user" {}
variable "gsuite_org_id" {}

and look up the values from the cloud consoles for both our and accounts. We'll add these to terraform.tfvars

billing_account_user = ""
billing_folder_id = "234567890123" # my-billing-folder
billing_account_id = "aaaaaa-bbbbbb-cccccc" # my-billing-account

gsuite_user = ""
gsuite_org_id = "345678901234" #

Note that there's a terraform.tfvars.template included in the example repo but the actual *.tfvars files, with sensitive account details, are ignored by revision control so you'll have to copy the template and create your own terraform.tfvars.

Try it out

Example repo

You can clone and configure the example templates


Terraform's provider for GCP needs GCP credentials for your account. The easiest thing to do to get that working before trying to run Terraform is to make sure gcloud is working correctly.

You can do that by installing gcloud and running gcloud init to go through the OAuth dance... that works. You'd need to export your GOOGLE_APPLICATION_CREDENTIALS as well... usual stuff.

However, as an easier alternative, use the cloud shell in the cloud console for your equivalent account. The gcloud config and application credentials are all already set up for you.

Side note: The cloud shell is really useful... check it out if you haven't!

Make sure you're driving terraform using credentials (your gcloud config) from the equivalent of your account and not your G-Suite org account.


Download Terraform from Terraform is a standalone binary so it's simple to install... even in your GCP Cloud Shell.

Init terraform's providers and state management

terraform init

Then check out what changes we're _plan_ning to make

terraform plan

If all looks good from there, then apply that plan to actually create our project

terraform apply

Check out the project we just created

gcloud beta billing projects list --billing-account=<billing_account_id>

Check out the same project from the Cloud Console for your G-Suite account.

Now you can use that account within your G-Suite account and any charges go straight to your BigCorp billing account.
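To check the result programmatically rather than by eye, this added example (not part of the original repo) audits the JSON printed by `gcloud projects get-iam-policy gsuite-project-0 --format=json` and `gcloud beta billing projects describe gsuite-project-0 --format=json`. The function name, the e-mail addresses and the sample JSON are constructed for illustration.

```python
import json

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def audit_project(policy, billing_info, expected_owners, billing_account_id):
    """Return a list of findings; an empty list means everything matches."""
    findings, owners = [], set()
    for binding in policy.get("bindings", []):
        role, members = binding.get("role"), set(binding.get("members", []))
        for member in sorted(members & PUBLIC_MEMBERS):
            findings.append(f"public member {member} holds {role}")
        if role == "roles/owner":
            owners |= members
    for member in sorted(owners - set(expected_owners)):
        findings.append(f"unexpected owner: {member}")
    for member in sorted(set(expected_owners) - owners):
        findings.append(f"expected owner missing: {member}")
    # Charges must land on the central billing account, and billing must be on.
    want = f"billingAccounts/{billing_account_id}"
    have = billing_info.get("billingAccountName")
    if have != want:
        findings.append(f"billing account is {have!r}, expected {want!r}")
    if not billing_info.get("billingEnabled", False):
        findings.append("billing is not enabled on the project")
    return findings


# Constructed sample data shaped like the gcloud JSON output; not real accounts.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/owner",
   "members": ["user:dev@example.test", "user:stranger@example.test"]},
  {"role": "roles/viewer", "members": ["allUsers"]}
 ], "version": 1}
""")
SAMPLE_BILLING = json.loads("""
{"projectId": "gsuite-project-0", "billingEnabled": true,
 "billingAccountName": "billingAccounts/aaaaaa-bbbbbb-cccccc"}
""")
EXPECTED_OWNERS = ["user:dev@example.test", "user:payer@example.test"]

if __name__ == "__main__":
    for finding in audit_project(SAMPLE_POLICY, SAMPLE_BILLING,
                                 EXPECTED_OWNERS, "aaaaaa-bbbbbb-cccccc"):
        print(finding)
```

Because the owner binding in the template is authoritative, any owner this reports as unexpected was added outside Terraform and will be removed on the next apply.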


When you're all done, you can clean up after yourself by removing the project and role bindings we created

terraform destroy

then deleting the billing account through the Cloud Console. You could (and should) totally manage the billing accounts themselves in the using Terraform templates as well, but that's another story.


No big corps or pink ponies were harmed in the production of this post.

