Setting up a Google Cloud service account for billing data monitoring

This topic describes the steps to set up a valid service account that Turbonomic will use to connect to your Google Cloud environment and monitor billing data. Without this data, Turbonomic cannot discover any cost data used for analysis.

Task overview

To set up a service account, perform the following tasks in Google Cloud:

  1. Create a service account for billing data monitoring.

  2. Create a custom role and then assign the role to the service account.

  3. Add the Billing Account Viewer role to the service account.

Creating a service account for billing data monitoring

Create a service account and generate a key file for the account. The key file is required when adding a Google Cloud Billing target in the Turbonomic user interface.

For seamless monitoring of your Google Cloud resources, create the service account in a project that does not typically hit the rate limits enforced by Google Cloud, such as a non-production project.

Note:

You can use the existing service account that you set up for workload monitoring, or create a new one specifically for billing data monitoring. Skip to the next task if you plan to use your existing service account.

  1. In the project that will host the new service account, open a gcloud CLI session.

  2. Create a service account.

    gcloud iam service-accounts create <SERVICE_ACCOUNT_NAME>

    Where:

    <SERVICE_ACCOUNT_NAME> is the internal name of the new service account. The name must be between 6 and 30 characters in length.

  3. Record the following information for later use.

    • <SERVICE_ACCOUNT_NAME>

    • <PROJECT_ID>

      Note:

      <PROJECT_ID> identifies the project that hosts the service account. You need this information to review or edit the service account later.

  4. Generate a key file for the service account.

    gcloud iam service-accounts keys create <KEY_FILE_NAME> \
      --iam-account=<SERVICE_ACCOUNT_NAME>@<PROJECT_ID>.iam.gserviceaccount.com

    Where:

    • <KEY_FILE_NAME> is your preferred name for the key file.

    • <SERVICE_ACCOUNT_NAME> is the name of the service account that you created.

    • <PROJECT_ID> is the project that hosts the service account.

  5. Download the key file to your local machine. You will use the key file later when you add a Google Cloud target in the Turbonomic user interface.

    cloudshell download <KEY_FILE_NAME>

    Where:

    <KEY_FILE_NAME> is the key file name that you specified in the previous step.

Creating and assigning a custom role for billing data monitoring

This custom role is required and must be created in the project that stores billing data. The role specifies the permissions that Turbonomic needs to discover and monitor billing data.

  1. Create a custom role.

    gcloud iam roles create <ROLE_ID_BILL> --project=<PROJECT_ID_BILL> \
      --title='Turbonomic Billing Data Viewer Role' \
      --description='Minimum permissions to view billed cost and pricing in the Google Cloud project' \
      --permissions="bigquery.jobs.create,\
    bigquery.tables.get,\
    bigquery.tables.getData,\
    bigquery.tables.list,\
    billing.accounts.get,\
    billing.resourceAssociations.list,\
    compute.commitments.list,\
    compute.diskTypes.list,\
    compute.machineTypes.list,\
    compute.regions.list,\
    compute.zones.list" --stage=ALPHA

    Where:

    • <ROLE_ID_BILL> is your preferred ID for the custom role.

    • <PROJECT_ID_BILL> is the project that stores billing data.

  2. Assign the custom role to the service account.

    gcloud projects add-iam-policy-binding <PROJECT_ID_BILL> \
      --member=serviceAccount:<SERVICE_ACCOUNT_NAME>@<PROJECT_ID>.iam.gserviceaccount.com \
      --role=<ROLE_NAME_BILL>

    Where:

    • <PROJECT_ID_BILL> is the project that stores billing data.

    • <SERVICE_ACCOUNT_NAME> is the name of the service account that you created.

    • <PROJECT_ID> is the project that hosts the service account.

    • <ROLE_NAME_BILL> is the complete path for the role name, expressed as follows:

      projects/<PROJECT_ID_BILL>/roles/<ROLE_ID_BILL>

      Note:

      <ROLE_ID_BILL> was created in a previous step.
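
To confirm that the custom role and its binding match the commands in this task, the following added example (not part of the Turbonomic documentation) audits the JSON printed by `gcloud iam roles describe <ROLE_ID_BILL> --project=<PROJECT_ID_BILL> --format=json` and `gcloud projects get-iam-policy <PROJECT_ID_BILL> --format=json`. The function name, project IDs, role ID, account name and sample JSON are constructed placeholders.

```python
import json

# Permissions granted by the gcloud iam roles create command in this task.
EXPECTED = frozenset("""
bigquery.jobs.create bigquery.tables.get bigquery.tables.getData
bigquery.tables.list billing.accounts.get billing.resourceAssociations.list
compute.commitments.list compute.diskTypes.list compute.machineTypes.list
compute.regions.list compute.zones.list
""".split())


def audit_billing_access(role_json, policy_json, sa_email, role_name):
    """Return sorted findings; an empty list means the setup matches this task."""
    role = json.loads(role_json)
    policy = json.loads(policy_json)
    member = "serviceAccount:" + sa_email
    findings = []

    granted = set(role.get("includedPermissions", []))
    for perm in EXPECTED - granted:
        findings.append("role is missing permission " + perm)
    for perm in granted - EXPECTED:
        findings.append("role has unexpected permission " + perm)

    # Roles bound directly to the service account in the billing project.
    bound = {b["role"] for b in policy.get("bindings", [])
             if member in b.get("members", [])}
    if role_name not in bound:
        findings.append("custom role is not bound to " + member)
    for extra in bound - {role_name}:
        findings.append("service account also holds " + extra)
    return sorted(findings)


# Constructed sample data (placeholder project, role and account names).
SA = "turbo-billing@example-host-project.iam.gserviceaccount.com"
ROLE = "projects/example-billing-project/roles/turboBillingViewer"
# One permission dropped and one unrelated permission added, to trigger findings.
SAMPLE_PERMS = (EXPECTED - {"compute.zones.list"}) | {"storage.buckets.list"}
SAMPLE_ROLE = json.dumps({"name": ROLE, "includedPermissions": sorted(SAMPLE_PERMS)})
SAMPLE_POLICY = json.dumps({"version": 1, "bindings": [
    {"role": ROLE, "members": ["serviceAccount:" + SA]},
    {"role": "roles/editor",
     "members": ["serviceAccount:" + SA, "user:admin@example.com"]},
]})

if __name__ == "__main__":
    for finding in audit_billing_access(SAMPLE_ROLE, SAMPLE_POLICY, SA, ROLE):
        print("FINDING:", finding)
```

The check covers only direct bindings in the billing project's policy. The organization-level `roles/billing.viewer` binding from the next task and any inherited or group-based grants are outside its scope.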

Adding the billing account viewer role to the service account

  1. Add the predefined Billing Account Viewer role to the service account.

    gcloud organizations add-iam-policy-binding <ORGANIZATION_ID> \
      --member=serviceAccount:<SERVICE_ACCOUNT_NAME>@<PROJECT_ID>.iam.gserviceaccount.com \
      --role=roles/billing.viewer

    Where:

    • <ORGANIZATION_ID> is the ID of your Google Cloud organization.

    • <SERVICE_ACCOUNT_NAME> is the name of the service account that you created.

    • <PROJECT_ID> is the project that hosts the service account.

Next step

In the Turbonomic user interface, add a Google Cloud Billing target. For details, see this topic.