How to Onboard a GCP Parent Billing Account
Learn how to onboard a Google Cloud Platform (GCP) parent billing account in CoreStack. This type of onboarding is generally used for Reseller's parent cloud billing account
Overview
In this section, we'll help guide you in onboarding a Google Cloud Platform (GCP) Parent Billing Account into CoreStack.
Pre-onboarding
GCP Projects can be onboarded as a parent billing account. Onboarding a parent billing account allows you to discover the cost information for a parent account and all linked GCP Projects.
However, before your GCP project can be onboarded into CoreStack there are certain prerequisites that need to be set up.
GCP Project Permissions
The following permissions must be configured in your GCP Project before onboarding.
API access:
- Enable API Access for Cloud Resource Manager API, Cloud Billing API, Security Command Center API in the API & Services – Library screen.
User account permissions:
A user account must be created with the following permissions:
- For Assessment: Project Viewer (Read only).
- For Assessment + Governance: Project Editor (View and Modify).
- Security Command Center Access: Either Security Center Admin or Security Center Admin Viewer role is required for security vulnerability and compliance.
- Operations Governance: Logging Admin & Pub/Sub Admin.
Service account permissions:
A service account must be created with the following permissions:
- For Assessment: Project Viewer (Read only).
- For Assessment + Governance: Project Editor (View and Modify).
- Security Command Center Access: Either Security Center Admin or Security Center Admin Viewer role is required for security vulnerability and compliance.
- Operations Governance: Logging Admin & Pub/Sub Admin.
Parent Billing Account Prerequisites:
- Schedule queries in the GCP BigQuery console.
- Create a Bucket for BigQuery data transfer (under the same GCP Project where BigQuery exists).
NOTE: If threats and advanced security health analytic policies are required then the Security Command Center premium tier needs to be enabled.
Retrieve Onboarding Information from the GCP Console
Based on the authentication protocol being used in CoreStack (refer to the options below for guidance), certain information must be retrieved from the GCP console.
OAuth2 Protocol:
The following values must be generated/copied from your GCP Project and configured in CoreStack:
Client ID & Client Secret:
- Login to the GCP console.
- Navigate to the Credentials screen.
- Click Create credentials and select OAuth client ID.
- Select Web application in the Application type field.
- Specify the following URI in the Authorized redirect URIs field by clicking the Add URI button:
https://corestack.io/
- Click theCreate button. The Client ID and Client Secret values will be displayed.
Scope:
The OAuth 2.0 scope information for a GCP project can be found here: https://www.googleapis.com/auth/cloud-platform.
Project ID:
The project ID is a unique identifier for a project and is used only within the console.
- Navigate to the Projects screen in the GCP console.
- The Project ID will be displayed next to your GCP project in the project list.
Redirect URI:
The following redirect URI that is configured while creating the Client ID and Client Secret must be used:
https://corestack.io/
Authorization Code:
The authorization code must be generated with user consent and required permissions.
- Construct a URL in the following format:
https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=<Client ID>&redirect_uri=<Redirect URI>&scope=https://www.googleapis.com/auth/cloud-platform&prompt=consent&access_type=offline
- Open a browser window in private mode (e.g. InPrivate, Incognito) and use it to access the above URL.
- Login using your GCP credentials.
- The page will be redirected to the Redirect URI, but the address bar will have the Authorization Code specified after
code=
.
Note:
The values retrieved in the earlier steps can be used instead of
<Client ID>
and<Redirect URI>
specified in the URL format.
Copy these details and provide them while onboarding your GCP Project into CoreStack when using the OAuth2 protocol option.
Service Account Protocol:
A service account must be created in your GCP Project. Then, you need to create a service account key and download it as a JSON file. Also, the Project ID must be retrieved from your GCP Project.
How to Download the Credentials File (JSON):
- Navigate to the Credentials screen.
- Click Create credentials and select Service account. The Create service account page appears.
- Provide the necessary details to create a service account: Name, ID, Description.
- Click the Create button.
- Click Select a role to select the required roles.
- Click the Continue button.
- Click Create key.
- Select JSON as the Key type.
- Click the Create button. A JSON key file will be downloaded.
- Click Done.
Project ID:
Refer to the steps in the Project ID topic in the previous OAuth2 Based section.
Provide the JSON and Project ID while onboarding the GCP Project in CoreStack when using the Service Account protocol option.
Additional Values from the Parent Billing Account:
In addition to the prerequisites explained earlier, there are a few additional values that must be generated/copied from your GCP Parent Billing Account and configured in CoreStack.
Bucket Name:
- Login to the GCP console.
- Navigate to the Storage - Browser screen.
- Click Create bucket. The Create bucket screen appears.
- Provide a unique value in the Name your bucket field along with the other details required to create the bucket.
- Click the Create button.
- Copy the value provided in the Name your bucket field.
Billing Account ID:
- Login to the GCP console.
- Navigate to the Manage Billing Accounts screen.
- Click My Projects. A list of projects will be displayed.
- Copy the Billing Account ID for the required projects.
Set Up Cloud Billing Data Export to BigQuery:
To enable Cloud Billing data export to BigQuery, refer to the GCP configuration guide.
Provide these details in CoreStack for your Parent Billing Account onboarding, along with either the OAuth2 or Service Account information explained above, based on your Authentication Protocol selection.
Schedule Queries in GCP
Navigate to the Schedule Query Page in GCP, then follow the below steps:
- Login to the GCP console.
- Navigate to the GCP BigQuery console.
- On the left menu, click Schedule Queries. The schedule queries list appears.
- Click Create Schedule Queries located at the top of the page.
- Copy each schedule query (Daily Schedule Query, Monthly Schedule Query and On-demand Schedule Query).
- For the Daily Schedule Query, schedule it on an hourly basis.
- For the Monthly Schedule Query, schedule it on the fifth of every month.
- For the On-demand Schedule Query, run the query in real time.
Note:
You need to insert your own dataset id and bucket name into the code snippets below.
Daily Schedule Query
DECLARE
unused STRING;
DECLARE
current_month_date DATE DEFAULT DATE_SUB(@run_date, INTERVAL 0 MONTH);
DECLARE
cost_data_invoice_month NUMERIC DEFAULT EXTRACT(MONTH
FROM
current_month_date);
DECLARE
cost_data_invoice_year NUMERIC DEFAULT EXTRACT(YEAR
FROM
current_month_date);
EXPORT DATA
OPTIONS ( uri = CONCAT('gs://<your_bucket_name>/', CAST(cost_data_invoice_year AS STRING), '-', CAST(current_month_date AS STRING FORMAT('MM')), '/*.csv'),
format='JSON',
overwrite=True) AS
SELECT
*, (SELECT STRING_AGG(display_name, '/') FROM B.project.ancestors) organization_list
FROM
`<Your Complete Data setDataset ID>` as B
WHERE
B.invoice.month = CONCAT(CAST(cost_data_invoice_year AS STRING), CAST(current_month_date AS STRING FORMAT('MM')))
AND B.cost != 0.0
Monthly Schedule Query
DECLARE
unused STRING;
DECLARE
current_month_date DATE DEFAULT DATE_SUB(@run_date, INTERVAL 1 MONTH);
DECLARE
cost_data_invoice_month NUMERIC DEFAULT EXTRACT(MONTH
FROM
current_month_date);
DECLARE
cost_data_invoice_year NUMERIC DEFAULT EXTRACT(YEAR
FROM
current_month_date);
EXPORT DATA
OPTIONS ( uri = CONCAT('gs://<your_bucket_name>/', CAST(cost_data_invoice_year AS STRING), '-', CAST(current_month_date AS STRING FORMAT('MM')), '/*.csv'),
format='JSON',
overwrite=True) AS
SELECT
*, (SELECT STRING_AGG(display_name, '/') FROM B.project.ancestors) organization_list
FROM
`<Your Complete Data setDataset ID>` as B
WHERE
B.invoice.month = CONCAT(CAST(cost_data_invoice_year AS STRING), CAST(current_month_date AS STRING FORMAT('MM')))
AND B.cost != 0.0
On-demand Schedule Query
DECLARE
unused STRING;
DECLARE
current_month_date DATE DEFAULT DATE_SUB(@run_date, INTERVAL <Change the Period> MONTH);
DECLARE
cost_data_invoice_month NUMERIC DEFAULT EXTRACT(MONTH
FROM
current_month_date);
DECLARE
cost_data_invoice_year NUMERIC DEFAULT EXTRACT(YEAR
FROM
current_month_date);
EXPORT DATA
OPTIONS ( uri = CONCAT('gs://<your_bucket_name>/', CAST(cost_data_invoice_year AS STRING), '-', CAST(current_month_date AS STRING FORMAT('MM')), '/*.csv'),
format='JSON',
overwrite=True) AS
SELECT
*, (SELECT STRING_AGG(display_name, '/') FROM B.project.ancestors) organization_list
FROM
`<Your Complete Data setDataset ID>` as B
WHERE
B.invoice.month = CONCAT(CAST(cost_data_invoice_year AS STRING), CAST(current_month_date AS STRING FORMAT('MM')))
AND B.cost != 0.0
Note:
In the Period column, you need to update the interval range from 1 to 3 and create a schedule 3 times.
Onboarding
The following steps need to be performed in CoreStack to onboard a GCP Parent Billing Account.
- Navigate to the Account Governance page from the left menu. Click the Add New button in the top right and select Single Account.
- Click Start Now.
- Select the GCP option in the Public Cloud field.
- Click the Get Started button.
- Select the required option in the Access Type field. The options are: Assessment and Assessment + Governance.
- Select the Parent Billing Account option in the Account Type field.
- Select the required option in the Authentication Protocol field. The options are: OAuth2 and Service Account.
- Add the Currency type.
- Click Next.
- Provide the necessary details explained in the Pre-onboarding section earlier based on the option selected in the Authentication Protocol field (Client ID, Client Secret, Scope, Project ID, Redirect URI, Authorization Code, Bucket Name, Billing Account ID, and Dataset ID OR Bucket Name, Billing Account ID, Dataset ID, Project ID, and Credentials File (JSON)).
- Click the Validate button.
- The Advanced Settings section will be displayed with additional fields (Name and Scope).
- Modify the pre-populated name of the account in the Name field, if required.
- Select the required option in the Scope field. The options are: Account, Private, and Tenant.
- Click the I'm Done button.
After all the previous steps are completed, your GCP Project will be onboarded successfully into CoreStack. Any relevant insights and information about the resources available in the GCP Project will be populated under each of the available cloud governance pillars in CoreStack.
View Report
This section provides details on how to track cost data for your GCP Parent Billing Account.
- Click Reports, then Cost, then GCP.
- In Cost Analytics, click GCP Parent Billing Account. The GCP Parent Billing Account report appears.
- Click Cost, then Posture.
-
Click Account View.
-
Select GCP Parent Billing Account View.
-
Click Apply & Close.
The costs related to the Parent Billing Account and organization appear.
Updated 6 months ago