# Manual {% hint style="info" %} The user performing the integration must have the following roles assigned: 1\. **Owner** on your projects/folders to be onboarded\ 2\. **Organisation Administrator** on your organisation\ \ **Why this is needed?**\ Owner role is used to assign IAM roles to the service account & external user. Organisation Administrator role is used to create a new billing project. {% endhint %} {% hint style="warning" %} Below APIs must be enabled on your projects for OneLens to be able to read usage data on the respective services: 1. `Vertex AI API` *(aiplatform.googleapis.com)* 2. `Cloud Functions API` *(cloudfunctions.googleapis.com)* 3. `Cloud SQL Admin API` *(sqladmin.googleapis.com)* 4. `Compute Engine API` *(compute.googleapis.com)* 5. `Kubernetes Engine API` *(container.googleapis.com)* 6. `Dataflow API` *(dataflow\.googleapis.com)* 7. `Cloud Dataproc API` *(dataproc.googleapis.com)* 8. `Cloud Filestore API` *(file.googleapis.com)* 9. `Cloud Monitoring API` *(monitoring.googleapis.com)* 10. `Network Management API` *(networkmanagement.googleapis.com)* 11. `Recommender API` *(recommender.googleapis.com)* 12. `Google Cloud Memorystore for Redis API` *(redis.googleapis.com)* 13. `Service Usage API` *(serviceusage.googleapis.com)* 14. `Cloud Asset API` *(cloudasset.googleapis.com)* 15. `BigQuery API` *(bigquery.googleapis.com)* \ The above APIs must be enabled for ***each*** project to be onboarded. For steps on how to enable APIs, please follow this link to Google’s [documentation](https://cloud.google.com/apis/docs/getting-started#enabling_apis). {% endhint %} {% stepper %} {% step %} ### Create the Billing project and enable cost export * Login to the Google Cloud Platform console. * In the `Project Picker` menu on top, create a project with the name “*OneLens Billing Project*”.

* Using the `Project Picker` menu on top, open the newly created project "*OneLens Billing Project*". * In the left menu, open `BigQuery Studio`. * In the `BigQuery Explorer` pane, click the `3 dots` to the right of the billing project ID, and click `Create dataset`.

* In the opened `Create dataset` menu, enter the following data: * Under `Dataset ID`, enter “*billing\_export*”. * Under `Location type`, select *Multi-region*. * Under `Multi-region`, select *US (multiple regions in the United States)*

The dataset location is set to US (multiple regions in the United States) to export cost data retroactively from the start of the previous month during the initial setup.

https://cloud.google.com/billing/docs/how-to/export-data-bigquery-tables#data-availability

* Under `Advanced options`, make sure the `Enable table expiry` option is *unchecked*.

By disabling the table expiry for the BigQuery dataset, we ensure that the Single Source of Truth for your cloud costs remains intact indefinitely, enabling deep historical analysis, accurate forecasting, and audit compliance.

https://docs.cloud.google.com/billing/docs/how-to/export-data-bigquery

* Click `Create data set`. * Go to `Billing` on the left menu. * Under `Cost management`, select `Billing export` in the left menu. * Enable `Detailed usage cost` with the following options: * Under `Projects`, select the billing project created (*OneLens Billing Project)*. * Under `Dataset`, select the dataset created (*billing\_export*). * Click `Save`.

* Similarly, enable `Pricing` with the following options: * Under `Projects`, select the billing project created (*OneLens Billing Project*). * Under `Dataset`, select the dataset created (*billing\_export*). * Click `Save`.

Pricing data includes custom pricing data for your resources, if you have custom contracts with Google.

https://docs.cloud.google.com/billing/docs/how-to/export-data-bigquery-tables/pricing-data#pricing-data-schema

* Using the search bar on top, search for and enable the `Cloud Billing API` on this project.

{% endstep %} {% step %} ### Create the Service Account and assign permissions on the Billing project * In the `Project Picker` menu on top, select the new billing project created just now (i.e., *OneLens Billing Project*) * Go to `IAM and admin` on the left bar. * Go to `Service accounts` and click on `+ Create service account`. * Enter the `Service account name` as “*OneLens Reader SA*” * `Service account ID` should be automatically generated. * Enter the `Service account description` as: *SA used by OneLens with read-only roles for FinOps analysis*. * Click `Create and continue`.

* Under `Permissions`, search for and select the following roles: * `BigQuery Data Viewer` * `BigQuery Metadata Viewer` * `BigQuery Job User` * `BigQuery Read Session User` * Click `Continue`

* Click `Done` * On the left, under `IAM and admin`, select `Service Accounts` * Select the service account that was created just now (i.e., *OneLens Reader SA*). * Under the `Principals with access` tab, click `+ Grant access`. * Under `Add principals`, enter the following values * `onelens-customer-sa@astuto-prod-mum.iam.gserviceaccount.com` (our backend Service Account) * `onelens.finops@astuto.ai` (our external user email) * Under `Assign Roles`, add the following role: * `Service Account Token Creator` * Click `Save`.

{% endstep %} {% step %} ### Assign Billing project roles to the External User * In the `Project Picker` menu on top, select the new billing project created just now (i.e., *OneLens Billing Project*) * Go to `IAM and admin` and click `+ Grant access`. * Under `Add principals`, enter the value of the `external user email ID` provided to you by the OneLens team: `onelens.finops@astuto.ai` * Under Assign Roles, add the following roles and click Save: * `BigQuery Data Viewer` * `BigQuery Metadata Viewer` * `BigQuery Job User`

{% endstep %} {% step %} ### Assign Organisation-level roles for Service Account and External User * Open the `Project Picker` menu and select your `organisation`. * Go to `IAM and admin` and click `+ Grant access`. * Under `Add principals`, search for and select the `service account` that was created (i.e., *OneLens Reader SA*) and the external user email (i.e., `onelens.finops@astuto.ai`) * Under `Assign Roles`, add the following roles and click `Save`: * `Organisation Viewer` * `Cloud Asset Viewer` * `Browser` * `Billing Account Viewer`

{% endstep %} {% step %} ### Assign Project/Folder-level roles to the Service Account * Open the `Project Picker` menu and select a `project/folder` to be onboarded. * Go to `IAM and admin` and click `+ Grant access`. * Under `Assign Roles`, add the following roles: * `Vertex AI Viewer` * `Cloud Functions Viewer` * `Cloud SQL Viewer` * `Compute Viewer` * `Kubernetes Engine Viewer` * `Dataflow Viewer` * `Dataproc Viewer` * `Cloud Filestore Viewer` * `Monitoring Viewer` * `Network Management Viewer` * `Recommender Viewer` * `Cloud Memorystore Redis Viewer` * `Service Usage Viewer` * `BigQuery Job User` * `BigQuery Metadata Viewer` * `BigQuery Resource Viewer` * Click `Save`.

Repeat the above steps for all projects/folders to be onboarded.

{% endstep %} {% step %} ### Assign Project/Folder-level roles to the External User * Open the `Project Picker` menu and select a `project/folder` to be onboarded. * Go to `IAM and admin` and click `+ Grant access`. * Under `Add principals`, enter and select the external user email (i.e., `onelens.finops@astuto.ai`). * Under `Assign Roles`, add the following roles: * `Viewer` * `BigQuery Resource Viewer` * `BigQuery Metadata Viewer` * `BigQuery Job User` * Click `Save`.

Repeat the above steps for all projects/folders to be onboarded.

{% endstep %} {% endstepper %} {% hint style="success" %} **You have now ****successfully**** integrated your Google Cloud Platform environment with OneLens.** \ **Please share the following values to the OneLens team to facilitate the connection on our end:** * *Billing project ID* * *Service Account email ID* * *BigQuery dataset ID* {% endhint %}