Manual

The user performing the integration must have the following roles assigned:

1. Owner on your projects/folders to be onboarded 2. Organisation Administrator on your organisation Why this is needed? Owner role is used to assign IAM roles to the service account & external user. Organisation Administrator role is used to create a new billing project.

Below APIs must be enabled on your projects for OneLens to be able to read usage data on the respective services:

Vertex AI API (aiplatform.googleapis.com)
Cloud Functions API (cloudfunctions.googleapis.com)
Cloud SQL Admin API (sqladmin.googleapis.com)
Compute Engine API (compute.googleapis.com)
Kubernetes Engine API (container.googleapis.com)
Dataflow API (dataflow.googleapis.com)
Cloud Dataproc API (dataproc.googleapis.com)
Cloud Filestore API (file.googleapis.com)
Cloud Monitoring API (monitoring.googleapis.com)
Network Management API (networkmanagement.googleapis.com)
Recommender API (recommender.googleapis.com)
Google Cloud Memorystore for Redis API (redis.googleapis.com)
Service Usage API (serviceusage.googleapis.com)
Cloud Asset API (cloudasset.googleapis.com)
BigQuery API (bigquery.googleapis.com)

The above APIs must be enabled for each project to be onboarded.

For steps on how to enable APIs, please follow this link to Google’s documentation.

Create the Billing project and enable cost export

Login to the Google Cloud Platform console.
In the Project Picker menu on top, create a project with the name “OneLens Billing Project”.
Using the Project Picker menu on top, open the newly created project "OneLens Billing Project".
In the left menu, open BigQuery Studio.
In the BigQuery Explorer pane, click the 3 dots to the right of the billing project ID, and click Create dataset.
In the opened Create dataset menu, enter the following data:
- Under Dataset ID, enter “billing_export”.
- Under Location type, select Multi-region.
- Under Multi-region, select US (multiple regions in the United States)
  The dataset location is set to US (multiple regions in the United States) to export cost data retroactively from the start of the previous month during the initial setup.
  https://cloud.google.com/billing/docs/how-to/export-data-bigquery-tables#data-availability
- Under Advanced options, make sure the Enable table expiry option is unchecked.
- By disabling the table expiry for the BigQuery dataset, we ensure that the Single Source of Truth for your cloud costs remains intact indefinitely, enabling deep historical analysis, accurate forecasting, and audit compliance. https://docs.cloud.google.com/billing/docs/how-to/export-data-bigquery
- Click Create data set.
Go to Billing on the left menu.
Under Cost management, select Billing export in the left menu.
Enable Detailed usage cost with the following options:
- Under Projects, select the billing project created (OneLens Billing Project).
- Under Dataset, select the dataset created (billing_export).
- Click Save.
Similarly, enable Pricing with the following options:
- Under Projects, select the billing project created (OneLens Billing Project).
- Under Dataset, select the dataset created (billing_export).
- Click Save.
  Pricing data includes custom pricing data for your resources, if you have custom contracts with Google.
  https://docs.cloud.google.com/billing/docs/how-to/export-data-bigquery-tables/pricing-data#pricing-data-schema
Using the search bar on top, search for and enable the Cloud Billing API on this project.

Create the Service Account and assign permissions on the Billing project

In the Project Picker menu on top, select the new billing project created just now (i.e., OneLens Billing Project)
Go to IAM and admin on the left bar.
Go to Service accounts and click on + Create service account.
- Enter the Service account name as “OneLens Reader SA”
- Service account ID should be automatically generated.
- Enter the Service account description as: SA used by OneLens with read-only roles for FinOps analysis.
- Click Create and continue.
Under Permissions, search for and select the following roles:
- BigQuery Data Viewer
- BigQuery Metadata Viewer
- BigQuery Job User
- BigQuery Read Session User
Click Continue
Click Done
On the left, under IAM and admin, select Service Accounts
Select the service account that was created just now (i.e., OneLens Reader SA).
Under the Principals with access tab, click + Grant access.
Under Add principals, enter the following values
- [email protected] (our backend Service Account)
- [email protected] (our external user email)
Under Assign Roles, add the following role:
- Service Account Token Creator
Click Save.

Assign Billing project roles to the External User

In the Project Picker menu on top, select the new billing project created just now (i.e., OneLens Billing Project)
Go to IAM and admin and click + Grant access.
Under Add principals, enter the value of the external user email ID provided to you by the OneLens team: [email protected]
Under Assign Roles, add the following roles and click Save:
- BigQuery Data Viewer
- BigQuery Metadata Viewer
- BigQuery Job User

Assign Organisation-level roles for Service Account and External User

Open the Project Picker menu and select your organisation.
Go to IAM and admin and click + Grant access.
Under Add principals, search for and select the service account that was created (i.e., OneLens Reader SA) and the external user email (i.e., [email protected])
Under Assign Roles, add the following roles and click Save:
- Organisation Viewer
- Cloud Asset Viewer
- Browser
- Billing Account Viewer

Assign Project/Folder-level roles to the Service Account

Open the Project Picker menu and select a project/folder to be onboarded.
Go to IAM and admin and click + Grant access.
Under Assign Roles, add the following roles:
- Vertex AI Viewer
- Cloud Functions Viewer
- Cloud SQL Viewer
- Compute Viewer
- Kubernetes Engine Viewer
- Dataflow Viewer
- Dataproc Viewer
- Cloud Filestore Viewer
- Monitoring Viewer
- Network Management Viewer
- Recommender Viewer
- Cloud Memorystore Redis Viewer
- Service Usage Viewer
- BigQuery Job User
- BigQuery Metadata Viewer
- BigQuery Resource Viewer
Click Save.
Repeat the above steps for all projects/folders to be onboarded.

Assign Project/Folder-level roles to the External User

Open the Project Picker menu and select a project/folder to be onboarded.
Go to IAM and admin and click + Grant access.
Under Add principals, enter and select the external user email (i.e., [email protected]).
Under Assign Roles, add the following roles:
- Viewer
- BigQuery Resource Viewer
- BigQuery Metadata Viewer
- BigQuery Job User
Click Save.
Repeat the above steps for all projects/folders to be onboarded.

You have now successfully integrated your Google Cloud Platform environment with OneLens.

Please share the following values to the OneLens team to facilitate the connection on our end:

Billing project ID
Service Account email ID
BigQuery dataset ID

PreviousAutomated using Terraform NextFrequently Asked Questions (FAQ)

Last updated 2 months ago

hashtagCreate the Billing project and enable cost export

hashtagCreate the Service Account and assign permissions on the Billing project

hashtagAssign Billing project roles to the External User

hashtagAssign Organisation-level roles for Service Account and External User

hashtagAssign Project/Folder-level roles to the Service Account

hashtagAssign Project/Folder-level roles to the External User