Billing Account Roles in GCP: Who Can Do What

Ben Makansi
April 27, 2026

Billing in Google Cloud has its own IAM system that is separate from project-level permissions. You can have full Owner access on a project and still have no ability to view billing data, link a different billing account, or create budget alerts. This separation exists because financial access is a different concern from operational access, and mixing them creates governance problems. For the Associate Cloud Engineer exam, you need to know the billing roles, what each one permits, and how they interact with project roles.

The Billing Account Role Hierarchy

There are four primary billing account roles to know. Billing Account Admin is the most powerful and covers everything: viewing billing data, managing payment methods, linking and unlinking projects, creating budget alerts, and managing other billing users. Think of it as the owner role but specifically for the billing account.

Billing Account User is a narrower role. The main thing it allows is associating a project with a billing account. This is the role you give to project owners or developers who need to create new projects and link them to the company billing account, without giving them full control over billing configuration.

Billing Account Viewer is read-only. Someone with this role can see billing data, invoices, and cost breakdowns but cannot make any changes. This is the appropriate role for finance team members or auditors who need visibility into spending without the ability to modify anything.

Project Billing Manager is a role that applies at the project level rather than the billing account level. It lets someone link or unlink a specific project from a billing account without having any broader billing account access. This is useful when a project owner needs billing management rights for their own project but should not have access to the billing account that serves other teams.

Linking a Project to a Billing Account

To associate a project with a billing account, you need one of two things. Either you need the Billing Account User role on the billing account plus the Project Creator or Project Billing Manager role on the project, or you need Billing Account Admin on the billing account. If you only have project Owner, you can link a project to a billing account you are already a Billing Account User on, but you cannot link it to a billing account where you have no role.

This trips people up on the Associate Cloud Engineer exam. A developer with Owner on a project cannot link that project to a billing account unless they also have a billing account role. The Owner role is not sufficient on its own.

Setting Budget Alerts

Creating and modifying budget alerts requires the Billing Account Admin role. Billing Account Viewer and Billing Account User do not have this permission. This restriction makes sense because budget alerts represent a financial governance decision: setting the wrong thresholds or deleting existing alerts could lead to unexpected costs going unnoticed.

If the exam presents a scenario where someone has Billing Account User but cannot create a budget, the answer is that they need Billing Account Admin. If someone has Billing Account Admin but cannot deploy a Compute Engine VM, that is a project IAM issue, not a billing issue.

Billing Access Is Independent of Project Access

The most important concept in this topic is that billing permissions and project permissions are completely separate. You can grant someone full visibility into all billing data for a billing account without giving them any access to the resources in the projects on that account. Conversely, someone can have Compute Admin on a project with no ability to even view the billing charges that project generates.

This design supports the real-world separation between engineering teams (who manage resources) and finance or procurement teams (who manage spending and contracts). A cloud cost analyst can see exactly what is being spent and on what, without having any ability to create or delete resources.
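The linking, budget, and separation rules above can be checked mechanically against the two policies. The following is an added example, not code from the article or from Google: it encodes the rules as this article states them, uses GCP's predefined role IDs, and runs on constructed sample policies and member names. It assumes direct bindings only, with no group expansion.

```python
# Added example. Role IDs are GCP predefined roles; the policies and member
# names are constructed sample data in the IAM policy JSON shape.
BILLING_ADMIN, BILLING_USER, BILLING_VIEWER = (
    "roles/billing.admin", "roles/billing.user", "roles/billing.viewer")
# Project-side roles the article pairs with Billing Account User for linking.
PROJECT_LINK_ROLES = {"roles/owner", "roles/billing.projectManager",
                      "roles/resourcemanager.projectCreator"}

BILLING_POLICY = {"bindings": [
    {"role": BILLING_ADMIN, "members": ["user:cfo@example.com"]},
    {"role": BILLING_USER, "members": ["user:lead@example.com"]},
    {"role": BILLING_VIEWER, "members": ["group:finance@example.com"]},
]}
PROJECT_POLICY = {"bindings": [
    {"role": "roles/owner",
     "members": ["user:dev@example.com", "user:lead@example.com"]},
    {"role": "roles/compute.admin", "members": ["user:ops@example.com"]},
]}

def roles_of(policy, member):
    """Roles bound directly to `member` in one policy (no group expansion)."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}

def diagnose_link(member, billing_policy, project_policy):
    """Say whether `member` can link the project, and which side blocks it."""
    billing = roles_of(billing_policy, member)
    project = roles_of(project_policy, member)
    if BILLING_ADMIN in billing:
        return "allowed"
    if BILLING_USER not in billing:
        return "denied: no Billing Account User or Admin on the billing account"
    if not project & PROJECT_LINK_ROLES:
        return "denied: no linking role on the project"
    return "allowed"

def access_report(member, billing_policy, project_policy):
    """Evaluate the billing policy and the project policy separately."""
    billing = roles_of(billing_policy, member)
    return {
        "view_billing": bool(billing & {BILLING_ADMIN, BILLING_VIEWER}),
        "create_budget": BILLING_ADMIN in billing,
        "link_project": diagnose_link(member, billing_policy, project_policy),
        "project_roles": sorted(roles_of(project_policy, member)),
    }

if __name__ == "__main__":
    for m in ("user:dev@example.com", "user:lead@example.com",
              "group:finance@example.com", "user:cfo@example.com"):
        print(m, access_report(m, BILLING_POLICY, PROJECT_POLICY))
```

In the sample data, the project Owner with no billing role is denied on the billing side, while the Billing Account Admin has an empty `project_roles` list and so no access to project resources.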

How the Exam Tests Billing Roles

The Associate Cloud Engineer exam presents billing role questions in scenario format. A common pattern: a person with Owner on a project wants to link it to a billing account but cannot. The diagnosis is that they need a billing account role, specifically Billing Account User or Billing Account Admin. The project Owner role alone is not enough.

Another common pattern: a finance analyst needs to see GCP cost reports but should not be able to touch any resources. The correct role is Billing Account Viewer, which gives read access to billing data without any project permissions.

A third pattern: a team lead needs to create budget alerts for their project but not have access to billing configuration for the rest of the organization. The answer is Billing Account Admin scoped to the specific billing account. GCP billing account roles apply to a whole billing account, not individual projects, so this one often comes down to whether a dedicated billing account exists per team.

My Associate Cloud Engineer course covers billing roles as part of the broader IAM section, with the context needed to distinguish billing account roles from project roles on the Associate Cloud Engineer exam.
