Data Connections

Connecting a GCP account

Overview

To onboard your GCP environment to DigiUsher, a service account with read-only access to billing, resource, and metrics data is required. This document describes exactly what permissions are requested, why each is needed, and what credentials to provide.

Summary of Access Required

Component       Details
Identity        GCP service account (digiusher-finops); no Console login, API-only
Authentication  JSON key (does not expire by default)
Access level    Read-only; all roles are viewer/reader roles
Scope           Organization-wide (recommended) or limited to specific projects
Billing         Billing Account Viewer on a single billing account
Data access     BigQuery billing export dataset only; no access to other datasets

Capability                    What It Provides
Billing data                  Cost analytics, chargeback/showback, budgeting, forecasting, anomaly detection
Resource inventory            Asset discovery, idle resource detection, tag-based cost allocation
Optimization recommendations  VM rightsizing, CUD/reservation analysis, idle resource cleanup
Utilization metrics           CPU, memory, network, disk usage for rightsizing analysis

DigiUsher cannot create, modify, or delete any of your GCP resources.

Use Terraform for the fastest setup

We strongly recommend the DigiUsher Terraform configuration for the most efficient and reliable setup. It automates the entire process in ~5 minutes and supports three scenarios: full organization, limited/POC, and existing billing export.

Terraform Repository: https://github.com/digiusher/digiusher-iac/

If your organization's policies require manual resource provisioning, follow the steps below.


Prerequisites

Information to Gather

Item                How to Find
Organization ID     gcloud organizations list, or Console: IAM & Admin > Settings
Billing Account ID  gcloud billing accounts list, or Console: Billing > Overview
Project ID          A project to host the service account and BigQuery dataset; can be an existing project or a new one

Roles Required by the Person Performing Setup

Role                           Why
Organization Administrator     To grant org-level IAM roles (Project Owner suffices for the limited/POC setup)
Billing Account Administrator  To grant the Billing Account Viewer role and enable billing export

Network & Email Access (For Regulated Environments)

If your organization restricts outbound internet access or email domains, ensure the following are in place before starting:

  • Domain allowlist: Add *.digiusher.com to your network/firewall allowlist so that users in your organization can access the DigiUsher platform from their browsers.
  • Email allowlist: Add digiusher.com as an approved sender domain in your email security gateway. DigiUsher sends onboarding confirmations, alerts, and reports from @digiusher.com addresses.

Option A: Terraform Setup

Our Terraform configuration automates the entire setup in ~5 minutes.

git clone https://github.com/digiusher/digiusher-iac.git
cd digiusher-iac/gcp

In every scenario, review the terraform plan output before applying: the IAM bindings it proposes should all be the viewer/reader roles listed under Manual Setup below.

Scenario 1: Full organization

Recommended for production environments. Grants organization-wide read-only access.

cp terraform.tfvars.org-level.example terraform.tfvars
# Edit terraform.tfvars with your Organization ID, Billing Account ID, and Project ID

terraform init
terraform plan
terraform apply

Scenario 2: Limited / POC

Restricts access to specific projects instead of the entire organization.

cp terraform.tfvars.limited.example terraform.tfvars
# Edit terraform.tfvars: set target_project_ids to your project list

terraform init
terraform plan
terraform apply

Scenario 3: Existing billing export

Use this if you already have a BigQuery billing export dataset.

cp terraform.tfvars.existing-export.example terraform.tfvars
# Edit terraform.tfvars: set billing_export_dataset_id to your existing dataset

terraform init
terraform plan
terraform apply
After Terraform Apply

Enable Billing Export

This step cannot be automated — there is no API or Terraform resource for billing export configuration. See Enable Billing Export to BigQuery in Manual Setup below.

Extract the Service Account Key

terraform output -raw service_account_key | base64 -d > digiusher-key.json

Restrict the file to your own user (chmod 600) and keep it out of source control. The same private key is held in plaintext in the Terraform state by the google_service_account_key resource, so the state backend (local file or remote bucket) must be protected at least as carefully as the key file itself.

Connect in DigiUsher

Enter the credentials into the DigiUsher platform (see Connect in DigiUsher below).

See the digiusher-iac README for full Terraform documentation including parameters, feature flags, and troubleshooting.


Option B: Manual Setup

Follow these steps if you prefer to set up via the GCP Console or gcloud CLI.

Step 1: Enable APIs

Navigate to APIs & Services > Library in the GCP Console and enable each API, or run:

gcloud services enable \
  bigquery.googleapis.com \
  cloudbilling.googleapis.com \
  cloudresourcemanager.googleapis.com \
  iam.googleapis.com \
  cloudasset.googleapis.com \
  recommender.googleapis.com \
  compute.googleapis.com \
  sqladmin.googleapis.com \
  monitoring.googleapis.com \
  --project=<PROJECT_ID>

Step 2: Create Service Account and Key

2a. Create the Service Account

Console:
  1. Go to IAM & Admin > Service Accounts > Create Service Account
  2. Service account ID: digiusher-finops
  3. Display name: DigiUsher FinOps Platform
  4. Description: Read-only service account for DigiUsher cloud cost management
  5. Click Create and Continue, then Done (no need to grant roles here; that is done in Step 4)

gcloud:
gcloud iam service-accounts create digiusher-finops \
  --display-name="DigiUsher FinOps Platform" \
  --description="Read-only service account for DigiUsher cloud cost management" \
  --project=<PROJECT_ID>

2b. Create and Download JSON Key

Console:
  1. Click on the service account > Keys > Add Key > Create new key > JSON > Create
  2. The key will be downloaded as a .json file

gcloud:
gcloud iam service-accounts keys create digiusher-key.json \
  --iam-account=digiusher-finops@<PROJECT_ID>.iam.gserviceaccount.com

Important

Store this key securely: restrict the file to your own user (chmod 600), keep it out of source control and chat tools, and delete the local copy once it has been entered into the DigiUsher platform in the final step. If key creation fails with a policy violation, the organization policy constraint constraints/iam.disableServiceAccountKeyCreation is enforced in your organization, and the hosting project needs an exception before this step can succeed.

Step 3: Create BigQuery Dataset

Skip this step if you already have a billing export dataset.

Console:
  1. Go to BigQuery > Create Dataset
  2. Dataset ID: digiusher_billing_export
  3. Data location: US or EU (must be multi-region for billing data backfill)

bq:
bq mk --location=US --dataset <PROJECT_ID>:digiusher_billing_export

Important

Dataset location is immutable. Use US or EU multi-region for automatic backfill of the previous month's data.

Step 4: Grant IAM Roles

Grant the following roles to the service account: digiusher-finops@<PROJECT_ID>.iam.gserviceaccount.com

4a. Billing Account Level

Console:
  1. Go to Billing > Account Management > IAM
  2. Click Grant Access
  3. Principal: digiusher-finops@<PROJECT_ID>.iam.gserviceaccount.com
  4. Role: Billing Account Viewer
  5. Click Save

gcloud:
gcloud billing accounts add-iam-policy-binding <BILLING_ACCOUNT_ID> \
  --member="serviceAccount:digiusher-finops@<PROJECT_ID>.iam.gserviceaccount.com" \
  --role="roles/billing.viewer"

4b. Organization Level

Console:
  1. Go to IAM & Admin > IAM, select your Organization from the project picker at the top
  2. Click Grant Access
  3. Principal: digiusher-finops@<PROJECT_ID>.iam.gserviceaccount.com
  4. Add each of the following roles (click Add Another Role to add multiple):

Role                      Purpose
Browser                   Browse org/folder/project hierarchy
Tag Viewer                Read tags for chargeback/showback
Cloud Asset Viewer        Resource inventory across projects
Recommender Viewer        Cost optimization recommendations
Compute Viewer            View CUDs, reservations, and Compute resources
Cloud SQL Viewer          View Cloud SQL details and commitments
BigQuery Resource Viewer  View BigQuery resource metadata for recommendations
Monitoring Viewer         Read utilization metrics

  5. Click Save

gcloud:
SA="serviceAccount:digiusher-finops@<PROJECT_ID>.iam.gserviceaccount.com"
ORG_ID="<ORGANIZATION_ID>"

for role in \
  roles/browser \
  roles/resourcemanager.tagViewer \
  roles/cloudasset.viewer \
  roles/recommender.viewer \
  roles/compute.viewer \
  roles/cloudsql.viewer \
  roles/bigquery.resourceViewer \
  roles/monitoring.viewer; do
  gcloud organizations add-iam-policy-binding "$ORG_ID" \
    --member="$SA" --role="$role"
done

Scoped alternative

If you prefer to limit access to specific projects instead of the entire organization, assign these roles on each project individually instead of at the organization level.

4c. Project Level (billing export project)

Console:
  1. Go to IAM & Admin > IAM on the project hosting the BigQuery dataset
  2. Grant Access with the following roles:

Role                        Purpose
BigQuery Job User           Execute billing queries
BigQuery Read Session User  Efficient parallel data reads via Storage Read API
Service Usage Consumer      Required for Cloud Asset API calls (serviceusage.services.use on the quota project)

gcloud:
SA="serviceAccount:digiusher-finops@<PROJECT_ID>.iam.gserviceaccount.com"

gcloud projects add-iam-policy-binding <PROJECT_ID> \
  --member="$SA" --role="roles/bigquery.jobUser"

gcloud projects add-iam-policy-binding <PROJECT_ID> \
  --member="$SA" --role="roles/bigquery.readSessionUser"

gcloud projects add-iam-policy-binding <PROJECT_ID> \
  --member="$SA" --role="roles/serviceusage.serviceUsageConsumer"

4d. BigQuery Dataset Level

Console:
  1. Go to BigQuery, click on the dataset digiusher_billing_export > Sharing > Permissions > Add Principal
  2. Principal: digiusher-finops@<PROJECT_ID>.iam.gserviceaccount.com
  3. Role: BigQuery Data Viewer
  4. Click Save

bq (requires jq):
# Get the current dataset definition, including its "access" array
bq show --format=prettyjson <PROJECT_ID>:digiusher_billing_export > /tmp/dataset_policy.json

# Append a READER entry (the dataset-level name for BigQuery Data Viewer) for the service account
jq --arg sa "digiusher-finops@<PROJECT_ID>.iam.gserviceaccount.com" \
  '.access += [{"role": "READER", "userByEmail": $sa}]' \
  /tmp/dataset_policy.json > /tmp/dataset_policy_updated.json

# Apply the updated definition (the file carries the full access list, so existing entries are kept)
bq update --source /tmp/dataset_policy_updated.json <PROJECT_ID>:digiusher_billing_export

Tip

The Console approach is simpler for dataset-level permissions.

Step 5: Enable Billing Export to BigQuery

This step cannot be automated

There is no API or Terraform resource for billing export configuration. This must be done through the GCP Console.

  1. Go to GCP Console > Billing > Billing export
  2. If you have multiple billing accounts, select the correct one
  3. Under Detailed usage cost, click Edit settings
    • Select the project and dataset (digiusher_billing_export)
    • Click Save
  4. Under Pricing, click Edit settings
    • Select the same project and dataset
    • Click Save

Once enabled, new tables appear in your BigQuery dataset: gcp_billing_export_resource_v1_<BILLING_ACCOUNT_ID> for detailed usage cost (dashes in the billing account ID are replaced by underscores) and cloud_pricing_export for pricing.

Data begins flowing within 24-48 hours. Multi-region datasets (US/EU) automatically backfill the previous month.


Connect in DigiUsher

After completing either Option A or B, enter the following into the DigiUsher platform to complete the connection:

Field                       Where to Find
Service Account Key (JSON)  The digiusher-key.json file
Project ID                  Project hosting the service account and dataset
Organization ID             Your GCP Organization ID
Billing Account ID          Your GCP Billing Account ID
BigQuery Dataset ID         digiusher_billing_export (or your custom dataset name)
BigQuery Dataset Location   US or EU

[Screenshot: GCP connection form]


Verification Checklist

  • APIs enabled in the hosting project
  • Service account digiusher-finops created with JSON key
  • BigQuery dataset created (or existing dataset identified)
  • Billing Account Viewer role assigned on billing account
  • Organization-level roles assigned (Browser, Tag Viewer, Cloud Asset Viewer, Recommender Viewer, Compute Viewer, Cloud SQL Viewer, BigQuery Resource Viewer, Monitoring Viewer)
  • BigQuery Job User, BigQuery Read Session User, and Service Usage Consumer assigned on the hosting project
  • BigQuery Data Viewer assigned on the billing export dataset
  • Detailed usage cost billing export enabled (pointing to the dataset)
  • Pricing billing export enabled (pointing to the same dataset)
  • Credentials entered into the DigiUsher platform
  • *.digiusher.com allowlisted in network/firewall (if applicable)
  • digiusher.com allowlisted for incoming email (if applicable)
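The checklist above can be turned into an automated least-privilege check. The script below is an added example, not part of DigiUsher's tooling or the digiusher-iac repository: it reads the JSON that gcloud ... get-iam-policy --format=json produces for the organization, the hosting project and the billing account, and reports every expected role that is missing and, more importantly, every role bound to the service account that is outside the read-only set. The file names, function names and the embedded sample policy are my own constructions; the role list is the one from Step 4.

```python
"""Check digiusher-finops IAM bindings against the read-only set on this page.

Export the policies first (file names are my choice):
  gcloud organizations get-iam-policy <ORGANIZATION_ID> --format=json > org.json
  gcloud projects get-iam-policy <PROJECT_ID> --format=json > project.json
  gcloud billing accounts get-iam-policy <BILLING_ACCOUNT_ID> --format=json > billing.json
Then: python check_bindings.py <PROJECT_ID> org.json project.json billing.json
"""
import json
import sys

# Expected roles per scope, copied from steps 4a-4c above.
EXPECTED = {
    "organization": {
        "roles/browser", "roles/resourcemanager.tagViewer", "roles/cloudasset.viewer",
        "roles/recommender.viewer", "roles/compute.viewer", "roles/cloudsql.viewer",
        "roles/bigquery.resourceViewer", "roles/monitoring.viewer",
    },
    "project": {
        "roles/bigquery.jobUser", "roles/bigquery.readSessionUser",
        "roles/serviceusage.serviceUsageConsumer",
    },
    "billing": {"roles/billing.viewer"},
}


def member_for(project_id):
    """IAM member string of the service account created in Step 2."""
    return f"serviceAccount:digiusher-finops@{project_id}.iam.gserviceaccount.com"


def roles_for_member(policy, member):
    """Every role bound to `member` in a get-iam-policy JSON document.

    Conditional bindings count too: a condition narrows a role, it does not
    turn a write role into a read role.
    """
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def check_scope(policy, member, scope):
    """Return (missing, unexpected) for one scope.

    Missing roles break the integration. Unexpected roles widen access beyond
    read-only and must go, whatever the reason they were added (roles/editor
    granted to "just make it work" is the classic case).
    """
    actual = roles_for_member(policy, member)
    return sorted(EXPECTED[scope] - actual), sorted(actual - EXPECTED[scope])


def check_all(member, policies):
    """Run check_scope for each scope in `policies` ({scope: policy_json})."""
    return {scope: check_scope(policy, member, scope) for scope, policy in policies.items()}


# Constructed sample shaped like `gcloud organizations get-iam-policy --format=json`
# output: Monitoring Viewer is missing and roles/editor was wrongly granted.
SAMPLE_MEMBER = member_for("my-finops-project")
SAMPLE_ORG_POLICY = {
    "version": 1,
    "etag": "BwX0000000=",
    "bindings": [
        {"role": role, "members": [SAMPLE_MEMBER]}
        for role in sorted(EXPECTED["organization"] - {"roles/monitoring.viewer"})
    ] + [{"role": "roles/editor", "members": ["user:alice@example.com", SAMPLE_MEMBER]}],
}


def main(argv):
    if len(argv) != 5:
        print(__doc__)
        return 2
    member = member_for(argv[1])
    policies = {}
    for scope, path in zip(("organization", "project", "billing"), argv[2:5]):
        with open(path) as fh:
            policies[scope] = json.load(fh)
    problems = 0
    for scope, (missing, unexpected) in check_all(member, policies).items():
        for role in missing:
            problems += 1
            print(f"[{scope}] MISSING    {role}")
        for role in unexpected:
            problems += 1
            print(f"[{scope}] UNEXPECTED {role}  (not read-only, remove it)")
        if not missing and not unexpected:
            print(f"[{scope}] OK")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script exits non-zero on any finding so it can run in a scheduled job; the dataset-level BigQuery Data Viewer grant is not covered because bq show, not get-iam-policy, is where that access list lives.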

Security

What DigiUsher CAN Access (Read-Only)

  • Billing data and cost information via BigQuery
  • Resource metadata (names, types, regions, labels, tags)
  • Utilization metrics (CPU, memory, network, disk) via Cloud Monitoring
  • Optimization recommendations from Google's Recommender API
  • CUD and reservation information
  • Organization, folder, and project hierarchy

What DigiUsher CANNOT Do

  • Create, modify, or delete any GCP resources
  • Access application data, databases, or storage contents
  • Modify IAM policies or permissions
  • Read secrets, credentials, or encryption keys
  • Access network traffic or logs content
  • Make purchases or modify billing settings
  • Read the contents of BigQuery datasets other than the billing export dataset (BigQuery Resource Viewer at the organization level exposes dataset and table metadata only, not rows)

Scope Controls

  • Set target_project_ids (Terraform) to restrict access to specific projects instead of the entire organization
  • BigQuery data access (BigQuery Data Viewer) is always scoped to the billing export dataset only, regardless of org-wide access; the org-level BigQuery Resource Viewer role grants metadata visibility, not data
  • Billing Viewer is scoped to a single billing account

Monitoring

Monitor service account activity in Cloud Logging (Logging > Logs Explorer) with the filter protoPayload.authenticationInfo.principalEmail="digiusher-finops@<PROJECT_ID>.iam.gserviceaccount.com". Admin Activity audit logs are always on and will record any attempt to change resources with this key, but almost everything the account legitimately does is a read, and reads appear only in Data Access audit logs: BigQuery writes those by default, while for Compute Engine, Cloud Asset, Cloud Monitoring and the other APIs enabled in Step 1 you must turn on Data Access logging (IAM & Admin > Audit Logs, ADMIN_READ and DATA_READ) before the account's normal traffic becomes visible.
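As an added example (not DigiUsher's code), the following script triages an export of the service account's audit log entries: it labels each call as a read, a successful write (which this account should never produce), or a permission-denied attempt, and lists the caller IPs seen. The read-verb heuristic, the file name, the function names and the sample entries embedded for a dry run are my own assumptions; the fields used (protoPayload.methodName, protoPayload.authenticationInfo.principalEmail, protoPayload.status.code, protoPayload.requestMetadata.callerIp) are standard Cloud Audit Log fields.

```python
"""Triage Cloud Audit Log entries for the digiusher-finops service account.

Export recent activity (the file name is my choice):
  gcloud logging read \
    'protoPayload.authenticationInfo.principalEmail="digiusher-finops@<PROJECT_ID>.iam.gserviceaccount.com"' \
    --organization=<ORGANIZATION_ID> --freshness=7d --format=json > sa-activity.json
Then: python triage_sa_activity.py digiusher-finops@<PROJECT_ID>.iam.gserviceaccount.com sa-activity.json
"""
import json
import re
import sys
from collections import Counter

# Method names whose last segment starts with a read verb, e.g. compute
# "instances.aggregatedList", asset "ListAssets", monitoring "ListTimeSeries".
READ_VERB = re.compile(
    r"(?:^|\.)(?:get|list|aggregatedList|search|batchGet|query|testIamPermissions)\w*$",
    re.IGNORECASE,
)
# BigQuery runs a query by inserting a job, so job insertion is treated as a read.
# A query job can still write (CREATE TABLE AS ...); a stricter check would
# inspect the job configuration in the BigQuery audit metadata.
BIGQUERY_QUERY_METHODS = {"jobservice.insert", "google.cloud.bigquery.v2.JobService.InsertJob"}
PERMISSION_DENIED = 7  # google.rpc.Code value carried in protoPayload.status.code


def classify(entry, sa_email):
    """Label one entry: read, write, denied, or other_principal."""
    payload = entry.get("protoPayload", {})
    if payload.get("authenticationInfo", {}).get("principalEmail") != sa_email:
        return "other_principal"
    if payload.get("status", {}).get("code") == PERMISSION_DENIED:
        return "denied"
    method = payload.get("methodName", "")
    if method in BIGQUERY_QUERY_METHODS or READ_VERB.search(method):
        return "read"
    return "write"


def triage(entries, sa_email):
    """Counts per label, caller IPs seen for the account, and the entries that
    need a human look: every successful write (this account should never have
    one) and every denied call (someone, or something, is probing with the key)."""
    counts, caller_ips, findings = Counter(), set(), []
    for entry in entries:
        label = classify(entry, sa_email)
        counts[label] += 1
        if label == "other_principal":
            continue
        payload = entry["protoPayload"]
        caller_ips.add(payload.get("requestMetadata", {}).get("callerIp", "unknown"))
        if label in ("write", "denied"):
            findings.append((entry.get("timestamp"), label, payload.get("methodName")))
    return {"counts": dict(counts), "caller_ips": sorted(caller_ips), "findings": findings}


# Constructed sample entries in the shape `gcloud logging read --format=json` returns.
SAMPLE_SA = "digiusher-finops@my-finops-project.iam.gserviceaccount.com"


def _entry(ts, principal, method, ip="203.0.113.10", status_code=None):
    payload = {"authenticationInfo": {"principalEmail": principal}, "methodName": method,
               "requestMetadata": {"callerIp": ip}}
    if status_code is not None:
        payload["status"] = {"code": status_code, "message": "PERMISSION_DENIED"}
    return {"timestamp": ts, "protoPayload": payload,
            "logName": "organizations/123456/logs/cloudaudit.googleapis.com%2Fdata_access"}


SAMPLE_ENTRIES = [
    _entry("2024-05-01T10:00:00Z", SAMPLE_SA, "v1.compute.instances.aggregatedList"),
    _entry("2024-05-01T10:00:05Z", SAMPLE_SA, "google.cloud.bigquery.v2.JobService.InsertJob"),
    _entry("2024-05-01T10:01:00Z", SAMPLE_SA, "google.cloud.asset.v1.AssetService.ListAssets"),
    _entry("2024-05-01T10:02:00Z", SAMPLE_SA, "v1.compute.instances.delete", ip="198.51.100.7", status_code=7),
    _entry("2024-05-01T10:03:00Z", SAMPLE_SA, "google.cloud.recommender.v1.Recommender.MarkRecommendationClaimed", ip="198.51.100.7"),
    _entry("2024-05-01T10:04:00Z", "alice@example.com", "SetIamPolicy"),
]


def main(argv):
    if len(argv) != 3:
        print(__doc__)
        return 2
    with open(argv[2]) as fh:
        result = triage(json.load(fh), argv[1])
    print("counts:", result["counts"])
    print("caller IPs:", ", ".join(result["caller_ips"]))
    for ts, label, method in result["findings"]:
        print(f"{ts}  {label.upper():7}  {method}")
    return 1 if result["findings"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A permission-denied delete from an IP that never appears in the account's normal traffic, as in the constructed sample, is the pattern to treat as a leaked key: rotate it (next section) and then investigate, not the other way round.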

Credential Rotation

  • Terraform: terraform apply -replace="google_service_account_key.digiusher"
  • Manual: Service account > Keys > Add Key (create new), then delete the old key. Enter the new key into the DigiUsher platform.
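Because a JSON key does not expire, nothing forces the rotation above to actually happen. The script below is an added example, not part of the DigiUsher setup: it reads the output of gcloud iam service-accounts keys list --format=json and flags user-managed keys older than a chosen age, keys with no expiry, and the leftover old key that should have been deleted after a rotation. The age threshold, file name, function names and the embedded sample key list are my own assumptions.

```python
"""Audit the keys on the digiusher-finops service account.

Export the key list (the file name is my choice):
  gcloud iam service-accounts keys list \
    --iam-account=digiusher-finops@<PROJECT_ID>.iam.gserviceaccount.com --format=json > keys.json
Then: python audit_keys.py keys.json [max_age_days]
"""
import json
import sys
from datetime import datetime, timezone


def parse_ts(value):
    """Parse the RFC 3339 timestamps gcloud emits (e.g. 2024-01-15T09:30:00Z)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def key_id(key):
    """Short key ID from the full resource name projects/.../keys/<id>."""
    return key["name"].rsplit("/", 1)[-1]


def key_age_days(key, now):
    return (now - parse_ts(key["validAfterTime"])).days


def never_expires(key):
    # Keys created without an expiry carry a far-future validBeforeTime (year 9999).
    return parse_ts(key["validBeforeTime"]).year >= 9999


def audit_keys(keys, now, max_age_days=90):
    """Summarise user-managed keys. SYSTEM_MANAGED keys are Google's own
    short-lived signing keys and are ignored; only USER_MANAGED keys are
    downloadable JSON credentials like digiusher-key.json."""
    user_managed = [k for k in keys if k.get("keyType") == "USER_MANAGED"]
    return {
        "user_managed_count": len(user_managed),
        "stale": [key_id(k) for k in user_managed if key_age_days(k, now) > max_age_days],
        "non_expiring": [key_id(k) for k in user_managed if never_expires(k)],
        # After a rotation exactly one user-managed key should remain.
        "old_key_not_deleted": len(user_managed) > 1,
    }


# Constructed sample in the shape of `gcloud iam service-accounts keys list --format=json`.
_SA = "projects/my-finops-project/serviceAccounts/digiusher-finops@my-finops-project.iam.gserviceaccount.com"
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"name": f"{_SA}/keys/key-old", "keyType": "USER_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048",
     "keyOrigin": "GOOGLE_PROVIDED", "validAfterTime": "2024-01-15T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": f"{_SA}/keys/key-new", "keyType": "USER_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048",
     "keyOrigin": "GOOGLE_PROVIDED", "validAfterTime": "2024-05-20T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": f"{_SA}/keys/key-sys", "keyType": "SYSTEM_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048",
     "keyOrigin": "GOOGLE_PROVIDED", "validAfterTime": "2024-05-28T00:00:00Z", "validBeforeTime": "2024-06-13T00:00:00Z"},
]


def main(argv):
    if len(argv) not in (2, 3):
        print(__doc__)
        return 2
    with open(argv[1]) as fh:
        keys = json.load(fh)
    max_age = int(argv[2]) if len(argv) == 3 else 90
    report = audit_keys(keys, datetime.now(timezone.utc), max_age)
    print(f"user-managed keys: {report['user_managed_count']}")
    print(f"older than {max_age} days: {report['stale'] or 'none'}")
    print(f"never expire: {report['non_expiring'] or 'none'}")
    if report["old_key_not_deleted"]:
        print("more than one user-managed key: delete the previous key once the new one is in DigiUsher")
    return 1 if report["stale"] or report["old_key_not_deleted"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

If your organization prefers enforcement over after-the-fact checks, the organization policy constraint constraints/iam.serviceAccountKeyExpiryHours makes new keys expire automatically; the DigiUsher key then has to be rotated, and re-entered in the platform, before that deadline.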

Revocation

  • Terraform: terraform destroy — removes the service account, all IAM bindings, and invalidates the key.
  • Manual: Delete the digiusher-finops service account in IAM & Admin > Service Accounts. This instantly invalidates the key and all associated IAM bindings.
  • APIs are intentionally not disabled on revocation to avoid breaking your existing workloads.

Troubleshooting

Cannot find Organization ID

gcloud organizations list

If empty, your GCP account may not have an organization. Organizations require Google Workspace or Cloud Identity. Contact your GCP admin.

"Permission denied" when assigning roles

You need Organization Administrator for org-level roles and Billing Account Administrator for billing roles. Verify your roles:

gcloud organizations get-iam-policy <ORG_ID> \
  --flatten="bindings[].members" \
  --filter="bindings.members:user:<YOUR_EMAIL>" \
  --format="table(bindings.role)"

BigQuery dataset already exists

Use your existing dataset — just make sure it's in a multi-region location (US or EU) and grant BigQuery Data Viewer to the service account on that dataset.

No billing data after 48 hours

  1. Verify billing export shows "Enabled" in Billing > Billing export
  2. Confirm dataset location is multi-region (US or EU)
  3. Ensure Detailed usage cost is enabled (not just Standard)
  4. Check that the correct billing account is selected

"API not enabled" errors

Ensure all APIs from Step 1 are enabled. API propagation can take a few minutes.


Need Help?

If you encounter any issues not covered above, contact us at support@digiusher.com and we'll help you get set up.