Tags: google-cloud-platform, google-iam, google-cloud-billing

Issue with BillingAccountUser role in GCP


While learning GCP billing a bit more thoroughly, I have come across a scenario with GCP Billing that I am not able to understand, so please clarify.

I have a user (admin_user) who has created a billing account. This admin user adds another user (normal_user) with BillingAccountUser role for that billing account.

Now this normal_user creates his own project and generates some ML workload which adds up to a huge bill (keeping alerts aside for now) by the end of the month, and the billing account gets the invoice, which is obvious. Now the admin_user cannot see the normal_user's project, as normal_user is the only owner of it. If normal_user leaves the company, no one would have access to the project he created and that generated the bill, and presumably the billing reports may not be able to show the workload details and drill-down for that project.

So how can I safely avoid/prevent this scenario while assigning the BillingAccountUser role? Is there any way to allow normal_user to add only organization projects to this billing account, where he should not have the right to create a project in the organization but can manage adding one to the billing account, while he can still create his own projects and play around without being able to add them to this billing account?


Solution

If you grant a user Billing Account User and that user also has Project Creator, then that user will be able to attach the billing account to a new project.

To prevent the user from being able to attach a billing account to a project, grant the user Billing Account Viewer instead.

Only trusted users should have any form of access to the billing account.

    Is there any way to allow normal_user to add only organization projects to this billing account, where he should not have the right to create a project in the organization but can manage adding one to the billing account, while he can still create his own projects and play around without being able to add them to this billing account?

No. Billing accounts are not part of a project or organization. They are separate accounts and are managed independently. Billing accounts are linked to projects; they are not managed or controlled by a project. If you have the correct permissions, you can link any project to a billing account.

Normally, restrictions like this would be part of constraints. However, Google Cloud does not yet offer a constraint for billing accounts.

See: Organization policy constraints

If a user created a personal account and linked it to a business billing account, that would be a misuse of corporate assets. I recommend that only certain officers/managers of a company have access to a billing account. Everyone else should complete a form, or similar, and request that a project be linked to a billing account.

One item that can improve the security of billing accounts is to only add user accounts that you control. If a user mismanaged an account, you could take control of his identity (corporate email address). If you use Gmail accounts, you do not have that ability.
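The two points the answer makes, that Billing Account User (and Billing Account Admin) lets a holder link projects and that only identities you control should be on the billing account, can be checked mechanically. The script below is an added example, not code from the question or the answer: it parses a policy in the shape that `gcloud billing accounts get-iam-policy ACCOUNT_ID --format=json` returns, flags every binding that grants project-linking ability or goes to an identity outside the domains you control, and prints the `gcloud billing accounts remove-iam-policy-binding` / `add-iam-policy-binding` commands that would swap `roles/billing.user` for `roles/billing.viewer`. The policy JSON, the billing account ID and the `example.com` corporate domain are constructed values; `CORPORATE_DOMAINS` is an assumption you would replace with your own Cloud Identity domains.

```python
import json

# Constructed sample in the shape of `gcloud billing accounts get-iam-policy ... --format=json`.
SAMPLE_POLICY_JSON = json.dumps({
    "bindings": [
        {"role": "roles/billing.admin",
         "members": ["user:admin_user@example.com"]},
        {"role": "roles/billing.user",
         "members": ["user:normal_user@example.com", "user:contractor@gmail.com"]},
        {"role": "roles/billing.viewer",
         "members": ["group:finance@example.com"]},
    ],
    "etag": "BwXyz123",
})

SAMPLE_ACCOUNT_ID = "012345-6789AB-CDEF01"   # constructed placeholder billing account ID

# Assumption: identity domains the organisation controls (Cloud Identity / Workspace).
CORPORATE_DOMAINS = {"example.com"}

# Roles whose holders can attach the billing account to a project they can create.
LINKING_ROLES = {"roles/billing.user", "roles/billing.admin"}


def audit_billing_policy(policy_json, corporate_domains=CORPORATE_DOMAINS):
    """Return a list of (member, role, reason) findings for a billing account IAM policy."""
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            kind, _, ident = member.partition(":")
            domain = ident.rsplit("@", 1)[-1] if "@" in ident else ""
            # Individual human accounts outside controlled domains cannot be recovered
            # or disabled by the organisation if the person leaves or misbehaves.
            if kind == "user" and domain not in corporate_domains:
                findings.append((member, role, "identity not controlled by the organisation"))
            # Billing Account User only adds value if the holder is meant to link projects;
            # otherwise Billing Account Viewer is the safer grant.
            if role == "roles/billing.user":
                findings.append((member, role, "can link projects; consider roles/billing.viewer"))
    return findings


def downgrade_commands(policy_json, account_id):
    """Emit gcloud commands replacing roles/billing.user with roles/billing.viewer."""
    policy = json.loads(policy_json)
    commands = []
    for binding in policy.get("bindings", []):
        if binding["role"] != "roles/billing.user":
            continue
        for member in binding.get("members", []):
            commands.append(
                f"gcloud billing accounts remove-iam-policy-binding {account_id} "
                f"--member={member} --role=roles/billing.user")
            commands.append(
                f"gcloud billing accounts add-iam-policy-binding {account_id} "
                f"--member={member} --role=roles/billing.viewer")
    return commands


def linking_members(policy_json):
    """Members who can attach this billing account to projects (Billing Account User/Admin)."""
    policy = json.loads(policy_json)
    return sorted({m for b in policy.get("bindings", [])
                   if b["role"] in LINKING_ROLES for m in b.get("members", [])})


if __name__ == "__main__":
    for member, role, reason in audit_billing_policy(SAMPLE_POLICY_JSON):
        print(f"FINDING {member} ({role}): {reason}")
    print("Members able to link projects:", ", ".join(linking_members(SAMPLE_POLICY_JSON)))
    print("\nRemediation (review before running):")
    for cmd in downgrade_commands(SAMPLE_POLICY_JSON, SAMPLE_ACCOUNT_ID):
        print(" ", cmd)
```

Run it against a real policy by piping the `gcloud ... get-iam-policy --format=json` output into `audit_billing_policy`; the remediation commands are printed rather than executed so that a billing administrator can review which grants are genuinely needed for project linking before downgrading them.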