GCP 服务帐户列表计费帐户 NodeJs

Question

我们正在尝试检索 GCP 中的结算帐户列表，为此，我们正在使用服务帐户。我们写的代码如下：

async function listBillingAccounts(project)
{
    let keys = JSON.parse(Buffer.from(process.env.SERVICE_ACCOUNT_BASE64_JSON, "base64").toString("ascii"));
    const client = new CloudBillingClient({credentials : keys});
    if (project !== undefined)
    {
        const [accounts] = await client.listBillingAccounts({ project, });
        console.log(accounts);
    }
    else
    {
        const [accounts] = await client.listBillingAccounts({});
        console.log(accounts);
    }
    console.info(`found ${accounts.length} billing accounts:`);
    for (const account of accounts) {
        console.info(`${account.displayName}:`);
        console.info(`\topen: ${account.open}`);
        console.info(`\tparentBillingAccount: ${account.masterBillingAccount}`);
    }
}

SERVICE_ACCOUNT_BASE64_JSON 包含服务帐户信息：

{
    "type": "service_account",
    "project_id": "xxxx",
    "private_key_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "private_key": "-----BEGIN PRIVATE KEY----------END PRIVATE KEY-----\n",
    "client_email": "xxxxx@xxxxx",
    "client_id": "xxxxxxxxxxxxxxxxxxxxx",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/xxxxx"
}

无论我们是否指定项目名称，accounts 结果总是一个空数组。你知道会发生什么吗？我们会询问 IAM 团队，服务帐号是否具有所需的权限，并且他们确认它具有：

https://www.googleapis.com/auth/cloud-billing.readonly --> Billing Account Usage Commitment Recommender Viewer 对吗？

Answer 1

结果为空，因为服务帐号无权查看结算帐号。

您必须将服务帐号电子邮件地址作为授权用户添加到每个结算帐号，并拥有结算帐号查看者 (roles/billing.viewer) 角色。 角色已添加到结算帐户。

Overview of Cloud Billing access control