Archera for GCP
Last updated: February 6, 2026
IAM Permissions and Resources Reference
Overview
When you connect your GCP environment to Archera, a set of IAM permissions and resources are provisioned to allow Archera to access your billing data, monitor commitments, and deliver optimization recommendations. If you enable full procurement capabilities, Archera can also place and manage marketplace orders on your behalf.
This article describes every permission and resource that Archera assumes in your environment, why each is needed, and how they are scoped.
Archera supports two access modes:
• Visibility Only: Read-only access for monitoring, analytics, and recommendations.
• Full Access (default): Read access plus the ability to place, modify, and cancel commitment purchases through the GCP Marketplace on your behalf.
All resources are provisioned using Terraform, either directly or through GCP Infrastructure Manager. The permissions described below are the same regardless of the installation method you choose.
Archera Service Account
Archera authenticates to your GCP environment using a service account managed by Archera:
application@archera.iam.gserviceaccount.com
This service account lives in Archera’s GCP project, not yours. During onboarding, your Terraform configuration grants this service account a custom IAM role at the organization level, along with specific predefined roles at the billing account level. Archera does not create any service accounts inside your organization.
Note: If your organization uses iam.managed.allowedPolicyMembers or iam.allowedPolicyMemberDomains constraints, you may need to add Archera’s service account or customer ID (C02c8qgso) to your allow list. See the Troubleshooting section at the end of this article.
Deployment Service Account (Temporary)
If you install via GCP Infrastructure Manager, a separate temporary service account is created in your project to run the Terraform deployment. This account requires broad permissions (Owner, Organization Administrator, Billing Admin) to provision resources, but it can and should be deleted after the deployment completes. It is not used by Archera for ongoing operations.
API Enablement
The following APIs are enabled in your billing project to allow Archera to access billing information, view recommendations, and manage procurement orders:
API | Purpose |
Cloud Billing API | Allows Archera to access billing account information and metadata. |
Consumer Procurement API | Enables Archera to view and manage GCP Marketplace procurement orders. |
Recommender API | Enables Archera to view and manage CUD recommendations. |
Custom IAM Role
A custom organization-level IAM role named archera_application is created and bound to the Archera service account. This role contains all the specific permissions listed below, scoped to the minimum required for Archera’s functionality.
All permissions in this role are read-only unless explicitly noted as write permissions. Write permissions are only included when Visibility Only mode is disabled.
BigQuery Reservations and Commitments
These permissions allow Archera to view your BigQuery reservation and capacity commitment details for optimization recommendations.
Permission |
bigquery.bireservations.get |
bigquery.capacityCommitments.list |
bigquery.reservationAssignments.list |
bigquery.reservations.get |
bigquery.reservations.list |
Compute Engine Commitments and Reservations
These permissions enable Archera to monitor your Compute Engine committed use discounts (CUDs) and VM reservations to identify savings opportunities.
Permission |
compute.commitments.get |
compute.commitments.list |
compute.reservations.get |
compute.reservations.list |
Consumer Procurement Orders
These permissions allow Archera to view and, in Full Access mode, manage GCP Marketplace orders for commitments purchased through Archera.
Read permissions (always granted):
Permission |
consumerprocurement.orderAttributions.get |
consumerprocurement.orderAttributions.list |
consumerprocurement.orders.get |
consumerprocurement.orders.list |
Write permissions (Full Access mode only):
Permission | Purpose |
consumerprocurement.orderAttributions.update | Update order attribution metadata |
consumerprocurement.orders.cancel | Cancel pending or active orders |
consumerprocurement.orders.modify | Modify existing order parameters |
consumerprocurement.orders.place | Place new procurement orders |
Write permissions allow Archera to execute automated purchasing of recommended commitments on your behalf. They are only included when Full Access mode is enabled.
Note: Additional procurement roles are also applied at the billing account level. See the Billing Account IAM Permissions section below.
Resource Manager
These permissions enable Archera to understand your GCP organization structure (folders and projects) to properly attribute costs and commitments. They do not permit any modifications to your organization, folders, or projects.
Permission |
resourcemanager.folders.get |
resourcemanager.folders.list |
resourcemanager.organizations.get |
resourcemanager.projects.get |
resourcemanager.projects.list |
Spend-Based CUD Recommendations
These permissions allow Archera to access Google’s spend-based commitment recommendations and insights.
Read permissions (always granted):
Permission |
recommender.spendBasedCommitmentRecommendations.get |
recommender.spendBasedCommitmentRecommendations.list |
recommender.spendBasedCommitmentInsights.get |
recommender.spendBasedCommitmentInsights.list |
recommender.spendBasedCommitmentRecommenderConfig.get |
Write permissions (Full Access mode only):
Permission |
recommender.spendBasedCommitmentRecommendations.update |
recommender.spendBasedCommitmentInsights.update |
recommender.spendBasedCommitmentRecommenderConfig.update |
Resource-Based CUD Recommendations
These permissions serve the same purpose as above, but for resource-based (usage-based) commitment recommendations.
Read permissions (always granted):
Permission |
recommender.usageCommitmentRecommendations.get |
recommender.usageCommitmentRecommendations.list |
recommender.commitmentUtilizationInsights.get |
recommender.commitmentUtilizationInsights.list |
Write permissions (Full Access mode only):
Permission |
recommender.usageCommitmentRecommendations.update |
recommender.commitmentUtilizationInsights.update |
Monitoring and Service Usage
These permissions allow Archera to access monitoring data and service usage information required for CUD recommendation analysis. Note that serviceusage.services.use is not a pure read permission: it lets the holder call APIs that are already enabled in a project, consuming that project's quota. It does not allow enabling or disabling services.
Permission |
monitoring.timeSeries.list |
serviceusage.consumerpolicy.analyze |
serviceusage.consumerpolicy.get |
serviceusage.contentsecuritypolicy.get |
serviceusage.effectivemcppolicy.get |
serviceusage.effectivepolicy.get |
serviceusage.groups.list |
serviceusage.groups.listExpandedMembers |
serviceusage.groups.listMembers |
serviceusage.mcppolicy.get |
serviceusage.operations.get |
serviceusage.quotas.get |
serviceusage.services.get |
serviceusage.services.list |
serviceusage.services.use |
serviceusage.values.test |
Billing Account IAM Permissions
In addition to the custom organization-level role, Archera requires predefined roles applied directly at the billing account level. This is necessary because billing accounts may exist outside the organization resource hierarchy, and organization-level custom roles cannot be applied to them.
Read access (always granted):
Role | Purpose |
roles/consumerprocurement.orderViewer | Allows Archera to list and view procurement orders associated with the billing account. |
roles/billing.viewer | Allows Archera to view CUD recommendations scoped to the billing account. |
Write access (Full Access mode only):
Role | Purpose |
roles/consumerprocurement.orderAdmin | Allows Archera to place, modify, and cancel procurement orders on the billing account. |
roles/billing.admin | Allows Archera to manage CUD recommendations for the billing account. |
Note: The roles/billing.admin role is broader than ideal, but it is required because no narrower predefined role covers CUD recommendation writes at the billing account level. This role is only granted when Full Access mode is enabled.
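The custom role (Custom IAM Role section above) and the billing account bindings are both stated as exact lists, which makes drift easy to check. The script below is an added example, not Archera's tooling: it embeds the documented permission and role sets, reads the JSON that `gcloud iam roles describe ... --format=json` and `gcloud ... get-iam-policy ... --format=json` print, and reports anything missing, undocumented, or inappropriate for the chosen access mode. The three input documents at the bottom are constructed sample data (a Visibility Only tenant whose role and billing account have drifted), and the organization ID is a placeholder.

```python
"""Audit the Archera custom role and billing account bindings against this article.

Added example, not Archera's code. Inputs are the JSON printed by:
  gcloud iam roles describe archera_application --organization=ORG_ID --format=json
  gcloud organizations get-iam-policy ORG_ID --format=json
  gcloud billing accounts get-iam-policy BILLING_ACCOUNT_ID --format=json
The documents at the bottom are constructed for the example.
"""
import json

ARCHERA_SA = "serviceAccount:application@archera.iam.gserviceaccount.com"

# Permissions the article documents for the archera_application role, by mode.
ROLE_READ = frozenset("""
bigquery.bireservations.get bigquery.capacityCommitments.list
bigquery.reservationAssignments.list bigquery.reservations.get bigquery.reservations.list
compute.commitments.get compute.commitments.list compute.reservations.get compute.reservations.list
consumerprocurement.orderAttributions.get consumerprocurement.orderAttributions.list
consumerprocurement.orders.get consumerprocurement.orders.list
resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get
resourcemanager.projects.get resourcemanager.projects.list
recommender.spendBasedCommitmentRecommendations.get recommender.spendBasedCommitmentRecommendations.list
recommender.spendBasedCommitmentInsights.get recommender.spendBasedCommitmentInsights.list
recommender.spendBasedCommitmentRecommenderConfig.get
recommender.usageCommitmentRecommendations.get recommender.usageCommitmentRecommendations.list
recommender.commitmentUtilizationInsights.get recommender.commitmentUtilizationInsights.list
monitoring.timeSeries.list
serviceusage.consumerpolicy.analyze serviceusage.consumerpolicy.get serviceusage.contentsecuritypolicy.get
serviceusage.effectivemcppolicy.get serviceusage.effectivepolicy.get serviceusage.groups.list
serviceusage.groups.listExpandedMembers serviceusage.groups.listMembers serviceusage.mcppolicy.get
serviceusage.operations.get serviceusage.quotas.get serviceusage.services.get
serviceusage.services.list serviceusage.services.use serviceusage.values.test
""".split())

ROLE_WRITE = frozenset("""
consumerprocurement.orderAttributions.update consumerprocurement.orders.cancel
consumerprocurement.orders.modify consumerprocurement.orders.place
recommender.spendBasedCommitmentRecommendations.update recommender.spendBasedCommitmentInsights.update
recommender.spendBasedCommitmentRecommenderConfig.update
recommender.usageCommitmentRecommendations.update recommender.commitmentUtilizationInsights.update
""".split())

# Predefined roles the article documents at the billing account level, by mode.
BILLING_READ = frozenset({"roles/consumerprocurement.orderViewer", "roles/billing.viewer"})
BILLING_WRITE = frozenset({"roles/consumerprocurement.orderAdmin", "roles/billing.admin"})


def audit_custom_role(role_doc, visibility_only):
    """Compare a role's includedPermissions with the documented set for the mode."""
    granted = set(role_doc.get("includedPermissions", []))
    expected = ROLE_READ if visibility_only else ROLE_READ | ROLE_WRITE
    return {
        "missing": sorted(expected - granted),
        "undocumented": sorted(granted - ROLE_READ - ROLE_WRITE),
        # Any procurement/recommender write is a finding for a Visibility Only tenant.
        "write_in_visibility_only": sorted(granted & ROLE_WRITE) if visibility_only else [],
    }


def roles_bound_to(policy_doc, member):
    """Every role a get-iam-policy document binds to `member` (conditions ignored)."""
    return {b["role"] for b in policy_doc.get("bindings", []) if member in b.get("members", [])}


def audit_bindings(policy_doc, expected_roles):
    """Roles the Archera SA holds on one resource, compared with the documented set."""
    held = roles_bound_to(policy_doc, ARCHERA_SA)
    return {"missing": sorted(expected_roles - held), "extra": sorted(held - expected_roles)}


def audit_billing_account(policy_doc, visibility_only):
    expected = BILLING_READ if visibility_only else BILLING_READ | BILLING_WRITE
    return audit_bindings(policy_doc, expected)


# Constructed samples: a Visibility Only tenant whose role picked up one write
# permission and one permission this article never lists, and whose billing
# account also carries roles/billing.admin. 123456789012 is a placeholder org ID.
ORG_ROLE = "organizations/123456789012/roles/archera_application"
ROLE_DOC = {
    "name": ORG_ROLE,
    "includedPermissions": sorted(ROLE_READ | {"consumerprocurement.orders.place",
                                               "resourcemanager.projects.update"}),
}
ORG_POLICY_DOC = {"bindings": [
    {"role": ORG_ROLE, "members": [ARCHERA_SA]},
    {"role": "roles/resourcemanager.organizationViewer", "members": ["user:alice@example.com"]},
]}
BILLING_POLICY_DOC = {"bindings": [
    {"role": "roles/consumerprocurement.orderViewer", "members": [ARCHERA_SA]},
    {"role": "roles/billing.viewer", "members": [ARCHERA_SA, "group:finance@example.com"]},
    {"role": "roles/billing.admin", "members": [ARCHERA_SA]},
]}

if __name__ == "__main__":
    print(json.dumps(audit_custom_role(ROLE_DOC, visibility_only=True), indent=2))
    print(json.dumps(audit_bindings(ORG_POLICY_DOC, {ORG_ROLE}), indent=2))
    print(json.dumps(audit_billing_account(BILLING_POLICY_DOC, visibility_only=True), indent=2))
```

Run it against real output by replacing the three sample documents with `json.load()` of the saved gcloud output; a non-empty `undocumented`, `write_in_visibility_only` or `extra` list is what to raise with your Archera representative. Conditional bindings are ignored here, so a condition-restricted grant still counts as held.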
Cloud Storage Bucket
A GCS bucket is created for temporary staging of billing and pricing data exports before transfer to Archera’s infrastructure.
Bucket name | archerastorage_{billing_account_id} |
Location | US |
Storage class | STANDARD |
Object lifecycle | Automatically deleted after 7 days (enforced by a GCS lifecycle rule) |
Access control | Uniform bucket-level access; public access prevented |
The following IAM bindings are applied at the bucket level only:
Role | Purpose |
roles/storage.legacyBucketOwner | Granted to the Archera service account. Allows Archera to manage the lifecycle of the staging bucket it creates. Scoped to this bucket only. Note that this predefined role includes storage.buckets.setIamPolicy, so the service account can also change the IAM bindings of this one bucket; it grants nothing on other buckets. |
roles/storage.legacyBucketReader | Granted to the Storage Transfer Service. Allows reading bucket metadata for data transfers. |
roles/storage.objectViewer | Granted to the Storage Transfer Service. Allows reading objects in the bucket for data transfers. |
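The bucket table above is a complete specification (name, location, class, 7-day Delete rule, uniform bucket-level access, public access prevention, three bindings), so it can be verified mechanically. The script below is an added example, not Archera's code. It takes the bucket resource as returned by the Cloud Storage JSON API (`storage.buckets.get`) and the bucket's IAM policy as printed by `gcloud storage buckets get-iam-policy gs://BUCKET --format=json`, and returns a list of findings. Assumptions: the billing account ID is inserted verbatim into the bucket name, and the Storage Transfer Service principal is its per-project service agent (`project-NUMBER@storage-transfer-service.iam.gserviceaccount.com`). The two bucket/policy pairs at the bottom are constructed sample data, the second one showing three kinds of drift.

```python
"""Check the Archera staging bucket against the configuration documented above.

Added example, not Archera's code. Inputs: the Bucket resource from the Cloud
Storage JSON API (storage.buckets.get) and the bucket IAM policy from
`gcloud storage buckets get-iam-policy gs://BUCKET --format=json`.
Sample documents at the bottom are constructed for the example.
"""
import re

ARCHERA_SA = "serviceAccount:application@archera.iam.gserviceaccount.com"
# Storage Transfer Service acts through a per-project service agent of this form.
STS_AGENT = re.compile(r"^serviceAccount:project-\d+@storage-transfer-service\.iam\.gserviceaccount\.com$")
# archerastorage_{billing_account_id}; billing account IDs look like 012345-6789AB-CDEF01.
BUCKET_NAME = re.compile(r"^archerastorage_[0-9A-F]{6}-[0-9A-F]{6}-[0-9A-F]{6}$")
MAX_OBJECT_AGE_DAYS = 7
# Documented bindings: role -> predicate that the member must satisfy.
EXPECTED_BINDINGS = {
    "roles/storage.legacyBucketOwner": lambda m: m == ARCHERA_SA,
    "roles/storage.legacyBucketReader": STS_AGENT.match,
    "roles/storage.objectViewer": STS_AGENT.match,
}


def lifecycle_findings(bucket):
    """Require an unconditional Delete rule that fires within MAX_OBJECT_AGE_DAYS."""
    ages = []
    for rule in bucket.get("lifecycle", {}).get("rule", []):
        if rule.get("action", {}).get("type") != "Delete":
            continue
        cond = rule.get("condition", {})
        # Extra conditions (matchesPrefix, matchesStorageClass, ...) narrow the
        # rule to a subset of objects, so it no longer enforces the 7-day claim.
        if set(cond) == {"age"}:
            ages.append(cond["age"])
    if not ages:
        return ["no unconditional Delete lifecycle rule"]
    if min(ages) > MAX_OBJECT_AGE_DAYS:
        return [f"objects retained {min(ages)} days, expected <= {MAX_OBJECT_AGE_DAYS}"]
    return []


def audit_bucket(bucket, policy):
    """Return human-readable findings; an empty list means the bucket matches the article."""
    findings = []
    if not BUCKET_NAME.match(bucket.get("name", "")):
        findings.append(f"unexpected bucket name {bucket.get('name')!r}")
    if bucket.get("location") != "US":
        findings.append(f"location {bucket.get('location')!r}, expected 'US'")
    if bucket.get("storageClass") != "STANDARD":
        findings.append(f"storage class {bucket.get('storageClass')!r}, expected 'STANDARD'")
    iam_cfg = bucket.get("iamConfiguration", {})
    if not iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled"):
        findings.append("uniform bucket-level access disabled (legacy ACLs in effect)")
    if iam_cfg.get("publicAccessPrevention") != "enforced":
        findings.append("public access prevention not enforced")
    findings += lifecycle_findings(bucket)
    for binding in policy.get("bindings", []):
        role = binding["role"]
        allowed = EXPECTED_BINDINGS.get(role)
        for member in binding.get("members", []):
            if allowed is None or not allowed(member):
                findings.append(f"undocumented binding: {member} -> {role}")
    return findings


# Constructed sample: a bucket exactly as documented. 123456789012 is a placeholder project number.
STS_MEMBER = "serviceAccount:project-123456789012@storage-transfer-service.iam.gserviceaccount.com"
GOOD_BUCKET = {
    "name": "archerastorage_012345-6789AB-CDEF01",
    "location": "US",
    "storageClass": "STANDARD",
    "lifecycle": {"rule": [{"action": {"type": "Delete"}, "condition": {"age": 7}}]},
    "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True},
                         "publicAccessPrevention": "enforced"},
}
GOOD_POLICY = {"bindings": [
    {"role": "roles/storage.legacyBucketOwner", "members": [ARCHERA_SA]},
    {"role": "roles/storage.legacyBucketReader", "members": [STS_MEMBER]},
    {"role": "roles/storage.objectViewer", "members": [STS_MEMBER]},
]}
# Constructed drift: the Delete rule narrowed to one prefix, public access
# prevention relaxed to "inherited", and an object reader added by hand.
DRIFTED_BUCKET = {
    **GOOD_BUCKET,
    "lifecycle": {"rule": [{"action": {"type": "Delete"},
                            "condition": {"age": 7, "matchesPrefix": ["exports/"]}}]},
    "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True},
                         "publicAccessPrevention": "inherited"},
}
DRIFTED_POLICY = {"bindings": GOOD_POLICY["bindings"] + [
    {"role": "roles/storage.objectViewer", "members": ["user:contractor@example.com"]},
]}

if __name__ == "__main__":
    print("documented bucket:", audit_bucket(GOOD_BUCKET, GOOD_POLICY))
    for finding in audit_bucket(DRIFTED_BUCKET, DRIFTED_POLICY):
        print("drifted bucket:", finding)
```

The lifecycle check deliberately rejects Delete rules that carry any condition other than `age`: a prefix- or class-scoped rule still looks like "7-day deletion" in the console but leaves the rest of the staged exports in place indefinitely.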
BigQuery Permissions
Archera requires access to your BigQuery billing export datasets (detailed usage cost, pricing, and optionally CUD exports) to analyze your spending and generate recommendations.
Project-Level Permission
Role | Purpose |
roles/bigquery.jobUser | Allows Archera to execute BigQuery queries against your billing data. Applied to the billing project only. |
Dataset-Level Permissions
Role | Purpose |
roles/bigquery.dataViewer | Grants read-only access to each billing export dataset you specify during onboarding (e.g., billing_export, billing_export_cud). |
These bindings are scoped to the specific datasets you configure. Archera does not have access to any other datasets in your project.
Security Summary
Archera’s integration is designed around the principle of least privilege:
• A custom IAM role is used at the organization level rather than broad predefined roles, ensuring only the specific permissions listed above are granted.
• BigQuery access is scoped to individual datasets containing billing exports, not your entire project.
• The Cloud Storage bucket is used only for temporary staging with a 7-day automatic deletion lifecycle rule.
• All write permissions are optional and only included when you enable Full Access mode for automated procurement.
• The deployment service account (used with Infrastructure Manager) is temporary and can be deleted after installation.
• Archera’s application service account is managed externally — no service accounts are created inside your organization.
Troubleshooting
Organization Policy Constraints
If your organization enforces IAM policy member restrictions, the deployment may fail with the error: One or more users named in the policy do not belong to a permitted customer.
To resolve this:
• If the iam.managed.allowedPolicyMembers policy is set, add serviceAccount:application@archera.iam.gserviceaccount.com to the allowedMemberSubjects list.
• If the iam.allowedPolicyMemberDomains policy is set, add Archera’s customer ID C02c8qgso to the allowedValues list.
For details, see Google’s documentation on restricting identities by domain.
Questions or Concerns
If you have questions about any of the permissions described in this article or need help with your deployment, contact your Archera representative or reach out to support@archera.ai.