Onboarding Archera on GCP

This is the installation guide for Archera's GCP integration via Infrastructure Manager.

Archera supports one integration per billing account. If you have multiple billing accounts, you'll need to create multiple integrations — if you have many, reach out to Archera for assistance.

The first step is to create an Archera account if you don't already have one. Visit app.archera.ai/signup, then select GCP as the cloud you'd like to onboard and proceed with this guide.

Prerequisites

Before you start, please make sure you have:

• Permissions on the target GCP organization sufficient to create projects, link billing accounts, edit organization policies, and run Infrastructure Manager deployments — typically Organization Owner.

• Access to GCP Cloud Shell (or a local environment with the gcloud CLI installed). Cloud Shell can be opened by clicking the terminal icon in the top-right of the GCP Console.

• The Archera deployment script URL (provided on your Archera onboarding page). The URL is only valid for 7 days after Archera generates it — if more time has passed, request a fresh one from your Archera contact.

During this installation, please make sure to write down the following values. You'll enter them into the Archera portal at the final step:

Installation Steps

1. Start the integration on Archera's website

Open the Archera installation form. Navigate to app.archera.ai → Integration Settings → Google Cloud (GCP) → Create New Installation. Keep this tab open — you'll fill in the form with the values you collect in the following steps.

2. Organization & Project IDs

Make sure you are in the correct organization and project (use an existing project or create a new one) by clicking on the organization selector in the top left. Write down the Organization ID and Project ID.

3. Billing

Navigate to the Billing dashboard by searching in the top bar or the navigation bar on the left.

4. Billing Account ID

Write down the Billing Account ID of the billing account that you will be installing Archera on. If you do not see this page, you can find it by clicking the Billing account dropdown in the top left and selecting Manage billing accounts. Once you've recorded the ID, click on the correct billing account.

5. Billing Export

Navigate to the Billing Export subsection of the Billing dashboard.

6. Detailed Usage Cost, Pricing, and CUD Exports

Enable Detailed usage cost, Pricing, and Committed Use Discounts exports. Three distinct billing exports are needed for the Archera integration:

• Detailed usage cost (Billing) Export

• Pricing Export

• CUD (Committed Use Discounts) Export

All three exports must reside in the same project. Although the exports reside in one project, they provide visibility into all projects and resources running under your billing account. When initially configured, these exports will reside in BigQuery. The Billing and Pricing exports can reside in the same BigQuery dataset, but the CUD export must reside in a separate dataset.

7. Dataset IDs

Copy the Detailed usage cost export dataset ID, the Pricing export dataset ID, and the CUD export dataset ID. For each of the three exports, click the dataset link (e.g. billing_export) under Dataset name in the export settings panel — this opens the dataset details page, where the full dataset ID is shown at the top under the Details tab. Copy the entire dataset ID, e.g. project-001.export_dataset — the dataset ID will contain a project ID prefix.

8. Enter your values and copy the deployment link

Return to the Archera installation form you opened in Step 1. Enter the seven values you collected in Steps 2–7: Organization ID, Project ID, Billing Account ID, Billing Export Project ID, and the three dataset IDs (Billing, Pricing, CUD). Press Continue.

Archera will generate a Terraform deployment link based on your inputs. Copy the link — you'll paste it into GCP Cloud Shell in the next step to deploy the integration.

9. Deploying via Infrastructure Manager

Archera's onboarding process uses the GCP Infrastructure Manager service to deploy the required resources:

• API enablements in your billing project — Cloud Billing API (cloudbilling.googleapis.com), Consumer Procurement API (cloudcommerceconsumerprocurement.googleapis.com), and Recommender API (recommender.googleapis.com) — to allow Archera to access billing data, view CUD recommendations, and manage Marketplace procurement orders.

• An organization-level custom IAM role archera_application for the Archera service account, covering Compute Engine and BigQuery commitments and reservations, CUD recommendations, organization structure (folders and projects), monitoring, and service usage — plus (in full mode) the ability to place and manage procurement orders.

• A second organization-level custom IAM role archera_bq_export bound at the dataset level on your BigQuery billing, pricing, and CUD export datasets only — providing read access plus the ability for Archera to manage authorized dataset access on its own derived views.

• A project-level roles/bigquery.jobUser binding on your billing project so Archera can run queries against your billing data.

• Billing-account-level predefined roles bound directly to the billing account — roles/consumerprocurement.orderViewer and roles/billing.viewer (plus orderAdmin and billing.admin in full mode) — since procurement orders and CUD recommendations are scoped to billing accounts and can't always be controlled via organization-level roles.

• A GCS storage bucket (archerastorage_<billing_account_id>, US region, STANDARD storage class, uniform bucket-level access, public access prevented, objects auto-deleted after 7 days) to stage billing data exports.

• Permissions on the storage bucket for use by Archera's Storage Transfer Service account to copy the billing, pricing, and CUD data for analysis.

The Infrastructure Manager service requires a temporary service account with appropriate permissions to create and apply the required resources. The service account and its permissions will be removed automatically following deployment.

Paste the deployment link you copied in the previous step into GCP Cloud Shell. The link will look something like this:

Paste it into GCP Cloud Shell. The script will download and execute the deployment, generating a temporary service account along the way. The script URL will only be available for seven days.

Advanced users may download the deployment script and Terraform source from the GCS gs:// URL for inspection. The Terraform deployment configuration can be run directly in the Infrastructure Manager console using the GCS URL (not including the deploy.sh portion) as the source.

Deployment errors

The following error may occur when deploying the infrastructure configuration:

One or more users named in the policy do not belong to a permitted customer

Please ensure that no existing organization-level constraints restrict IAM policy bindings for external service accounts such as Archera's. If this is the case, Archera's service account [email protected] or customer ID C02c8qgso should be added to the constraint's allow list.

This error may occur due to the standard iam.managed.allowedPolicyMembers or iam.allowedPolicyMemberDomains organization constraints, or any custom organization policy referencing the iam.googleapis.com/AllowPolicy resource. See Restricting identities by domain for details.

• If the iam.managed.allowedPolicyMembers policy is set, add serviceAccount:[email protected] to the allowedMemberSubjects parameter. Refer to the GCP documentation for configuring iam.managed.allowedPolicyMembers.

• If the iam.allowedPolicyMemberDomains policy is set, add Archera's customer ID C02c8qgso to the allowedValues parameter. Refer to the GCP documentation for configuring iam.allowedPolicyMemberDomains.

10. Archera — Subscription

Search for "Archera" and subscribe to Archera - Subscription. Be sure to select the correct billing account corresponding to this install.

11. Sign up with Provider

Select "Sign up with provider". You will be redirected and asked to sign into a service called clazar.io — this is Archera's trusted partner for marketplace transactions.

12. Complete Registration with Archera

Fill in the required information to complete your registration with Archera, or log into your existing Archera account.

Summary of values collected

Use this table as a quick reference when filling out Archera's installation form:

Troubleshooting

Pricing or CUD table not found on verification

If verification fails with an error like Table 'cloud_pricing_export' not found in pricing dataset, the export table simply hasn't been backfilled yet. GCP can take 24–48 hours after exports are enabled to start populating these tables. Wait and retry — no configuration change is required.

Infrastructure Manager deployment fails with "blueprint fetch failed"

An error such as blueprint fetch failed: invalid path: stat /workspace/apply/content: no such file or directory is a transient Infrastructure Manager issue. The deployment is idempotent — safely re-run the deploy script. It typically succeeds on the second attempt.

Deployment script URL has expired

The script URL provided by Archera is valid for 7 days. If more time has passed, the URL will return a not-found error. Contact your Archera representative to generate a fresh URL.

"Not Installed" on the Archera GCP integration page

Running the GCP deployment script alone does not register the installation with Archera. You must also complete Step 8 (submitting your values in the Archera installation form) using the values collected in earlier steps. If the GCP integration page still reads Not Installed after running the deployment, Step 8 has likely been missed.

Appendix — APIs enabled and resources deployed

For reference, the deployment script will enable the following GCP APIs in the integration project (if not already enabled):

The Terraform configuration applied by Infrastructure Manager creates: an organization-level IAM role for Archera's application service account, a role binding from that role to Archera's service account, a Cloud Storage bucket for exported billing data, and Storage Transfer Service permissions so that Archera can copy billing, pricing, and CUD data for analysis. The temporary deployment service account created during this process is granted Owner, Role Administrator, Organization Administrator, Organization Role Administrator, and Billing Administrator roles, and is deleted automatically when the deployment completes.