Onboarding Archera on GCP

This is the installation guide for Archera's GCP integration via Infrastructure Manager.

Archera supports one integration per billing account. If you have multiple billing accounts, you'll need to create multiple integrations — if you have many, reach out to Archera for assistance.

The first step is to create an Archera account if you don't already have one. Visit app.archera.ai/signup, then select GCP as the cloud you'd like to onboard and proceed with this guide.

This guide is also a worksheet. As you work through the steps, jot down the seven values listed below — Organization ID, Project ID, Billing Account ID, Billing Export Project ID, and the three dataset IDs (Billing, Pricing, CUD). You'll enter all of them into the Archera installation form in Step 8. The Summary of values collected table at the end of the guide shows an example of what each one looks like.

Prerequisites

Before you start, please make sure you have:

  • Permissions on the target GCP organization sufficient to create projects, link billing accounts, edit organization policies, and run Infrastructure Manager deployments — typically Organization Owner.

  • Access to GCP Cloud Shell (or a local environment with the gcloud CLI installed). Cloud Shell can be opened by clicking the terminal icon in the top-right of the GCP Console.

  • The Archera deployment script URL (provided on your Archera onboarding page). The URL is only valid for 7 days after Archera generates it — if more time has passed, request a fresh one from your Archera contact.

During this installation, please make sure to write down the following values. You'll enter them into the Archera portal at the final step:

Value
Description

Organization ID

Your GCP organization identifier

Project ID

Hosts required resources and default datasets

Billing Account ID

The account this integration is associated with

Billing Export Project ID

Project containing the billing, pricing, and CUD exports

Billing Export Dataset ID

BigQuery dataset with the Billing export table

Pricing Export Dataset ID

BigQuery dataset with the Pricing export (can match billing)

CUD Export Dataset ID

BigQuery dataset with the CUD export (must be different)

Installation Steps

1. Start the integration on Archera's website

Open the Archera installation form. Navigate to app.archera.aiIntegration SettingsGoogle Cloud (GCP)Create New Installation. Keep this tab open — you'll fill in the form with the values you collect in the following steps.

This step requires an Archera account. Please register at app.archera.ai. Sign up and reach out if you have any questions.

2. Organization & Project IDs

Best practice: Create a new dedicated project for the integration unless you already have pricing, billing, and CUD exports configured (see steps 4–5). We recommend creating a new project (e.g. archera-integration) to host the billing exports and Archera-deployed resources.

This project is not the scope of what Archera will see — Archera reports on every project under your billing account, regardless of which project hosts the exports. Keeping the integration in its own project just makes permissions, costs, and lifecycle easier to manage.

Make sure you are in the correct organization and project (use an existing project or create a new one) by clicking on the organization selector in the top left. Write down the Organization ID and Project ID.

GCP organization selector showing Organization ID and Project ID

3. Billing

Navigate to the Billing dashboard by searching in the top bar or the navigation bar on the left.

4. Billing Account ID

Write down the Billing Account ID of the billing account that you will be installing Archera on. If you do not see this page, you can find it by clicking the Billing account dropdown in the top left and selecting Manage billing accounts. Once you've recorded the ID, click on the correct billing account.

GCP Billing dashboard with the Billing account ID column highlighted

5. Billing Export

Navigate to the Billing Export subsection of the Billing dashboard.

6. Detailed Usage Cost, Pricing, and CUD Exports

Enable Detailed usage cost, Pricing, and Committed Use Discounts exports. Three distinct billing exports are needed for the Archera integration:

  • Detailed usage cost (Billing) Export

  • Pricing Export

  • CUD (Committed Use Discounts) Export

All three exports must reside in the same project. Although the exports reside in one project, they provide visibility into all projects and resources running under your billing account. When initially configured, these exports will reside in BigQuery. The Billing and Pricing exports can reside in the same BigQuery dataset, but the CUD export must reside in a separate dataset.

Detailed usage cost, Pricing, and Committed Use Discounts exports all enabled in the GCP Billing Export settings

7. Dataset IDs

Copy the Detailed usage cost export dataset ID, the Pricing export dataset ID, and the CUD export dataset ID. For each of the three exports, click the dataset link (e.g. billing_export) under Dataset name in the export settings panel — this opens the dataset details page, where the full dataset ID is shown at the top under the Details tab. Copy the entire dataset ID, e.g. project-001.export_dataset — the dataset ID will contain a project ID prefix.

Detailed usage cost panel with the dataset name link highlighted
BigQuery dataset details page showing the full Dataset ID at the top

Return to the Archera installation form you opened in Step 1. Enter the seven values you collected in Steps 2–7: Organization ID, Project ID, Billing Account ID, Billing Export Project ID, and the three dataset IDs (Billing, Pricing, CUD). Press Continue.

Archera will generate a Terraform deployment link based on your inputs. Copy the link — you'll paste it into GCP Cloud Shell in the next step to deploy the integration.

9. Deploying via Infrastructure Manager

Archera's onboarding process uses the GCP Infrastructure Manager service to deploy the required resources:

  • API enablements in your billing project — Cloud Billing API (cloudbilling.googleapis.com), Consumer Procurement API (cloudcommerceconsumerprocurement.googleapis.com), and Recommender API (recommender.googleapis.com) — to allow Archera to access billing data, view CUD recommendations, and manage Marketplace procurement orders.

  • An organization-level custom IAM role archera_application for the Archera service account, covering Compute Engine and BigQuery commitments and reservations, CUD recommendations, organization structure (folders and projects), monitoring, and service usage — plus (in full mode) the ability to place and manage procurement orders.

  • A second organization-level custom IAM role archera_bq_export bound at the dataset level on your BigQuery billing, pricing, and CUD export datasets only — providing read access plus the ability for Archera to manage authorized dataset access on its own derived views.

  • A project-level roles/bigquery.jobUser binding on your billing project so Archera can run queries against your billing data.

  • Billing-account-level predefined roles bound directly to the billing account — roles/consumerprocurement.orderViewer and roles/billing.viewer (plus orderAdmin and billing.admin in full mode) — since procurement orders and CUD recommendations are scoped to billing accounts and can't always be controlled via organization-level roles.

  • A GCS storage bucket (archerastorage_<billing_account_id>, US region, STANDARD storage class, uniform bucket-level access, public access prevented, objects auto-deleted after 7 days) to stage billing data exports.

  • Permissions on the storage bucket for use by Archera's Storage Transfer Service account to copy the billing, pricing, and CUD data for analysis.

Visibility-only mode (optional). By default, the deployment grants Archera full access — read permissions plus the ability to place, modify, and cancel commitment orders on your behalf. If you'd prefer read-only access (Archera surfaces recommendations but never executes purchases), you can run the Terraform in visibility-only mode: download the Terraform source from the GCS URL referenced below (see the Advanced users note at the bottom of this step), set visibility_only = true in locals.tf, then deploy via the Infrastructure Manager console.

The Infrastructure Manager service requires a temporary service account with appropriate permissions to create and apply the required resources. The service account and its permissions will be removed automatically following deployment.

Paste the deployment link you copied in the previous step into GCP Cloud Shell. The link will look something like this:

Paste it into GCP Cloud Shell. The script will download and execute the deployment, generating a temporary service account along the way. The script URL will only be available for seven days.

Advanced users may download the deployment script and Terraform source from the GCS gs:// URL for inspection. The Terraform deployment configuration can be run directly in the Infrastructure Manager console using the GCS URL (not including the deploy.sh portion) as the source.

Deployment errors

The following error may occur when deploying the infrastructure configuration:

One or more users named in the policy do not belong to a permitted customer

Please ensure that no existing organization-level constraints restrict IAM policy bindings for external service accounts such as Archera's. If this is the case, Archera's service account [email protected] or customer ID C02c8qgso should be added to the constraint's allow list.

This error may occur due to the standard iam.managed.allowedPolicyMembers or iam.allowedPolicyMemberDomains organization constraints, or any custom organization policy referencing the iam.googleapis.com/AllowPolicy resource. See Restricting identities by domain for details.

  • If the iam.managed.allowedPolicyMembers policy is set, add serviceAccount:[email protected] to the allowedMemberSubjects parameter. Refer to the GCP documentation for configuring iam.managed.allowedPolicyMembers.

  • If the iam.allowedPolicyMemberDomains policy is set, add Archera's customer ID C02c8qgso to the allowedValues parameter. Refer to the GCP documentation for configuring iam.allowedPolicyMemberDomains.

10. Archera — Subscription

Search for "Archera" and subscribe to Archera - Subscription. Be sure to select the correct billing account corresponding to this install.

Archera - Subscription product page in the GCP Marketplace with the Subscribe button highlighted

11. Sign up with Provider

Select "Sign up with provider". You will be redirected and asked to sign into a service called clazar.io — this is Archera's trusted partner for marketplace transactions.

GCP confirmation that your order request has been sent to Archera, with a Sign up with Provider button

12. Complete Registration with Archera

Fill in the required information to complete your registration with Archera, or log into your existing Archera account.

Clazar Complete your registration form with Company Name and Full Name fields

Summary of values collected

Use this table as a quick reference when filling out Archera's installation form:

Field
Example

Organization ID

302636258399

Project ID

archera-integration

Billing Account ID

01478A-B65ABA-BCFDED

Billing Export Project ID

archera-integration

Billing Export Dataset ID

archera-integration.billing_export

Pricing Export Dataset ID

archera-integration.billing_export

CUD Export Dataset ID

archera-integration.billing_export_cud

Troubleshooting

Pricing or CUD table not found on verification

If verification fails with an error like Table 'cloud_pricing_export' not found in pricing dataset, the export table simply hasn't been backfilled yet. GCP can take 24–48 hours after exports are enabled to start populating these tables. Wait and retry — no configuration change is required.

Infrastructure Manager deployment fails with "blueprint fetch failed"

An error such as blueprint fetch failed: invalid path: stat /workspace/apply/content: no such file or directory is a transient Infrastructure Manager issue. The deployment is idempotent — safely re-run the deploy script. It typically succeeds on the second attempt.

Deployment script URL has expired

The script URL provided by Archera is valid for 7 days. If more time has passed, the URL will return a not-found error. Contact your Archera representative to generate a fresh URL.

"Not Installed" on the Archera GCP integration page

Running the GCP deployment script alone does not register the installation with Archera. You must also complete Step 8 (submitting your values in the Archera installation form) using the values collected in earlier steps. If the GCP integration page still reads Not Installed after running the deployment, Step 8 has likely been missed.

Appendix — APIs enabled and resources deployed

For reference, the deployment script will enable the following GCP APIs in the integration project (if not already enabled):

bigquery.googleapis.com

bigquerydatatransfer.googleapis.com

billingbudgets.googleapis.com

cloudbilling.googleapis.com

cloudcommerceprocurement.googleapis.com

cloudresourcemanager.googleapis.com

config.googleapis.com

iam.googleapis.com

storage.googleapis.com

storagetransfer.googleapis.com

The Terraform configuration applied by Infrastructure Manager creates: an organization-level IAM role for Archera's application service account, a role binding from that role to Archera's service account, a Cloud Storage bucket for exported billing data, and Storage Transfer Service permissions so that Archera can copy billing, pricing, and CUD data for analysis. The temporary deployment service account created during this process is granted Owner, Role Administrator, Organization Administrator, Organization Role Administrator, and Billing Administrator roles, and is deleted automatically when the deployment completes.

Last updated

Was this helpful?