
feat(iam): add billing roles to assignable organization roles#248

Merged
kevwilliams merged 1 commit into
mainfrom
feat/billing-assignable-org-roles
Jun 5, 2026

Conversation

@kevwilliams
Contributor

Summary

  • Owner and Editor roles now include billing.miloapis.com-admin
  • Viewer role now includes billing.miloapis.com-viewer

Why

Creating a BillingAccount from the cloud portal fails with:

User "kwilliams@datum.net" cannot create resource "billingaccounts" in API group
"billing.miloapis.com" in the namespace "organization-personal-org-efb26a2b"

Organization members have no access to billing resources through their org-level role. The billing IAM roles (billing.miloapis.com-admin / -viewer) are already deployed and registered with Milo — infra/apps/billing-system/base/milo-control-plane.yaml applies billing/config/components/iam into milo-system — but were never wired into the assignable organization roles.

billing.miloapis.com-admin grants billingaccounts.{create,update,patch,delete} + the billingaccountbindings equivalents (and inherits -viewer); billing.miloapis.com-viewer grants {list,get,watch}.

Exactly mirrors the compute-roles wiring in #233.

⚠️ Decision for reviewers: should Editor get billing admin?

This follows #233's precedent (Owner and Editor get the resource admin role). But BillingAccounts tie to payment, so you may prefer Owner-only for -admin and give Editor -viewer. Easy to change — drop the editor entry. Flagging because billing is more sensitive than compute.

Rollout

Like #233, this config publishes as an OCI bundle consumed by datum-cloud/infra. If you want to validate in staging ahead of the bundle, a staging-only patch in infra can apply it first.

Verification after deploy

The original portal action (create BillingAccount as an org owner) should succeed; the authz denial should disappear.

Organization members had no access to billing resources through their
org-level role, so creating a BillingAccount from the portal failed with
"User cannot create resource billingaccounts in API group
billing.miloapis.com". The billing IAM roles are deployed and registered
with Milo (billing-milo-control-plane, targetNamespace milo-system) but
were never wired into the assignable organization roles.

- Owner and Editor now include billing.miloapis.com-admin
  (billingaccounts + billingaccountbindings create/update/patch/delete)
- Viewer now includes billing.miloapis.com-viewer (list/get/watch)

Mirrors the compute-roles wiring in #233.
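An added example (not code from this PR or from the Milo project): a small model of how the assignable organization roles expand into billing verbs once the billing IAM roles are wired in, including the -admin inherits -viewer relationship, so the proposed wiring and the Owner-only alternative raised for reviewers can be checked side by side. Role names and verb sets come from the PR description; the data layout and the `expand_role`, `billing_verbs` and `can` helpers are assumptions for illustration.

```python
# Constructed model of the role wiring described in the PR; not Milo's own format.
BILLING_VIEWER = "billing.miloapis.com-viewer"
BILLING_ADMIN = "billing.miloapis.com-admin"

# Verbs each billing IAM role grants directly on billingaccounts (per the PR).
BILLING_ROLE_VERBS = {
    BILLING_VIEWER: {"list", "get", "watch"},
    BILLING_ADMIN: {"create", "update", "patch", "delete"},
}
# -admin inherits -viewer.
BILLING_ROLE_INHERITS = {BILLING_ADMIN: [BILLING_VIEWER]}

# Wiring as proposed: Owner and Editor get admin, Viewer gets viewer.
PROPOSED_ORG_ROLES = {
    "owner": [BILLING_ADMIN],
    "editor": [BILLING_ADMIN],
    "viewer": [BILLING_VIEWER],
}

# Alternative flagged for reviewers: Owner-only admin, Editor gets viewer.
OWNER_ONLY_ORG_ROLES = {
    "owner": [BILLING_ADMIN],
    "editor": [BILLING_VIEWER],
    "viewer": [BILLING_VIEWER],
}


def expand_role(role, seen=None):
    """Return every verb a billing IAM role grants, following inheritance."""
    seen = set() if seen is None else seen
    if role in seen:  # guard against an inheritance cycle in the config
        return set()
    seen.add(role)
    verbs = set(BILLING_ROLE_VERBS.get(role, set()))
    for parent in BILLING_ROLE_INHERITS.get(role, []):
        verbs |= expand_role(parent, seen)
    return verbs


def billing_verbs(org_roles, org_role):
    """Effective billing verbs for an organization role under a given wiring."""
    verbs = set()
    for iam_role in org_roles.get(org_role, []):
        verbs |= expand_role(iam_role)
    return verbs


def can(org_roles, org_role, verb):
    """True if a member holding org_role may perform verb on billingaccounts."""
    return verb in billing_verbs(org_roles, org_role)
```

Under the proposed wiring an org owner can create billingaccounts (the portal case from the description), while under the Owner-only variant an editor keeps only the viewer verbs.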
@kevwilliams kevwilliams requested a review from a team as a code owner June 5, 2026 21:41
@kevwilliams kevwilliams requested a review from yahyafakhroji June 5, 2026 21:41
@kevwilliams kevwilliams merged commit c06156a into main Jun 5, 2026
11 checks passed
@kevwilliams kevwilliams deleted the feat/billing-assignable-org-roles branch June 5, 2026 22:22