Set up billing with pods in Verily Workbench

Associate your Workbench user profile with cloud billing and create a pod

Categories:

Purpose: This document describes how Verily Workbench admins can create pods for Workbench billing purposes.

Introduction

Verily Workbench enables users to take advantage of public cloud platforms for storage, compute, and other services. An important step in user setup is to enable Workbench to create resources and perform cloud operations that have cloud costs associated with them, with flexibility on who is billed. This document describes the steps to enable and manage the association between user profiles and how cloud services are paid for.

For more information about what Workbench operations lead to cloud charges and how to manage cloud costs, see Cloud cost management.

What is a pod?

Diagram showing how organizations, pods, users, and workspaces and data collections relate to one another.

Institutions can use pods to connect people and workspaces to cloud infrastructure and billing.

A pod organizes resources within an organization so that they share the same cloud platform and billing. With billing controls at a pod level, users within one organization can choose to use multiple billing accounts, and users across organizations can be allowed to collaborate in a given pod.

How pods work

Each pod is linked to a cloud account, which is used for billing. One pod can be used for many workspaces. Since pods are linked to cloud accounts, the pod specified upon workspace or data collection creation determines which cloud platform the workspace or data collection belongs to.

Pods are administered by organizations (“orgs”).

In order to create a pod a user must have the Organization Admin or Pod Manager role. For more information on organization level roles and permissions, see Organization roles and permissions.

When a Pod Manager creates a pod they are then able to administer it by automatically being granted the Pod Admin role on that pod. Pod Admins can grant permission to other users or groups to use the pod. Users can be granted permission to access as many pods as needed.

When a user creates a workspace or data collection, they pick the pod in which to allocate the workspace or data collection, chosen from the pods they have permission to access. (As with pods, workspaces can be shared with users from other organizations.)

Using Workbench without belonging to a pod

You don’t need to be a pod member to use some Workbench features. For example, you can:

Browse read-only any workspaces to which you have been granted Reader
Work read-write in any workspace to which you have been granted Owner or Writer

For more information about workspace permissions, see Access control and sharing.

Pod roles and permissions

The set of roles and permissions at the pod level is as follows in the table below. Note that Pod Manager is not on this list because it is an organization-level role.

Role	Description	Permissions
Pod Admin	An end user of Workbench who is an administrator of a given pod. When a user creates a pod they are automatically granted this role.	Create workspace Read pod metadata Update pod metadata Grant/Revoke Pod Admin role Grant/Revoke Pod User role Delete pod
Pod User	An end user of Workbench who can create workspaces and resources in a given pod.	Create workspace Read pod metadata
Workbench Support	A Workbench-wide role. Generally assumed by the Workbench Support and Operations teams.	Pod Admin privileges as well as permission to create pods.

How to create a pod

Step 1: Create a Cloud Billing account

Note

The information in this section is specific to Google Cloud.

If you don’t already have a Google Cloud Billing account set up that you want to use for this purpose, you'll need to create one, as described below.

You may first want to talk to your institutional IT department or administration to determine if your organization has an existing account or a preferred account setup method with Google.

If you want to use an existing Cloud Billing account, your Google Cloud account will need to have access to the Billing account that you use, as the setup process will check that you have access permissions.

Otherwise, if you want to set up billing for yourself, you can follow Google's instructions to create a new self-serve Cloud Billing account. Note that while you'll need to set up some billing method, you may also be eligible for $300 in free credits from Google. Information and instructions for usage can be found at Free cloud features and trial offer.

Step 2: Grant permission to Workbench to use the Billing account

Sign in to the billing accounts management page in the Google Cloud console at: https://console.cloud.google.com/billing. Check the box for the relevant account and click **SHOW INFO PANEL**.

Screenshot of billing accounts management page in Google Cloud console, highlighting 'Show info panel' button.

Billing accounts management page in the Cloud console.

Troubleshooting

If you see the message "You don't have permission to edit the permissions of the selected resource" when you select a billing account, you should contact the billing account owner so they can grant you the necessary permissions.

You should see an info panel. Click the **ADD PRINCIPAL** button.

Screenshot of billing accounts management page in Google Cloud console with info panel opened, highlighting 'Add principal' button.

Info panel for the selected account.

Then assign the role to **Billing Account User**.

Screenshot of billing accounts management page in Google Cloud console with 'Grant access' dialog opened, highlighting 'Billing account user' option.

Assign the Billing Account User role.

Add billing@workbench.verily.com to **New principals**. Click **SAVE**.

Screenshot of the Grant access dialog with Workbench added as a new principal and 'Save' button highlighted.

Grant permission to Workbench to use your billing account.

Step 3: Allow Workbench to confirm your access to the Billing account

It's also necessary to allow Workbench to confirm your account's access to a given Google Cloud Billing account. This allows Workbench to check that you have authority to use a billing account ID for a pod. You can do this via the Workbench web UI.

Link a GCP billing account before creating a pod — *Link a GCP billing account via your Profile page before creating a pod.*

Clicking on "Link Account" will bring up an OAuth dialog window. You'll need to check the "View and manage your Google Cloud Platform billing accounts" box.

Allow Workbench access in the oauth dialog — *Allow Workbench access in the OAuth dialog.*

To later unlink your account, you can click the Disconnect button.

Note

If you want to disconnect your linked account directly, visit https://myaccount.google.com/connections and select "Verily Workbench".

Step 4: (CLI-only) Install the Workbench CLI (command-line interface) and set its credentials

Note

You can skip this step if you will create a pod using the Workbench web UI.

You can use the Workbench command-line tool to create and manage pods. You can access the CLI in several ways. If you're already a member of an existing pod, or have Writer/Owner access to a Workbench workspace, you can create a Workbench workspace app, where the Workbench CLI is automatically installed, and run the commands there.

You can also install the CLI on your own workstation, or you may find it convenient to install the Workbench CLI in a Google Cloud Shell. For a first-time user, Google Cloud Shell may be a smoother experience, as you will not need to install the required dependencies.

To open a Cloud Shell, click the Activate Cloud Shell icon () at the top of the Google Cloud console. Then follow the instructions for Installing and running the Workbench CLI .

Step 4.1: Provide credentials to the Workbench CLI

Creating a Workbench pod for Google Cloud via the CLI requires being logged in with Google Application Default Credentials. This allows Workbench to check whether you have access to the billing account information that you will provide. Run the following command in order to create credentials that will be used by the Workbench CLI in the next step.

Note

If running on Cloud Shell, you will be presented with a warning that this command is not necessary and could expose your credentials to other users on the VM. You can safely proceed in spite of this warning. The Cloud Shell runs on a Compute Engine Virtual Machine that is not a shared instance. Per How Cloud Shell works: "Cloud Shell instances are provisioned on a per-user, per-session basis."

gcloud auth application-default login

Next, authorize the Workbench CLI using your application-default credentials:

wb auth login --mode=APP_DEFAULT_CREDENTIALS

Step 5: Create a pod

Reminder

Only Org Admins and Pod Managers can create pods.

You can create a pod via the Workbench web UI or via the CLI. If you are using the CLI, ensure that you've completed Step 3 above. In either case, you'll need to know the 18-character Google Billing account ID that you want to use. You can find this information at https://console.cloud.google.com/billing.

If you have been granted permission to create a pod, then click on the New Pod button in the Pods page of the Workbench UI. If you have not already done so, you'll be prompted to first link a GCP billing account, as described in Step 2.

After you've linked your account, create the new pod. You'll need to know the 18-character Google Billing account ID of the GCP account that you want to use.

After creation, you can view your new pod in the list, which shows both the pods that you have created, and those to which others have granted you access.

view list of pods — *The Pods UI lists the pods to which you've been granted access.*

Determine the Org ID for the pod:

wb org list

Create a pod:

wb pod create gcp \
  --id ID \
  --description DESCRIPTION \
  --billing-account-id YOUR-BILLING-ACCOUNT-ID \
  --org YOUR-ORG-ID

Where:

ID is an identifier that you choose. The pod ID must be globally unique.
- Tip: Choose an ID that will make sense to others you add to the pod. When you create workspaces, you can see the pods you’re a part of. It could be the name of your team, department, program, or something meaningful to you and others you work with.
DESCRIPTION is a description of the pod. It should be something meaningful to you.
YOUR-BILLING-ACCOUNT-ID is your 18-character Google Billing account ID.
YOUR-ORG-ID is the identifier for the organization under which you want to place the new pod.

You can now use the pod when creating new workspaces and data collections. See below for more details.

How to update a pod (for pod admins)

Grant or revoke users’ access to and permissions on a pod

A pod admin may grant use of the pod to other Workbench users, or revoke that access.

From the Pods listing, click the link for a pod. From that page, you can grant users access to the pod, or manage the role for a given user.

wb pod role grant --email=<email> --org=<id> --pod=<id> --role=<role>
wb pod role revoke --email=<email> --org=<id> --pod=<id> --role=<role>

The valid --role values are ADMIN or USER.

Note

The user you add must be already onboarded to Workbench and may be from another Workbench org — that is, they don't need to be members of the pod’s parent org.

Update a pod's billing information or description

You can update a pod's description, billing account ID, and pod ID (must be unique). You may not modify the organization with which the pod is associated.

Click on the Edit button at the top right of a pod's details page to edit it.

This will allow you to edit a pod's description or billing account ID as well as the Pod ID.

Use wb pod update gcp to update a pod's description, billing account, or pod ID.

Delete a pod that you administer

Note: You cannot delete a pod if it holds any workspaces; workspaces must be deleted first.

Click on the "three-dot" menu at the top right of a pod's details page. This directs you to Workbench Support for assistance.

(Note that it is possible to delete a pod directly via the CLI. See the "Using the CLI" tab.)

wb pod delete --org=<id> --pod=<id>

The deletion operation will fail if there are workspaces that using that pod. You'll need to delete the workspaces first.

Additional pod operations

See the wb pod reference documentation for a list of the available operations on pods, including:

List the pods that you are a member of, which you can use for new workspace creation (wb pod list)
Describe a pod (wb pod describe --org=<id> --pod=<id>)

Obtaining admin access to a pod

As noted above, only Workbench Org Admins or Pod Managers may initially create a pod. After the pod has been created, the Org Admin can grant any user the admin role, even if the user is not in the same org. Users with the admin role can then perform pod update actions, including renaming the pod ID, changing the pod’s billing account, and adding additional users.

If you know who your Org Admins are, you can contact them and request to be added as a pod admin.

If you don't know who your Org Admins are, please contact Workbench support for help.

Note

An Org Admin inherits the Pod Admin role on all pods of the org.

Using a pod when creating resources

When you create a new workspace or data collection, you can select which pod — and thus billing account — that you want to use for that resource.

Via the UI, select the pod from a dropdown in the workspace or data collection dialog:

Screenshot of Create a new workspace dialog, highlighting Pod selection dropdown.

Be aware

The selected pod cannot be changed once the workspace is created.

You can also specify the pod for a new workspace via the Workbench CLI:

wb workspace create \
...
  [--org=<id>] [--pod=<id>]

Troubleshooting

If you've not been granted use of any pod, or have not been granted permission to create a pod, and believe you should have been, please contact your Org Admin if you know who they are, or Workbench support for assistance.

Last Modified: 17 January 2025