Setting up pods and billing in Verily Workbench

Associating your Workbench user profile with cloud billing and creating a pod

Introduction

Verily Workbench enables users to take advantage of public cloud platforms for storage, compute, and other services. An important step in user setup is to enable Workbench to create resources and perform cloud operations that have cloud costs associated with them, with flexibility on who is billed. This document describes the steps to enable and manage the association between user profiles and how cloud services are paid for.

For more information about what Workbench operations lead to cloud charges and how to manage cloud costs, see Cloud cost management.

What is a pod?

Diagram showing how organizations, pods, users, and workspaces and data collections relate to one another.

Institutions can use pods to connect people and workspaces to cloud infrastructure and billing.

A pod organizes resources within an organization so that they share the same cloud platform and billing. With billing controls at a pod level, users within one organization can choose to use multiple billing accounts, and users across organizations can be allowed to collaborate in a given pod.

How pods work

Each pod is linked to a cloud account, which is used for billing. One pod can be used for many workspaces. Since pods are linked to cloud accounts, the pod specified upon workspace or data collection creation determines which cloud platform the workspace or data collection belongs to.

Pods are administered by organizations (“orgs”). An org may have a default pod associated with it, which means new workspaces and data collections created by org members will belong to that pod by default.

Only organization admins may create pods. Once a pod exists, an org admin can grant other users the pod admin role so that they can manage that pod. For more information about organization admins, see Organization roles and permissions.

Pod admins can grant permission to other users or groups in their org or in other orgs to use the pod. Users can be granted permission to access as many pods as needed.

When a user creates a workspace or data collection, they pick the pod in which to allocate the workspace or data collection, chosen from the pods they have permission to access. (As with pods, workspaces can be shared with users from other organizations.)

Using Workbench without belonging to a pod

You don’t need to be a pod member to use some Workbench features. For example, you can:

  • Browse, in read-only mode, any workspace to which you have been granted the Reader role
  • Work read-write in any workspace to which you have been granted the Owner or Writer role

For more information about workspace permissions, see Access control and sharing.

How to create a pod (for org admins)

Step 1: Confirm admin privileges for your Workbench organization

Before you proceed, ensure that you are an admin for your organization, as admin privileges are required to create pods.

See Request a new organization for more information on working with Workbench Support to set up an org. Once a pod has been created, org admins can grant other users pod admin access permissions, as discussed below.

Additionally, you (your GCP account) will need to have access to the billing account specified when creating a pod.

Step 2: Create a Cloud Billing account as necessary

Note: The information in this section is specific to Google Cloud.

If you don’t already have a Google Cloud Billing account set up that you want to use for this purpose, you’ll need to create one, as described below.

You may first want to talk to your institutional IT department or administration to determine if your organization has an existing account or a preferred account setup method with Google.

If you want to use an existing Cloud Billing account, your Google Cloud account will need to have access to the Billing account that you use, as the setup process will check that you have access permissions.

Otherwise, if you want to set up billing for yourself, you can follow Google’s instructions to create a new self-serve Cloud Billing account. Note that while you’ll need to set up some billing method, you may also be eligible for $300 in free credits from Google. Information and instructions for usage can be found at Free cloud features and trial offer.

Step 3: Grant permission to Workbench to use the Billing account

To grant permission to Workbench to use your Google Cloud Billing account, do the following:

Sign in to the billing accounts management page in the Google Cloud console at: https://console.cloud.google.com/billing. Check the box for the relevant account and click SHOW INFO PANEL.

Screenshot of billing accounts management page in Google Cloud console, highlighting 'Show info panel' button.
Billing accounts management page in the Cloud console.

You should see an info panel. Click the ADD PRINCIPAL button.

Screenshot of billing accounts management page in Google Cloud console with info panel opened, highlighting 'Add principal' button.
Info panel for the selected account.

Then set the role to Billing Account User.

Screenshot of billing accounts management page in Google Cloud console with 'Grant access' dialog opened, highlighting 'Billing account user' option.
Assign the Billing Account User role.

Add billing@workbench.verily.com to “New principals.” Click SAVE.

Screenshot of the Grant access dialog with Workbench added as a new principal and 'Save' button highlighted.
Grant permission to Workbench to use your billing account.
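
To confirm that the grant gives Workbench only the role this step calls for, the check below (an added example, not Verily's or Google's code) reads a billing account IAM policy in the JSON shape printed by `gcloud billing accounts get-iam-policy ACCOUNT_ID --format=json` and reports the roles held by billing@workbench.verily.com. The sample policy and the function name are constructed for illustration; the principal is matched by email under any member-type prefix, because this page does not say which type it is.

```python
import json

WORKBENCH_PRINCIPAL = "billing@workbench.verily.com"  # principal named on this page
EXPECTED_ROLE = "roles/billing.user"  # role ID behind "Billing Account User"

# Constructed sample policy (not real data); the member-type prefixes are
# assumptions made for the example.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/billing.admin",
     "members": ["user:owner@example.org"]},
    {"role": "roles/billing.user",
     "members": ["user:owner@example.org",
                 "serviceAccount:billing@workbench.verily.com"]}
  ],
  "etag": "constructed",
  "version": 1
}
""")


def audit_workbench_binding(policy, principal=WORKBENCH_PRINCIPAL):
    """Return (status, roles) for `principal` in a billing IAM policy.

    status is "ok" when the principal holds exactly EXPECTED_ROLE,
    "missing" when it lacks that role, and "excess" when it holds
    EXPECTED_ROLE plus anything else (for example roles/billing.admin).
    """
    held = set()
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            # Members look like "<type>:<email>"; compare only the email
            # part, case-insensitively, and ignore the type prefix.
            email = member.split(":", 1)[-1].lower()
            if email == principal.lower():
                held.add(binding["role"])
    if EXPECTED_ROLE not in held:
        return "missing", sorted(held)
    if held != {EXPECTED_ROLE}:
        return "excess", sorted(held)
    return "ok", sorted(held)


if __name__ == "__main__":
    status, roles = audit_workbench_binding(SAMPLE_POLICY)
    print(f"{WORKBENCH_PRINCIPAL}: {status} {roles}")
```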

Step 4: Install or access the Workbench CLI

You’ll need to use the Workbench command-line tool to create and manage pods. You can install the CLI on your own workstation, or you may find it convenient to install the Workbench CLI in a Google Cloud Shell.

To open a Cloud Shell, click the Activate Cloud Shell icon at the top of the Google Cloud console. Then follow the instructions for Installing and running the Workbench CLI.

Alternatively, if you’re already a member of an existing pod, you can create a Workbench workspace cloud environment, where the Workbench CLI is automatically installed, and run the commands there.

Step 5: Create a pod

Creating a GCP pod requires being logged in with Google Application Default Credentials. You’ll need to first run the following command before creating the pod:

wb auth login --mode=APP_DEFAULT_CREDENTIALS 

Then run:

wb pod create gcp \
  --id ID \
  --description DESCRIPTION \
  --billing-account-id YOUR-BILLING-ACCOUNT-ID \
  --org YOUR-ORG-ID \
  [--set-default]

Where:

  • ID is an identifier that you choose. The pod ID must be globally unique.
    • Tip: Choose an ID that will make sense to others you add to the pod. When you create workspaces, you can see the pods you’re a part of. It could be the name of your team, department, program, or something meaningful to you and others you work with.
  • DESCRIPTION is a description of the pod. It should be something meaningful to you.
  • YOUR-BILLING-ACCOUNT-ID is your 18-character Google Billing account ID.
  • YOUR-ORG-ID is the identifier for the organization under which you want to place the new pod.

You can optionally add the --set-default flag, which will set this pod as the default for the given organization.

You can now use the pod when creating new workspaces and data collections. See below for more details.

How to update a pod (for pod admins)

Grant or revoke users’ access to and permissions on a pod

A pod admin may grant use of the pod to other Workbench users, or revoke that access.

wb pod role grant --email=<email> --org=<id> --pod=<id> --role=<role>
wb pod role revoke --email=<email> --org=<id> --pod=<id> --role=<role>

The valid --role values are ADMIN or USER.

Note: The user you add must be already onboarded to Workbench and may be from another Workbench org — that is, they don’t need to be members of the pod’s parent org.
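
A periodic access review of a pod comes down to comparing who holds a role with who should, then issuing the two commands above. The following added example (not part of the Workbench documentation or CLI) builds that command list; the `plan_role_changes` helper, the rosters and the org and pod IDs are constructed, roles are treated as independent grants, and how you obtain the current roster is not covered on this page.

```python
import shlex

VALID_ROLES = {"ADMIN", "USER"}  # the two --role values this page lists

# Constructed rosters (not real users): email -> set of pod roles.
CURRENT = {"alice@example.org": {"ADMIN"}, "bob@partner.example": {"USER"}}
DESIRED = {"alice@example.org": {"ADMIN"}, "carol@example.org": {"USER"}}


def plan_role_changes(org, pod, current, desired):
    """Return the wb commands that move `current` grants to `desired`.

    Revocations come first, so access that should no longer exist is
    removed before anything new is granted. Assumption: ADMIN and USER
    are independent grants, each given and removed on its own.
    """
    for email, roles in desired.items():
        bad = set(roles) - VALID_ROLES
        if bad:
            raise ValueError(f"invalid role(s) for {email}: {sorted(bad)}")

    def cmd(action, email, role):
        args = ["wb", "pod", "role", action, f"--email={email}",
                f"--org={org}", f"--pod={pod}", f"--role={role}"]
        # Quote each argument so an unusual address cannot alter the command.
        return " ".join(shlex.quote(a) for a in args)

    revokes, grants = [], []
    for email in sorted(set(current) | set(desired)):
        have = set(current.get(email, ()))
        want = set(desired.get(email, ()))
        revokes += [cmd("revoke", email, r) for r in sorted(have - want)]
        grants += [cmd("grant", email, r) for r in sorted(want - have)]
    return revokes + grants


if __name__ == "__main__":
    # "my-org" and "my-pod" are placeholder IDs.
    for line in plan_role_changes("my-org", "my-pod", CURRENT, DESIRED):
        print(line)
```

Review the printed commands before running them; grants to addresses outside your own org deserve a second look, since their usage is billed to the pod's account.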

Additional pod operations

See the wb pod reference documentation for a list of the available operations on pods including:

  • List the pods that you are a member of, which you can use for new workspace creation (wb pod list)
  • Describe a pod (wb pod describe --org=<id> --pod=<id>)
  • Requires pod admin access: Update the Google Billing Account ID associated with a pod that you administer, or change its name or description (wb pod gcp update)
  • Requires pod admin access: Delete a pod that you administer (wb pod delete --org=<id> --pod=<id>)
    • Note: You cannot delete a pod if it holds any workspaces; workspaces must be deleted first.

Note: By default, an org admin isn’t given admin access to an org’s pods. However, an org admin can grant themselves admin permission to the org’s pods so that they may take ownership of a pod if need be.

Obtaining admin access to a pod

As noted above, only Workbench org admins may initially create a pod. After it’s created, the org admin can grant pod users the admin role. They can then perform pod update actions including renaming the pod ID, changing the pod’s billing account, and adding additional users.

If you know who your org admins are, you can contact them and request to be added as a pod admin.

If you don’t know who your org admins are, please contact Verily Workbench support for help.

Using a pod when creating resources

When you create a new workspace or data collection, you can select which pod, and thus which billing account, to use for that resource.

Via the UI, select the pod from a dropdown in the workspace or data collection dialog:

Screenshot of Create a new workspace dialog, highlighting Pod selection dropdown.

You can also specify the pod for a new workspace via the Workbench CLI:

wb workspace create \
...
  [--org=<id>] [--pod=<id>]

If you don’t specify a pod, the default pod for your organization will be used.

Last Modified: 12 May 2024