Project: GCP Billing Auto-Disable
What does it do?
- Triggers when a GCP Budget Alert fires
- Routes the event through Pub/Sub → Eventarc → Cloud Run Function
- Calls the Billing API to disable billing on the target project
- Each service runs under a dedicated service account with minimal IAM permissions
Backstory
Built during my internship at Capgemini to protect personal and client GCP projects from unexpected cost spikes. Cloud billing alerts are useful for visibility, but they don't stop charges — this pipeline closes that gap.
The flow: a budget threshold triggers a GCP Budget Alert, which publishes a message to a Pub/Sub topic. Eventarc picks up that message and triggers a Cloud Run Function, which calls the Billing API to disable billing on the project.
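The decision step inside the function, as an added example (not the project's own code). Budget notifications are published to the topic repeatedly, including while spend is still under budget, so the handler compares `costAmount` with `budgetAmount` before acting. The project name, the billing account ID, and the two injected callables (stand-ins for Cloud Billing API `projects.getBillingInfo` / `projects.updateBillingInfo` calls) are assumptions.

```python
import base64
import json

# Assumed placeholder values for this sketch; replace with your own.
TARGET_PROJECT = "projects/example-project"
EXPECTED_BILLING_ACCOUNT = "000000-AAAAAA-000000"

def decode_budget_message(event_data):
    """Return (payload, attributes) from the Pub/Sub message Eventarc delivers."""
    message = event_data["message"]
    payload = json.loads(base64.b64decode(message["data"]))
    return payload, message.get("attributes", {})

def handle_budget_event(event_data, get_billing_enabled, set_billing_account):
    """Decide what to do with one notification.

    The two callables are hypothetical wrappers around the Cloud Billing API,
    injected so the logic can be exercised without credentials.
    """
    try:
        payload, attrs = decode_budget_message(event_data)
        cost = float(payload["costAmount"])
        budget = float(payload["budgetAmount"])
    except (KeyError, TypeError, ValueError):
        return "ignored: malformed notification"
    # Reject messages that do not come from the budget we expect.
    if attrs.get("billingAccountId") != EXPECTED_BILLING_ACCOUNT:
        return "ignored: unexpected billing account"
    if cost <= budget:
        return "no action: within budget"
    # Notifications repeat, so keep the action idempotent.
    if not get_billing_enabled(TARGET_PROJECT):
        return "no action: billing already disabled"
    # An empty billingAccountName detaches the project from its billing account.
    set_billing_account(TARGET_PROJECT, "")
    return "billing disabled"

def make_event(cost, budget, account=EXPECTED_BILLING_ACCOUNT):
    """Build a constructed sample event in the shape delivered for Pub/Sub."""
    body = {"budgetDisplayName": "demo", "costAmount": cost,
            "budgetAmount": budget, "currencyCode": "USD"}
    data = base64.b64encode(json.dumps(body).encode()).decode()
    return {"message": {"data": data, "attributes": {"billingAccountId": account}}}

if __name__ == "__main__":
    for cost in (40.0, 120.0):
        print(cost, handle_budget_event(make_event(cost, 100.0),
                                        lambda project: True,
                                        lambda project, account: None))
```

Because any principal allowed to publish to the topic can drive this function, the billing account check complements, and does not replace, restricting publish rights on the topic.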
The main challenge was IAM — each service in the chain needs its own service account with the right permissions and no more. Getting that configuration right across Pub/Sub, Eventarc, Cloud Run, and the Billing API was the bulk of the work, and the experience gave me a solid grounding in how GCP's permission model works across interconnected services.
Technical details
Architecture
- GCP Budget Alerts (trigger)
- Pub/Sub (event propagation)
- Eventarc (event-driven trigger)
- Cloud Run Function (execution)
- Billing API (action)
- IAM Service Accounts (per-service, least privilege)