more explanations about the billing.user role restriction and alternatives

Author: Mathieu Benoit

content/config-controller/create-config-controller.md

@@ -127,11 +127,8 @@ gcloud organizations add-iam-policy-binding ${ORG_OR_FOLDER_ID} \
 {{% /tab %}}
 {{< /tabs >}}
 
-Set the `billing.user`, `serviceusage.serviceUsageAdmin` and `iam.serviceAccountAdmin` roles:
+Set the `serviceusage.serviceUsageAdmin` and `iam.serviceAccountAdmin` roles:
 ```Bash
-gcloud beta billing accounts add-iam-policy-binding ${BILLING_ACCOUNT_ID} \
-    --member="serviceAccount:${CONFIG_CONTROLLER_SA}" \
-    --role='roles/billing.user'
 gcloud projects add-iam-policy-binding ${CONFIG_CONTROLLER_PROJECT_ID} \
     --member="serviceAccount:${CONFIG_CONTROLLER_SA}" \
     --role='roles/serviceusage.serviceUsageAdmin'
@@ -140,6 +137,16 @@ gcloud projects add-iam-policy-binding ${CONFIG_CONTROLLER_PROJECT_ID} \
     --role='roles/iam.serviceAccountAdmin'
 ```
 
+Finally, you need to assign the `billing.user` role too. Later in this workshop, it will be needed to attach a `Project` to a Billing Account. If you don't have the proper role you may have an error by running the command below. In this case you need to ask your Billing Account or Organization admins in order to run this command for you.
+```Bash
+gcloud beta billing accounts add-iam-policy-binding ${BILLING_ACCOUNT_ID} \
+    --member="serviceAccount:${CONFIG_CONTROLLER_SA}" \
+    --role='roles/billing.user'
+```
+{{% notice note %}}
+In some specific scenario, you may not be able to accomplish this step. You could skip it for now, another way to assign the Billing Account to a `Project` will be provided later in this workshop, when you will need it.
+{{% /notice %}}
+
 ## Check deployments
 
 List the GCP resources created:

content/gke-project/create-gke-project.md

@@ -188,4 +188,36 @@ getting 1 RepoSync and RootSync from krmapihost-configcontroller
 │ resourcemanager.cnrm.cloud.google.com │ Project                │ acm-workshop-463-gke            │ config-control       │
 │ serviceusage.cnrm.cloud.google.com    │ Service                │ cloudbilling.googleapis.com     │ config-control       │
 └───────────────────────────────────────┴────────────────────────┴─────────────────────────────────┴──────────────────────┘
-```
+```
+
+Here, if you skipped the assignment of the `billing.user` role earlier while you were setting up your Config Controller instance, you will have an error with the creation of the `Project`. A simple way to make sure you don't have any error is to run this command below:
+```Bash
+kubectl get gcpproject -n config-control
+```
+
+If the output is similar to this below, you are good:
+```Plaintext
+NAMESPACE        NAME                     AGE     READY   STATUS     STATUS AGE
+config-control   acm-workshop-463-gke     24m     True    UpToDate   21m
+```
+
+But if you have this output below, that's where you will need to take actions:
+```Plaintext
+NAMESPACE        NAME                     AGE     READY   STATUS        STATUS AGE
+config-control   acm-workshop-463-gke     24m     True    UpdateFailed  21m
+```
+
+With a closer look at the error by running this command `kubectl descibe gcpproject -n config-control`, you will see that the error is similar too:
+```Plaintext
+Update call failed: error applying desired state: summary: Error setting billing account "XXX" for project "projects/acm-workshop-463-gke": googleapi: Error 403: The caller does not have permission, forbidden
+```
+
+You can resolve this issue by running by yourself this command below:
+```Bash
+gcloud beta billing projects link $GKE_PROJECT_ID \
+    --billing-account $BILLING_ACCOUNT_ID
+```
+
+As Config Connector is still reconciling the resources, if you successfully ran this command, the error will disappear. You can run again the command `kubectl get gcpproject -n config-control` to make sure about that.
+
+If you can't run the command above, the alternative is having someone in your organization (Billing Account or Organization admins) running it for you.