In this video at 10:54, a Google representative says:
And here, we want to call out this tip -- really important tip -- by default, [we] leave the Billing Account Creator Roles ON in your organization for everyone who's in it. We want to strongly encourage you to remove that. To turn that off.
And in this video at 3:20, a Google rep says:
We recommend sticking to a single billing account per organization, and making sure only admins can create new billing accounts. You can do that by removing the Billing Account Creator Role from your organization.
How do you actually do that?
I tried activating an Organizational Policy Constraint, but there's no mention of billing account restrictions.
I tried disabling/deleting the role from IAM Roles, but Predefined Roles cannot be deleted.
Lastly I looked at the documentation for Billing Access and the IAM Permissions Reference, and it looks like the only way someone has creation permissions is through the "Billing Account Creator" Role (and perhaps "Owner"?) Is it enough to just NOT grant that role to anyone, or is there a way to positively blacklist this permission?
Your Organization Resource is established with two default roles turned on:
These two roles allow customers to open GCP services to all of their users immediately. Control of project creation and maintaining centralized billing can be accomplished by removing the default organization level IAM entries.
Removing default roles from the Organization node
This is a visual representation of the process
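An added example, not part of the original answer: a small audit of an organization IAM policy that finds the default organization-level entries described above and prints the `gcloud organizations remove-iam-policy-binding` commands that would remove them. The organization ID, the `example.com` domain, the admin group and the sample policy are constructed; that the defaults are bound to a `domain:` member under `roles/billing.creator` and `roles/resourcemanager.projectCreator` is an assumption to confirm against your own policy output.

```python
import json
import shlex

# Assumed role IDs for "Billing Account Creator" and "Project Creator",
# the two roles this audit treats as the organization-level defaults.
DEFAULT_ROLES = {"roles/billing.creator", "roles/resourcemanager.projectCreator"}

# Constructed sample, shaped like the output of
# `gcloud organizations get-iam-policy ORG_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/billing.creator",
     "members": ["domain:example.com", "group:billing-admins@example.com"]},
    {"role": "roles/resourcemanager.projectCreator",
     "members": ["domain:example.com"]},
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["user:admin@example.com"]}
  ]
}
""")

def broad_grants(policy, keep=frozenset()):
    """Return sorted (role, member) pairs for the default roles,
    skipping members listed in `keep` (the admins who should retain them)."""
    found = []
    for binding in policy.get("bindings", []):
        if binding.get("role") in DEFAULT_ROLES:
            for member in binding.get("members", []):
                if member not in keep:
                    found.append((binding["role"], member))
    return sorted(found)

def removal_commands(org_id, grants):
    """Build one remove-iam-policy-binding command per (role, member) pair."""
    return [
        "gcloud organizations remove-iam-policy-binding {} --member={} --role={}".format(
            shlex.quote(org_id), shlex.quote(member), shlex.quote(role))
        for role, member in grants
    ]

if __name__ == "__main__":
    # Constructed organization ID and admin group.
    grants = broad_grants(SAMPLE_POLICY, keep={"group:billing-admins@example.com"})
    for cmd in removal_commands("123456789012", grants):
        print(cmd)
```

Running the same audit again after the removals, on a fresh `get-iam-policy` export, should return an empty list for everyone outside the `keep` set.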