AWS root account has access to the billing information by default and the root user can allow IAM users to access the billing information. In this post I will go through the steps on how to allow IAM users to be able to access billing information.
Below are the steps on the workflow to enable access,
When an IAM user tries to access the Billing Dashboard, this below error is displayed.
Table of Contents
Activate access to billing data
- Sign in to the AWS Management Console using root account credentials
- On the top right of the window, choose account name, and then click Account
- In the IAM User and Role Access to Billing Information section, click Edit
- Select the Activate IAM Access check box to activate access to the Billing and Cost Management console pages
- Click Update
With these above steps, we have activated IAM user access.
Create IAM policies to grant permissions to billing data
- Open IAM console (https://console.aws.amazon.com/iam/)
- In the left navigation menu, choose Policies and click Create Policy
- In the Visual editor tab, click Choose a service to get started, Select Billing
- In this step, I’ll show steps to create two different policies,
- Full Access Policy
- In Actions, Under Specify the actions allowed in Billing select the check box next to All Billing actions (aws-portal:*)
- No need to select a resource or condition for this policy
- Click Next:Tags to add necessary tags, click Review policy
- On the Review page, provide name as BillingFullAccess, and then click Create policy
- Full Access Policy
- Read-only access Policy
- In Actions, Under Specify the actions allowed in Billing select the check box next to Read
- No need to select a resource or condition for this policy
- Click Next:Tags to add necessary tags, click Review policy
- On the Review page, provide name as BillingViewAccess, and then click Create policy
Create groups and attach billing policies
It is possible to attach policies directly to users or roles but it is best practice to attach polices to groups. I will create two groups and attach the policies created in the previous step.
- Open IAM console (https://console.aws.amazon.com/iam/)
- In the left navigation menu, choose User groups and click Create group
- In this step, I’ll create the two groups and attach the policy,
- BillingFullAccessGroup
- In the User group name, provide name as BillingFullAccessGroup
- Under Attach permissions policies, select BillingFullAccess policy which we created in earlier step
- Click Create group
- BillingViewAccessGroup
- In the User group name, provide name as BillingViewAccessGroup
- Under Attach permissions policies, select BillingViewAccess policy which we created in earlier step
- Click Create group
- BillingFullAccessGroup
- If you already have IAM users created, you can add them while creating the groups as you can see in the user group creation window. I didn’t have any users yet and I chose not to add any but that’s fairly easy step.
Test access
It is recommended to test the billing access with some test users to make sure the access works as intended.
IAM users can login to the AWS console, On the top right of the window, choose account name, and then click My Billing Dashboard to view the billing information.
Hope this post helped you set up billing access for your users.
Thank you for stopping by.✌