Think Then Code by Dominic Umbeer

Giving IAM user access to the Billing Console on AWS

2021-05-19 - AWS

By default, only the root user can access the billing and cost data of an AWS account. That is not sufficient for two reasons:

  1. You should not use the root user for everyday tasks; instead, create IAM users with restricted permissions based on operational needs.
  2. In bigger organizations, you need someone other than the account owner to access billing and cost data, e.g., for monitoring the costs.

Enabling the Billing Console for an IAM user is a simple task, but how to do it was not apparent. It takes three steps.

👆 Prerequisite: You have an AWS account and access to the root user.

1. Activate IAM access to the Billing and Cost Management pages

As the root user, you need to explicitly activate IAM access to the Billing console. You can find the step-by-step guide in the AWS docs.

Activating IAM access in the AWS Management Console

I failed to configure billing permissions initially because of this missing step. I executed only steps 2 and 3 and expected it to work, but I was still getting a permission error. Whenever I tried to access the Billing Console with the IAM user, I got the following error.

Permission denied

2. Create an IAM user who will have access to the Billing Console

Skip this step if you already have an existing IAM user. If not, you can find a step-by-step guide in the AWS docs.

3. Assign permissions for the IAM user

AWS offers two predefined policies to grant access to the Billing and Cost Management pages.

List of existing AWS policies to grant billing access

You can find a step-by-step guide on adding a policy to an IAM user in the AWS docs. Adding the Billing policy gives full access to the Billing and Cost data.
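Steps 2 and 3 can also be scripted with the AWS CLI. The following is an added example, not part of the original post: it assumes the AWS CLI is configured with IAM administration credentials (not the root user), that step 1 has already been done in the console, and that the user name passed in is your own choice. It attaches the AWS managed `Billing` job-function policy by default and then confirms the attachment.

```shell
#!/bin/sh
# Added example: steps 2 and 3 of the post, done with the AWS CLI.
# Step 1 (activating IAM access to billing) is still done in the console as root.

# AWS managed "Billing" job-function policy (full billing access, as the post notes).
BILLING_POLICY_ARN="arn:aws:iam::aws:policy/job-function/Billing"

# grant_billing_access USER [POLICY_ARN]
# Prints the attached policy name on success; returns non-zero on any failure.
grant_billing_access() {
    gba_user="$1"
    gba_arn="${2:-$BILLING_POLICY_ARN}"

    if [ -z "$gba_user" ]; then
        echo "usage: grant_billing_access USER [POLICY_ARN]" >&2
        return 2
    fi

    # Accept only AWS managed policy ARNs, so a mistyped argument cannot
    # attach a customer-managed policy with wider permissions.
    case "$gba_arn" in
        arn:aws:iam::aws:policy/*) ;;
        *) echo "refusing non-AWS-managed policy: $gba_arn" >&2; return 2 ;;
    esac

    # Step 2: create the user only if it does not exist yet.
    # Console sign-in credentials for the user are set up separately.
    if ! aws iam get-user --user-name "$gba_user" >/dev/null 2>&1; then
        aws iam create-user --user-name "$gba_user" >/dev/null || return 1
    fi

    # Step 3: attach the policy (attaching an already attached policy is harmless).
    aws iam attach-user-policy --user-name "$gba_user" \
        --policy-arn "$gba_arn" || return 1

    # Verify: read the attachment back instead of trusting the exit code alone.
    gba_attached=$(aws iam list-attached-user-policies --user-name "$gba_user" \
        --query "AttachedPolicies[?PolicyArn=='$gba_arn'].PolicyName" \
        --output text) || return 1
    [ -n "$gba_attached" ] || { echo "policy not attached" >&2; return 1; }
    echo "$gba_attached"
}

# Run only when called with arguments, e.g.: sh grant-billing.sh finance-viewer
if [ "$#" -gt 0 ]; then
    grant_billing_access "$@"
fi
```

If the IAM user still sees the permission error after this succeeds, step 1 has not been activated for the account.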
