How to Provide Billing Access to an IAM User


Have you ever tried to check your AWS account spend as an IAM admin user, only to be greeted with a cryptic access denied message instead?

Well, I am sure you have 🙂

But what if I tell you that this is intentional, and that by default no IAM user is allowed to access the Billing and Cost Management dashboard?

You will tell me: hey, checking AWS spend is one of the critical things while designing and developing a cost-effective solution.

I absolutely agree with you.

Although this feature is disabled by default, as a root user you can enable it.

Don't worry, I will show you how you can provide billing access to an IAM user as a root user or account administrator.

A bit of background

When I created my AWS free tier account, as a best practice, I created an IAM user with administrator access and stopped using my root account right away.

Thereafter, I used my IAM user for all my learning and development. Everything was going great. Then one day, I wanted to check if I had spent anything due to my experiments in my AWS account.

I opened the billing console, and to my surprise I was greeted with a beautiful error message like the one below:

You don’t have permission to access billing information for this account. Contact your AWS administrator if you need help. If you are an AWS administrator, you can provide permissions for your users or groups by making sure that (1) this account allows IAM and federated users to access billing information and (2) you have the required IAM permissions.

Being the admin user, I was like, how could this happen to me?

Let’s discuss that in the next section…

Why Was Billing Access Denied?

Well, after I dug a bit deeper I found that, by default, only the root account has access to the billing dashboard. Not even admin users or anyone with an explicit billing policy can access the billing console unless the root user enables it.

Therefore, you can ask your account administrator to enable billing access.

Or

If you are the account owner as well, don't worry. In the upcoming section I will explain how you can log in as root and enable this setting.

To be precise, there are two steps before you can view the billing dashboard:

  • Activate IAM Access
  • Billing Access Policy

Let's go through each of the steps.

    1. Activate IAM Access

    Activate IAM Access is an account-level setting which is disabled by default. Once you enable it, all admin users and any IAM user/role with the correct billing policy can see the billing dashboard.

    Log in to the AWS Management Console using your root account credentials (email ID and password).

    Once logged in, click on your account name and then choose My Account:

    Account Name –> My Account


    Scroll down to the IAM User and Role Access to Billing Information section.

    By default, IAM access is deactivated. While this setting is deactivated, your IAM users or roles can't access the Billing and Cost Management dashboard even though they have administrator access or the required IAM policies.

    Well then, let's enable it so that our authorized users can view billing information.

    Click Edit and enable Billing Access

    Click Edit, enable the Activate IAM Access checkbox and click Update.

    2. Billing Access Policy

    If you are an admin IAM user, you already have a policy that allows full access, and hence billing access. Therefore, after performing step 1, you are good to go.

    Just reload the billing dashboard and you should now be able to see it.

    For non-admin users, you can create a policy and apply it to your user. You can apply as granular a policy as you like, or full billing access as well.

    Suggested Read: Creating IAM Policies

    For the purpose of understanding, I will just show you the full billing access policy.

    AWS Billing full access policy

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Stmt1632311462161",
          "Action": "aws-portal:*",
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }

    Once both steps are completed, your IAM user can view the billing dashboard.
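The full access policy above uses `aws-portal:*`, which matches the Modify actions as well as the View ones. As an added example (not part of the original post), this Python script expands a policy's Action patterns against the `aws-portal` action names and lists the write actions it grants; `VIEW_ONLY` is a constructed granular policy, the helper names are hypothetical, and Resource, Condition and NotAction are not evaluated.

```python
import re

# Billing-console actions in the aws-portal namespace used by the policy above.
PORTAL_ACTIONS = [
    "aws-portal:ViewBilling", "aws-portal:ViewUsage", "aws-portal:ViewAccount",
    "aws-portal:ViewPaymentMethods", "aws-portal:ModifyBilling",
    "aws-portal:ModifyAccount", "aws-portal:ModifyPaymentMethods",
]

def _as_list(value):
    # IAM accepts a single string/object wherever a list is allowed.
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # Action patterns are case-insensitive; '*' matches any run, '?' one character.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def granted_portal_actions(policy):
    """aws-portal actions one identity policy allows (Resource/Condition/NotAction ignored)."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy["Statement"]):
        bucket = allowed if stmt["Effect"] == "Allow" else denied
        for pattern in _as_list(stmt.get("Action", [])):
            bucket.update(a for a in PORTAL_ACTIONS if _matches(pattern, a))
    return allowed - denied  # an explicit Deny overrides any Allow

def write_actions(policy):
    """Granted actions that can change billing, account or payment settings."""
    return sorted(a for a in granted_portal_actions(policy) if ":Modify" in a)

# The full billing access policy from the post.
FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Stmt1632311462161", "Action": "aws-portal:*",
     "Effect": "Allow", "Resource": "*"}]}

# Constructed for this example: a granular, view-only alternative.
VIEW_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ViewBillingOnly", "Effect": "Allow", "Resource": "*",
     "Action": ["aws-portal:ViewBilling", "aws-portal:ViewUsage"]}]}

if __name__ == "__main__":
    for name, policy in (("full access", FULL_ACCESS), ("view only", VIEW_ONLY)):
        print(name, "->", write_actions(policy) or "no write actions")
```

Running the same check on a user's attached policies before enabling Activate IAM Access shows who would gain the ability to change billing or payment settings, not just view them.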

    Conclusion:

    In this post we learnt how to provide billing access to an IAM user. We learnt that by default only the root user has billing dashboard access. No other user (even with correct billing access) can view the billing dashboard.

    By default, IAM access to billing is disabled, but a root user can enable it. This post explained all the steps the root user needs to perform to enable billing access.

    Feel free to drop a comment in case you face any issue or just to share the feedback.
