IAM tutorial: Grant access to the billing console - AWS Identity and Access Management

IAM tutorial: Grant access to the billing console

The AWS account owner (AWS account root user) can grant IAM users and roles access to the AWS Billing and Cost Management data for their AWS account. The instructions in this tutorial help you set up a pretested scenario. This scenario helps you gain hands-on experience configuring billing permissions without concern for affecting your main AWS production account.

Prerequisites

Make the following preparations before performing the steps in this tutorial:

  • Create a test AWS account.

  • Sign in to your test AWS account as the root user.

  • Record the AWS account number of your test account so that you can use it in the tutorial. In this tutorial we use the example account number 111122223333. Whenever a step uses that account number, replace it with your test account number.

Step 1: Activate IAM access to billing information on your test AWS account

In this scenario, you sign in to your test AWS account as the root user to grant IAM access to billing information. When you grant IAM access to billing information, it allows IAM users and roles to access the AWS Billing and Cost Management console. This setting doesn't by itself grant IAM users and roles the necessary permissions for these console pages; it only enables access for IAM users or roles that already have the required IAM policies. If policies are already attached to IAM users or roles but this setting isn't enabled, the permissions granted by those policies aren't in effect.

Note

AWS accounts created using AWS Organizations have IAM access to billing information enabled by default.

Step 2: Create test users and groups

In this scenario, you grant IAM users access to the billing console and you create two users:

  • Pat Candella

    Pat is a member of the finance department and works with billing and payments. Pat requires full access to the billing information in your AWS account.

  • Terry Whitlock

    Terry is part of your IT support department. Most of the time Terry doesn't require access to the billing console, but sometimes needs access to answer questions for employees in the finance department.

Step 3: Create a role to grant access to the AWS Billing console

An IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it's an AWS identity with permission policies that determine what the identity can and can't do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role doesn't have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. You can use roles to delegate access to users, applications, or services that don't normally have access to your AWS resources. In this scenario you create a role that Terry Whitlock can assume to access the billing console.

Step 4: Test access to the console

After you've completed the core tasks, you're ready to test the policy. Testing ensures that the policy works the way you want it to. By testing the access of each user you can compare the user experiences.

Step 1: Activate IAM access to billing information on your test AWS account

In this scenario, you sign in to your test AWS account as the root user to grant IAM access to billing information. When you grant access to billing information, it allows IAM users and roles to access the AWS Billing and Cost Management console. This setting doesn't by itself grant IAM users and roles the necessary permissions for these console pages; it only enables access for IAM users or roles that already have the required IAM policies.

Note

AWS accounts created using AWS Organizations have IAM access to billing information enabled by default.

To activate IAM user and role access to the Billing and Cost Management console
  1. Sign in to the AWS Management Console with your root user credentials (specifically, the email address and password that you used to create your AWS account).

  2. On the navigation bar, select your account name, and then select Account.

  3. Scroll down the page until you find the section IAM User and Role Access to Billing Information, then select Edit.

  4. Select the Activate IAM Access check box to activate access to the Billing and Cost Management console pages.

  5. Choose Update.

    The page displays the message IAM user/role access to billing information is activated.

In the next step of this tutorial you attach IAM policies to grant or deny access to specific billing features.

Step 2: Create test users and groups

Your test AWS account doesn't have any identities defined except for the root user. To provide access to billing information we create additional identities to whom we can grant permission to access billing information.

Create test users and groups
  1. Sign in to the IAM console as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.

    Note

    As the root user, you can't sign in to the Sign in as IAM user page. If you see the Sign in as IAM user page, choose Sign in using root user email near the bottom of the page. For help signing in as the root user, see Signing in to the AWS Management Console as the root user in the AWS Sign-In User Guide.

  2. In the navigation pane, select Users and then select Add users.

    Note

    If you have IAM Identity Center enabled, the AWS Management Console displays a reminder that it's best to manage users' access in IAM Identity Center. In this tutorial, the IAM users are created to learn about providing access to billing information. If you have created users in IAM Identity Center, you assign the Billing permission set to those users or groups using IAM Identity Center instead of IAM.

  3. For User name, enter pcandella. Names can't contain spaces.

  4. Select the select box next to Provide user access to the AWS Management Console - optional and then choose I want to create an IAM user.

  5. Under Console password, select Autogenerated password.

  6. Clear the select box next to User must create a new password at next sign-in (recommended) and then select Next. Because this IAM user is for testing, we're going to download the password for use during the verification procedure.

  7. On the Set permissions page, under Permissions options, select Add user to group. Then, under User groups, select Create group.

  8. On the Create user group page, in User group name, enter BillingGroup. Then, under Permissions policies, select the AWS managed job function policy Billing.

  9. Select Create user group to return to the Set permissions page.

  10. Under User groups, select the select box of the BillingGroup you created.

  11. Select Next to proceed to the Review and create page.

  12. On the Review and create page, review the list of user group memberships for the new user. When you are ready to proceed, select Create user.

  13. On the Retrieve password page, select Download .csv file to save a .csv file with the user sign-in information (Connection URL, user name, and password).

    Save this file to use as a reference when you sign in to AWS as this IAM user.

  14. Select Return to users list.

  15. Repeat this procedure using the following modifications to create the user for Terry Whitlock and a group for support users.

    1. In step 3, for User name, enter twhitlock.

    2. In step 8, for User group name, enter SupportGroup. Then, under Permissions policies, select the AWS managed job function policy SupportUser.

You can review the new IAM users, groups and roles in the console lists. For each item you created you can select the name to view its details. When you view the user details, the console displays Billing listed under Permissions policies for pcandella and SupportUser listed under Permissions policies for twhitlock.

For more information about using policies to grant IAM users access to AWS Billing and Cost Management features, see Using identity-based policies (IAM policies) for AWS Billing in the AWS Billing User Guide.

Step 3: Create a role to grant access to the AWS Billing console

You can use a role to grant IAM users access to the billing console. Roles provide temporary credentials that users can assume when needed. In this tutorial, the user twhitlock needs to be able to access billing information when a support request from the finance department requires that they investigate an issue.

  1. Sign in to the IAM console as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.

    Note

    As the root user, you can't sign in to the Sign in as IAM user page. If you see the Sign in as IAM user page, choose Sign in using root user email near the bottom of the page. For help signing in as the root user, see Signing in to the AWS Management Console as the root user in the AWS Sign-In User Guide.

  2. In the navigation pane, select Users and then select the twhitlock user to view the user details. Copy the ARN for the twhitlock user to the clipboard.

  3. In the navigation pane, select Roles and then select Create role.

  4. On the Select trusted entity page, select Custom trust policy and then under Edit statement complete the following items:

    • Add actions for STS - Verify that AssumeRole is selected.

    • Add a principal - select Add to display the Add principal dialog box. For Principal type select IAM users, then for ARN paste the ARN for the twhitlock user that you copied to the clipboard in step 2. Then select Add principal.

  5. Select Next to go to the Add permissions page.

  6. Under Permissions policies in the filter box, enter Billing and then select the AWS managed job function policy Billing.

  7. Select Next to go to the Name, review, and create page. Under Role name, enter TempBillingAccess then select Create role.

    You are notified that the role has been created. View the role to display the details about the role. In the Summary section take note of the following information:

    • Maximum session duration is 1 hour by default. After that time the user who assumed the role reverts to their base account permissions. If the user wants to continue using the role permissions, they must switch roles again. You can edit the role to increase the maximum duration. The longest session duration possible is 12 hours.

    • Link to switch roles in console. You can copy the link to provide it directly to the users that you add as principals in the trust policy. You can view and edit the trust policy from the Trust relationships tab.
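The trust policy that the console builds in the procedure above, as an added example that is not part of the AWS tutorial: it produces the JSON for the TempBillingAccess role trusting only the twhitlock user (the tutorial's sample account number and user name), and audits a trust policy for principals or actions wider than that single user. The audit rules are this example's own assumptions, not an AWS check.

```python
import json

# Sample values from the tutorial: replace with your own test account number.
ACCOUNT_ID = "111122223333"
TRUSTED_USER = "twhitlock"


def build_trust_policy(account_id: str, user_name: str) -> dict:
    """Trust policy as in Step 3: sts:AssumeRole, principal type IAM users, one user ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:user/{user_name}"},
            "Action": "sts:AssumeRole",
        }],
    }


def trust_policy_document(account_id: str, user_name: str) -> str:
    """JSON form for the console's trust-policy editor or for
    `aws iam create-role --assume-role-policy-document file://trust.json`."""
    return json.dumps(build_trust_policy(account_id, user_name), indent=2)


def audit_trust_policy(policy: dict) -> list:
    """Flag Allow statements wider than 'one named user may assume this role'
    (assumed rules for this example, not an AWS feature)."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # Principal may be "*", {"AWS": "arn"} or {"AWS": ["arn", ...]}.
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        for p in [aws] if isinstance(aws, str) else aws:
            if p == "*":
                findings.append(f"statement {i}: anonymous principal '*'")
            elif p.endswith(":root"):
                findings.append(f"statement {i}: account-wide principal {p}")
        actions = stmt.get("Action", [])
        for a in [actions] if isinstance(actions, str) else actions:
            if a in ("*", "sts:*"):
                findings.append(f"statement {i}: wildcard action {a}")
    return findings


if __name__ == "__main__":
    print(trust_policy_document(ACCOUNT_ID, TRUSTED_USER))
    print("findings:", audit_trust_policy(build_trust_policy(ACCOUNT_ID, TRUSTED_USER)))
```

Running the audit over the Trust relationships tab's JSON after editing the role is a quick way to confirm the role still trusts only the intended user.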

Step 4: Test access to the console

We recommend that you test access by signing in as the test users to learn what your users might experience. Use the following steps to sign in as both test users to see the difference in access rights.

To test billing access by signing in with both test users
  1. Use your AWS account ID or account alias, your IAM user name, and your password to sign in to the IAM console.

    Note

    For your convenience, the AWS sign-in page uses a browser cookie to remember your IAM user name and account information. If you previously signed in as a different user, choose Sign in to a different account near the bottom of the page to return to the main sign-in page. From there, you can type your AWS account ID or account alias to be redirected to the IAM user sign-in page for your account.

  2. Sign in with each user using the steps provided below so you can compare the different user experiences.

    Full access

    1. Sign in to your AWS account as the user pcandella.

    2. On the navigation bar, choose pcandella@111122223333, and then choose Billing Dashboard.

    3. Browse through the pages and choose the various buttons to make sure that you have full modify permissions.

    No access

    1. Sign in to your AWS account as the user twhitlock.

    2. On the navigation bar, choose twhitlock@111122223333, and then choose Billing Dashboard.

    3. A message displays stating You need permissions. No billing data is visible.

    Switch role to elevate access

    1. Sign in to your AWS account as the user twhitlock.

    2. On the navigation bar, choose twhitlock@111122223333, and then choose Switch role.

      The Switch role page opens. Complete the information as follows:

      • Account: 111122223333

      • Role: TempBillingAccess

      Select Switch role.

      Alternatively, you could use the URL provided in Link to switch roles in console to open the Switch role page.

    3. The console displays the AWS Billing Dashboard and the navigation bar displays TempBillingAccess@111122223333.

Summary

You've now completed the steps necessary to provide IAM users access to the AWS Billing console. As a result, you've seen firsthand what your users' billing console experience is like. You can now proceed to implement this logic in your production environment at your convenience.
