How to Allow Federated Users logged into an Organization Member Accounts to their account's Billings

0

Problem: Federated users logging into organization member accounts with the AWSAdministratorAccess PermissionSet cannot view the billing dash board for the account they are logged into. Specifically we want developers to be able to access the billing for their own individual sandbox accounts.

Environment:

  • Multi-account Organization setup with ControlTower, and SSO and an external IdP
  • Account structure following the multi-account white paper
  • ControlTower only allows creation of resources in managed regions
  • On the Sandbox OU, the only SCP applied are full access, denying leaving the organization, denying performing actions as the root user, and those created by ControlTower.
  • Billing access for IAM is enabled in the management account
  • All Organization features are enabled including consolidate billing
  • No problems accessing billing in the management account from a Federated users with the AWSAdministratorAccess PermissionSet
  • This is a new organization (less than 1 month old)
  • The accounts were created with Account Factory for Terraform
  • There are no passwords on member account root users and we will not be adding them
  • Linked account access is granted to cost explorer.

When I test with Access Analyzer, I get that it was denied by SCP but I cannot see any SCPs that are denying.

gefragt vor einem Jahr427 Aufrufe
1 Antwort
1

Please review the Repost Knowledge Center article: https://repost.aws/knowledge-center/iam-billing-access

Other Document for reference. Access Management: http://docs.aws.amazon.com/IAM/latest/UserGuide/PermissionsAndPolicies.html

Billing and Cost Management Permissions Reference: https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html

You can also find information on how to enable IAM access to billing information here:

http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/grantaccess.html#ControllingAccessWebsite-Activate

I believe you'll find this information useful

profile pictureAWS
beantwortet vor einem Jahr

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen