How to Allow Federated Users Logged into Organization Member Accounts to Access Their Account's Billing

0

Problem: Federated users logging into organization member accounts with the AWSAdministratorAccess PermissionSet cannot view the billing dashboard for the account they are logged into. Specifically, we want developers to be able to access the billing for their own individual sandbox accounts.

Environment:

  • Multi-account Organization setup with Control Tower, SSO and an external IdP
  • Account structure following the multi-account white paper
  • ControlTower only allows creation of resources in managed regions
  • On the Sandbox OU, the only SCPs applied are full access, denying leaving the organization, denying performing actions as the root user, and those created by Control Tower.
  • Billing access for IAM is enabled in the management account
  • All Organization features are enabled, including consolidated billing
  • No problems accessing billing in the management account from federated users with the AWSAdministratorAccess PermissionSet
  • This is a new organization (less than 1 month old)
  • The accounts were created with Account Factory for Terraform
  • There are no passwords on member account root users and we will not be adding them
  • Linked account access is granted to cost explorer.

When I test with Access Analyzer, I get that it was denied by SCP but I cannot see any SCPs that are denying.

asked a year ago, 431 views
1 answer
1

Please review the re:Post Knowledge Center article: https://repost.aws/knowledge-center/iam-billing-access

Other documents for reference. Access Management: http://docs.aws.amazon.com/IAM/latest/UserGuide/PermissionsAndPolicies.html

Billing and Cost Management Permissions Reference: https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html

You can also find information on how to enable IAM access to billing information here:

http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/grantaccess.html#ControllingAccessWebsite-Activate

I believe you'll find this information useful.

AWS
answered a year ago
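The question mentions that IAM Access Analyzer reports "denied by SCP" while no denying SCP is visible. One way to make that check mechanical is to walk every SCP that applies to the account (the account itself, each OU above it, and the root) and flag any Deny statement that covers the billing and Cost Explorer actions, including statements written with NotAction, which deny everything they do not list. The script below is an added example and is not AWS code or part of the original question or answer. The policy documents in SAMPLE_SCPS are constructed to resemble the Sandbox OU described in the question; the region-restriction policy is a made-up illustration, not a copy of any real Control Tower guardrail. The collect_scps_for_account helper assumes credentials for the management account or a delegated Organizations administrator and is not run by default, so the rest executes offline. One caveat the answer's links also cover: the account-level "activate IAM access to billing" setting is not an SCP, so a clean result from this scan does not rule it out as the cause in a member account.

```python
"""
Find SCP statements that could deny billing/cost actions for an account.

Example added to this page; it is not AWS-provided code and not part of
the original question or answer. The sample SCPs below are constructed.
"""
import fnmatch
import json

# Actions a federated user needs for the Billing console and Cost Explorer.
# Constructed list for this example; the Billing permissions reference
# linked in the answer is the authoritative source.
BILLING_ACTIONS = [
    "aws-portal:ViewBilling",
    "aws-portal:ViewUsage",
    "ce:GetCostAndUsage",
    "cur:DescribeReportDefinitions",
    "budgets:ViewBudget",
]


def _as_list(value):
    """IAM policy grammar lets Action/NotAction/Statement be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action patterns are case-insensitive and use '*' / '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def denying_statements(scps, actions=BILLING_ACTIONS):
    """Return [(policy_name, sid, action, has_condition)] for every Deny
    statement in `scps` that covers one of `actions`.

    `scps` is a dict {policy_name: policy_document_dict}. A Deny statement
    with NotAction denies everything except the listed actions, so it is a
    match when the billing action is absent from that list. A statement
    with a Condition block only denies when the condition holds (e.g. a
    region key), so it is flagged as conditional rather than definite.
    """
    hits = []
    for name, doc in scps.items():
        for stmt in _as_list(doc.get("Statement")):
            if stmt.get("Effect") != "Deny":
                continue
            sid = stmt.get("Sid", "<no Sid>")
            has_condition = "Condition" in stmt
            action_patterns = _as_list(stmt.get("Action"))
            not_action_patterns = _as_list(stmt.get("NotAction"))
            for action in actions:
                if any(_action_matches(p, action) for p in action_patterns):
                    hits.append((name, sid, action, has_condition))
                elif not_action_patterns and not any(
                    _action_matches(p, action) for p in not_action_patterns
                ):
                    hits.append((name, sid, action, has_condition))
    return hits


def collect_scps_for_account(account_id):
    """Fetch every SCP attached to the account and to each OU/root above it
    via the AWS Organizations API. Assumes management-account or delegated
    administrator credentials; not called by the offline demo. Pagination
    of list_policies_for_target is omitted for brevity."""
    import boto3  # imported lazily so the offline demo needs no SDK
    org = boto3.client("organizations")
    scps, target = {}, account_id
    while True:
        page = org.list_policies_for_target(
            TargetId=target, Filter="SERVICE_CONTROL_POLICY")
        for summary in page["Policies"]:
            content = org.describe_policy(PolicyId=summary["Id"])["Policy"]["Content"]
            scps[summary["Name"]] = json.loads(content)
        if target.startswith("r-"):  # the organization root has no parent
            break
        target = org.list_parents(ChildId=target)["Parents"][0]["Id"]
    return scps


# Constructed sample SCPs mirroring the question's Sandbox OU description,
# plus a constructed region-restriction policy (NOT a copy of any real
# Control Tower guardrail) whose NotAction list omits some billing actions.
SAMPLE_SCPS = {
    "FullAWSAccess": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "DenyLeaveOrganization": {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyLeave", "Effect": "Deny",
         "Action": "organizations:LeaveOrganization", "Resource": "*"}]},
    "DenyRootUser": {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyRoot", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}}]},
    "RegionRestriction": {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyOutsideManagedRegions", "Effect": "Deny",
         "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*", "ce:*", "budgets:*"],
         "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}}]},
}


def report(scps):
    """Human-readable lines, one per (policy, statement, action) hit."""
    lines = []
    for name, sid, action, cond in denying_statements(scps):
        flag = "conditional" if cond else "unconditional"
        lines.append(f"{name} / {sid}: denies {action} ({flag})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SCPS)))
```

Run against the constructed sample, the scan reports the root-user deny (conditional on the principal being root, so harmless for a federated role) and three hits from the region-restriction policy, whose NotAction list exempts `ce:*` and `budgets:*` but not `aws-portal:*` or `cur:*`. That second kind of finding is exactly what is easy to miss when reading SCPs by eye, since nothing in the policy names billing at all.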
