Exercise 2: Create an IAM user for future use

Natasha Ong
4 min read

In this bonus task, you will create an IAM user that is equivalent to the root user so that you don't need to use your root user when you are doing the lab exercise.

Moving forward, you will use this IAM user for your exercises.

1. Repeat the process from Task 1 to Task 2 of the previous exercise. Do you think you can run through these steps faster?

2. When you are finished setting up your IAM users, make sure that you're still in the details page of your IAM user. Under the Permissions tab, and in the Permissions policies section, choose Add permissions.

3. On the Permissions options, choose Attach policies directly.

4. From the list of Permissions policies, select (check the box) AdministratorAccess.

5. Once selected, choose Next.

6. Choose Add permissions.

7. You successfully added one policy to your IAM user.

Voila! All done.

IAM users don't have access to the Billing dashboard by default. Only your root user can access the Billing dashboard.

Since you're using your IAM user every day, this means you won't be able to see how much AWS is charging you every day (a bit of a bummer!).

To enable billing access, follow the steps below.

Optional: Activating access to billing information

  1. Sign in to the AWS Management Console with your root user credentials (specifically, the email address and password that you used to create your AWS account).
  2. On the navigation bar, select your account name, and then select Account.
  3. Scroll down the page until you find the section IAM User and Role Access to Billing Information, then select Edit.
  4. Select the Activate IAM Access check box to activate access to the Billing and Cost Management console pages.
  5. Choose Update.
  • The page displays the message IAM user/role access to billing information is activated.
  • In the next step you will attach IAM policies to grant or deny access to specific billing features.

6. Once IAM user and role access to Billing information is activated, you will need to create a role. Navigate to Roles by clicking Roles on the left side, under the Access management section.

7. Once you're on the Roles page, choose Create role.

8. On the Trusted entity type section, choose Custom trust policy, then Edit statement.

9. Add actions for STS: verify that AssumeRole is selected.

10. Add a principal: select Add to display the Add principal dialog box. For Principal type, select IAM users, then for ARN, paste the ARN of the IAM user that you created. To find the ARN of your IAM user, go back to the IAM user details and, under the Summary section, click the copy icon to copy the ARN.

11. Then select Add principal.

12. Select Next to go to the Add permissions page.

13. Under Permissions policies, enter Billing in the filter box, and then select (check the box) the AWS managed job function policy Billing.

14. Select Next to go to the Name, review, and create page. Under Role name, enter TempBillingAccess (you may enter your own Role name) then select Create role.

15. You will see the role has been successfully created. To check the roles you've created, you can search for the name of the role in the search box.

16. You are notified that the role has been created. View the role to display the details about the role. In the Summary section take note of the following information:

  • Maximum session duration is 1 hour by default. After that time the user who assumed the role reverts to their base account permissions. If the user wants to continue using the role permissions, they must switch roles again. You can edit the role to increase the maximum duration. The longest session duration possible is 12 hours.
  • Link to switch roles in console. You can copy the link to provide it directly to the users that you add as principals in the trust policy. You can view and edit the trust policy from the Trust relationships tab.

17. To test the access to the Billing Dashboard, sign in to your IAM user.

18. Once you sign in, navigate to the Billing Dashboard and choose Billing.

If you see the message "You need permissions" and no billing data is visible, you still have no access to the Billing Dashboard. You'll need to switch roles to change your access. To switch roles, make sure that you're signed in with the IAM user that you created. On the navigation bar, choose your account name on the top right, and then choose Switch role.

The Switch role page opens. Complete the information as follows:

  • Account: 111122223333 (this is your AWS account ID)
  • Role: TempBillingAccess (refer to step 12 of this task for the role name you entered)
  • Select Switch role.
  • Or, you could use the URL provided in Link to switch roles in console to open the Switch role page.

Copy the URL and paste it into a new tab of your web browser. The Switch role page opens.

Once you switch roles, you can access the AWS Billing Dashboard and the navigation bar displays TempBillingAccess@000000000000.
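The custom trust policy that steps 8 to 11 build in the console, shown as JSON together with a small check that it trusts only the intended IAM user. This is an added example, not part of the original exercise; the user name `lab-admin` and the helper names are hypothetical, and the account ID is the placeholder used on this page.

```python
import json

# Constructed sample values: 111122223333 is the placeholder account ID used on
# this page; the user name "lab-admin" is hypothetical.
USER_ARN = "arn:aws:iam::111122223333:user/lab-admin"

def build_trust_policy(user_arn):
    """Trust policy from steps 8-11: one named IAM user may call sts:AssumeRole."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": user_arn},
            "Action": "sts:AssumeRole",
        }],
    }

def as_list(value):
    """IAM JSON allows a single item or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, allowed_arns):
    """Return findings; an empty list means only the expected users are trusted."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append(f"statement {i}: any principal is trusted")
            continue
        if not isinstance(principal, dict):
            findings.append(f"statement {i}: no Principal element")
            continue
        for kind, values in principal.items():
            for value in as_list(values):
                if kind != "AWS":
                    findings.append(f"statement {i}: {kind} principal {value}")
                elif value == "*":
                    findings.append(f"statement {i}: any principal is trusted")
                elif value.isdigit() or value.endswith(":root"):
                    findings.append(f"statement {i}: whole account {value} is trusted")
                elif value not in allowed_arns:
                    findings.append(f"statement {i}: unexpected principal {value}")
    return findings

if __name__ == "__main__":
    policy = build_trust_policy(USER_ARN)
    print(json.dumps(policy, indent=2))  # same JSON the trust policy editor shows
    print(audit_trust_policy(policy, {USER_ARN}) or "only the expected user is trusted")
```

The same check can be run against the JSON shown on the role's Trust relationships tab to confirm that the principal is your IAM user's ARN and not the whole account.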

Awesome - you've just learnt how to provide IAM users access to the AWS Billing console. That's some pretty cool AWS Cloud Practitioner skills you've got there. 😉