Unable to access AWS Cost Explorer API from IAM user credential
A

3

5

I am trying to use the Cost Explorer API from an IAM user credential, but I am getting an access denied error. Below is the policy attached to the IAM user. Is any other permission required? Where am I going wrong?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ce:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
Antisocial answered 7/3, 2018 at 11:21 Comment(1)
Welcome to StackOverflow. Please take the tour, have a look around, and read through the HELP center, then read How to Ask Question, What types of questions should I avoid asking? and provide an MCVE: Minimal, Complete, and Verifiable Example. If people around can easily read and understand what you mean, or what the problem is, they'll be more likely willing to help :) - Helaina
S
3

First make sure you are using root user credentials.

You can enable Cost Explorer only if you are the owner of the AWS account and you signed in to the account with your root credentials. If you are the owner of a master account in an organization, enabling Cost Explorer enables Cost Explorer for all the organization accounts. In other words, all member accounts in the organization are also granted access. You can't grant or deny access individually.

Cost Explorer and IAM Users

An AWS account owner who is not using consolidated billing has full access to all Billing and Cost Management information, including Cost Explorer. After you enable Cost Explorer, you should interact with Cost Explorer as an IAM user. If you have permission to view the Billing and Cost Management console, you can use Cost Explorer.

An IAM user must be granted explicit permission to view pages in the Billing and Cost Management console. With the appropriate permissions, the IAM user can view costs for the AWS account to which the IAM user belongs. For the policy that grants the necessary permissions to an IAM user, see Controlling Access.

For more details, read this

Steepen answered 7/3, 2018 at 11:34 Comment(1)
Thanks for your answer. But Cost Explorer is enabled and I can view it in the console. I am getting an access denied error only when I am trying an API call. - Antisocial
C
2

Your policy is probably missing an asterisk (*), which is why you are getting an access denied error. You can use the policy described below to access Cost Explorer:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ce:*",
            "Resource": "*"
        }
    ]
}
Cooncan answered 16/3, 2019 at 23:43 Comment(1)
The user had added the asterisk, but had not put the JSON in a code block. So the asterisk was not showing up because it was being interpreted as markdown. I added an edit that puts the JSON in a code block. - Cholecystotomy
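An added example, not part of the answer or comment above: a simplified local check in Python of which API actions an identity policy's Action patterns cover. It shows that the list form and the string form of ce:* are equivalent and that an Action of "ce:" with the asterisk missing matches nothing. It looks only at Effect and Action (not Resource, Condition, NotAction, permission boundaries or organization policies); is_allowed, compare and the three sample policies are names constructed for this illustration.

```python
import re

# Constructed inputs: the question's policy (Action as a list), this answer's
# policy (Action as a string), and a variant whose Action lost its asterisk.
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ce:*"], "Resource": ["*"]}]}
ANSWER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ce:*", "Resource": "*"}]}
ASTERISK_LOST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ce:"], "Resource": ["*"]}]}


def _as_list(value):
    """IAM accepts a single string or a list for Action; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, action):
    """IAM-style match: '*' is any run of characters, '?' is exactly one,
    and the service prefix and action name compare case-insensitively."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def is_allowed(policy, action):
    """Simplified check on Effect and Action only. An explicit Deny wins;
    with no matching Allow the result is an implicit deny (False)."""
    statements = policy["Statement"]
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    allowed = False
    for stmt in statements:
        if any(_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def compare(action="ce:GetCostAndUsage"):
    """Evaluate the same API action against all three sample policies."""
    return {name: is_allowed(policy, action) for name, policy in (
        ("question", QUESTION_POLICY), ("answer", ANSWER_POLICY),
        ("asterisk_lost", ASTERISK_LOST_POLICY))}


if __name__ == "__main__":
    print(compare())
```

Because the two ce:* forms evaluate identically, swapping one for the other does not change what the identity policy grants.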
P
2

This helped me allow an IAM user to view billing information: log in as the root user, click the dropdown arrow under the username in the top right corner, and select Account.

Scroll down to the section "IAM user and role access to Billing information" and activate it, then add the Billing permission to the IAM user.

Once logged in as the IAM user, I could see Cost and Usage data (now it shows Data unavailable; before it was Access Denied).

Phonologist answered 21/9, 2024 at 14:16 Comment(1)
This did it for me. Adding an inline policy to user groups allowing CE read access didn't work, but this did, thank you! - Reproachless
