# Granting a User Read-Only Access in AWS.

As a technical advisor, I often need to access a client’s AWS account with admin or read-only privileges so I can evaluate what they are doing. There are several ways to do this, including using [cross-account access using roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html). Often, the most straightforward way is for the client to create a user for me in their account and grant that user access.

To give me the right access, the client can follow these steps in AWS as the root user:

### Configure AWS Organizations

1. From the search bar, navigate to AWS Organizations.
    
2. If not already enabled → Create Organization
    

### Enable Other Users to Access Billing Info

1. In the top right, click on the account name.
    
2. Click Account.
    
3. Scroll down to IAM user and role access to Billing Information and Edit.
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698531601423/ca2e3b8f-2bcb-498f-aa56-01d959f5283a.tif align="center")
    
4. Check Activate and click Update.
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698531636683/4ad1c338-2ae1-4452-93fd-6ed1f4a6993e.tif align="center")
    
5. It should look like:
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698531669725/503daee8-c64c-4f6e-bab9-5cd28a431a82.tif align="center")
    

### Create IAM Permissions

1. From the search bar, navigate to IAM Identity Center.
    
2. Enable if not already enabled.
    
3. From left-hand bar, Multi-account permissions→ Permission Sets.
    
4. ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698531741179/4eb5a9e2-d62b-4794-8c79-ad154960a59d.tif align="center")
    
    Click "Create permission set"
    
5. ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698531756541/f61c711d-1194-459c-9afc-f4f16e946d01.tif align="center")
    
    Custom permission set→ Next
    
6. ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698531781590/21954776-40f3-4bf7-9642-c0af41f00722.tif align="center")
    
    Select AWS Managed Policies
    
7. Filter by Type→ AWS managed - job function
    
8. Check ReadOnlyAccess or AdministratorAccess, depending on your needs. ReadOnlyAccess is probably all I need for the time being. It's easy enough to upgrade later as needed.
    
9. Click Next
    
10. ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698531813949/db9eb898-ecb0-4a7e-8f0c-ca55a3a0c716.tif align="center")
    
    Permission set name→ ReadOnly
    
11. Tags-&gt; poc = &lt;your name&gt;
    
12. Next, Create
    

### Create Group

1. While still in the IAM Identity Center, from left side-bar, click Groups, then Create Group
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698532054244/be684b71-f9df-4196-91ae-0d196cc2844e.png align="center")

1. Fill out the details.
    
    1. Group Name: Solint
        
    2. Description: Grant admin privileges and billing access to consultant with Solint
        
2. You don’t need to add users at this time.
    
3. Create Group
    

### Create my user

1. While still in the IAM Identity Center, from left side-bar, click Users, then Add User
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698532321065/d1ae1380-3149-4e54-a8e4-a7c2b37d8a92.png align="center")
    
2. Username: my email address.
    
3. Leave the password set to email setup.
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698532496063/fe8058b9-092b-4746-a3b8-2b70578f6d43.png align="center")
    
4. For email, again use my email address.
    
5. Fill out other details as you see fit.
    
6. Click Next
    
7. Add my user to Solint group.
    
8. Click Next.
    

### Assign Permissions

1. While still in the IAM Identity Center, from left side-bar, click Multi-account permissions→AWS accounts.
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698532837743/fcd20d3d-4a5d-4be8-a32b-3afd95f4007a.tif align="center")
    
2. Under the Users and groups tab, click Assign users or groups
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698532882619/3c992912-624e-4274-b99b-76e89d715ff1.tif align="center")

3. Check the Solint group.
    
4. Check ReadOnly or AdministratorAccess, depending on what you provisioned above
    
5. Click Next, then Submit.
    

### Troubleshooting

#### Trouble finding the button to Assign users or groups?

You may need to click on the Root account to see the management account in which you can assign users and groups.

#### Other Problems?

Please let me know!

### Wrapping Up

I'll get an email inviting me to your account, but feel free to ping me. To revoke my access, you can just undo any/all of the steps above.
