How do I create a billing-only sub-user?
    • 28 Aug 2024
    • 2 Minutes to read
    • PDF

    How do I create a billing-only sub-user?

    • PDF

    Article summary

    You can now give sub-users the ability to view or even update billing information. To do this, just associate the template policies for either WasabiViewBillingAccess or WasabiModifyBillingAccess. 

    Here is the process, including creating a new user. 

    1. First, you'll want to Allow IAM Users and Roles to access the Billing Portal. Go to theSettings option on the left frame and select that from the menu. Move the slider to the right to enable this. 
      Capture.PNG

    2. Now, from the Wasabi Management Console at https://console.wasabisys.com/, log in as your ROOT user.

    3. From the Left Frame, choose the Users Icon
      mceclip1.png

    4. From the Users Menu, choose the CREATE USER button

      mceclip0.png

    5. Give your user a name and select the Console box to allow them to log into the console. 

      mceclip3.png
      (you can give them API access too for IAM based billing calls, but if you are doing that, you probably already know enough that you don't need to be reading this KB document)

    6. When prompted you can add this user to a Group (if you intend to set up others with similar privileges, for instance), or you can skip this. You may always go back and create and assign groups later. We will skip this for now, just hit NEXT to continue. 
      mceclip4.png

    7. Next you will select one of the preconfigured Policies for this user. You can select either the WasabiViewBillingAccess policy if you only want them to VIEW the invoices, or WasabiModifyBillingAccess policy if you'd like them to be able to update the payment information for this account. The policies look like this:

      WasabiViewBillingAccess

      WasabiModifyBillingAccess

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "aws-portal:ViewBilling",
            "Resource": "*"
          }
        ]
      }
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "aws-portal:ModifyBilling",
            "Resource": "*"
          }
        ]
      }


      We'll choose View Only here: 
      mceclip5.png

    8. When you are ready, you should see the user along with the Groups and the Policies that are associated with that account: 
      mceclip6.png

      Click the CREATE USER button to continue.

    9. When complete, you'll see a box that looks like this:

      mceclip7.png
    10. Now, the user will go to the same https://console.wasabisys.com to log in. Be sure that they select Sign in as a sub-user:

      mceclip9.png

    First, they may see a quick notification screen flash. The message reads: 

    access_denied_error.png

    That’s expected as the first thing the system attempts to do is show a list of all the Buckets. The policy is applied, and the system then defaults to showing the Billing System info: 

    mceclip1.png (note that in this example, the invoices shown are all intentionally $0.00.  Yours will probably not be :-) ) 

    Users with View Only access can open any of these invoices to view the details, download a PDF copy Now, If you had  assigned MODIFY privileges, you would see in the Payment Settings tab on the Billing page the option to ADD NEW CREDIT CARD. 

    mceclip2.png

    That should provide the steps needed to create a new sub-user who may then log in to retrieve invoices


    ESC

    Eddy AI, facilitating knowledge discovery through conversational intelligence