user is not authorized to perform: ce:GetCostAndUsage

Question

I am using boto3, trying out Cost Exploer to get cost and usage

import boto3
client = boto3.client('ce')
client.get_cost_and_usage()

Already grant the following permissioin to the user

  "aws-portal:ViewUsage",
  "aws-portal:ViewBilling"

But always get error

An error occurred (AccessDeniedException) when calling the GetCostAndUsage operation: User: arn:aws:iam::123456789:user/User1 is not authorized to perform: ce:GetCostAndUsage on resource: arn:aws:ce:us-east-1:123456789

Answer 1

I couldn't find existing small scope read-only policy to get usage statistics.

Creating new policy through the web "Visual Editor" is easy too:

1. Navigate to IAM -> Policies -> Create Policy
2. Select service as Cost Explorer Service
3. Tick [X] Read permissions
4. Click Review
5. Name it, for example MyCostExplorerRead
6. Assign the newly created policy to your user

Answer 2

Just found answer from here https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-example-policies.html#example-policy-ce-api

Example 11: View costs and usage

To allow IAM users to use the AWS Cost Explorer API, use the following policy to grant them access:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ce:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}