View a markdown version of this page

Execution role permissions for scheduled reports - Amazon Cost Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Execution role permissions for scheduled reports

When you create a scheduled report, you must provide an IAM execution role that grants Amazon Billing and Cost Management permissions to generate and deliver reports on your behalf. The execution role requires the following permissions and trust policy.

Permissions policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AwsBcmDashboardsScheduleReportsDataAccess",
      "Effect": "Allow",
      "Action": [
        "bcm-dashboards:GetDashboard"
      ],
      "Resource": [
        "arn:aws:bcm-dashboards::*:dashboard/*"
      ]
    },
    {
      "Sid": "AwsBcmDashboardsScheduleReportsDataAccessCE",
      "Effect": "Allow",
      "Action": [
        "ce:GetDimensionValues",
        "ce:GetCostAndUsageWithResources",
        "ce:GetCostAndUsage",
        "ce:GetCostForecast",
        "ce:GetTags",
        "ce:GetUsageForecast",
        "ce:GetCostCategories",
        "ce:GetSavingsPlansCoverage",
        "ce:GetReservationUtilization",
        "ce:GetReservationCoverage",
        "ce:GetSavingsPlansUtilization",
        "ce:GetSavingsPlansUtilizationDetails",
        "budgets:ViewBudget",
        "budgets:DescribeBudgetActionsForAccount",
        "billing:ListBillingViews"
      ],
      "Resource": "*"
    }
  ]
}
Note

If you created an execution role before the launch of the Amazon Budgets report widget, your existing role will not include the budgets API permissions. To schedule reports for dashboards that contain Amazon Budgets report widgets, update your execution role to include the budgets permissions listed above. You can update your service roles from the Additional configuration section when creating or editing a scheduled report. This update will fail if a role was manually modified in IAM. To resolve this, create a new role or restore the policy version to its original state. For more information, see Setting the default version of a policy in the IAM User Guide.

Trust policy

The execution role must trust the bcm-dashboards.amazonaws.com service principal. Replace <account-id> with your Amazon account ID.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowBcmDashboardScheduledReportAssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": "bcm-dashboards.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "<account-id>"
        },
        "StringLike": {
          "aws:SourceArn": "arn:aws:bcm-dashboards::<account-id>:*"
        }
      }
    }
  ]
}