AWS Organisation Federated User SSO Access to Member Account Billing

Mike Sun
2 min read · Dec 6, 2024


I sincerely feel and hope that what I’m about to write about is not the best way to do what I said in the title but after messing around in the AWS console, it feels like it is THE way…?

Problem Statement

I have created a federated SSO user under AWS IAM Identity Center:

I have also given the default billing permission set for that user, who is assigned under my member AWS account:

Note that this Billing permission set is AWS managed; it's not something I came up with.

Yet when I log in as the federated user under the Billing profile, I get permission denied when I go to the Billing page.

Solution

You might think that you no longer need the root login for the AWS member’s account after adding it to the AWS organisation. No…

You still need to log in to the member account as its root user, go to Accounts, click on Billing and Payments, and then scroll down and click Activate IAM Access.

So simple, right? But who-TF would have thought of this, that even though I created a Billing federated user in my organisation’s management account, I still need to go to the member root account to enable this IAM Access option. Maybe I’m just getting this wrong, maybe there’s a better way, a more intuitive way? IDK, before someone can enlighten me, this seems to be what I’ll be doing for all my member accounts.
