diff --git a/billing-role/README.md b/billing-role/README.md
new file mode 100644
index 0000000..db3935a
--- /dev/null
+++ b/billing-role/README.md
@@ -0,0 +1,28 @@
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_policy_document.full_billing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.limited_billing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
diff --git a/billing-role/policy.tf b/billing-role/policy.tf
new file mode 100644
index 0000000..e94a654
--- /dev/null
+++ b/billing-role/policy.tf
@@ -0,0 +1,41 @@
+data "aws_iam_policy_document" "full_billing" {
+ statement {
+ sid = "FullBillingAccess"
+ effect = "Allow"
+ resources = ["*"]
+
+ actions = [
+ "aws-portal:View*",
+ "ce:Describe*",
+ "ce:Get*",
+ "ce:List*",
+ "ce:CreateNotificationSubscription",
+ "ce:CreateReport",
+ "ce:DeleteNotificationSubscription",
+ "ce:DeleteReport",
+ "ce:UpdateNotificationSubscription",
+ "ce:UpdateReport",
+ "ce:UpdatePreferences",
+ "budgets:View*",
+ "budgets:Describe*",
+ #"budgets:*",
+ # add others, to allow cost explorer and budgets
+ ]
+ }
+}
+
+data "aws_iam_policy_document" "limited_billing" {
+ statement {
+ sid = "LimitedBillingAccess"
+ effect = "Allow"
+ resources = ["*"]
+
+ actions = [
+ "aws-portal:View*",
+ "ce:Describe*",
+ "ce:Get*",
+ "ce:List*",
+ # put in right set of things for cost explorer and read access to billing
+ ]
+ }
+}
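Review bot: In `limited_billing` the entry `"aws-portal:View*"` matches every View action in that namespace, including `aws-portal:ViewPaymentMethods` and `aws-portal:ViewAccount`, so the limited document grants the same console read scope as `full_billing` and widens on its own if further matching actions appear. Listing the intended actions explicitly, e.g. `"aws-portal:ViewBilling", "aws-portal:ViewUsage",`, keeps the grant reviewable; the same applies to the `ce:` and `budgets:` wildcards in both documents. The placeholder comments (`# put in right set of things ...`, `# add others ...`) and the commented-out `#"budgets:*"` should be resolved before merge and replaced by a comment stating each document's intended scope, such as `# read-only: Cost Explorer and billing console, no payment methods`. AWS has also been retiring the `aws-portal` namespace in favour of fine-grained billing actions, so it is worth confirming these entries still take effect in the target accounts.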