diff --git a/billing-role/policy.tf b/billing-role/policy.tf
new file mode 100644
index 0000000..4a84560
--- /dev/null
+++ b/billing-role/policy.tf
@@ -0,0 +1,24 @@
+data "aws_iam_policy_document" "full_billing" {
+  statement {
+    sid       = "FullBillingAccess"
+    effect    = "Allow"
+    resources = ["*"]
+
+    actions = [
+      "aws-portal:*",
+      # add others, to allow cost explorer and budgets
+    ]
+  }
+}
+
+data "aws_iam_policy_document" "limited_billing" {
+  statement {
+    sid       = "LimitedBillingAccess"
+    effect    = "Allow"
+    resources = ["*"]
+
+    actions = [
+      # put in right set of things for cost explorer and read access to billing
+    ]
+  }
+}