Skip to main content
Skip table of contents

AWS Billing Account Manual CLI Onboarding

The steps below need to be executed in the AWS Cloud Shell. Please sign into the AWS console using the admin account where billing has been set up, and then initiate the Cloud Shell from the navigation bar.

Step-1: Configure Cost Export

  1. Use existing report

    1. Check if the cost report exists with Time granularity : Daily / Hourly and File format : text/csv

      NONE 
      aws cur --region us-east-1 describe-report-definitions --max-items 5 --query "ReportDefinitions[?TimeUnit=='DAILY'||TimeUnit=='HOURLY' && Format=='textORcsv'].{ReportName:ReportName, S3Bucket: S3Bucket, S3Prefix: S3Prefix}"

      • If above command returns only one cost record then capture S3Bucket, S3Prefix and Report Name

      • If above command returns more than one report then choose oldest record from UI.

        • Log into AWS Console and go to Billing service

        • On the billing page, look for Cost & Usage Reports section

        • Out of multiple available reports, choose the oldest and the one having following properties

          1. Time granularity : Daily / Hourly

          2. File format : text/csv

        • Capture the S3 bucket, Report path prefix fields from the report details section for the report you

  2. Creating new report (This step is not required if you have a exiting report)

    1. Create new S3 bucket by entering <S3BucketName> (Skip this step if you want to use exiting S3 bucket)

      NONE 
      aws s3 mb s3://<S3BucketName>

    2. Apply policy to S3 bucket by entering <S3BucketName> and AWS billing account id

      NONE 
      aws s3api put-bucket-policy --bucket <S3BucketName> --policy '{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "billingreports.amazonaws.com"
      },
      "Action": [
        "s3:GetBucketAcl",
        "s3:GetBucketPolicy"
      ],
      "Resource": "arn:aws:s3:::<S3BucketName>",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": "arn:aws:cur:us-east-1:<AccountId>:definition/*",
          "aws:SourceAccount": "<AccountId>"
        }
      }
    },
    {
      "Sid": "Stmt1335892526596",
      "Effect": "Allow",
      "Principal": {
        "Service": "billingreports.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<S3BucketName>/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": "arn:aws:cur:us-east-1:<AccountId>:definition/*",
          "aws:SourceAccount": "<AccountId>"
        }
      }
    }
  ]
}'

    3. Create new cost and usage report by entering <ReportName> of your choice, <S3BucketName> & <S3BucketPrefix> created/caputured in above steps

      NONE 
      aws cur put-report-definition --region us-east-1 --report-definition '{
    "ReportName": "<ReportName>",
    "TimeUnit": "DAILY",
    "Format": "textORcsv",
    "Compression": "GZIP",
    "AdditionalSchemaElements": [
      "RESOURCES"
    ],
    "S3Bucket": "<S3BucketName>",
    "S3Prefix": "<S3BucketPrefix>",
    "S3Region": "us-east-1",
    "AdditionalArtifacts": [],
    "RefreshClosedReports": true,
    "ReportVersioning": "OVERWRITE_REPORT"
  }'

AWS takes up to 24 hours to create first report to the configured bucket

Step-2: Enable Cost Allocation Tags

  1. List cost allocation tags and capture the tags you want to use as dimensions for grouping and filtering cost data.

    CODE 
    aws ce list-cost-allocation-tags

  2.  Active cost allocation tags which you want from above tags by entering <"TagValue">

    CODE 
    aws ce update-cost-allocation-tags-status --cost-allocation-tags-status TagKey=<"TagValue">,Status=Active TagKey=<"TagValue">,Status=Active

Step-3: Create Role / IAM User

  1. Role Based

    Role-based access is generally considered to be more secure than user-based access, as it allows organizations to control access to resources and functions based on defined roles and responsibilities. We recommend using roles over individual users whenever possible.

    1. Create Role by Entering RoleName of your choice and tenantid(provided by your partner) and capture role ARN from output

      CODE 
      aws iam create-role --role-name <RoleName> --assume-role-policy-document '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::911403356698:root"
        },
        "Action": "sts:AssumeRole",
        "Condition": {
          "StringEquals": {
            "sts:ExternalId": "<tenantid>"
          }
        }
      }
    ]
  }'

    2. Update role policy by entering <RoleName> created above, <PolicyName> of your choice. Enter <S3BucketName> captured from Step-1 while configuring Cost report

      CODE 
      aws iam put-role-policy --role-name <RoleName> --policy-name <PolicyName>  --policy-document '{
  "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<BUCKET_NAME>",
                "arn:aws:s3:::<BUCKET_NAME>/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "organizations:ListAccounts",
                "organizations:DescribeAccount"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ce:Get*",
                "ce:Desc*",
                "ce:List*"
            ],
            "Resource": "*"
            },
            {
            "Effect": "Allow",
            "Action": [
                "iam:Get*",
                "iam:List*",
                "iam:SimulateCustomPolicy",
                "iam:SimulatePrincipalPolicy"
            ],
            "Resource": "*"
        }
        {
     "Effect": "Allow",
     "Action": [
                "cur:Get*",
                "cur:ValidateReportDestination",
                "cur:Describe*"
      ],
     "Resource": "*"
}
    ]
}'

  2. Access/Secret Key Based (This step is not required if you have created a Role)

    1. Create User by Entering <UserName> of your choice

      CODE 
      aws iam create-user --user-name <UserName>

    2. Update user policy by Entering <UserName> created above,Enter <PolicyName> of your choice. Enter <S3BucketName> captured from Step-1 while configuring Cost report

      CODE 
      aws iam put-role-policy --role-name <RoleName> --policy-name <PolicyName>  --policy-document '{
  "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<BUCKET_NAME>",
                "arn:aws:s3:::<BUCKET_NAME>/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "organizations:ListAccounts",
                "organizations:DescribeAccount"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ce:Get*",
                "ce:Desc*",
                "ce:List*"
            ],
            "Resource": "*"
            },
            {
            "Effect": "Allow",
            "Action": [
                "iam:Get*",
                "iam:List*",
                "iam:SimulateCustomPolicy",
                "iam:SimulatePrincipalPolicy"
            ],
            "Resource": "*"
        }
        {
     "Effect": "Allow",
     "Action": [
                "cur:Get*",
                "cur:ValidateReportDestination",
                "cur:Describe*"
      ],
     "Resource": "*"
}
    ]
}'

    3. Create AccessKey and SecretAccessKey

      CODE 
      aws iam create-access-key --user-name ${UserName}

Step-4: Get Account ID

  1. Get your Account ID

    CODE 
    aws sts get-caller-identity --query Account --output text

Step-5: Submit Details in DigitalEx

Get the details Account ID, Role ARN or Access/Secret Key, Bucket Name, Report Path Prefix

Follow the below steps to onboard the billing account in DigitalEx.

If none of the providers is onboarded, follow the below steps.

If one of the providers is onboarded, follow the link Azure Connect Billing Account for Partner to onboard additional providers

  1. Click on AWS Provider

  2. Click on Connect manually.

  1. Click on Connect Billing Account

  1. Enter the details which you have captured above.

  2. Click on connect & done.

If one of the providers is onboarded, follow the steps below to onboard additional providers.

  1. Navigate to Menu > Admin > Public Clouds > +Account.

  1. Click on AWS Provider & Click on Manual tab.

  2. Enter the details which you have captured above.

  1. Click Connect

  2. The onboarded Billing Account will be displayed with the list of All linked Subscription accounts.

After adding a new account, it may take up to 30 minutes for the system to discover and process the data.

  1. Go to the Menu option and Click Cost.

  1. Data will display immediately after successful ingestion.

<<Previous ---------------------------------------------------------------------------------------------------------- Next>>

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close