Hi, Habr community!

There are large projects with separate accounts and multiple IAM users. More often, though, the clients are smaller, and here you want to keep everyone together but bill them separately. How do you do that? How do you bill different clients under one AWS account? That is what I will cover now.
Tagging
For resource sharing and multi-user billing, AWS uses tags. Tags can be attached to almost anything. All sorts of traffic, I/O operations, RDS, SQS, S3, etc. can be accounted for separately by tag. So, take a main PROJECT tag and apply it to all services, for example:

S3 bucket
Reports from Amazon are delivered to a separate S3 bucket, which you need to create and prepare. Create a bucket and assign the following bucket policy to it:
Bucket policy

    {
      "Version": "2008-10-17",
      "Id": "Policy1335892530063",
      "Statement": [
        {
          "Sid": "Stmt1335892150622",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::386209384616:root"
          },
          "Action": [
            "s3:GetBucketAcl",
            "s3:GetBucketPolicy"
          ],
          "Resource": "arn:aws:s3:::epm-cit_fin_reports"
        },
        {
          "Sid": "Stmt1335892526596",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::386209384616:root"
          },
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::epm-cit_fin_reports/*"
        }
      ]
    }

This policy gives the AWS billing service access to your bucket so that it can add reports to it.
Billing Preferences
Next, go to the Billing Preferences page and turn on all services, specifying the bucket that already has the policy applied:

Cost Allocation Report
On the report settings page, select the tags by which you will invoice your clients:

Reports
Over time, report files in CSV format will appear in the selected bucket. They contain every item for which AWS charges your card. Items that originate from tagged services will be marked with their tags. In Excel / OO Calc, you can filter the lines by tag and display the amount that a particular client has run up on your account.
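The same per-client filtering can be scripted instead of done in a spreadsheet. The following Python sketch is an added example, not part of the original post; the column names `RecordType`, `TotalCost` and `user:PROJECT` and the sample rows are assumptions constructed for illustration, so adjust them to the header of your own report.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample report. Column names and RecordType values are
# assumptions about the CSV layout, not taken from the original post.
SAMPLE_REPORT = """\
RecordType,ProductName,UsageType,TotalCost,user:PROJECT
LineItem,Amazon Elastic Compute Cloud,BoxUsage:m1.small,12.40,client-a
LineItem,Amazon Simple Storage Service,TimedStorage-ByteHrs,0.95,client-a
LineItem,Amazon Relational Database Service,InstanceUsage:db.m1.small,30.10,client-b
LineItem,Amazon Elastic Compute Cloud,DataTransfer-Out-Bytes,3.25,
InvoiceTotal,,,46.70,
"""

UNTAGGED = "(untagged)"


def cost_per_tag(report, tag_column="user:PROJECT", cost_column="TotalCost"):
    """Sum line-item costs per tag value.

    Rows with an empty tag are collected under UNTAGGED, so spend that no
    client is billed for stays visible instead of silently disappearing.
    """
    totals = defaultdict(Decimal)
    for row in csv.DictReader(report):
        # Skip summary rows (invoice totals), otherwise costs count twice.
        if not (row.get("RecordType") or "").endswith("LineItem"):
            continue
        tag = (row.get(tag_column) or "").strip() or UNTAGGED
        # Decimal avoids float rounding errors when adding money amounts.
        totals[tag] += Decimal(row.get(cost_column) or "0")
    return dict(totals)


if __name__ == "__main__":
    totals = cost_per_tag(io.StringIO(SAMPLE_REPORT))
    for tag, amount in sorted(totals.items()):
        print(f"{tag:12} {amount:>8}")
```

For a real report, pass an open file object instead of the `io.StringIO` wrapper. A non-zero `(untagged)` total means some resources are missing the PROJECT tag.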
You can also do something like this to present the reports nicely:

Conclusions
In this short story, I covered the highlights of AWS multi-user billing. It is this easy to divide services between different users and issue them well-founded bills. Unfortunately, it is currently impossible to separate access rights between clients so that they manage their own resources under one account, but I think someday it will be possible, and I will definitely write about how to do it on Habr!