Multi-user billing at Amazon Web Services

Hello habrasociety!

There are large projects with separate accounts and many IAM users. More often, though, there are smaller clients, and here I would like to bring everyone together under one account but bill them separately. How do you bill different customers under the same AWS account? That is what I will talk about now.

Tagging


AWS uses tags to separate resources and to support multi-tenant billing. Tags can be attached to anything. All kinds of traffic, I/O, RDS, SQS, S3, etc. can be accounted for separately by tag. So, take a main PROJECT tag and apply it to all resources, for example:


S3 bucket


Reports from Amazon are delivered to a separate S3 bucket, which you need to create and prepare. Create a bucket and assign the following bucket policy to it:
{
	"Version": "2008-10-17",
	"Id": "Policy1335892530063",
	"Statement": [
		{
			"Sid": "Stmt1335892150622",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::386209384616:root"
			},
			"Action": [
				"s3:GetBucketAcl",
				"s3:GetBucketPolicy"
			],
			"Resource": "arn:aws:s3:::epm-cit_fin_reports"
		},
		{
			"Sid": "Stmt1335892526596",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::386209384616:root"
			},
			"Action": "s3:PutObject",
			"Resource": "arn:aws:s3:::epm-cit_fin_reports/*"
		}
	]
}

This policy gives the AWS billing service access to your bucket so that it can add reports to it.

Billing preferences


Next, go to the Billing Preferences page and turn on all services, specifying the bucket to which the policy has already been applied:


Cost Allocation Report



On the report settings page, choose the tags by which you will invoice your customers:


Reports


Over time, report files in CSV format will appear in the selected bucket. They contain every item for which AWS charges your card. Items that come from tagged services are marked with their tags. In Excel / OO Calc, you can filter rows by tag and display the amount that an individual client has run up on your account.
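The same per-client filtering and summing can be scripted instead of done in a spreadsheet. This is an added example, not code from the original post; the column names `user:PROJECT` and `TotalCost` and the sample rows (line items only) are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal, InvalidOperation

# Assumed column names (not given on the page); adjust to the real report header.
TAG_COLUMN = "user:PROJECT"
COST_COLUMN = "TotalCost"
UNTAGGED = "(untagged)"

# Constructed sample standing in for a report file; not real billing data.
SAMPLE_REPORT = """\
ProductName,UsageType,TotalCost,user:PROJECT
Amazon Elastic Compute Cloud,BoxUsage:m1.small,12.40,client-a
Amazon Simple Storage Service,TimedStorage-ByteHrs,3.15,client-a
Amazon RDS Service,InstanceUsage:db.m1.small,27.90,client-b
Amazon Elastic Compute Cloud,DataTransfer-Out-Bytes,1.05,
Amazon Simple Queue Service,Requests-RBP,0.50,client-b
"""


def cost_by_tag(report_text, tag_column=TAG_COLUMN, cost_column=COST_COLUMN):
    """Sum the cost column per tag value; rows without a tag go to UNTAGGED."""
    reader = csv.DictReader(io.StringIO(report_text))
    missing = {tag_column, cost_column} - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"report lacks columns (tag not selected?): {sorted(missing)}")
    totals = defaultdict(Decimal)
    for row in reader:
        try:
            cost = Decimal((row[cost_column] or "").strip())
        except InvalidOperation:
            continue  # blank or non-numeric cost: not a billable line
        tag = (row[tag_column] or "").strip() or UNTAGGED
        totals[tag] += cost
    return dict(totals)


def untagged_share(totals):
    """Fraction of total spend that cannot be billed to any client."""
    grand_total = sum(totals.values(), Decimal(0))
    return totals.get(UNTAGGED, Decimal(0)) / grand_total if grand_total else Decimal(0)


if __name__ == "__main__":
    result = cost_by_tag(SAMPLE_REPORT)
    for tag, cost in sorted(result.items()):
        print(f"{tag:12} {cost:>8}")
    print(f"untagged share: {untagged_share(result):.1%}")
```

Watching the untagged share shows how much spend comes from resources that never received the PROJECT tag and therefore cannot be attributed to a client.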

With a little extra work, you can also format the reports nicely.

Conclusions


In this short post, I covered the highlights of AWS multi-tenant billing. It is this easy to share services between different users and issue them reasonable bills. Unfortunately, right now it is impossible to differentiate access rights between clients so that they manage their own resources under one account, but I think someday it will be possible, and I will definitely write on Habr about how to do it!
