
Billing Engine for AWS - Customer Manual

Overview

As an AWS Managed Service Provider (MSP) and AWS Reseller, we utilise our proprietary billing tool, Billing Engine, which plays a crucial role in our billing process. The Billing Engine extracts cost and usage data from customer AWS accounts and integrates it into our ERP system for processing and invoice creation. To enable this functionality, we configure OpenID federation within your AWS management account. Deploying all the necessary components to provide access to the Billing Engine is essential.

Key Components and Resources

  1. OIDC Identity Provider (SWOOpenIDCProvider)

    • Allows the Billing Engine to authenticate with AWS using OpenID Connect (OIDC). It configures an OIDC Identity Provider in the customer's AWS account to establish a trusted connection for authentication. The Billing Engine service authenticates with SoftwareOne's Active Directory first and then assumes an IAM role in the AWS account.

  2. IAM Role (SWOOpenIDCAssumeBillingOnlyRole)

    • An IAM role tailored for billing operations, allowing actions like listing accounts and fetching billing data. The trust relationship is configured to allow only specific AzureAD claims, ensuring that only authorized entities can assume this role. This role is used by the Billing Engine. The following policy is attached to this role.

  3. IAM Managed Policy (SWOOpenIDCAssumeBillingOnlyPolicy)

    • Defines the permissions required by the Billing Engine to access AWS resources:

      • organizations:ListAccounts: Allows listing all AWS accounts in the organization.

      • organizations:DescribeAccount: Allows retrieving information about an AWS account in the organization.

      • ce:GetCostAndUsage: Allows retrieving cost and usage data from AWS Cost Explorer.

IAM Policy (JSON Format)

Here is the IAM policy document in JSON format:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "organizations:ListAccounts",
        "organizations:DescribeAccount",
        "ce:GetCostAndUsage"
      ],
      "Resource": "*"
    }
  ]
}
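As an added check that is not part of this manual or of the SoftwareOne stack: a small Python script that verifies an exported copy of the role's trust policy allows only sts:AssumeRoleWithWebIdentity from the OIDC provider and pins both the aud and sub claims, and that the permissions policy grants nothing beyond the three read-only actions above. The account id, tenant id and claim values are constructed placeholders.

```python
# Constructed sample values; placeholders, not the real stack's identifiers.
ACCOUNT = "123456789012"
TENANT = "00000000-0000-0000-0000-000000000000"
PROVIDER = f"login.microsoftonline.com/{TENANT}/v2.0"  # issuer host/path, no scheme
ALLOWED_ACTIONS = {"organizations:ListAccounts",
                   "organizations:DescribeAccount", "ce:GetCostAndUsage"}

TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT}:oidc-provider/{PROVIDER}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
        f"{PROVIDER}:aud": "00000000-0000-0000-0000-00000000aaaa",  # app id placeholder
        f"{PROVIDER}:sub": "00000000-0000-0000-0000-00000000bbbb"}}}]}  # sp id placeholder

def _actions(statement):
    """Normalise Action, which IAM accepts as either a string or a list."""
    a = statement.get("Action", [])
    return [a] if isinstance(a, str) else list(a)

def check_trust_policy(policy, provider=PROVIDER, account=ACCOUNT):
    """List problems with the role's trust policy; an empty list means it is locked down."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        fed = st.get("Principal", {}).get("Federated")
        if fed != f"arn:aws:iam::{account}:oidc-provider/{provider}":
            findings.append(f"unexpected principal: {fed}")
        if _actions(st) != ["sts:AssumeRoleWithWebIdentity"]:
            findings.append(f"unexpected actions: {_actions(st)}")
        eq = st.get("Condition", {}).get("StringEquals", {})
        for claim in ("aud", "sub"):  # audience pins the app, subject pins the identity
            if not eq.get(f"{provider}:{claim}"):
                findings.append(f"no StringEquals condition on the {claim} claim")
    return findings

def check_permissions_policy(policy, allowed=ALLOWED_ACTIONS):
    """Flag any Allow action outside the documented read-only set (wildcards included)."""
    return [f"action outside billing read-only set: {a}"
            for st in policy.get("Statement", []) if st.get("Effect") == "Allow"
            for a in _actions(st) if a not in allowed]

if __name__ == "__main__":
    # A weakened copy with the subject condition dropped: any token for the app could assume the role.
    import copy
    weak = copy.deepcopy(TRUST_POLICY)
    del weak["Statement"][0]["Condition"]["StringEquals"][f"{PROVIDER}:sub"]
    print("good:", check_trust_policy(TRUST_POLICY))  # []
    print("weak:", check_trust_policy(weak))
```

Point both functions at the policy documents exported from the deployed role (for example via the IAM console or `aws iam get-role` / `aws iam get-policy-version`) to confirm the stack matches what this manual describes.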

Setup:

This Billing Engine deployment is not fully automated. After configuring the payer account as described below, request manual onboarding from the Billing Engine team.

  1. Log into your master payer account.

  2. Run the CloudFormation template from the following CloudFormation QuickLink (v2.10.3).

    • This link will automatically open the AWS CloudFormation console with the correct template and all parameters filled in.

    • Configuration:

      The screenshot below shows how it should be configured. The provided QuickLink will fill in all details for you.

[Screenshot: CloudFormation stack configuration as pre-filled by the QuickLink]

Stack Version and Location:

  1. This section stays as it is.

    • Key Parameters:

      • SelectedEnvironment=Prod

        • Configures the OpenID connector to use the Production AD.

      • RoleDeploymentOption=Only Billing OpenID role

        • Ensures that only the role for the Billing Engine is deployed.

        • Note: there are other roles in the stack, but with this option selected those roles are NOT deployed.

      • OpenIDFederationService=Simple

        • Deploys the role only in the Master Payer AWS account.

        • "Managed" would use StackSets to deploy to linked accounts, used for Managed Services deployments.

  2. Acknowledging deployment completion

    • Customer Responsibility:
      After deploying the OpenID stack, please report the successful execution of the script to the individual who provided the script and instructions. This is typically an MCOE team member or your account manager.

  3. Onboarding and validation

    • Initiating Onboarding
      Once you report the deployment, the MCOE team member will initiate the manual onboarding process with the Billing Engine team on your behalf.

    • Validation During Onboarding
      During the onboarding process, the Billing Engine team will validate the OpenID stack implementation to ensure it has been set up correctly. You will be informed whether the onboarding was successful or if any issues need to be addressed.

  4. Handling issues

    • Issue Resolution
      If any discrepancies are found during validation, the MCOE team will collaborate with the Billing Engine team to determine the appropriate steps to resolve them.

    • Communication
      You will be notified of any required actions or resolutions to ensure the process is completed successfully.
