Tutorial: Getting Your Consumption Using an EIM User

In terms of governance, it can be a best practice to create an EIM user whose only right is to read your account’s consumption information. This way, you can grant access to your consumption to a dedicated person or script without having to grant them any other rights on the rest of your account.

First, you need to use your root account to create and configure the EIM user.

Then, the other person or script can configure their OSC CLI to use the credentials of the EIM user.

(Root Account) Create and Configure the EIM User

  1. Create the EIM user:

    $ osc-cli eim CreateUser --profile "default" \
      --UserName "readconsumption-user"

    For more information on this command, see CreateUser in the EIM API documentation.

  2. Create a policy that allows only the ReadConsumptionAccount action:

    $ osc-cli eim CreatePolicy --profile "default" \
      --PolicyName "readconsumption-policy" \
      --PolicyDocument '{ \
          "Statement": [ \
            { \
              "Action": "api:ReadConsumptionAccount", \
              "Resource": "*", \
              "Effect": "Allow" \
            } \
          ] \
        }'

    This command returns several response elements, including an Arn element (for example, "arn:aws:iam::123456789012:policy/readconsumption-policy").

    For more information on this command, see CreatePolicy in the EIM API documentation.

  3. Attach the policy to the EIM user:

    $ osc-cli eim AttachUserPolicy --profile "default" \
      --PolicyArn "arn:aws:iam::123456789012:policy/readconsumption-policy" \
      --UserName "readconsumption-user"

    For more information on this command, see AttachUserPolicy in the EIM API documentation.

  4. Create an access key for the EIM user:

    $ osc-cli eim CreateAccessKey --profile "default" \
      --UserName "readconsumption-user"

    This command returns several response elements, including an AccessKeyId element and a SecretAccessKey element.

    For more information on this command, see CreateAccessKey in the EIM API documentation.

(EIM User) Configure Your OSC CLI Profile

  1. In the .osc/config.json file, configure a profile to use the access key and secret key of the EIM user:

    .osc/config.json
    {
       "readconsumption-user": {
          "access_key": "AAAAAAAAAAAAAAAAAAAA",
          "secret_key": "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",
          "host": "outscale.com",
          "https": true,
          "method": "POST",
          "region_name": "eu-west-2"
       }
    }
  2. The EIM user can now run the ReadConsumptionAccount action using OSC CLI:

    $ osc-cli api ReadConsumptionAccount --profile "readconsumption-user" \
      --FromDate 2022-06-01 \
      --ToDate 2022-07-01 \
      --Overall False

    The Overall parameter specifies whether to return an overall consumption:

    • If False, returns only the consumption of the account that sends this command.

    • If True and this command is sent from a paying account, returns the overall consumption of the paying account and all linked accounts.

    • If True and this command is sent from a linked account, returns nothing.

    In all cases, the consumption is that of one or more accounts and not that of the EIM user. The notion of consumption of an EIM user has no meaning, since Cloud resources are not allocated to EIM users but to the accounts.

    EIM must be considered as a set of credentials allowed to perform granted API calls on a specific account. For more information, see About EIM Users.

    For more information on this command, see Getting Information About Your Resource Consumption > OSC CLI.

Related Pages