K8s Governance & Cost Control
  • Quick Start Guide
  • Getting Started
    • Cluster Dashboard
    • Teams Dashboard
    • Namespace Dashboard
    • Node Dashboard
    • Settings Page
  • Concepts / Calculations
    • Calculations
    • Agent
    • Aggregator
    • Pushgateway
    • Server
    • Pricing API
  • Monitoring and Alerts
  • Settings
    • Users
    • Pending Invitations
    • Billing Credentials
    • Single Sign On (SAML)
    • Custom Cost
    • Cloud Costs (Out of Cluster Costs)
    • API Tokens
    • API Access
  • Changelog
    • Agent
    • Aggregator
    • Frontend
    • Pushgateway
    • Server
    • PricingAPI
Powered by GitBook
On this page
  • Add Billing Credentials
  • AWS
  • Google Cloud
  • Azure
  • Alibaba
  • Edit or Remove Credentials
  1. Settings

Billing Credentials

PreviousPending InvitationsNextSingle Sign On (SAML)

Last updated 3 years ago

The Billing Credentials section of the Settings page, allows admins to add, review edit and delete cloud provider billing credentials to their account.

By default Replex uses each cloud provider's list price to help chargeback and allocate Kubernetes costs. To accurately allocate and chargeback costs, it is recommended to enable Replex to access your cloud provider's billing data.

Add Billing Credentials

To add cloud provider billing credentials click + Add Credentials in the top right of the Billing Credentials section.

On the next screen, choose the cloud provider you are adding billing credentials for. Billing credentials can be added for AWS, Azure, Alibaba and Google Cloud.

On the next screen enter the Credential Name and choose the clusters that the credentials will be applied to.

To apply these credentials to all clusters currently in the account as well as to those that will be created in the future, click on the Set as default toggle.

Next enter the credentials manually or as JSON by filling out each required field.

Finally, click Save to add the billing credentials to your account. Once added, billing credentials will show up in the Billing Credentials section, where admins can review, edit or delete them.

Below is the list of required fields for each cloud provider:

AWS

  • Report Name

  • Access Key ID

  • Secret Access Key

To create Cost and Usage Reports you need a user with advanced access. This user must have at least this policies:

  1. AmazonS3FullAccess (or similar that can create, read, list and attach bucket policies)

  2. Billing (to access billing console and create report)

  3. AWSCloudFormationFullAccess (to create a stack that will get data from bucket and put it to Athena DB)

  4. IAMFullAccess (or similar to create user, create policy, attach policy, get access keys)

  5. EC2:DescribeInstances (to get information about available instance types)

  6. EC2:DescribeVolumes (to get information about attached node disks)

Report Name refers to AWS Cost and Usage Reports. Follow the steps outlined below to setup reports on your AWS console

a. Click the “Create report button” here and follow the following steps to create a billing report:

  1. Enter the report's name.

  2. Check the "Include resource IDs" and click next.

  3. Click "Configure" in "S3 Bucket section" and enter a bucket name in "Create a bucket" section.

  4. Enter report path prefix.

  5. Check "Daily" in "Time granularity" section.

  6. Check "Amazon Athena" in "Enable report data integration for" section.

  7. Click "Next", review entered data and save.

b. Create a CloudFormation Stack using doc from here.

c. Create a new AWS User, that will query billing data, here.

d. Grant the newly created user the following access roles:

Make sure you replace the {BUCKET_NAME} with the actual name of the bucket in the VisualEditor4 block and do not remove the trailing asterisk.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "athena:startQueryExecution", "athena:getQueryExecution", "cur:DescribeReportDefinitions", "glue:GetTable", "glue:GetPartitions", "glue:GetDatabase", "ec2:DescribeInstances", "ec2:DescribeVolumes" ], "Resource": "*" }, { "Sid": "VisualEditor2", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:ListBucketMultipartUploads", "s3:AbortMultipartUpload", "s3:CreateBucket", "s3:ListBucket", "s3:GetBucketLocation", "s3:ListMultipartUploadParts" ], "Resource": "arn:aws:s3:::aws-athena-query-results-*" }, { "Sid": "VisualEditor4", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:ListBucketMultipartUploads", "s3:AbortMultipartUpload", "s3:CreateBucket", "s3:ListBucket", "s3:GetBucketLocation", "s3:ListMultipartUploadParts" ], "Resource": "arn:aws:s3:::{BUCKET_NAME}*" } ] }

e. Proceed to creation of billing integration in Replex settings. Fields can be added both as JSON as well as manually.

Example JSON input:

{
  "accessKeyId": "<accessKeyId>",
  "secretAccessKey": "<secretAccessKey>",
  "reportName": "<reportName>"
}

Google Cloud

  • Type

  • Project ID

  • Private Key ID

  • Private Key

  • Client Email

  • Client ID

  • Auth URI

  • Token URI

  • Auth Provider X509 Cert URL

  • Client X509 Cert URL

  • Big Query Integration - Dataset Name

  • Big Query Integration - Table Name

  • Big Query Integration - Dataset Location

Make sure you configure Billing export to BigQuery by following the steps outlined below:

a. Create a new service account by following this guide.

b. Grant the newly created service account the following access roles:

  • BigQuery Data Viewer

  • BigQuery Job User

c. Follow the instructions here to enable and set up Billing export to BigQuery.

d. Input required fields in the Billing Credentials section either as JSON or manually.

Example JSON input:

{
  "serviceAccount": {
    "type": "<type>",
    "project_id": "<project_id>",
    "private_key_id": "<private_key_id>",
    "private_key": "<private_key>",
    "client_email": "<client_email>",
    "client_id": "<client_id>",
    "auth_uri": "<auth_uri>",
    "token_uri": "<token_uri>",
    "auth_provider_x509_cert_url": "<auth_provider_x509_cert_url>",
    "client_x509_cert_url": "<client_x509_cert_url>"
  },
  "bigQueryIntegration": {
    "datasetName": "<datasetName>",
    "tableName": "<tableName>",
    "datasetLocation": "<datasetLocation>"
  }
}

Azure

  • Client ID

  • Subscription ID

  • Secret

  • Domain

Make sure the account you use to add billing credentials has the "User Access Administrator" rights.

a. Get the subscription ID that contains the information about billing data.

b. Make sure Azure Active Directory is available and App Registrations are enabled.

c. Get the AAD ID and create the auth key.

  1. Open the AAD page, then click on the App registrations sidebar menu. Open the corresponding app and copy the Application (client) ID and the Directory (tenant) ID.

  2. Click on the Certificates & secrets tab and create a client secret.

d. Grant permissions

  1. Go to subscriptions and select the corresponding subscription.

  2. Click on Access Control (IAM) in the sidebar, open the Role assignments tab and add a new role assignment for the chosen app.

  3. Next click on the Add button, in the right pop-up modal, select roles "Cost Management Reader" and "Virtual Machine Contributor", assign access to "Azure AD user, group, or service principal", then in the Select choose the app.

e. Once the above steps have been completed, input required fields in the Billing Credentials section either as JSON or manually.

Example JSON input:

{
  "clientID": "<clientID>",
  "subscriptionID": "<subscriptionID>",
  "secret": "<secret>",
  "domain": "<domain>"
}

Alibaba

  • Access Key ID

  • Access Key Secret

Make sure the account you use to add billing credentials has the "AliyunBSSReadOnlyAccess" permission.

a. Follow this guide to obtain your Access Key ID and Access Key Secret.

b. Enter both in the replex Billing Credentials settings page. Example JSON input:

{
    accessKeyID: "<accessKeyID>",
    accessKeySecret: "<accessKeySecret>"
}

Edit or Remove Credentials

Admins can edit previously added Billing Credentials by clicking the edit icon in front of each credential.

Previously added billing credentials can be deleted by clicking on the delete icon in front of each credential.

Choose Cloud Provider
Enter Billing credentials
Billing credentials section
Billing credentials section
Enter AWS billing credentials as JSON
Enter AWS billing credentials manually
Enter GCP billing credentials as JSON
Enter GCP billing credentials manually
Enter Azure billing credentials as JSON
Enter Azure billing credentials manually
Enter Alibaba billing credentials as JSON
Enter Alibaba billing credentials manually