Authorization

Follow this guide to create a new AWS Cost Explorer API credential that will allow Nexla to authenticate to and exchange data with your AWS account.

AWS Cost Explorer API

Prerequisites

Before creating an AWS Cost Explorer API credential in Nexla, you need to create an IAM user with appropriate permissions and obtain AWS Access Key credentials. AWS Cost Explorer API uses AWS Signature Version 4 for authentication.

AWS IAM User Setup

The IAM user must have appropriate permissions to access the Cost Explorer API. Ensure that the user has the necessary IAM policies attached. For detailed information about Cost Explorer API permissions, see the AWS Cost Explorer API documentation.

1. Access AWS IAM Console: Sign in to your AWS account and navigate to the IAM Console.

2. Create an IAM User: Create a new IAM user or select an existing user that will be used for API access. This user will need permissions to access the Cost Explorer API.

3. Attach Cost Explorer Permissions: Attach the necessary IAM policies to the user. The user needs permissions to access the Cost Explorer API, such as:

   • ce:GetCostAndUsage
   • ce:GetCostAndUsageWithResources
   • ce:GetDimensionValues
   • ce:GetReservationCoverage
   • ce:GetReservationPurchaseRecommendation
   • ce:GetReservationUtilization
   • ce:GetRightsizingRecommendation
   • ce:GetSavingsPlansCoverage
   • ce:GetSavingsPlansPurchaseRecommendation
   • ce:GetSavingsPlansUtilization
   • ce:GetUsageReport
   • ce:ListCostCategoryDefinitions
   • Or attach the AWSCostExplorerServiceReadOnlyAccess managed policy for read-only access

4. Create Access Key: Create an access key pair for the IAM user. This will generate an Access Key ID and Secret Access Key that you'll use for authentication.

5. Select AWS Region: Determine which AWS region you want to use for the Cost Explorer API. The Cost Explorer API is available in specific regions, typically us-east-1 (N. Virginia).

6. Copy Credentials: Copy the Access Key ID and Secret Access Key immediately after creation, as the secret key will only be shown once.

   AWS Access Keys provide programmatic access to your AWS account. Keep your Access Key ID and Secret Access Key secure and do not share them publicly or commit them to version control systems. If you suspect your access keys have been compromised, rotate them immediately in the IAM Console. For detailed information about AWS IAM and access keys, see the AWS IAM documentation.

Create an AWS Cost Explorer API Credential

• To create a new AWS Cost Explorer API credential, after selecting the data source/destination type, click the Add Credential tile to open the Add New Credential overlay.

New Credential Overlay – AWS Cost Explorer API

Credential Name & Description

1. Enter a name for the credential in the Credential Name field and a short, meaningful description in the Credential Description field.

   Resource descriptions are recommended but are not required. They should be used provide information about the resource purpose, data freshness, etc. that can help the owner and other users efficiently understand and utilize the resource.

AWS Authentication Configuration

2. Enter your AWS Access Key ID in the AWS Access Key field. This should be the Access Key ID obtained from your IAM user's access key pair. The Access Key ID is used together with the Secret Access Key to sign API requests using AWS Signature Version 4.

3. Enter your AWS Secret Access Key in the AWS Secret Key field. This should be the Secret Access Key obtained from your IAM user's access key pair. The Secret Access Key is used together with the Access Key ID to sign API requests.

   The AWS Access Key ID and Secret Access Key provide programmatic access to your AWS account through the Cost Explorer API. Keep these credentials secure and do not share them publicly or commit them to version control systems. AWS uses AWS Signature Version 4 to sign API requests, which allows Nexla to make authenticated requests to your AWS account.

4. Enter your AWS Region in the AWS Region field. This should be the AWS region where you want to make Cost Explorer API requests. Common regions include us-east-1 (N. Virginia), us-west-2 (Oregon), eu-west-1 (Ireland), and others. The Cost Explorer API is typically available in us-east-1.

5. Optionally, enter a Session Token in the Session Token field if you are using temporary security credentials. Session tokens are required when using temporary credentials from AWS STS (Security Token Service) or when assuming IAM roles. If you are using permanent access keys, you can leave this field empty.

   If you are using temporary security credentials (for example, from AWS STS or IAM role assumption), you must provide a Session Token. The session token is added to requests as the x-amz-access-token header. For permanent access keys, the session token field can be left empty.

Save the Credential

1. Once all of the relevant steps in the above sections have been completed, click the Save button at the bottom of the overlay to save the configured credential.

2. The newly added credential will now appear in a tile on the Authenticate screen during data source/destination creation and can be selected for use with a new data source or destination.