AWS Integration
Connect your AWS accounts using secure OIDC authentication.
Overview
CosmosCost integrates with AWS Cost Explorer using OIDC (OpenID Connect) Web Identity Federation. This approach eliminates the need to store AWS credentials, providing enhanced security and simplified management.
Key Features
- No Credentials Stored: Uses temporary security tokens
- Read-Only Access: Cannot modify AWS resources
- Automated Sync: Hourly, daily, or weekly updates
- Historical Data: Import up to 24 months of cost data
Prerequisites
- Active AWS account with billing enabled
- IAM permissions to create roles and policies
- AWS Cost Explorer enabled
- CosmosCost Business or Business+ plan (Free plan supports 1 AWS account)
Quick Setup
Step 1: Start in CosmosCost
- Log in to your CosmosCost dashboard
- Navigate to Settings → Cloud Accounts
- Click Add Cloud Account
- Select AWS
- Note the OIDC Provider URL and Subject provided
Step 2: Configure AWS IAM
Create IAM Role
- Open AWS Console and go to IAM
- Click Roles → Create Role
- Select Web Identity
- Choose Identity Provider: OpenID Connect
- Enter Provider URL from CosmosCost
- Set Audience to sts.amazonaws.com
- Click Next
Attach Policies
Attach these AWS managed policies:
- ViewOnlyAccess
- CostExplorerReadOnlyAccess
Or create a custom policy with minimum permissions:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ce:GetCostAndUsage",
            "ce:GetCostForecast",
            "ce:GetDimensionValues",
            "ce:GetTags"
          ],
          "Resource": "*"
        }
      ]
    }

Configure Trust Relationship
Edit the trust relationship with:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::YOUR_ACCOUNT:oidc-provider/YOUR_OIDC_PROVIDER"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "YOUR_OIDC_PROVIDER:sub": "YOUR_SUBJECT_FROM_COSMOSCOST"
            }
          }
        }
      ]
    }

Name and Create
- Name the role (e.g., "CosmosCostIntegration")
- Add description
- Create role
- Copy the Role ARN
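Before pasting the Role ARN into CosmosCost, the trust relationship can be checked offline. The following is an added example, not CosmosCost's own code: it lints a trust policy document for an exact `sub` match and for an `aud` condition matching the audience set in the wizard (sts.amazonaws.com). The provider host, subject and account ID are constructed placeholders, and `lint_trust_policy` and `sample_policy` are hypothetical helper names.

```python
def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def lint_trust_policy(policy, provider, expected_sub, expected_aud="sts.amazonaws.com"):
    """Return findings for an OIDC trust policy; an empty list means it passed."""
    findings, seen = [], False
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(st.get("Action", [])):
            continue
        seen = True
        principal = st.get("Principal")
        fed = principal.get("Federated", "") if isinstance(principal, dict) else ""
        if not (isinstance(fed, str) and fed.endswith(":oidc-provider/" + provider)):
            findings.append(f"statement {i}: principal is not the {provider} OIDC provider")
        cond = st.get("Condition", {})
        exact = cond.get("StringEquals", {})
        # Each claim must be pinned to exactly one value with StringEquals.
        for claim, want in (("sub", expected_sub), ("aud", expected_aud)):
            if _as_list(exact.get(f"{provider}:{claim}", [])) != [want]:
                findings.append(f"statement {i}: {claim} is not pinned to {want!r}")
        # Pattern operators on the subject can match identities other than the expected one.
        for op, keys in cond.items():
            if "Like" in op and any(k.endswith(":sub") for k in keys):
                findings.append(f"statement {i}: {op} on sub allows pattern matches")
    if not seen:
        findings.append("no statement allows sts:AssumeRoleWithWebIdentity")
    return findings

# Constructed sample values; substitute the provider URL and subject shown by CosmosCost.
PROVIDER, SUBJECT = "oidc.example.com", "example-subject"

def sample_policy(conditions):
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{PROVIDER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": conditions}]}

SUB_ONLY = sample_policy({"StringEquals": {f"{PROVIDER}:sub": SUBJECT}})
PINNED = sample_policy({"StringEquals": {f"{PROVIDER}:sub": SUBJECT,
                                         f"{PROVIDER}:aud": "sts.amazonaws.com"}})

if __name__ == "__main__":
    for name, pol in (("sub only", SUB_ONLY), ("sub and aud", PINNED)):
        print(name, "->", lint_trust_policy(pol, PROVIDER, SUBJECT) or "OK")
```

To check a deployed role, load the JSON returned by `aws iam get-role --role-name <role> --query Role.AssumeRolePolicyDocument` and pass it as `policy`.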
Step 3: Complete in CosmosCost
- Return to CosmosCost setup wizard
- Paste the Role ARN
- Enter account name/alias
- Click Connect Account
- CosmosCost validates the connection
- Initial sync begins automatically
Success!
Your AWS account is connected. Initial sync takes 24-48 hours.
Cost Explorer Configuration
Enabling Cost Explorer
- Open AWS Billing Console
- Navigate to Cost Explorer
- Click Enable Cost Explorer
- Wait 24 hours for initial data population
Cost and Usage Reports (Optional)
For more detailed cost analysis, enable Cost and Usage Reports:
- Go to Billing → Cost & Usage Reports
- Click Create Report
- Configure S3 bucket for report storage
- Enable hourly granularity
- Include resource IDs
- Create report
Multi-Account Setup
AWS Organizations
For organizations with multiple AWS accounts:
- Set up role in management (payer) account
- Enable consolidated billing
- All member account costs aggregated automatically
- Or create separate connections for each account
Troubleshooting
Connection Failed
Check these common issues:
- OIDC provider URL entered correctly
- Trust relationship configured properly
- Role ARN copied correctly
- Required policies attached
- Cost Explorer enabled
No Data Appearing
- Wait 24-48 hours for initial sync
- Verify Cost Explorer has data
- Check account has billable usage
- Review CloudTrail for API access logs
Permission Errors
- Verify all required policies attached
- Check trust relationship condition matches
- Ensure role is assumable
- Review AWS CloudTrail logs for denied requests
Need Detailed Instructions?
Check docs/COMPLETE_OIDC_SETUP_GUIDE.md in the repository for comprehensive step-by-step instructions with screenshots.
Still having issues? Check the troubleshooting guide or contact support.