What will change?
CloudBilling is introducing token-based authentication for the AWS connector.
Why do we make this change?
The AWS connector is currently authenticated through access keys. Access keys are long-term credentials for an IAM user or the AWS account root user, and security best practice is to rotate them regularly. Anyone managing multiple accounts has to rotate multiple keys, which is a manual task in CloudBilling. To help with this, we now support token-based authentication via roles. A token is short-lived, which makes it less likely to be compromised.
How does this functionality work?
CloudBilling assumes a role that is trusted by the account from which we retrieve billing usage via S3, and fetches a token that is then used to access the S3 content.
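A customer-side check on the role that gets assumed, as an added example that is not taken from CloudBilling's documentation: it parses a role trust policy and reports web-identity statements that do not pin the token's audience and subject. The provider host, account ID and claim values below are constructed placeholders; the real values come from the CloudBilling documentation.

```python
import json

WEB_IDENTITY = "sts:assumerolewithwebidentity"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy_json):
    """Return findings for web-identity statements in an IAM role trust policy."""
    findings = []
    policy = json.loads(policy_json)
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or WEB_IDENTITY not in actions:
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or "Federated" not in principal:
            findings.append(f"statement {i}: principal is not a federated identity provider")
        # Condition keys look like "<provider-host>:aud"; keep the claim name only.
        exact = stmt.get("Condition", {}).get("StringEquals", {})
        pinned = {key.rsplit(":", 1)[-1].lower() for key in exact}
        for claim in ("aud", "sub"):
            if claim not in pinned:
                findings.append(f"statement {i}: no StringEquals condition on the '{claim}' claim")
    return findings

def _policy(condition):
    # Constructed sample policy; every identifier in it is a placeholder.
    stmt = {
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/idp.example.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
    }
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

PINNED = _policy({"StringEquals": {"idp.example.com:aud": "placeholder-audience",
                                   "idp.example.com:sub": "placeholder-subject"}})
UNPINNED = _policy(None)  # any token issued by the provider could assume the role

if __name__ == "__main__":
    for name, doc in (("pinned", PINNED), ("unpinned", UNPINNED)):
        print(name, audit_trust_policy(doc) or "ok")
```

The trust policy of an existing role can be exported with `aws iam get-role` and passed to `audit_trust_policy` as a JSON string.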
How can you start using this functionality?
Please look at our documentation on enabling IAM roles with web identity before proceeding with any actions in CloudBilling. After activation of the functionality by CloudBilling, a radio button will appear in existing AWS connector accounts, enabling the user to switch to IAM Roles for authentication. Please note that this is a one-way street. Once switched to IAM roles, you cannot go back to access keys. For new accounts, only IAM roles are available for authentication. Our documentation covers the configuration in CloudBilling.