AWS Secrets Manager is a service that you can use to manage, retrieve, and rotate database credentials, application credentials, API keys, and other secrets throughout their lifecycles. You can use Secrets Manager to replace hard-coded credentials in application source code with a runtime call to the Secrets Manager service to retrieve credentials dynamically when you need them. Storing the credentials in Secrets Manager helps avoid unintended access by anyone who inspects your application’s source code, configuration, or components.
Until today, your AWS bill would reflect the total cost of Secrets Manager in any given account, and you had no option to break out the cost per secret to a given cost center or organization.
In this post, we introduce a new feature, Secrets Manager Cost Allocation Tags, and walk through how you can use it for improved visibility into your Secrets Manager costs. Before getting into the details of this new feature, we want to give you a primer on cost allocation tags.
A tag is a key-value pair that you assign to an AWS resource. In AWS Cost Explorer, you can activate tags as cost allocation tags. With tags activated, you can categorize and track costs by cost allocation tags. For example, you can create a tag named Group with value Engineering and assign it to resources owned by the engineering team of your company. After activating the Group tag as a cost allocation tag, you can track charges with this tag, filter or group by tags in Cost Explorer, and add tags to reports such as cost and usage reports for further analysis and visualization.
Cost allocation in AWS is a four-step process:
Create the required cost allocation tags
Attach cost allocation tags to your resources
Activate your tags in the Cost Allocation Tags section of the AWS Billing console
Filter the tags, group by tags in Cost Explorer, and create cost categories
After you create and attach the tags to resources, they appear in the AWS Billing console Cost Allocation Tags section under User-defined cost allocation tags within 24 hours. You must activate these tags for AWS to start tracking them for your resources and for the tags to show up in Cost Explorer. When the tags appear under Tags in the Filter or Group by fields in Cost Explorer, you can start filtering or grouping by tag to view usage and charges by tag.
AWS Secrets Manager now supports cost allocation tags
Secrets Manager now supports cost allocation tags, giving you more granular control and visibility into your Secrets Manager costs. You can use this feature to categorize and track your Secrets Manager usage charges at a more detailed level, helping you to better understand and manage your AWS spending and assign costs per secret back to cost centers or organizations.
Solution overview: Enhanced cost visibility and management
With this new capability, you can:
Break down Secrets Manager costs by department, project, environment, or other dimensions important to your organization
View itemized Secrets Manager usage in Cost Explorer as well as in cost and usage reports
Improve cost allocation and chargeback processes across your business units and organizations
Prerequisites
To walk through the examples in this post, you need to have the following:
An AWS account
Access to the AWS Management Console or the AWS Command Line Interface (AWS CLI) version 2
An existing tagging and cost allocation strategy
Existing secrets inside Secrets Manager
Create user-defined tags for cost allocation purposes using the console
In this example, we assume that you want to manage the cost of your secrets by different cost centers in your organization. Here, we create a tag with CostCenter as a key and the value equal to the cost center codes of the teams that are using secrets.
We'll walk through two examples: the first uses a cost center for Engineering and the second a cost center for Finance. These two examples are reused throughout this post.
Start by creating a tag with the key CostCenter and the value 7263 (the cost center of the engineering department) and assigning it to an existing or new secret.
To assign a user-defined tag to a new or existing secret:
In the Secrets Manager console, choose Secrets from the navigation pane.
In the list of available secrets, select the secret whose tags you want to edit, or choose Store A New Secret to create a new secret.
When the secret is displayed, select the Tags option and choose Edit Tags to add new or edit existing tags.
Figure 1: Assign a user-defined tag to an existing secret
Repeat the process for a second secret, this time assigning the finance department's cost center value of 1121 (the first secret keeps the engineering value of 7263).
Create user-defined tags for cost allocation purposes using the AWS CLI
Optionally, you can use the AWS CLI to create the same tags as in the preceding example.
To use the AWS CLI to create tags:
Use the following AWS CLI command to create the first tag:
aws secretsmanager tag-resource \
    --secret-id prod/mastersecret \
    --tags Key=Role,Value=admin
Create the second tag using the following AWS CLI command:
aws secretsmanager tag-resource \
    --secret-id prod/mastersecret \
    --tags Key=CostCenter,Value=7263
These commands produce no output on success.
Run the second command again against the second secret, this time with Value=1121.
Turn tags into cost allocation tags using the AWS Billing and Cost Management console
The next step is to activate the user-defined tags within the AWS Billing and Cost Management console so they can be used.
To activate cost allocation tags:
Go to the AWS Billing and Cost Management console and choose Cost allocation tags in the navigation pane.
Select the option for user-defined cost allocation tags.
Select the tag keys that you want to activate.
Choose Activate.
Note: After you create and apply user-defined tags to your resources, it can take up to 24 hours for the tag keys to appear on your cost allocation tags page for activation. It can then take up to 24 hours for tag keys to activate.
Figure 2: Activate cost allocation tags
Turn tags into cost allocation tags using the AWS CLI
You can also activate the user-defined tags with the AWS CLI instead of the AWS Billing and Cost Management console.
To activate tags using the AWS CLI:
To activate the first user-defined tag, use the following AWS CLI command:
aws ce update-cost-allocation-tags-status \
    --cost-allocation-tags-status TagKey=Role,Status=Active
To activate the second user-defined tag, use the following AWS CLI command:
aws ce update-cost-allocation-tags-status \
    --cost-allocation-tags-status TagKey=CostCenter,Status=Active
View the results in Cost Explorer
The last step is to view the results for secrets in Cost Explorer. When the tag CostCenter shows up under Tags in the Filter or Group By fields in Cost Explorer, you can start filtering or grouping by the tag to view usage and charges by tag.
When you apply the tag filter for Secrets Manager, Cost Explorer displays charges only for resources tagged with the selected tag values. When you group by a particular tag, the charges are grouped by each value of the selected tag.
To view results:
As an example, use the following parameters to view results.
In the Cost Explorer console, select the right arrow (>) icon to open the report parameters to the right of the billing dashboard.
In the Report parameters pane:
For Date Range, enter the desired time range.
Under Group by, for Dimension, select Tag, and for Tag select CostCenter.
Under Filters, for Service, select Secrets Manager.
Figure 3: Configure report parameters
You can use the resulting report to clearly identify the cost and usage of the two secrets, broken down into the two cost centers: engineering (7263) and finance (1121). You can now cross-charge secrets to the corresponding cost centers in your organization and provide a report similar to Figure 4.
Figure 4: Cost and usage report
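The same report can be pulled through the Cost Explorer API instead of the console. The following is an added example written for this post, not AWS code and not part of the original: it builds the GetCostAndUsage request that filters on the Secrets Manager service and groups by the CostCenter tag, then sums each cost center's charges and surfaces secrets that carry no CostCenter tag at all, which otherwise hide under an empty tag value. The service name "AWS Secrets Manager" and the us-east-1 endpoint are assumptions, and the sample response is constructed so that the parsing runs offline.

```python
"""Added example (not from the post): chargeback of AWS Secrets Manager spend by the CostCenter tag.
Assumes CostCenter is an activated cost allocation tag and that the SERVICE dimension names the
service "AWS Secrets Manager" (assumption). The parsing below runs offline on constructed data."""
from collections import defaultdict
from decimal import Decimal

UNTAGGED = "<untagged>"  # group key "CostCenter$" with an empty value: the secret carries no such tag


def build_request(start, end, tag_key="CostCenter"):
    """GetCostAndUsage parameters: Secrets Manager only, monthly, grouped by the tag's values."""
    return {
        "TimePeriod": {"Start": start, "End": end},
        "Granularity": "MONTHLY",
        "Metrics": ["UnblendedCost"],
        "GroupBy": [{"Type": "TAG", "Key": tag_key}],
        "Filter": {"Dimensions": {"Key": "SERVICE", "Values": ["AWS Secrets Manager"]}},
    }


def cost_by_center(response, tag_key="CostCenter"):
    """Sum UnblendedCost per tag value across all periods; untagged spend stays visible for follow-up."""
    totals = defaultdict(Decimal)
    prefix = f"{tag_key}$"  # grouped-by-tag keys come back as "CostCenter$7263"
    for period in response["ResultsByTime"]:
        for group in period["Groups"]:
            key = group["Keys"][0]
            if not key.startswith(prefix):
                raise ValueError(f"unexpected group key {key!r}")
            totals[key[len(prefix):] or UNTAGGED] += Decimal(group["Metrics"]["UnblendedCost"]["Amount"])
    return dict(totals)


def fetch_report(start, end, tag_key="CostCenter"):
    """Live query (needs boto3 and ce:GetCostAndUsage); the Cost Explorer API is served from us-east-1."""
    import boto3
    ce = boto3.client("ce", region_name="us-east-1")
    return cost_by_center(ce.get_cost_and_usage(**build_request(start, end, tag_key)), tag_key)


def _group(center, amount):
    return {"Keys": [f"CostCenter${center}"], "Metrics": {"UnblendedCost": {"Amount": amount, "Unit": "USD"}}}


# Constructed sample: two months; secrets tagged 7263 and 1121, plus one untagged secret billed in May only.
SAMPLE_RESPONSE = {"ResultsByTime": [
    {"TimePeriod": {"Start": "2024-05-01", "End": "2024-06-01"},
     "Groups": [_group("7263", "0.40"), _group("1121", "0.40"), _group("", "0.40")]},
    {"TimePeriod": {"Start": "2024-06-01", "End": "2024-07-01"},
     "Groups": [_group("7263", "0.40"), _group("1121", "0.40")]},
]}

if __name__ == "__main__":
    for center, amount in sorted(cost_by_center(SAMPLE_RESPONSE).items()):
        print(f"{center:>10}  {amount} USD")
```

Any amount that lands under the untagged key is spend you cannot charge back, so the list of secrets without a CostCenter tag is the first thing to fix before the report goes to finance.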
Conclusion
In this post, we introduced the AWS Secrets Manager Cost Allocation Tags feature and showed you how to use AWS Cost Explorer and cost and usage reports to gain insight into secrets usage. You can now allocate the cost of every secret to one or more cost centers and charge them accordingly. See the AWS Secrets Manager Cost Allocation Tag documentation to learn more about how you can use Secrets Manager Cost Allocation Tags in your accounts.
Go to the AWS Secrets Manager console to get started. For more information, see AWS Secrets Manager.
To learn more about how to build an effective tagging strategy for cost allocation and financial management, see the Tags for cost allocation and financial management whitepaper.
Jirka Fajfr
Jirka is a Software Engineer at AWS working in the Cryptography organization focusing on AWS Secrets Manager. He’s passionate about helping customers secure their applications and manage sensitive information and contributes to building and improving secure, scalable solutions for secrets management in the cloud. Before joining AWS, he applied neural networks to predict electricity load demand and price, bringing together data science and utility infrastructure.
Marc Luescher
Marc is a Senior Solutions Architect helping enterprise customers be successful, focusing strongly on threat detection, incident response, and data protection. His background is in networking, security, and observability. Previously, he worked in technical architecture and security hands-on positions within the healthcare sector as an AWS customer. Outside of work, Marc enjoys his two dogs, three cats, twenty chickens, and his huge yard.