Set up Alibaba Cloud bill in Ternary
I. Set up Alibaba Cloud Bill Subscription (FOCUS Export)
- Navigate to the Alibaba Cloud Expenses and Costs console to export and subscribe to billing data. For detailed steps, refer to: Export and Subscribe Bills.
- Configure an automatic subscription to an Object Storage Service (OSS) bucket; the billing data push usually occurs daily.
- When configuring the subscription, ensure you capture and save the following values, as they will be required for the Ternary integration:
  - Region
  - Bucket Name
  - Prefix (the directory path where the ZIP files will be delivered)
II. Enable Automated ZIP File Decompression
Note: Alibaba Cloud bill exports are produced as ZIP files, which Ternary does not support ingesting directly. Decompressing them is a necessary workaround so that Ternary can ingest the files with its out-of-the-box support.
- To enable automated unzipping, you must use Alibaba Cloud's Function Compute feature. This process is triggered when a ZIP file is uploaded to the directory specified by the prefix you configured in the bill subscription.
- For detailed configuration, refer to the source documentation: ZIP Package Decompression.
- The main requirements for enabling this feature are:
  - Activate Function Compute.
  - Authorize specific roles to allow OSS and Function Compute to interact and access the necessary buckets.
  - Be aware of limitations, such as a 1 GB size limit for individual objects within a ZIP package, and that only .zip formats are supported.
III. Alibaba Cloud Connection Setup
This section adapts the standard Alibaba Cloud Connection Setup guide to ensure the Ternary OIDC identity has access to the newly created bill subscription bucket.
1. Gather Necessary Information
Collect the following IDs:
- Ternary Service Account Unique ID: Find this in the Ternary Admin console.
- Alibaba Account ID (Account-ID): This is your 'Main Account ID' found in the upper right-hand corner of the Alibaba Cloud console.
2. Create OIDC Identity Provider (SSO)
Establish a trust relationship between Alibaba Cloud RAM and Google’s identity service.
- Navigate to the RAM / SSO section in the Alibaba Cloud console.
- Click Create IdP and select Google as the provider type.
- Configure the OIDC IdP (e.g., named 'Google') with the following settings:
  - IdP Name: Google
  - Issuer URL: https://accounts.google.com
  - Client ID: Add the Ternary Service Account Unique ID.
  - Add the required root CA fingerprint: 932BED339AA69212C89375B79304B475490B89A0.
3. Configure RAM Role and Trust Policy
Create a dedicated role that Ternary will assume via the OIDC provider.
- Navigate to the RAM / Roles section and click Create Role.
- Switch to the Policy Editor and then the JSON Editor.
- Copy and paste the JSON below, replacing <Account-ID> and <Ternary Service Account Unique ID> with your values.

```json
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "oidc:aud": ["<Ternary Service Account Unique ID>"],
          "oidc:iss": ["https://accounts.google.com"]
        }
      },
      "Effect": "Allow",
      "Principal": {
        "Federated": ["acs:ram::<Account-ID>:oidc-provider/Google"]
      }
    }
  ],
  "Version": "1"
}
```

- Name the new role, for example, TernaryCMPServiceAgent.
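A check you can run on the trust policy before saving it, as an added example (not Ternary's or Alibaba Cloud's code): it confirms that the OIDC statement pins oidc:iss and oidc:aud to exact values and that the provider ARN has the shape listed under OIDC Provider ARN in section IV. The account ID and audience in the sample are constructed placeholders, and `lint_trust_policy` is a hypothetical helper name.

```python
import json
import re

EXPECTED_ISSUER = "https://accounts.google.com"  # Issuer URL from step 2
# ARN shape taken from the "OIDC Provider ARN" row in section IV.
PROVIDER_ARN = re.compile(r"^acs:ram::\d+:oidc-provider/[\w.-]+$")

# Constructed sample: the account ID and audience are made-up placeholders.
SAMPLE_AUD = "100000000000000000001"
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {"Federated": ["acs:ram::1234567890123456:oidc-provider/Google"]},
        "Condition": {"StringEquals": {
            "oidc:aud": [SAMPLE_AUD],
            "oidc:iss": [EXPECTED_ISSUER],
        }},
    }],
})


def as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def lint_trust_policy(policy_text, expected_aud):
    """Return a list of problems in the OIDC statements of a trust policy."""
    problems = []
    for i, stmt in enumerate(as_list(json.loads(policy_text).get("Statement", []))):
        federated = as_list(stmt.get("Principal", {}).get("Federated", []))
        if stmt.get("Effect") != "Allow" or not federated:
            continue  # only Allow statements with a federated principal matter here
        for arn in federated:
            if not PROVIDER_ARN.match(arn):
                problems.append(f"statement {i}: unexpected provider ARN {arn!r}")
        # Both conditions must match exactly one expected value each.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        for key, want in (("oidc:aud", expected_aud), ("oidc:iss", EXPECTED_ISSUER)):
            got = as_list(equals.get(key, []))
            if got != [want]:
                problems.append(f"statement {i}: {key} must be exactly {want!r}, got {got}")
    return problems


if __name__ == "__main__":
    print(lint_trust_policy(SAMPLE_POLICY, SAMPLE_AUD))  # clean policy
    print(lint_trust_policy(SAMPLE_POLICY.replace("accounts", "acounts"), SAMPLE_AUD))
```

An empty list means the statement matches the values from steps 1 and 2; a misspelled issuer or a missing audience condition is reported per statement.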
4. Update Permissions for TernaryCMPServiceAgent
Grant the new role permissions to the OSS bucket containing the bill subscription.
- Navigate to the RAM / Roles section and click on your new role (TernaryCMPServiceAgent).
- Attach a permissions policy that includes oss:ListObjects, oss:GetObject, and oss:GetBucketLocation. This policy is necessary for Ternary to read the billing data from the OSS bucket.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects",
        "oss:GetObject",
        "oss:GetBucketLocation"
      ],
      "Resource": [
        "acs:oss:oss-<region>:<Account-ID>:<bucket-name>",
        "acs:oss:oss-<region>:<Account-ID>:<bucket-name>/*"
      ]
    }
  ]
}
```

Note: Be sure to replace <region>, <Account-ID>, and <bucket-name> with the values from your OSS bucket configured in Step I.
IV. Finalize Connection in Ternary
- In the Ternary console, navigate to Admin > Integrations.
- Click New integration and select Bring Your Own.
- Select the Alibaba OSS button.
- Enter the required parameters gathered in the previous sections.
| Required Parameter | Description / Format |
|---|---|
| Storage URI | oss://<bucket-name>.<region>.aliyuncs.com/<path>/ |
| Role ARN | acs:ram::<Account-ID>:role/TernaryCMPServiceAgent |
| OIDC Provider ARN | acs:ram::<Account-ID>:oidc-provider/Google |
- Validate the connection using the Ternary UI preview tool to ensure data is accessible.