- Newest
- Most votes
- Most comments
Dear Corey, My client (I'm an AWS SA) went live and after a deep dive with the service team we clarified the cost.
The bottom line:
- if they use IAM they pay for Users not by role
- for federated users, If the customer is using these APIs to obtain credentials, then is one user per role:
- assume-role
- get-federation-token
- If the customer is using any of these APIs to obtain credentials, then the number of users depends on attributes made within their API request.
- assume-role-with-saml
- assume-role-with-web-identity
in this case if the Saml data contains a subject which contains a name identifier (e.g., name.lastname@myclient.com). this means that the bill would be based on the number of unique SAML users who assume roles and use CodeCommit (not based on the number of roles they assume).
Bottom line, the last case is the most common one and my customer is paying for each user, despite the number of roles they assume.
Antonio
The bad answer ($10,500), and it also gets worse: if other identities (EC2 instances via instance roles, other AWS services integrated with CodeCommit, etc) are making git / CLI / API requests to CodeCommit, they count as an active user for that month.
As per the pricing docs:
An active user is any unique AWS identity (IAM user/role, federated user, or root account) that accesses AWS CodeCommit repositories during the month, either through Git requests or by using the AWS Management Console, AWS CLI or AWS SDKs. AWS identities that are created through your use of other AWS Services, such as AWS CodeBuild and AWS CodePipeline, as well as servers accessing CodeCommit using a unique AWS identity, count as active users. There is no charge for a user if that user does not access AWS CodeCommit during the month. Storage includes the full space required to retain the repository data.
Relevant content
- asked 5 months ago
- asked 19 days ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago