Exporting Your Archera Data to finout.io via S3 Telemetry Integration
Last updated: April 21, 2025
If you're using finout.io to centralize your cloud spend and would like to incorporate your daily use of Archera Insure Commitments for AWS, Azure, and GCP, this guide will help set up that S3 Telemetry Integration.
Integration Overview
This guide follows Finout's S3 Telemetry Integration documentation to set up a consistent daily export of telemetry data and metadata to an S3 bucket that Finout can access. You can create a new bucket or use an existing one that Finout already has access to.
Via this integration, Archera will send a Daily Cost Distribution report to the S3 Bucket you designate that Finout will then pull from. That report contains the following columns:
date
account_id
account_name
unblended_cost
distributed_cost
amortized_cost
aws_bill_unadjusted
aws_bill_with_archera
aws_savings
archera_premiums
net_savings
Step 1: Set up an S3 Bucket
Per Step 4 of Finout's guide, you can utilize an existing S3 bucket that Finout has access to or create a new bucket.
Using an existing S3 Bucket Finout has access to
Utilize the same bucket and ARN role. Role and bucket details will auto-populate in the Finout console (in the cost center integrations page).
Setting up a new S3 bucket & IAM Role
(Below is a reproduction of Finout's guide to setting up an IAM role here)
Create an S3 bucket.
Create an IAM role that will have read access to that bucket.
Copy your “external-id” from the Finout console, or use a random one, preferably in the format of finout-XXXXXXX.
Click on create a new cross-account role in IAM to create a role for another AWS account.
Enter the AWS Account ID associated with the S3 bucket in the Account ID field.
Choose the option to Require external ID and input the “external-id” you got from the Finout console.
Click Next until you reach the review screen.
In the Review section, modify the Role Name to be:
FinoutMetricsReadOnlyRole
Go to your newly created role.
Copy the Role ARN and paste it into the Finout console.
Click Add permissions and select Create inline policy.
Select JSON, and insert the following. Replace the <BUCKET_NAME> with the name of your newly created bucket or your existing CUR bucket:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "tag:GetTagKeys"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "arn:aws:s3:::<BUCKET_NAME>/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "arn:aws:s3:::<BUCKET_NAME>"
    }
  ]
}
Click Next until you reach the review screen, and name the policy finest-access-policy_telemetry_export (or choose your own name).
Create a Folder in the Bucket
Create a separate folder within the bucket for each telemetry integration. This setup allows you to easily reuse permissions for sending other telemetries using the same integration.
Step 2: Provide Data to Finout
Please provide Finout with the following information:
External ID
ARN role
Bucket name
Folder name within the bucket
Optional: region
Step 3: Provide Data to Archera
Please provide Archera with the following information:
Region of S3 Bucket
Name of the S3 Bucket
Folder in the S3 Bucket you'd like Archera to send data to
Step 4: Modify Archera IAM role
In order for Archera to be able to export data to the S3 Bucket you've created, you'll need to modify Archera's IAM role in your payer account. The role is usually named "ReservedAI-Write". Attach the policy below and replace <BUCKETNAME> with the name of your created bucket:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::<BUCKETNAME>",
        "arn:aws:s3:::<BUCKETNAME>/*"
      ]
    }
  ]
}
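The following is an added example, not code from Archera or Finout: a pre-attach check for S3 policies shaped like the ones in Step 1 and Step 4, which reports actions whose Resource can never match them (for example s3:ListBucket granted only on object ARNs). The function names, the action subsets and the bucket name example-telemetry-bucket are assumptions made for this example.

```python
import json

# Bucket-level S3 actions only match a bucket ARN (arn:aws:s3:::name);
# object-level actions only match object ARNs (arn:aws:s3:::name/key).
# Small subsets chosen for this example; wildcard actions are not checked.
BUCKET_ACTIONS = {"s3:listbucket", "s3:getbucketlocation"}
OBJECT_ACTIONS = {"s3:getobject", "s3:putobject", "s3:deleteobject"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _can_match_bucket(arn):
    # Bucket names never contain "/", so any "/" means an object ARN.
    return "/" not in arn.split(":::", 1)[-1]

def _can_match_object(arn):
    # IAM's "*" also matches "/", so "name*" can reach object keys.
    tail = arn.split(":::", 1)[-1]
    return "/" in tail or "*" in tail

def ineffective_actions(policy_json):
    """Return (statement index, action) pairs that no Resource in the statement can match."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            name = action.lower()
            if name in BUCKET_ACTIONS and not any(map(_can_match_bucket, resources)):
                findings.append((i, action))
            elif name in OBJECT_ACTIONS and not any(map(_can_match_object, resources)):
                findings.append((i, action))
    return findings

# Constructed sample policies (the bucket name is a placeholder).
OBJECTS_ONLY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:ListBucket"],
    "Resource": "arn:aws:s3:::example-telemetry-bucket/*"}]})
BOTH_ARNS = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-telemetry-bucket",
                 "arn:aws:s3:::example-telemetry-bucket/*"]}]})

if __name__ == "__main__":
    print(ineffective_actions(OBJECTS_ONLY))  # [(0, 's3:ListBucket')]
    print(ineffective_actions(BOTH_ARNS))     # []
```

Wildcard actions such as s3:Get* and s3:List* are skipped by this check because they expand to both bucket-level and object-level actions.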