Setting Up AWS Bedrock Cost Tracking
Bedrock cost tracking pulls actual billed dollars from AWS Cost Explorer, grouped by model. We recommend creating one connection per client per region, mirroring how you connect their n8n instances.
What You'll Need
- An AWS account with Bedrock enabled (the client's AWS account, in the per-client setup)
- Permission to create IAM users in that account
- The AWS region where Bedrock is being invoked (e.g.
us-east-1,ap-southeast-2)
Step 1: Create a Read-Only IAM Policy
In the AWS Console, go to IAM > Policies > Create policy and paste this JSON:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ce:GetCostAndUsage",
"ce:GetDimensionValues",
"bedrock:ListFoundationModels"
],
"Resource": "*"
}
]
}
Name it something like AdministrateBedrockReadOnly and save.
Step 2: Create an IAM User
- Go to IAM > Users > Create user
- Name it (e.g.,
administrate-cost-tracking) - Do not grant console access — programmatic access only
- Attach the
AdministrateBedrockReadOnlypolicy from Step 1 - After creation, open the user and go to Security credentials > Create access key
- Choose Application running outside AWS
- Copy the Access Key ID and Secret Access Key — you cannot view the secret again
Step 3: Enable Cost Explorer
Cost Explorer must be enabled in the AWS account before it returns data. Go to the Cost Explorer console once and accept the activation prompt. New activations take up to 24 hours before historical data is available.
Step 4: Connect in Administrate
In Administrate, go to LLM Providers > Add Provider and enter:
| Field | Value |
|---|---|
| Provider Type | AWS Bedrock |
| Name | e.g., "Acme Corp Bedrock (us-east-1)" |
| AWS Access Key ID | From Step 2 |
| AWS Secret Access Key | From Step 2 |
| AWS Region | The region the client uses (e.g. us-east-1) |
Click Connect Provider. We'll run a small Cost Explorer query to validate the credentials before saving.
What Gets Synced
- Daily costs in USD per Bedrock model (e.g.
anthropic.claude-3-sonnet,amazon.titan-text-express) - Aggregated by date at midnight UTC
Data syncs every hour automatically. Note: Cost Explorer data lags real usage by up to 24 hours.
What Doesn't Get Synced (yet)
Cost Explorer returns dollars but not token counts. Token counts will show as zero on Bedrock connections. We may add CloudWatch token metrics in a future release.
Cost Attribution
Set the Default Company on the provider to attribute all costs from this connection to a specific client. With one connection per client AWS account, all costs from that connection automatically belong to that client.
Multiple Regions
Cost Explorer aggregates across regions, but we sync one region per connection so each client/region pair stays clearly separated. If a client uses Bedrock in multiple regions, create one connection per region.
Troubleshooting
"Access denied" error
- Confirm the IAM policy includes ce:GetCostAndUsage
- Confirm Cost Explorer is enabled in the AWS account
- Newly enabled Cost Explorer accounts have a 24-hour activation lag
"Invalid credentials" error - Double-check the Access Key ID and Secret Access Key - Ensure the IAM user is active (not deactivated)
No data appearing - Cost Explorer data lags up to 24 hours - Confirm the client has actually invoked Bedrock in the selected region - Verify the AWS account has Bedrock model access approved
Security Best Practices
- Create a dedicated IAM user just for cost tracking — never reuse production keys
- Use the minimum read-only policy from Step 1; do not attach AdministratorAccess
- Rotate keys every 90 days
- Disable or delete the user if you stop tracking the client