Connecting an Alibaba Cloud account
Overview
To onboard your Alibaba Cloud environment to DigiUsher, you set up a FOCUS 1.0 billing data export to an Object Storage Service (OSS) bucket, along with a dedicated RAM user that has read-only access to that bucket. This document describes exactly what permissions are requested, why each is needed, and what credentials to provide.
FOCUS export is in invitational preview
You will see the Bills > Bill Subscription menu in the Expenses and Costs console only if your account has been granted preview access. Contact Alibaba Cloud support to request access if it is not visible.
Cost analysis only
The exported FOCUS data is for cost analysis only and cannot be used for reconciliation or settlement. For official reconciliation, use the bill overview on the Alibaba Cloud Management Console.
Summary of Access Required
| Component | Details |
|---|---|
| Identity | RAM user — programmatic access only, no console login |
| Authentication | Access Key ID + Access Key Secret |
| Access level | Read-only — scoped to a single OSS bucket |
| Data | FOCUS 1.0 bill export, via Alibaba Cloud's OSS |
| OSS bucket | One bucket dedicated to billing exports |
| Capability | What It Provides |
|---|---|
| Billing data | Cost analytics, chargeback/showback, budgeting, forecasting, anomaly detection |
DigiUsher cannot create, modify, or delete any of your Alibaba Cloud resources.
Prerequisites
Information to Gather
| Item | How to Find | DigiUsher Field |
|---|---|---|
| RAM Access Key ID | RAM Console > Identities > Users > (create/select a RAM user) > Create AccessKey | access_key_id |
| RAM Access Key Secret | Shown once at AccessKey creation (store securely) | access_key_secret |
| OSS Bucket Name | The bucket configured as the FOCUS export target — Expenses & Costs Console > Bills > Bill Subscription | bucket_name |
| OSS Bucket Prefix / Directory | The "OSS Directory" set on the bill subscription, e.g. billing-focus/ | bucket_prefix |
| OSS Region ID | Region of the bucket, e.g. cn-hangzhou, ap-southeast-1 (OSS Console > Bucket Overview) | region |
Roles Required by the Person Performing Setup
| Role / Permission | Why |
|---|---|
| Billing/Finance Administrator on the management (master) account | To create the FOCUS Bill Subscription and complete the one-time OSS authorization (grant the billing service write access to the bucket). |
RAM Administrator (e.g. AliyunRAMFullAccess) | To create the dedicated RAM user and issue the AccessKey pair provided to DigiUsher. |
OSS read access on the export bucket (e.g. AliyunOSSReadOnlyAccess or a scoped policy on the specific bucket) | Permission attached to the RAM user whose AccessKey is used by DigiUsher. Read-only access is sufficient and preferred. |
Network & Email Access (For Regulated Environments)
If your organization restricts outbound internet access or email domains, ensure the following are in place before starting:
- Domain allowlist: Add
*.digiusher.comto your network/firewall allowlist so that users in your organization can access the DigiUsher platform from their browsers. - Email allowlist: Add
digiusher.comas an approved sender domain in your email security gateway. DigiUsher sends onboarding confirmations, alerts, and reports from@digiusher.comaddresses.
Setup
Step 1 — Create an OSS Bucket
The FOCUS export writes files to an existing OSS bucket. Create a dedicated bucket to keep billing data isolated.

- Sign in to the Alibaba Cloud Console.
- Navigate to Object Storage Service (OSS).
- Click Create Bucket.
- Configure the bucket:
- Bucket Name:
digiusher-focus(or any name you prefer — note it down) - Region: Choose the region closest to your primary workloads
- Storage Class: Standard
- Access Control List (ACL): Private

- Bucket Name:
- Click OK.
Choose a unique bucket name
OSS bucket names are globally unique across all of Alibaba Cloud — a name already taken by another user cannot be reused. For this reason digiusher-focus and digiusher will be unavailable, pick your own distinct name.
Keep the bucket private
Keep the bucket ACL set to Private. Access is controlled through the RAM policy you will attach in Step 4.
Step 2 — Set Up the FOCUS Bill Subscription
This step authorises the Expenses and Costs service to push FOCUS billing data into your OSS bucket automatically.
- In the Expenses and Costs console, navigate to Bills > Bill Subscription.

- Click Create Bill Subscription.

- If this is your first OSS subscription, you must complete the authorization:
- Click Authorize.
- On the RAM Quick Authorization page, review the
AliyunConsumeDump2OSSRolerole and click Authorize. This grants the billing service write access to OSS so it can push files on your behalf.
- Wait for the role creation and policy attachment steps to finish, then click Return.

- In the OSS Subscription tab, select FOCUS Billing Data as the export type.
- Set Start Billing Month — you can select the current month or backfill to an earlier month (available back to when the feature entered preview for your account).
- In OSS Bucket, enter the bucket name you created in Step 1 (e.g.
digiusher-focus-exports). - In OSS Directory, enter
focus— this creates a predictable path for DigiUsher to find the data.
- Click Create.
Step 3 — Create a RAM User for DigiUsher
Create a dedicated RAM user with programmatic (API) access only. This user will have read-only access restricted to the billing export bucket.
- Sign in to the Alibaba Cloud Console and open Products and Services > Resource Access Management (or go directly to the RAM Console).

- In the left navigation, click Identities > Users, then click Create User.

- Configure the user:
- User Login Name: e.g.
digiusher - Access Configuration: Check Permanent AccessKey and leave Console Access unchecked (programmatic access only).
- Confirm that it is necessary to create an AccessKey.

- User Login Name: e.g.
- Click OK.
Create an Access Key
Because you selected Permanent AccessKey, the system creates an AccessKey ID and AccessKey secret automatically when the user is created. If you need to create one later, open the user detail page and click Create AccessKey (under the AccessKey tab).
Save the Access Key ID and Secret immediately — the Secret is shown only once and cannot be retrieved again. Download the AccessKey.csv file.
Save your credentials
You will enter these credentials into DigiUsher in the final step.
Step 4 — Attach a Read-Only OSS Policy to the RAM User
Create a custom RAM policy that grants read-only access scoped to your billing export bucket only, then attach it to the digiusher user.
Create the Custom Policy
- In the RAM Console, navigate to Permissions > Policies, then click Create Policy.

- Click the JSON Editor tab.
- Paste the following policy, replacing
your-bucket-namewith the actual bucket name from Step 1:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:ListObjects",
"oss:ListObjectVersions",
"oss:GetObject",
"oss:GetObjectAcl",
"oss:GetBucketInfo",
"oss:GetBucketStat"
],
"Resource": [
"acs:oss:*:*:your-bucket-name",
"acs:oss:*:*:your-bucket-name/*"
]
}
]
}
4. (Optional) Click Optimize to let RAM refine the policy scope.
5. Click OK.
6. In the dialog, set Policy Name to DigiUsherBillingPolicy (add a Description if you like), then click OK.

Attach the Policy to the RAM User
- In the RAM Console, navigate to Identities > Users.
- Click on
digiusher. - Click the Permissions tab, then click Grant Permission.

- In the Policy panel, search for
DigiUsherBillingPolicy, select it, and click OK.
Scoped access
The RAM user now has read-only access to your billing bucket and nothing else.
Connect in DigiUsher
After completing the steps above, enter the following into DigiUsher to complete the connection:

| Field | Where to Find |
|---|---|
| Connection Name | Any label you prefer (e.g. Alibaba Cloud Production) |
| Access Key ID | The key ID from the user's AccessKey.csv |
| Access Key Secret | The secret from the user's AccessKey.csv |
| OSS Bucket Name | The bucket created in Step 1 (e.g. digiusher-focus-exports) |
| Bucket Prefix | The directory configured in the subscription (e.g. focus) |
| Region | Identifier for your bucket's region — e.g. oss-ap-southeast-1 for Singapore |
OSS Endpoints by Region
Find the full list at OSS Regions and Endpoints. Use the public endpoint for your bucket's region.
Verification Checklist
- OSS bucket created with Private ACL
- FOCUS bill subscription created with export type set to FOCUS Billing Data
- OSS write authorization for the billing service completed during subscription setup
- Start Billing Month set and subscription confirmed active on the Bill Subscription page
- RAM user created with OpenAPI (programmatic) access only
- Access Key ID and Secret saved securely
- Custom policy
DigiUsherBillingPolicycreated and attached to RAM user - Policy scoped to the correct bucket name
- Connection details entered in DigiUsher
-
*.digiusher.comallowlisted in your network/firewall (if applicable) -
digiusher.comallowlisted as an approved sender domain in your email security gateway (if applicable)
Security
What DigiUsher CAN Access (Read-Only)
- FOCUS billing export files in the specified OSS bucket and directory
- Object listings within that bucket to discover and download new exports
What DigiUsher CANNOT Do
- Access any OSS bucket other than the one specified
- Create, modify, or delete objects in OSS
- Access any other Alibaba Cloud service (ECS, RDS, VPC, etc.)
- View or modify billing settings
- Read secrets, credentials, or key pairs
- Make purchases or changes to your account
Monitoring
Monitor digiusher activity in the RAM Console under Identities > Users > digiusher > ActionTrail. You can also view OSS access logs by enabling logging on the bucket under OSS Console > Bucket > Logging.
Credential Rotation
- In the RAM Console, go to Identities > Users > digiusher > User AccessKeys.
- Click Create AccessKey to generate a new pair.
- Update the credentials in DigiUsher immediately.
- Delete the old Access Key from the RAM Console.
Avoid ingestion gaps
Always create the new key before deleting the old one to avoid an interruption in data ingestion.
Revocation
Delete the digiusher user in the RAM Console under Identities > Users. This immediately invalidates the Access Key pair and all associated permissions. Alternatively, disable the Access Key without deleting the user to pause access temporarily.
Troubleshooting
Files not appearing in the OSS bucket
- Confirm that the FOCUS bill subscription status shows Active on the Bill Subscription page.
- No file appears immediately on creation. Files are pushed on a schedule into dated directories; the finalized file for a month is exported after 12:00 (UTC+8) on the 4th day of the following month.
- Check that the OSS write authorization for the billing service is still valid. If revoked, the push stops. Re-authorize by clicking Authorize on the Bill Subscription page.
- Verify the bucket name entered in the subscription matches exactly — bucket names are case-sensitive.
OSS Permission Denied error on the Bill Subscription page
- This indicates the billing service cannot write to your bucket. Complete the authorization flow again at the Bill Subscription page.
- Verify the bucket exists in the same Alibaba Cloud account that owns the subscription.
DigiUsher cannot read files — Access Denied
- Confirm the
DigiUsherBillingPolicypolicy is attached todigiusherand that the bucket name in the policy exactly matches the bucket name provided to DigiUsher. - Ensure the Access Key entered in DigiUsher belongs to
digiusherand not a different user. - Check that the Access Key is in Active status in the RAM Console (not disabled).
FOCUS export not available in Bill Subscription menu
- The FOCUS export feature is in invitational preview. If you do not see FOCUS Billing Data as an option, your account has not yet been granted preview access. Contact Alibaba Cloud support to request it.
Need Help?
If you encounter any issues not covered above, contact DigiUsher support at support@digiusher.com and the team will help you get set up.
DigiUsher Documentation