These aren’t limits though, they are just budget notifications.
What would be helpful, would be if when you set up your account there was a default limit – as in an actual limit, where all projects stop working once you go over it - of some sane amount like $5 or $50 or even $500.
I have a handful of toy projects on AWS and Google cloud. On both I have budgets set up at $1 and $10, with notifications at 10% 50% and 90%. It’s great, but it’s not a limit. I can still get screwed if somehow, my projects become targets, and I don’t see the emails immediately or aren’t able to act on them immediately.
It blows my mind there’s no way I can just say, “there’s no conceivable outcome where I would want to spend more than $10 or more than $100 or whatever so please just cut me off as soon as I get anywhere close to that.”
The only conclusion I can come to is that these services are simply not made for small experimental projects, yet I also don’t know any other way to learn the services except by setting up toy projects, and thus exposing yourself to ruinous liability.
I’ve accidentally hit myself with a bigger than expected AWS bill (just $500 but as a student I didn’t really want to spend that much). So I get being annoyed with the pricing model.
But, I don’t think the idea of just stopping charging works. For example, I had some of their machine image thingies (AMI) on my account. They charged me less than a dollar a month, totally reasonable. The only reasonable interpretation of “emergency stop on all charges completely” would be to delete those images (as well as shutting down my $500 nodes). This would have been really annoying, I mean putting the images together took a couple hours.
And that’s just for me. With accounts that have multiple users—do you really delete all the disk images on a business’s account, because one of their employees used compute to hit their spend limit? No, I think cloud billing is just inherently complicated.
> The only reasonable interpretation of “emergency stop on all charges completely” would be to delete those images
I disagree; a reasonable but customer-friendly interpretation would be to move these into a read-only "recycle bin" storage for e.g. a month, and only afterwards delete them if you don't provide additional budget.
There is no reason that cloud providers shouldn't be able to set up the same kind of billing options that advertisers have had access to for years. In Google and Meta ads I can set up multiple campaigns and give each campaign a budget. When that budget gets hit, those ads stop showing. Why would it be unreasonable to expect the same from AWS?
Cloud providers charge for holding data, for ingress/egress, and for compute (among other things). If I hit my budget by using too much compute, then keeping my data will cause the budget to be exceeded.
The difference is that cloud providers charge you for the “at rest” configuration, doing nothing isn’t free.
Great so they can give you an option to kill all charges except basic storage. Or let you reserve part of your budget for storage. Or let you choose to have everything hard deleted.
Surely these billion and trillion dollar companies can figure out something so basic.
> But, I don’t think the idea of just stopping charging works.
You don't stop CHARGING. You stop providing the service that is accumulating charges in excess of what limit I set. And you give some short period of time to settle the bill, modify the service, etc. You can keep charging me, but provide a way to stop the unlimited accrual of charges beyond limits I want to set.
> No, I think cloud billing is just inherently complicated.
You're making it more complicated than it needs to be.
> The only reasonable interpretation of “emergency stop on all charges completely” would be to delete those images.
It's by far certainly not the 'only reasonable interpretation'.
"Stop all charges" is a red herring. No one is asking for a stop on charges. They want an option to stop/limit/cap the stuff that causes the charges.
So you want to proactively determine if, at the current rate charges are accumulating, the budget will be exceeded?
That _also_ runs into problems!
Take, for example, a nightly job that spins up a few giant instances to do some batch processing and shuts them down. Running an hour a night, over the course of the month that's going to accumulate ~$300 in charges. Great, we can set a $400/mo budget and have some wiggle room and all is well!
But how can AWS know that you're going to shut the instances down? Looking only at the rate charges are accumulating, the first night those instances start up you are on track to run up a $7,000 bill!
So do we set a $400/mo budget and then just kill the account so it stops accumulating charges when we hit $400, or do we set a $7,000/mo budget to account for the potential rate of accumulation and risk exceeding our budget by 2,000%?
It would be nice if this were in fact just overcomplicating things, but after much thought and many arguments on the internet I really can't see an easy "general" solution to this. The solution is heavily dependent on your specific workload and usage patterns, and the tooling is there to manage that if you want: Create billing alerts, and run code to adjust your usage in response to them.
That all said: I would fully support some sort of "developer sandbox" account that allowed a "kill the account" billing limit. I'd really prefer it had some sort of obvious limitation to avoid people accidentally using it for production workloads or dev workloads turning into production ones. Something like a hard limit that shuts the account down in 30 days, or limiting inbound connectivity to only via a VPN or something. That's purely self interest though--I don't want to see the article on the top of HN every few weeks about how "Amazon killed my startup" because someone set a billing limit and then all their customers' data was deleted.
So, are you looking for some “rate of charges” cap? Like, allow the charges to accumulate indefinitely, but keep track of how much $/sec is being accumulated, and don’t start up new services if it would cause the rate of charges to pass that threshold?
Might work. I do think that part of the appeal of these types of services is that you might briefly want to have a very high $/sec. But the idea makes sense, at least.
A theme of many of the horror stories is something like "I set up something personal, costing a few dollars a month, and I was DDOSed or (in earlier terms) slashdotted out of the blue, and I now have a bill for $17k accumulated over 4 hours".
As someone else pointed out, some(?) services prevent unlimited autoscaling, but even without unlimited, you may still hit a much larger limit.
Being able to say 'if my bill goes above $400, shut off all compute resources' or something like that. Account is still on, and you have X days (3? 1? 14?) to re-enable services, pay the bill, or proceed as you wish.
Yes, you might still want some period of high $/sec, but nearly every horror story in this vein ends with an issue with the final bill. Whether I burn $300 in 5 minutes or 26 days, I want some assurance that the services that are contributing most to that - likely/often EC2 or lambda in the AWS world - will be paused to stop the bleeding.
If you could pipe "billing notification" SNS message to something that could simply shut off public network access to certain resources, perhaps that would suffice. I imagine there's enough internal plumbing there to facilitate that, but even then, that's just AWS - how other cloud providers might handle that would be different. Having it be a core feature would be useful.
I was on a team that had our GitHub CI pipeline routinely shut down multiple times over a few weeks because some rogue processes were eating up a lot of minutes. We may have typically used $50/$100 per month - suddenly it was $100 in a day. Then... $200. GitHub just stopped the ability to run, because the credits used were over the limits. They probably could run their business where they would have just moved to charging us hundreds per day, perhaps with an email to an admin, and then set the invoice at $4500 for the month. But they shut down functionality a bit after the credits were exhausted.
I think "free or low cost tier that doesn't rack up a $100,000 bill" would be pretty common actually, enough to warrant a prominent preset template/option in their UI. They'd probably save a lot in support requests too.
There is no such thing as a “free or low cost tier” in AWS. Or at least there wasn’t before July 15th of this year when they actually added a free tier where you can’t go over $200.
There are services that give you a free year and there are services that give you a free amount every month.
If you want AWS with training wheels, use AWS Lightsail.
The disconnect comes from the difference between 'shut it off' and 'clear the account'. If I read an earlier poster correctly, the claim is "the only reasonable interpretation is to immediately delete the contents of the entire account". But to your point, yes, this seems like it would be pretty easy to grasp. Stop incoming access, don't delete the entire account 5 seconds after I go 3 cents over a threshold.
I missed a water bill payment years ago. They shut off the water. They didn't also come in and rip out all my plumbing and take every drop of water from the house.
Yeah I get it. It just irks that it's something I'd like to spend more time with and learn, but at every corner I feel like I'm exposing myself. For what I have done w/AWS & GCP so far with personal accounts, complete deletion of all resources & images would be annoying to be sure, but still preferable to unlimited liability. Ofc most companies using it won't be in that boat so IDK.
> But, I don’t think the idea of just stopping charging works.
I'm sorry but this is complete bullshit. They can set a default limit of 1 trillion dollars and give us the option to drop it to $5. There's a good reason they won't do it, but it's not this bullshit claim that's always bandied about.
There isn’t an option to not resolve “you’ve reached your billing limit and now storage charges are exceeding it.” You can resolve it by unceremoniously dumping the user data. You can resolve it by… continuing to charge the user, and holding their files hostage until they pay the back storage charges, and then the egress fees (so, it isn’t really a limit at all). Or you can resolve it by just giving the user free storage by some other name.
Just saying that there should be a limit is not an explanation.
I hate how every time this issue is mentioned everyone's response is that it would hurt the companies. Literally just make it an option. It's not that difficult for some of the smartest engineers in the world to implement it.
This isn't a great answer to the overall issue (which I agree is a ridiculous dark pattern), but I've used Privacy.com cards for personal projects to hard spend at a card level so it just declines if it passes some threshold on a daily/weekly/monthly/lifetime basis. At work, I do the same thing with corporate cards to ensure the same controls are in place.
Now, as to why they're applying the dark pattern - cynically, I wonder if that's the dark side of usage/volume based pricing. Once revenue gets big enough, any hit to usage (even if it's usage that would be terminated if the user could figure out how) ends up being a metric that is optimized against at a corporate level.
I feel that the likely answer here is that instrumenting real-time spending limit monitoring and cut-off at GCP/AWS scale is Complicated/Expensive to do, so they choose to not do it.
I suppose you could bake the limits into each service at deploy time, but that's still a lot of code to write to provide a good experience to a customer who is trying to not pay you money.
Not saying this is a good thing, but this feels about right to me.
It's not expensive for them, it's expensive for their customers. If you went over your spending limit and they deleted all your shit, people would be absolutely apoplectic. Instead they make you file a relatively painless ticket and explain why you accidentally went over what you wanted to spend. This is an engineering trade-off they made to make things less painful for their customers.
There is a huge difference between deleting data and stopping running services.
You're right in that there's a few services that expose this complexity directly, the ones where you're paying for actual storage, but this is just complex, not impossible.
For one thing, storage costs are almost always static for the period, they don't scale to infinite in the same way.
If it’s a web server, sure. But if you drop data because you’re no longer processing it, or you need to do an expensive backfill on an ETL, then turning off compute is effectively the same as deleting data.
Why would I be apoplectic at Amazon if I set “turn my shit off after it has accrued $10 in charges” to TRUE and they actually followed what I asked them to do?
Is it a serious question? Because then I could have you shut down just by posting a call to DDoS with a link to your search form on an anime image board.
OK? Good! That's what I want to happen! I want that. I do not care if some weirdos on an anime image board can't access some image. I don't want my credit card maxed out.
Is that not a serious request? I play around in the same big-boy cloud as some SaaS company, but I'm on the free tier and I explicitly do not want it to scale up forever, and I explicitly do not want to destroy my credit or even think about having to call Amazon over a $100,000 bill because I set my shit up wrong or whatever. I want it to shut off my EC2 instance once it has used up whatever amount of resources is equal to $X.
Obviously any world with this feature would also feature customizable restrictions, options, decision trees, etc etc. I don't think anyone is or was suggesting that someone's SaaS app just gets turned off without their permission.
They could add it as an optional limit. If it's on and is exceeded, stop everything. Surely the geniuses at Amazon (no they really are, I'm not joking) can handle it.
What about the space you're using? Do they delete it? Remove all your configurations? Prevent you from doing anything with your account until you up your limit or wait until your month resets?
If you're worried about getting a big bill, and you don't care if it gets shut off when you're not using it, why don't you shut it down yourself?
AWS made the tradeoff to keep the lights on for customers and if there is a huge bill run up unintentionally and you contact them with it they refund it. I've never experienced them not doing this when I've run up five figure bills because of a misconfiguration I didn't understand. I don't think I've ever even heard of them not refunding someone who asked them for a refund in good faith.
How many times has AWS refunded you a five figure bill? I've heard stories from people who got refunded but were told that it would be the first and last time they would get a refund.
I think I'm up to two five figure bills and two six figure bills refunded for various companies/clients. On one account, we had about $70k refunded, then a year or two later $130k. The normal monthly spend was closer to $30k.
There were no warnings or "don't do it again". They, very reasonably IMO, asked us to essentially explain how and why this happened and how we'd stop it happening again. They then provided some additional guidance and resources around those areas. In the one case where the charges were due to compromised credentials, they asked us to rotate all of our access keys before they issued the refund.
Completely anecdotal and slightly dated information, but that's been my experience.
Pass a law requiring cloud compute providers to accept a maximum user budget and be unable to charge more than that, and see how quickly the big cloud providers figure it out.
There is no such thing as “signing up for a free tier”, at least there wasn’t before July of this year. Some services have free tiers for a certain amount of time and others have an unlimited free tier that resets every month.
I agree that that’s the likely explanation. It just feels infuriating that the services are sold as easy to get started and risk free with generous free tiers, inviting people and companies to try out small projects, yet each small experiment contains an element of unlimited risk with no mitigation tools.
You can attach an action to that budget overage that applies a "Deny" to an IAM and limits costly actions (that's for small accounts not in an Org. Accounts with an Org attached also have the option of applying an SCP which can be more restrictive than an IAM "Deny").
> The only conclusion I can come to is that these services are simply not made for small experimental projects, yet I also don’t know any other way to learn the services except by setting up toy projects
Yeah, I'm sure this is it. There is no way that feature is worth the investment when it only helps them sell to... broke individuals? (no offense. Most individuals are broke compared to AWS's target customer).
A key assumption behind property tax is that land in a given location increases in value because that location has become more popular, and thus the owner of popular land is likely in one of two boats:
- utilizing the land more intensely thus easily able to pay tax based on value
- rich enough not to care
North American zoning breaks this assumption since no matter how popular a given location becomes, it remains illegal to do anything on it except teardown & 1:1 replacement of existing houses. This guarantees that all land rises in value due to scarce floorspace, while simultaneously guaranteeing that most owners of the land won't have the cash to pay property tax.
If you had the freedom to build on your land, this would solve property tax 2 ways:
- if you want to build, you can, and in doing so, property tax ceases to be a significant expense
- if you don't want to build but others do, their doing so eases the floorspace shortage, so that land doesn't become so expensive
For bonus points, property tax should exempt the value of the structure. There's some logic to the idea that since we cannot directly manufacture land, there's always some public stake in it. But we can directly manufacture floorspace, just like we can manufacture tv's and shoes. We don't tax ownership of tv's & shoes, so it makes sense to exclude floorspace as well.
> We don't tax ownership of tv's & shoes, so it makes sense to exclude floorspace as well.
Give it time and that will be taxed too. In more states than not in the US citizens are not only not allowed to own houses but also cars without paying the government a fee every year - the shoes and tvs and kids' toys are coming :)
In most places, registered cars are taxed but unregistered cars are not, so classic/museum or inoperative cars can be owned without paying the government a fee every year. (This makes sense/feels fair to me. Registered cars are expected to be used and the use of cars costs the government significant money and has externalities on the public. Unregistered cars mostly do neither of those things at least no more than a bunch of shoes.)
This was extra on top of whatever the average cost really is for employees who are not abusing the system.
So, if other engineers get their equipment for $6k (beefed-up laptop, 32" or 30" 5k widescreen screen, ergonomic chair, standing desk — in theory amortized over 3-10 years, but really, on the retention period which is usually <3 years in software), we are talking about an increase of $200 on that.
Maybe not peanuts, but the cost of administration to oversee spending and the cost to employees to provide proof and follow due process (in their hourly rate for time used) will quickly add up and usually negate any "savings" from stopping abuse altogether — since now everybody needs to shoulder the cost.
Any type of cap based on average means that those who needed something more special-cased (more powerful machine, more RAM vs CPU/storage, more expensive ergonomic setup due to their anatomy [eg. significantly taller than average]...) can't really get it anymore.
Obviously, having no cap and requiring manager approval is usually enough to get rid of almost all abuse, though it is sometimes important to be able to predict expenses throughout the year.
> people started staying just late enough for the food delivery to arrive while scrolling on their phones and then walking out the door with their meal.
That doesn't sound like actually working late?
(I still agree with you, though, that this isn't the equivalent of stealing a laptop, even if you do it enough to take home $2,000 worth of dinner.)
That's true, but the point I made to that was more along the lines of "physically being present in the office, it's likely an employee will still provide enough benefit to make the money worth it". They don't have to be coding. Chatting with a coworker about something non-work-related can be enough of a bonding experience for that to be worth the company the dinner money in intangible productivity benefits down the line.
I understand that async communications have some benefits, but I am continually flabbergasted that instead of weighing async & sync comms suitability for different situations, we've landed in a place where everyone is terrified to make or receive a phone call.
Sharing a fixed quantity of floorspace with more roommates isn't "easing a housing crunch", it's just accepting less floorspace, something we all do with commodities like floorspace.
What would actually ease a housing crunch would be more floorspace, so that floorspace owners had less pricing power.
There is also the recursive nature of a shortage:
1. housing becomes a bit scarce for any reason, even a temporarily transient reason
2. prices go up
3. people point to high prices as a reason new housing is bad, enact laws to limit it
4. housing becomes more scarce
5. goto 2