
Stage 1: Reader role for Subscriptions

Azure Subscription-level credentialing unlocks the following features within Cloudability:

  • Apply resource group tags to resources within the resource groups
  • Optimization through Rightsizing and RIs

Currently, our platform requires the Reader role on Subscriptions in order to fetch the necessary data. We use the OAuth 2.0 Authorization Grant Flow to register our application and create a service principal within the Azure tenant. You can read more about this process here:

https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals

Before you begin...

Please use the checklist below to verify that you meet the minimum requirements for successful credentialing.

       

1. You are a Cloudability Administrator

The Cloudability Administrator role gives you access to the Vendor Credentials page where you can manage your credentials.

2. You have one of the following Azure Active Directory roles in your organization

  • Global Administrator, or
  • Application Developer, or
  • Cloud Application Administrator

This is necessary for the OAuth 2.0 Authorization Grant Flow. Your Azure Active Directory (AD) role is used to register our enterprise app within your Azure AD tenant and create the Service Principal.

3. You are an Owner (or higher) on the Subscription you are credentialing

This is necessary for the OAuth 2.0 Authorization Grant Flow. You need to be at least an Owner on the Subscription so that permissions can be attached to the Service Principal through IAM.

 

Steps to enable Reader role on a Subscription

The following steps assume that you have already added an Azure EA to Cloudability's Vendor Credentials page, and that one or more Subscriptions for which you would like to provide us access are listed on that page.

Step 1: Edit the Subscription

Click the Edit icon for the Subscription for which you would like to provide us access.

Step 2: Generate a link

Here, you have the option to select multiple Subscriptions. Clicking the Generate Link button will generate a URL for each selected Subscription that you will then use to complete the OAuth 2.0 Authorization Grant Flow for each of those Subscriptions.

Click the Generate Links button

Select the Subscription(s) for which to generate link(s)

Click OK once you have completed your selections

Step 3: Click on each generated link

A link is generated for each Subscription that you selected in the previous step. Click on each link to complete registering our application and creating a service principal.

Click on each link

Step 3a: Complete the OAuth 2.0 flow triggered from the link

Sign into your Azure portal

Consent complete

After logging in, you may get a message similar to the one below. If so, then you need to provide consent to the application through your Azure AD, under Enterprise applications.

Otherwise, you will see a prompt that, once you click Accept, will complete the consent process.

Verify successful consent in the Azure portal

Active Directory

You can verify that the application has been successfully consented to by checking the Enterprise applications section in your Azure Active Directory.

Subscription IAM

Additionally, you can check whether the service principal is a Reader on the subscription.
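
The same check can be run outside the portal. The following is an added example, not Cloudability's own code: it audits the JSON that `az role assignment list --all --assignee <object-id> -o json` prints, confirming Reader at subscription scope and listing any role beyond Reader. The principal and subscription IDs and the sample records are constructed placeholders.

```python
import json
import sys

# Built-in Azure "Reader" role definition GUID (identical in every tenant).
READER_ROLE_GUID = "acdd72a7-3385-48ef-bd42-f606fba81ae7"

# Placeholder IDs (assumptions): substitute your service principal's object ID
# and the subscription you credentialed.
PRINCIPAL = "11111111-1111-1111-1111-111111111111"
SUB = "aaaaaaaa-0000-0000-0000-000000000001"
_RD = f"/subscriptions/{SUB}/providers/Microsoft.Authorization/roleDefinitions/"

# Constructed sample shaped like the Azure CLI's role assignment output.
SAMPLE = [
    {"principalId": PRINCIPAL, "roleDefinitionName": "Reader",
     "roleDefinitionId": _RD + READER_ROLE_GUID,
     "scope": f"/subscriptions/{SUB}"},
    {"principalId": PRINCIPAL, "roleDefinitionName": "Contributor",
     "roleDefinitionId": _RD + "b24988ac-6180-42a0-ab88-20f7d178d2c8",
     "scope": f"/subscriptions/{SUB}/resourceGroups/rg-demo"},
]

def audit_principal(assignments, principal_id, subscription_id):
    """Return (has_reader, excess) for one principal on one subscription."""
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    has_reader, excess = False, []
    for a in assignments:
        if a.get("principalId", "").lower() != principal_id.lower():
            continue
        scope = a.get("scope", "").rstrip("/").lower()
        # Only assignments at or below this subscription are audited.
        if scope != sub_scope and not scope.startswith(sub_scope + "/"):
            continue
        # Match on the role definition GUID rather than the display name.
        is_reader = a.get("roleDefinitionId", "").lower().endswith(READER_ROLE_GUID)
        if is_reader and scope == sub_scope:
            has_reader = True
        elif not is_reader:
            # Any role other than Reader is more than the integration requires.
            excess.append((a.get("roleDefinitionName"), a.get("scope")))
    return has_reader, excess

if __name__ == "__main__":
    # Usage: script.py [assignments.json]; falls back to the constructed sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    ok, extra = audit_principal(data, PRINCIPAL, SUB)
    print("Reader on subscription:", ok)
    for role, scope in extra:
        print("Unexpected role:", role, "at", scope)
```

A Reader assignment inherited from a management group has a scope outside `/subscriptions/<id>` and is not counted by this check.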

Step 4: Return to the Vendor Credentials page to verify credentials

You may see a yellow or green check box, in the Advanced Features column, for the Subscription.

  • A green check box for a Subscription indicates that Cloudability has:
    • valid SAS tokens for one or more storage accounts containing VM utilization metrics tables
    • a Reader role on the Subscription (through our service principal)
  • A yellow check box implies that Cloudability has an incomplete credential, such as:
    • the credential process could have started (i.e., we have a record in our database) but there are no permissions attached to that credential
    • the credential has either SAS tokens or the Reader role, not both
  • A red status color for the credential implies that there's an error with the credential.

Note: We can now unlock all Advanced Features through our Service Principal (this requires the service principal to be a Reader on Subscriptions). The permissions box will show as a yellow checkbox, but this is OK.

Re-verify the credential by clicking on the circular arrow

A check mark is displayed briefly upon successful verification

In some cases, you may need to refresh the browser to fetch new changes

Finally, click on the Details button to view the updated permissions

Verify that Cloudability has Reader permissions on the Subscription

Additional Notes

We are looking to deprecate fetching utilization metrics using SAS tokens. Instead, Cloudability will start using the Reader role on Subscriptions to fetch utilization metrics through Azure Monitor (Log Analytics workspaces). As a result, the two additional permissions listed on the Details pane for Azure Subscriptions, table:ListRead and table:ReadWadMetrics, are no longer needed.

FAQ

1. How do I know if I have successfully credentialed my Subscription?

Ignore the color of the checkboxes. All you need to do is check whether you have the Reader role on the subscription.

A Reader role on the subscription is currently identified by the management:Reader permission.

We're looking to update this to subscription:ReadSubscription.

2. Why are some permissions boxes green, while others are yellow?

Short answer: We need only the Reader role on subscriptions. As long as we have this permission, Advanced Features are unlocked for that Subscription.

We're working to fix the experience around the status of permissions, and their colors.

 
