Azure Subscription level credentialing unlocks the following features within Cloudability
- Apply resource group tags to resources within the resource groups
- Optimization - through Rightsizing, and RIs
Currently, our platform requires the Reader role on Subscriptions in order to fetch the necessary data. We use the OAuth 2.0 Authorization Grant Flow to register our application and create a service principal within the Azure tenant. You can read more about this process here:
Steps to enable Reader role on a Subscription
The following steps assume that you have already added an Azure EA to Cloudability's Vendor Credentials page. Also, you have one or more Subscriptions listed on that page for which you would like to provide us access.
Before you begin the process, ensure that:
- You are a Cloudability administrator
- In Azure Active Directory, that you have one of the following Directory roles:
- Global Administrator, or
- Application developer, or
- Cloud application administrator
- You are an Owner (or higher) on the Subscription you are credentialing
Step 1: Edit the Subscription
Click the Edit icon for the Subscription for which you would like to provide us access.
Step 2: Generate a link
Here, you have the option to select multiple Subscriptions. Clicking the Generate Link button will generate a URL for each selected Subscription that you will then use to complete the OAuth 2.0 Authorization Grant Flow for each of those Subscriptions.
Click the Generate Links button
Select the Subscription(s) for which to generate link(s)
Click Ok, once you have completed your selections
Step 3: Click on each generated link
A link is generated for each Subscription that you selected in the previous step. Click on each link to complete registering our application and creating a service principal.
Click on each link
Step 3a: Complete the OAuth 2.0 flow triggered from the link
Sign into your Azure portal
After logging in, you may get a message similar to the one below. If so, then you need to provide consent to the application through your Azure AD, under Enterprise applications.
Otherwise, you will see a prompt that, once you click Accept, will complete the consent process.
Verify successful consent in the Azure portal
You can verify that the application has been successfully consented to by checking the Enterprise applications section in your Azure Active Directory.
Additionally, you can check whether the service principal is a Reader on the subscription.
Step 4: Return to the Vendor Credentials page to verify credentials
You may see a yellow or green check box, in the Advanced Features column, for the Subscription.
- A green check box for a Subscription indicates that Cloudability has,
- valid SAS tokens for one or more storage accounts containing VM utilization metrics tables
- a Reader role on the Subscription (through our service principal)
- A yellow check box implies that Cloudability has an incomplete credential, such as
- the credential process could have started (i.e., we have a record in our database) but there are no permissions attached to that credential
- the credential has either SAS tokens or the Reader role, not both
- A red status color for the credential implies that there's an error with the credential.
Note: We can now unlock all Advanced Features through our Service Principal (this requires the service principal to be a Reader on Subscriptions). The permissions box will show as a yellow checkbox but this is ok.
Re-verify the credential by clicking on the circular arrow
A check mark is displayed briefly upon successful verification
In some cases, you may need to refresh the browser to fetch new changes
Finally, click on the Details button to view the updated permissions
Verify that Cloudability has Reader permissions on the Subscription
We are looking to deprecate fetching utilization metrics using SAS tokens. Instead, Cloudability will start using the Reader role on Subscriptions to fetch utilization metrics through Azure Monitor (Log Analytics workspaces). That being said, the additional two permissions listed on the Details pane for Azure Subscriptions are no longer needed/necessary; these permissions are table:ListRead and table:ReadWadMetrics.
1. How do I know if I have successfully credentialed my Subscription?
Ignore the color of the checkboxes. All you need to do is check whether you have the Reader role on the subscription.
A Reader role on the subscription is currently identified by the management:Reader permission.
We're looking to update this to subscription:ReadSubscription.
2. Why are some permissions boxes green, while others yellow?
Short answer: We need only the Reader role on subscriptions. As long as we have this permission, Advanced Features are unlocked for that Subscription.
We're working to fix the experience around the status of permissions, and their colors.