Documentation and Best Practices

Learn how to use Cloudability and get the most out of our cloud cost management tool.

Follow

Prerequisites

The purpose of this article is to establish prerequisites prior to credentialing your GCP billing and project accounts. In addition, this article provides information about Cloudability's credentialing process. The following topics are addressed:

  1. Do you have the necessary IAM permissions required to proceed?
  2. Have you enabled the Cloud Resource Manager API?
  3. What is the complete BigQuery Table ID for the billing account?
  4. What do our scripts do?

Getting Started

IAM Permissions

Cloudability uses your billing Table ID to generate a script that contains gcloud IAM commands to create a custom role, with permissions specific to reading billing data, and add our Service Account as a member with this custom role; both of these actions are taken at the billing project level. A similar script is generated when enabling Advanced Features for your GCP projects. Details of the scripts are covered in here.

Your gcloud user needs to be granted the following IAM permissions, at the project-level, to be able to successfully run our script from within your cloud console:

  • iam.roles.create
  • resourcemanager.projects.setIamPolicy
  • resourcemanager.projects.getIamPolicy

You will need to be granted these permissions on the billing project if you are adding the corresponding billing account in Cloudability, and you will need to be granted these permissions on a specific project if you are enabling Cloudability's Advanced Features for that project.

Check the IAM section of the appropriate project to determine whether you have these permissions.

Cloud Resource Manager API

Cloudability uses Google's Cloud Resource Manager API to test whether the necessary permissions have been granted to support the available features.

You can read more about the Cloud Resource Manager API. as well as how to enable it, here.

Table ID

We need the complete Table ID for your billing account in order to begin the process. You have a Table ID if you currently export your billing data to BigQuery. If not, Google has a tutorial, Export Billing Data to BigQuery, that thoroughly describes how to do this. Once you have enabled BigQuery export, it might take a few hours for the billing table to be created after which you will be able to locate the Table ID.

You can find the billing Table ID by navigating to the project that contains the BigQuery export of your billing data. An example Table ID is boxed in red in the image below.

tableid.png

The Scripts

Billing Script

Cloudability's Service Account needs to have access to read your billing data in order to ingest it.

You need to specify a project and dataset where the billing data will be exported when you enable BigQuery export for a Billing Account. A table is automatically created for you within the specified dataset; we refer to this table as the billing table and our Service Account needs to be able to read data from this table.

The script performs two steps - it first sets up a custom role within the billing project and then adds our Service Account as a member to the project, binding the custom role. It is done this way so that our Service Account can read data only from BigQuery tables within a billing project. We do not access BigQuery data in non-billing projects.

Step 1: Custom Role Setup

The script first creates a custom role within the billing project. Following the Principle of Least Privilege, the script attaches the minimum permissions necessary to read billing data to the custom role, i.e.,

  • bigquery.jobs.create
  • bigquery.tables.getData
# Example: Create billing custom role for my-billing-project-123
# Billing project ID is my-billing-project-123
gcloud iam roles create CloudabilityRole_Billing \
--project \
my-billing-project-123 \
--title \
"Cloudability Billing Role" \
--description \
"Allows Cloudability access to billing account data" \
--permissions \
bigquery.jobs.create,bigquery.tables.getData \
--stage=GA

Step 2: Add Service Account as Member and Bind Custom Role

Once the custom role has been created, the script adds Cloudability's Service Account as a member of the billing project, and binds the custom role to it.

# Example: Add Cloudability's Service Account as member of my-billing-project-123
# Billing project ID is my-billing-project-123
gcloud projects add-iam-policy-binding my-billing-project-123 \
--member serviceAccount:billing-data-service-acct@cloudability-credentials.iam.gserviceaccount.com \
--role 'projects/my-billing-project-123/roles/CloudabilityRole_Billing'

Advanced Features Script

Cloudability's Service Account needs to have access to specific GCP APIs in order to provide Advanced Features support.

The script performs two steps - it first sets up a custom role within the project and then adds our Service Account as a member to the project, binding the custom role. This permission is scoped to a specific project and does not give Cloudability access to all projects.

Step 1: Custom Role Setup

The script first creates a custom role within the project. Following the Principle of Least Privilege, the script attaches the minimum permissions necessary to support Advanced Features to the custom role. Currently, these permissions are,

  • compute.commitments.list
  • compute.commitments.get

The list of permissions can change over time as we introduce new features that require additional permissions. Consequently, the script may change to improve UX through better error handling, and clear messaging.

# Example: Create advanced features custom role for my-project-123
# Project ID is my-project-123
gcloud iam roles create CloudabilityRole_AdvancedFeatures \
--project \
my-project-123 \
--title \
"Cloudability Advanced Features Role" \
--description \
"Allows Cloudability access to project level data for advanced features and analytics" \
--permissions \
compute.commitments.get,compute.commitments.list \
--stage=GA

Step 2: Add Service Account as Member and Bind Custom Role

Once the custom role has been created, the script adds Cloudability's Service Account as a member of the project, and binds the custom role to it.

# Example: Add Cloudability's Service Account as member of my-project-123
# Project ID is my-project-123
gcloud projects add-iam-policy-binding staging-vpc \
--member serviceAccount:billing-data-service-acct@cloudability-credentials.iam.gserviceaccount.com \
--role 'projects/my-project-123/roles/CloudabilityRole_AdvancedFeatures'

 

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.
Powered by Zendesk