Solutions for enabling Advanced Features

If your organization has hundreds or thousands of GCP projects, credentialing Advanced Features for each project individually is cumbersome. This article describes two options that make the process easier.

Background

You probably read through the instructions in the Setup Overview Guide - Advanced Features when enabling Cloudability's Advanced Features for your projects. From a security standpoint, this credentialing process follows best practices and ensures that you have fine grained controls over what Cloudability can access in each of your projects. Also, we do not assume that any individual is a super admin, i.e., given carte blanche to affect org-wide permissions. Rather, individuals are scoped only to projects on which they work.

This is our default stance, as your security is very important to us. The cost is that credentialing each project individually within Cloudability is time-consuming.

Solution 1: Org-level credentialing

Manually create an org-level custom role and IAM binding for Cloudability within your GCP org. Bindings set at the organization level are inherited by every folder and project beneath it, including projects created later, so one binding covers all projects. The trade-off is that Cloudability's service account then holds these (read-only) permissions across the whole organization rather than only on the projects you opt in, and the two commands below need organization-level privileges: creating a custom role in the org and editing the org's IAM policy.

1. Determine your Org Id


2. Run the script injecting your Org Id

Replace Org Id in the script below with your Org Id.

# Create Org-level Role for Advanced Features
gcloud iam roles create CloudabilityRole_AdvancedFeatures \
  --organization \
    Org Id \
  --title \
    "Cloudability Advanced Features Role" \
  --description \
    "Allows Cloudability access to project level data related to RIs and utilization." \
  --permissions \
    cloudnotifications.activities.list,compute.commitments.get,compute.commitments.list,compute.instances.get,compute.instances.list,monitoring.alertPolicies.get,monitoring.alertPolicies.list,monitoring.dashboards.get,monitoring.dashboards.list,monitoring.groups.get,monitoring.groups.list,monitoring.metricDescriptors.get,monitoring.metricDescriptors.list,monitoring.monitoredResourceDescriptors.get,monitoring.monitoredResourceDescriptors.list,monitoring.notificationChannelDescriptors.get,monitoring.notificationChannelDescriptors.list,monitoring.notificationChannels.get,monitoring.notificationChannels.list,monitoring.publicWidgets.get,monitoring.publicWidgets.list,monitoring.timeSeries.list,monitoring.uptimeCheckConfigs.get,monitoring.uptimeCheckConfigs.list,resourcemanager.projects.get,resourcemanager.projects.list,stackdriver.projects.get \
  --stage=GA

# Add Cloudability's service account to your Org with that role
gcloud organizations add-iam-policy-binding Org Id \
  --member serviceAccount:billing-data-service-acct@cloudability-credentials.iam.gserviceaccount.com \
  --role 'organizations/Org Id/roles/CloudabilityRole_AdvancedFeatures'

3. Touch each project's credentials to create a credential record

Either click the edit icon in the UI or call the edit endpoint of the API to create a credential record; this has to be done for each project. Optionally, you can then call the verify endpoint for each project to verify the credential. All of these actions can be automated via our APIs, as described in Solution 2.

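The org-level binding gives a third party read access across every project, so it is worth checking two things before and after running the script: that the custom role really is read-only, and that the service account ends up holding exactly that role at the org level and nothing more. The following Python script is an added example, not Cloudability's own code. It assumes the permission list from the org-level script above; when given an Org Id on the command line it fetches the live policy with `gcloud organizations get-iam-policy ORG_ID --format=json`, and otherwise it audits a constructed sample policy that includes an accidental extra grant of roles/viewer.

```python
"""Audit the org-level Cloudability grant: read-only role, and nothing bound beyond it.

Added example, not Cloudability's code. Assumes the permission list from the org-level script;
uses `gcloud organizations get-iam-policy ORG_ID --format=json` for the live policy when an
Org Id is passed on the command line, otherwise a constructed sample policy.
"""
import json
import subprocess
import sys

SERVICE_ACCOUNT = "billing-data-service-acct@cloudability-credentials.iam.gserviceaccount.com"
ROLE_ID = "CloudabilityRole_AdvancedFeatures"
# The permission list from the org-level script above (27 permissions).
PERMISSIONS = (
    "cloudnotifications.activities.list,compute.commitments.get,compute.commitments.list,"
    "compute.instances.get,compute.instances.list,monitoring.alertPolicies.get,"
    "monitoring.alertPolicies.list,monitoring.dashboards.get,monitoring.dashboards.list,"
    "monitoring.groups.get,monitoring.groups.list,monitoring.metricDescriptors.get,"
    "monitoring.metricDescriptors.list,monitoring.monitoredResourceDescriptors.get,"
    "monitoring.monitoredResourceDescriptors.list,monitoring.notificationChannelDescriptors.get,"
    "monitoring.notificationChannelDescriptors.list,monitoring.notificationChannels.get,"
    "monitoring.notificationChannels.list,monitoring.publicWidgets.get,monitoring.publicWidgets.list,"
    "monitoring.timeSeries.list,monitoring.uptimeCheckConfigs.get,monitoring.uptimeCheckConfigs.list,"
    "resourcemanager.projects.get,resourcemanager.projects.list,stackdriver.projects.get"
).split(",")

READ_ONLY_VERBS = {"get", "list"}


def non_readonly(perms):
    """Permissions whose verb is anything other than get/list, i.e. could change or delete state.

    Conservative on purpose: a verb such as getIamPolicy is also flagged so a human looks at it.
    """
    return [p for p in perms if p.rsplit(".", 1)[-1] not in READ_ONLY_VERBS]


def custom_role(org_id, role_id=ROLE_ID):
    """Full resource name of the org-level custom role created by the script."""
    return f"organizations/{org_id}/roles/{role_id}"


def roles_for_member(policy, member):
    """All roles a member holds in an IAM policy document (as printed by gcloud --format=json)."""
    return sorted(b["role"] for b in policy.get("bindings", []) if member in b.get("members", []))


def audit(policy, org_id, sa=SERVICE_ACCOUNT):
    """Return (binding_present, extra_roles): the custom role must be bound and nothing else may be."""
    held = roles_for_member(policy, f"serviceAccount:{sa}")
    wanted = custom_role(org_id)
    return wanted in held, [r for r in held if r != wanted]


# Constructed sample: an org policy after the script has been run, plus an accidental
# extra grant of roles/viewer to the same service account, which the audit should flag.
SAMPLE_ORG_ID = "123456789012"
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/resourcemanager.organizationAdmin", "members": ["user:admin@example.com"]},
        {"role": custom_role(SAMPLE_ORG_ID), "members": [f"serviceAccount:{SERVICE_ACCOUNT}"]},
        {"role": "roles/viewer",
         "members": [f"serviceAccount:{SERVICE_ACCOUNT}", "group:finops@example.com"]},
    ],
    "version": 1,
}


def live_policy(org_id):
    """Fetch the organization's IAM policy with the Google Cloud SDK (network; needs org read rights)."""
    out = subprocess.check_output(
        ["gcloud", "organizations", "get-iam-policy", org_id, "--format=json"])
    return json.loads(out)


if __name__ == "__main__":
    org_id = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_ORG_ID
    policy = live_policy(org_id) if len(sys.argv) > 1 else SAMPLE_POLICY
    print("non read-only permissions in role:", non_readonly(PERMISSIONS) or "none")
    present, extra = audit(policy, org_id)
    print("custom role bound to Cloudability SA:", present)
    print("other org-level roles held by the SA:", extra or "none")
```

Read-only is not the same as harmless: compute.instances.get returns instance metadata, so any secrets that teams keep in custom metadata become readable through this role. The audit only covers the org-level binding; project-level bindings created via Solution 2 can be checked the same way against the output of `gcloud projects get-iam-policy PROJECT_ID --format=json`.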

Solution 2: Using our APIs

You can use our APIs to automate credentialing your projects.

1. Get the list of project Ids

Iterate through the GCP accounts API endpoint to get the list of projects. Billing accounts and projects are returned together: only projects have a parentAccountId (the billing account they are linked to). Only projects that have been credentialed, or partially credentialed, in our system contain the createdAt, authorization, and verification fields; a project with none of those fields has never been credentialed.

In the example below,

"id":"000000-000000-000000" is a billing account.

"id":"my-project-123" is a project linked to billing account "id":"000000-000000-000000". This project is credentialed (or partially credentialed).

"id":"my-project-456" is a project linked to billing account "id":"000000-000000-000000". This project has not been credentialed.

Request URL: https://api.cloudability.com/v3/vendors/gcp/accounts?include=permissions&viewId=0
Request Method: GET
Sample Response:
{  
   "result":[  
      {  
         "id":"000000-000000-000000",
         "vendorAccountName":"000000-000000-000000",
         "vendorAccountId":"000000-000000-000000",
         "vendorKey":"gcp",
         "verification":{  
            "state":"verified",
            "lastVerificationAttemptedAt":"2019-04-16T12:35:47Z"
         },
         "authorization":{  
            "type":"gcp_role",
            "permissions":[  
               "bigquery.jobs.create",
               "bigquery.tables.getData"
            ],
            "tableName":"gcp_billing_export_v1_000000-000000-000000",
            "projectId":"my-billing-data",
            "datasetId":"my_billing_dataset"
         },
         "createdAt":"2019-02-15T19:24:22Z"
      },
      ...
      {  
         "id":"my-project-123",
         "vendorAccountName":"My Project",
         "vendorAccountId":"my-project-123",
         "vendorKey":"gcp",
         "verification":{  
            "state":"verified",
            "lastVerificationAttemptedAt":"2019-04-16T12:35:47Z"
         },
         "authorization":{  
            "type":"gcp_role",
            "permissions":[  
               "compute.commitments.list",
               "compute.commitments.get"
            ]
         },
         "createdAt":"2019-04-12T17:31:01Z",
         "parentAccountId":"000000-000000-000000"
      },
      ...
      {  
         "id":"my-project-456",
         "vendorAccountName":"My Other Project",
         "vendorAccountId":"my-project-456",
         "vendorKey":"gcp",
         "parentAccountId":"000000-000000-000000"
      }
   ]
}

2. Edit each project

Editing a project creates a credential record in our system. The response contains a createdAt field which indicates when the record was created. Also, note that the verification state is unverified.

Iterate over each project from step 1, replacing my-project-456 in the request payload below with that project's Id.

Request URL: https://api.cloudability.com/v3/vendors/gcp/accounts?viewId=0
Request Method: POST
Sample Payload: {"type":"gcp_role","projectId":"my-project-456"}
Sample Response:
{  
   "result":{  
      "id":"my-project-456",
      "vendorAccountName":"My Other Project",
      "vendorAccountId":"my-project-456",
      "vendorKey":"gcp",
      "verification":{  
         "state":"unverified"
      },
      "authorization":{  
         "type":"gcp_role"
      },
      "createdAt":"2019-04-16T20:41:55Z",
      "parentAccountId":"000000-000000-000000"
   }
}

3. Run the credentialing script for each project

You do not need to perform this step if you have already run the org-level script from Solution 1, since the project-level binding would be redundant. Instead, skip to step 4 to verify the project credentials.

Otherwise, use the script returned in the JSON response with your Google Cloud SDK to grant Cloudability's service account access to the project Id embedded in the script. Review the script before running it: it should do exactly two things, create a project-scoped custom role with the same kind of read-only (get/list) permissions as the org-level role and bind Cloudability's service account to that role, and running it requires the rights to create a custom role in the project and to edit the project's IAM policy.

Iterate over each project Id from step 1, replacing my-project-456 in the URL with that project Id, to get the corresponding script for that project.

Request URL: https://api.cloudability.com/v3/vendors/gcp/accounts/my-project-456/setup-scripts?viewId=0
Request Method: GET
Sample Response:
{  
   "result":{  
      "scripts":"gcloud iam roles create CloudabilityRole_AdvancedFeatures \\\n  --project \\\n    my-project-456 \\\n  --title \\\n    \"Cloudability Advanced Features Role\" \\\n  --description \\\n    \"Allows Cloudability access to project level data related to RIs and utilization.\" \\\n  --permissions \\\n    cloudnotifications.activities.list,compute.commitments.get,compute.commitments.list,compute.instances.get,compute.instances.list,monitoring.alertPolicies.get,monitoring.alertPolicies.list,monitoring.dashboards.get,monitoring.dashboards.list,monitoring.groups.get,monitoring.groups.list,monitoring.metricDescriptors.get,monitoring.metricDescriptors.list,monitoring.monitoredResourceDescriptors.get,monitoring.monitoredResourceDescriptors.list,monitoring.notificationChannelDescriptors.get,monitoring.notificationChannelDescriptors.list,monitoring.notificationChannels.get,monitoring.notificationChannels.list,monitoring.publicWidgets.get,monitoring.publicWidgets.list,monitoring.timeSeries.list,monitoring.uptimeCheckConfigs.get,monitoring.uptimeCheckConfigs.list,resourcemanager.projects.get,stackdriver.projects.get \\\n  --stage=GA\ngcloud projects add-iam-policy-binding my-project-456 \\\n  --member serviceAccount:billing-data-service-acct@cloudability-credentials.iam.gserviceaccount.com \\\n  --role 'projects/my-project-456/roles/CloudabilityRole_AdvancedFeatures'"
   }
}

4. Verify credentials for each project

When the credential record was first created in step 2, its verification state was unverified.

Iterate over each project, replacing my-project-456 with the project Ids from step 1, to trigger verification of the credential; the response shows the updated verification state, which should now be verified.

Request URL: https://api.cloudability.com/v3/vendors/gcp/accounts/my-project-456/verification?include=associatedAccounts&viewId=0
Request Method: POST
Sample Response:
{  
   "result":{  
      "id":"my-project-456",
      "vendorAccountName":"My Other Project",
      "vendorAccountId":"my-project-456",
      "vendorKey":"gcp",
      "verification":{  
         "state":"verified",
         "lastVerificationAttemptedAt":"2019-04-16T20:45:41Z"
      },
      "authorization":{  
         "type":"gcp_role"
      },
      "createdAt":"2019-04-16T20:41:55Z",
      "parentAccountId":"000000-000000-000000"
   }
}
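Steps 1 to 4 above are one loop: list accounts, pick out the projects that have no credential record, create the record, optionally fetch the per-project setup script, and verify. The following Python script is an added example and not Cloudability's own tooling. It assumes the endpoints and response shapes shown in the steps above and that the API key is sent as the Basic-auth user name with an empty password (an assumption; check your account's API documentation). The sample account listing is constructed to mirror step 1, with one extra partially credentialed project (my-project-789, createdAt set but state unverified) beyond what the steps show, and without CLOUDABILITY_API_KEY set the script dry-runs against an in-memory fake of the endpoints.

```python
"""Drive steps 1-4 of Solution 2 against the Cloudability v3 API.

Added example, not Cloudability's own tooling. Assumptions: the API key is sent as the Basic-auth
user name with an empty password; endpoints and response shapes are the ones shown in the steps.
Without CLOUDABILITY_API_KEY set, the script dry-runs against an in-memory fake.
"""
import base64
import json
import os
import sys
import urllib.request

BASE = "https://api.cloudability.com/v3/vendors/gcp/accounts"


def is_project(acct):
    """Only projects carry parentAccountId (the billing account they are linked to)."""
    return "parentAccountId" in acct


def needs_credential(acct):
    """No createdAt means no credential record exists yet (step 2 has never been done)."""
    return is_project(acct) and "createdAt" not in acct


def needs_verification(acct):
    """A record exists but its verification state is not verified (partially credentialed)."""
    return (is_project(acct) and "createdAt" in acct
            and acct.get("verification", {}).get("state") != "verified")


def plan(accounts):
    """Split the step-1 listing into Ids that need a record and Ids that only need verifying."""
    to_create = sorted(a["id"] for a in accounts if needs_credential(a))
    to_verify = sorted(a["id"] for a in accounts if needs_verification(a))
    return to_create, to_verify


def http_transport(api_key):
    """Real transport: JSON over HTTPS, Basic auth with the key as user name and blank password."""
    token = base64.b64encode(f"{api_key}:".encode()).decode()

    def call(method, url, payload=None):
        data = json.dumps(payload).encode() if payload is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Basic {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return call


def fake_transport(accounts):
    """Offline stand-in for the endpoints used below, keeping per-project state like the service."""
    state = {a["id"]: dict(a) for a in accounts}

    def call(method, url, payload=None):
        path = url.split("/v3/vendors/gcp/accounts", 1)[1].split("?")[0].strip("/")
        if path == "" and method == "GET":                   # step 1: list accounts
            return {"result": list(state.values())}
        if path == "" and method == "POST":                  # step 2: create credential record
            rec = state[payload["projectId"]]
            rec.update(createdAt="2019-04-16T20:41:55Z", authorization={"type": payload["type"]},
                       verification={"state": "unverified"})
            return {"result": rec}
        parts = path.split("/")
        if len(parts) == 2:
            pid, action = parts
            if action == "setup-scripts" and method == "GET":    # step 3: per-project script
                return {"result": {"scripts": f"gcloud projects add-iam-policy-binding {pid} (stub)"}}
            if action == "verification" and method == "POST":    # step 4: verify
                state[pid]["verification"] = {"state": "verified",
                                              "lastVerificationAttemptedAt": "2019-04-16T20:45:41Z"}
                return {"result": state[pid]}
        raise ValueError(f"unexpected {method} {url}")
    return call


def credential_projects(transport, org_level_done=True):
    """Run the whole flow; returns ({project: verification state}, {project: setup script})."""
    accounts = transport("GET", f"{BASE}?include=permissions&viewId=0")["result"]
    to_create, to_verify = plan(accounts)
    scripts = {}
    for pid in to_create:
        transport("POST", f"{BASE}?viewId=0", {"type": "gcp_role", "projectId": pid})
        if not org_level_done:  # step 3 only matters when no org-level binding exists
            scripts[pid] = transport("GET", f"{BASE}/{pid}/setup-scripts?viewId=0")["result"]["scripts"]
    states = {}
    for pid in to_create + to_verify:
        res = transport("POST", f"{BASE}/{pid}/verification?include=associatedAccounts&viewId=0")
        states[pid] = res["result"]["verification"]["state"]
    return states, scripts


# Constructed sample mirroring the step-1 listing, plus a partially credentialed project.
SAMPLE_ACCOUNTS = [
    {"id": "000000-000000-000000", "vendorKey": "gcp", "createdAt": "2019-02-15T19:24:22Z",
     "verification": {"state": "verified"}},
    {"id": "my-project-123", "vendorKey": "gcp", "parentAccountId": "000000-000000-000000",
     "createdAt": "2019-04-12T17:31:01Z", "verification": {"state": "verified"}},
    {"id": "my-project-456", "vendorKey": "gcp", "parentAccountId": "000000-000000-000000"},
    {"id": "my-project-789", "vendorKey": "gcp", "parentAccountId": "000000-000000-000000",
     "createdAt": "2019-04-15T09:00:00Z", "verification": {"state": "unverified"}},
]

if __name__ == "__main__":
    key = os.environ.get("CLOUDABILITY_API_KEY")
    transport = http_transport(key) if key else fake_transport(SAMPLE_ACCOUNTS)
    states, scripts = credential_projects(transport, org_level_done="--org-level" in sys.argv)
    for pid, script in scripts.items():  # review, then run with the Google Cloud SDK
        print(f"# setup script for {pid}\n{script}\n")
    for pid, state in states.items():
        print(f"{pid}: {state}")
```

Run it once with no arguments to see the dry run, then with CLOUDABILITY_API_KEY set; pass --org-level if you applied Solution 1, which skips fetching the per-project setup scripts. Treat the returned scripts as privileged code you are about to execute: read them (each should only create the project-scoped custom role and bind Cloudability's service account, as in the sample response in step 3) rather than piping the API response straight into gcloud.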

Conclusion

The solutions described above provide two different mechanisms through which you can enable Cloudability's Advanced Features for your GCP projects. Please do not hesitate to reach out to us should you need further assistance.
