Set up Advanced Credentials, Azure Rightsizing and Reserved Instance Planning
Azure Subscription-level credentialing unlocks the following features within Cloudability:
- Apply resource group tags to the resources within those resource groups. Learn about Tag mapping.
- Optimization through Rightsizing and Reserved Instances (RIs). Learn about Get recommendations for scaling your cloud resources with Rightsizing, and about The Reservation Portfolio.
Currently, our platform uses a custom role called "CloudabilitySubscriptionDataReader" on Subscriptions, with the permissions listed below, in order to fetch the necessary data. Every action in the role is a read action; the role grants no write, delete or data-plane access:
- Microsoft.Compute/virtualMachines/read
- Microsoft.Compute/virtualMachines/extensions/read
- Microsoft.Compute/disks/read
- Microsoft.Sql/servers/databases/read
- Microsoft.Sql/servers/read
- Microsoft.Sql/servers/elasticpools/read
- Microsoft.Insights/metricDefinitions/read
- Microsoft.Insights/metrics/read
- Microsoft.Resources/subscriptions/read
- Microsoft.Resources/subscriptions/resourceGroups/read
- Microsoft.Authorization/roleAssignments/read
- Microsoft.Insights/Metricnamespaces/Read
- Microsoft.Consumption/usageDetails/read
- Microsoft.Consumption/pricesheets/read
- Microsoft.CostManagement/query/read
- Microsoft.Commerce/UsageAggregates/read
- Microsoft.Commerce/RateCard/read
- Microsoft.Network/networkInterfaces/read
We use the OAuth 2.0 Authorization Grant Flow to register our application and create a service principal within the Azure tenant. You can read more about this process here: https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals
Before you begin
You must meet the minimum requirements for successful credentialing.
- You are a Cloudability Administrator. The Cloudability Administrator role gives you access to the Vendor Credentials page where you can manage your credentials. Learn about Re-validate, archive, or delete credentials.
- You have one of the following Azure Active Directory roles in your organization:
- Global Administrator
- Application Developer
- Cloud Application Administrator
This is necessary for the OAuth 2.0 Authorization Grant Flow; see https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals . Your Azure Active Directory (AD) role is used to register our enterprise app within your Azure AD tenant and create the service principal.
- You are an Owner on the Subscription you are credentialing, or hold another role that includes Microsoft.Authorization/roleAssignments/write on it (for example User Access Administrator). This is necessary for the OAuth 2.0 Authorization Grant Flow (see https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals ) because the custom role must be assigned to the Service Principal through IAM on the Subscription, which requires the right to create role assignments.
Ensure you have the billing:EnrollmentReader permission on your billing account.
Enable Custom read-only role on a Subscription
The following steps assume that you have already added an Azure EA to Cloudability's Vendor Credentials page, and that one or more Subscriptions to which you would like to give us access are listed on that page.
Learn about Set up Cost Management for new Cloudability Azure Enrollment Agreement (EA) customers
- In Cloudability, edit the Subscription: select the Edit icon for the Subscription to which you would like to give Cloudability access.
- Select the Generate Link button to generate a URL for each selected Subscription. You will then use each URL to complete the OAuth 2.0 Authorization Grant Flow for that Subscription.
- Select Select Subscriptions.
- Choose the Optimization option: Read Only or Optimize Resources. Read Only is sufficient for Rightsizing and RI recommendations; Optimize Resources additionally grants the permissions needed to execute actions, so choose it only if you intend to automate actions.
- Select the Subscription(s) for which to generate link(s).
- Select Ok to complete your selections.
- Select Generate Links. A link is generated for each Subscription that you selected.
- Select each link to complete registering our application and creating a service principal.
- Complete the OAuth 2.0 flow triggered from the link.
- Accept the CloudabilityUtilizationDataCollector to complete the consent process.
- Verify successful consent in the Azure portal:
  - Active Directory. Confirm that the application appears in the Enterprise applications section of your Azure Active Directory tenant.
  - Subscription IAM. Confirm that the service principal is assigned the custom role 'CloudabilitySubscriptionDataReader' on the Subscription, under Access control (IAM).
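The two portal checks above (the custom role still being the documented read-only set, and the service principal holding it at Subscription scope) can also be made from the command line. The script below is an added example, not Cloudability's own tooling: it audits the JSON that `az role definition list --custom-role-only -o json` and `az role assignment list --all -o json` print. The service principal object ID and subscription ID are hypothetical placeholders, and the two role definitions and the assignment list are constructed samples so it runs offline. The first role matches the page's permission list exactly; the second shows the kind of drift worth catching: a `Microsoft.Compute/*` wildcard (far broader than read) and a dropped `Microsoft.Network/networkInterfaces/read`.

```python
"""Offline audit of the CloudabilitySubscriptionDataReader custom role.
Input shapes follow `az role definition list --custom-role-only -o json` and
`az role assignment list --all -o json`; all data below is constructed."""
import fnmatch
import json

ROLE_NAME = "CloudabilitySubscriptionDataReader"

# The read actions the page lists for the custom role.
REQUIRED_ACTIONS = [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/extensions/read",
    "Microsoft.Compute/disks/read",
    "Microsoft.Sql/servers/databases/read",
    "Microsoft.Sql/servers/read",
    "Microsoft.Sql/servers/elasticpools/read",
    "Microsoft.Insights/metricDefinitions/read",
    "Microsoft.Insights/metrics/read",
    "Microsoft.Resources/subscriptions/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Insights/Metricnamespaces/Read",
    "Microsoft.Consumption/usageDetails/read",
    "Microsoft.Consumption/pricesheets/read",
    "Microsoft.CostManagement/query/read",
    "Microsoft.Commerce/UsageAggregates/read",
    "Microsoft.Commerce/RateCard/read",
    "Microsoft.Network/networkInterfaces/read",
]


def _covered(action, patterns):
    """Azure action strings are case-insensitive and '*' is a wildcard."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def audit_role(role):
    """Return required actions the role lacks, granted patterns that are not a
    plain '/read' (writes, deletes, wildcards) and any dataActions, which a
    metadata/billing reader has no reason to hold."""
    actions, not_actions, data_actions = [], [], []
    for perm in role.get("permissions", []):
        actions += perm.get("actions", [])
        not_actions += perm.get("notActions", [])
        data_actions += perm.get("dataActions", [])
    missing = [a for a in REQUIRED_ACTIONS
               if not _covered(a, actions) or _covered(a, not_actions)]
    non_read = [a for a in actions if not a.lower().endswith("/read")]
    return {"missing": missing, "non_read": non_read, "data_actions": data_actions}


def find_assignments(assignments, principal_id, subscription_id):
    """Assignments of ROLE_NAME to the principal at exactly subscription scope;
    a resource-group-scoped assignment does not meet the page's requirement."""
    scope = f"/subscriptions/{subscription_id}".lower()
    return [a for a in assignments
            if a.get("principalId") == principal_id
            and a.get("roleDefinitionName") == ROLE_NAME
            and a.get("scope", "").lower() == scope]


# Hypothetical IDs: take the real ones from Enterprise applications and IAM.
SP_OBJECT_ID = "00000000-0000-0000-0000-000000000001"
SUBSCRIPTION_ID = "11111111-1111-1111-1111-111111111111"

# Constructed sample: a role definition that matches the page exactly.
GOOD_ROLE = {
    "roleName": ROLE_NAME, "roleType": "CustomRole",
    "permissions": [{"actions": list(REQUIRED_ACTIONS), "notActions": [],
                     "dataActions": [], "notDataActions": []}],
}

# Constructed sample: a drifted copy with a Compute wildcard and no NIC read.
BAD_ROLE = {
    "roleName": ROLE_NAME, "roleType": "CustomRole",
    "permissions": [{"notActions": [], "dataActions": [], "notDataActions": [],
                     "actions": ["Microsoft.Compute/*"] + [
                         a for a in REQUIRED_ACTIONS
                         if not a.startswith("Microsoft.Compute/")
                         and a != "Microsoft.Network/networkInterfaces/read"]}],
}

# Constructed sample: one correct subscription-scope assignment plus a
# resource-group-scoped Reader that must not count.
ASSIGNMENTS = [
    {"principalId": SP_OBJECT_ID, "principalType": "ServicePrincipal",
     "roleDefinitionName": ROLE_NAME, "scope": f"/subscriptions/{SUBSCRIPTION_ID}"},
    {"principalId": SP_OBJECT_ID, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader",
     "scope": f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/rg-demo"},
]

if __name__ == "__main__":
    for role in (GOOD_ROLE, BAD_ROLE):
        print(json.dumps(audit_role(role), indent=2))
    hits = find_assignments(ASSIGNMENTS, SP_OBJECT_ID, SUBSCRIPTION_ID)
    print(f"{len(hits)} assignment(s) of {ROLE_NAME} at subscription scope")
```

To run it against a real tenant, replace the constructed dicts with `json.load` of the two CLI outputs and pass the service principal's object ID (shown on its Enterprise applications page) to `find_assignments`. Because the audit works on action names, it also flags a role that was later hand-edited to include write or delete actions, which would turn a read-only collector into a principal able to change your resources.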
Confirm that you have successfully credentialed your subscription
Return to the Vendor Credentials page in Cloudability to verify credentials.
You may see a yellow or green check box in the Advanced Features column for the Subscription.
- A green check box for a Subscription indicates that Cloudability has a custom read-only role on the Subscription (through our service principal).
- A yellow check box indicates an incomplete credential: for example, the credential process has started (we have a record in our database) but no permissions are attached to that credential yet.
- A red status color for the credential indicates an error with the credential.
Advanced Features are unlocked through our Service Principal once it holds the CloudabilitySubscriptionDataReader role on the Subscription. The permissions box may still show a yellow check box; this is expected.
- Re-verify the credential by selecting the circular arrow. A check mark is displayed briefly upon successful verification. You may need to refresh the browser to fetch the new changes.
- Select the icon to view the updated permissions.
- Check whether you have the CloudabilitySubscriptionDataReader role on the Subscription. This role is identified by its permissions being shown with green tick marks.
Some permissions are green and some are red. As long as the permissions that make up the CloudabilitySubscriptionDataReader role are green, Advanced Features are unlocked for that Subscription.
Additional permission is required for Azure EA accounts: the Enrollment Reader role is added for Apptio Cloudability to access RI planner data (Azure Compute, SQL, Cosmos DB, and Savings Plans).
Learn about Set up Azure Memory Metrics Collection
Upgrading existing Cloudability customers to Cloudability Premium
Upon upgrading to Cloudability Premium, the Billing Reports and Advanced Reports status for each GCP account on the listing page automatically changes to an error status, because the GCP token mechanism changed with this release. A Cloudability admin therefore needs to edit each account, following the steps below, which sets the correct account status in Cloudability for GCP data ingestion and enables Cloudability to share these accounts with Turbonomic.
- In Cloudability, navigate to Settings > Vendor Credentials > Azure.
- Hover your cursor over the icon of the payer or project for which you want to update credentials.
- Select the icon to open Edit a Credential.
- Choose the Optimization option: Read only or Optimize Resources.
- Generate the setup script.
- Update the permissions by executing the script.
- Re-verify the account.
Additional Turbonomic permissions are added to the basic (Billing Data), advanced (Utilization Data) and Optimize Resources (execute actions) permission sets; these are documented in the help center. Once your account is verified, the list of permissions can be viewed by choosing the Details option on each GCP account listed under Cloudability.
If existing customers do not add the new permissions:
- There is no change in the Vendor Credentials UI.
- Automate actions is shown as Off on the subscriptions.
- In the Details tab, all Turbonomic permissions appear with a red X mark.
Once the new permissions are enabled on subscriptions with Read only selected:
- Automate actions is still shown as Off.
- In the Details tab, the Turbonomic permissions for cost, billing and billing execution appear with a green tick mark.
Once the new permissions are enabled with Optimize Resources selected and the account(s) verified:
- Automate actions is marked as On.
- In the Details tab, all Turbonomic permissions appear with a green tick mark.
The Automate Actions On/Off status shown on the Vendor Credentials UI reflects the selection made in the toggle and the download of the template.