Azure Cost and Usage - Catalyst

Instructions for Granting Access for Azure Cost and Usage Assessment

Requirements to Execute the Steps

These steps are specifically for the Azure Cost and Usage integration through Catalyst. If you have not been asked to follow them, they will have no effect on your Azure Cost and Usage visibility in SHI One.

To perform the following steps, the user executing them must have:

  • Application Administrator role at the scope where the role assignment is being made (in this case, the root scope /) to assign roles to the service principal (Step 3).
  • An Azure CLI environment. We recommend using the Cloud Shell available in the Azure Portal to run the az CLI commands.

Permissions Our Application Will Be Granted

We request the following permission to be assigned to our application:

Cost Management Contributor at the Root Tenant Scope

This role gives us access to actual cost and usage data across all subscriptions, regardless of subscription type, by allowing us to:

  1. Retrieve a list of your subscriptions attached to that tenant scope
  2. Schedule actual Cost & Usage reports for each subscription individually
  3. Repeat this process periodically to detect new subscriptions and auto-configure Cost & Usage Exports

While Cost Management Contributor also has access to Create/Update/Delete Budgets, that is not the purpose of this application and those permissions will not be used.

Storage Account Contributor for a single Storage Account created for Cost & Usage Data Exports

A storage account specifically created for cost & usage exports will be managed by our application, including configuring the storage retention policy to keep data storage costs minimal. Currently we are looking at hot storage for 7 days, cold storage for 30 days, then deletion. Please do NOT use this storage account for any other purpose, as the policies may apply to those files.

Step-by-Step Instructions

You will require access to both the Azure Portal and the Azure CLI to execute these commands.

1. Create a Storage Account

Create a Storage Account somewhere inside your root tenant - this will be used for the data exports. Make sure to copy the storage account name; you'll need it in a later step. We require this to be a new storage account, because the roles needed to create data exports and file lifecycle policies grant full access to this storage account.

You can use the Azure Portal UI for this, or the AZ CLI if you're comfortable doing that.

2. Validate your current tenant

From the Azure Portal Shell (bash), run the following command to validate you're currently active under the tenant you intend to grant access for:

Bash


Keep track of this tenantId for future steps, as well as providing this data back to us.

3. Create a Service Principal for Our Application

Run the following command to create a service principal for our application using its application ID:

Bash


(Validate that the service principal was created and that its display name is Catalyst by SHI - Azure Cost and Usage)

Explanation: This command creates a service principal associated with our application. A service principal is an identity used by applications or services to access Azure resources. By creating this, you establish an identity for our app in your Azure Active Directory (Azure AD).

  • Application ID: 6b2205ef-191b-4e4a-b7dd-31a0059f8abe is the Application ID for "Catalyst by SHI - Azure Cost and Usage".

4. Give the new Service Principal access to your new Storage Account

Bash


Example:

Bash


Save the output provided! We'll need that information in order to configure and retrieve cost and usage data. If you don't see that string, make sure your az command is surrounded by backticks (`) and not quotes.

Now run:

Bash


This will assign the Storage Account Contributor role to that specific storage account and only that storage account.

5. Give the new Service Principal access to the Cost Management Contributor Role

Bash


Cost Management Contributor: The purpose of this role is to allow us to create data exports for subscriptions. Providing this level of access reduces the amount of initial setup and removes the need for ongoing maintenance per subscription - if you add a new subscription to your tenant, we will detect that subscription and start collecting Cost & Usage data for it.

6. Provide the "SCOPE" with storage account information back to your SHI Expert

Copy the value you saved above in step 4:

/subscriptions/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/resourceGroups/myresourcegroup/providers/Microsoft.Storage/storageAccounts/mynewstorageaccount

And provide it back to your SHI Expert. There are no secret values or passwords in this string, so it's safe to pass via Email or other methods.
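Steps 2 through 6 above, gathered into one script as an added example (this is not part of the SHI guide and not Catalyst's own tooling). It assumes the `az` CLI is installed and signed in, as in Cloud Shell, that the storage account from step 1 already exists, and that you pass its resource group and name as the two arguments; the optional `EXPECTED_TENANT` environment variable is this example's own way of enforcing the step 2 check. The application ID, role names and root scope are the ones given in this guide. The two helpers at the top do no Azure calls: they build and check that the SCOPE string handed back in step 6 has exactly the shape of a storage-account resource ID, so a subscription-level or root scope is never sent on by mistake.

```shell
#!/bin/sh
# Added example, not the guide's own commands: steps 2 to 6 of the Azure Cost
# and Usage grant as one script. Assumes a signed-in `az` CLI (e.g. Azure Cloud
# Shell) and a storage account that was already created in step 1.
set -eu

APP_ID="6b2205ef-191b-4e4a-b7dd-31a0059f8abe"   # Application ID from the guide
APP_NAME="Catalyst by SHI - Azure Cost and Usage" # display name the guide says to expect

# Build the ARM resource ID of a storage account (the "SCOPE" of steps 4 and 6)
# from its parts. Pure string work, no az call, so it can be checked offline.
build_storage_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' "$1" "$2" "$3"
}

# Succeed only when the string is exactly a storage-account resource ID: a GUID
# subscription, a resource group, and a 3-24 character lowercase account name.
# A bare subscription scope, the root scope "/" or a pasted secret all fail.
is_storage_scope() {
  guid='[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}'
  re="^/subscriptions/${guid}"'/resourceGroups/[A-Za-z0-9._()-]+/providers/Microsoft\.Storage/storageAccounts/[a-z0-9]{3,24}$'
  printf '%s' "$1" | grep -Eq "$re"
}

# Step 2: the tenant the CLI is signed in to.
show_tenant() {
  az account show --query tenantId -o tsv
}

# Step 3: create the service principal if it is not there yet, then confirm the
# display name matches what the guide says to expect.
ensure_service_principal() {
  if ! az ad sp show --id "$APP_ID" >/dev/null 2>&1; then
    az ad sp create --id "$APP_ID" >/dev/null
  fi
  name=$(az ad sp show --id "$APP_ID" --query displayName -o tsv)
  if [ "$name" != "$APP_NAME" ]; then
    printf 'unexpected service principal display name: %s\n' "$name" >&2
    return 1
  fi
}

sp_object_id() {
  az ad sp show --id "$APP_ID" --query id -o tsv
}

# Step 4: look up the storage account's resource ID, check its shape, and grant
# Storage Account Contributor on that one resource only. Prints the SCOPE.
grant_storage_access() {
  scope=$(az storage account show --resource-group "$1" --name "$2" --query id -o tsv)
  is_storage_scope "$scope" || { printf 'unexpected scope: %s\n' "$scope" >&2; return 1; }
  az role assignment create --assignee-object-id "$(sp_object_id)" \
    --assignee-principal-type ServicePrincipal \
    --role "Storage Account Contributor" --scope "$scope" >/dev/null
  printf '%s\n' "$scope"
}

# Step 5: Cost Management Contributor at the root tenant scope "/".
grant_cost_management() {
  az role assignment create --assignee-object-id "$(sp_object_id)" \
    --assignee-principal-type ServicePrincipal \
    --role "Cost Management Contributor" --scope "/" >/dev/null
}

# After the grants: list what the service principal holds so the result can be
# reviewed (exactly the two assignments above are expected, nothing more).
list_grants() {
  az role assignment list --assignee "$APP_ID" --all \
    --query "[].{role:roleDefinitionName, scope:scope}" -o table
}

main() {
  tenant=$(show_tenant)
  # EXPECTED_TENANT is this example's own guard for step 2, not a guide setting.
  if [ -n "${EXPECTED_TENANT:-}" ] && [ "$tenant" != "$EXPECTED_TENANT" ]; then
    printf 'signed in to tenant %s, expected %s\n' "$tenant" "$EXPECTED_TENANT" >&2
    exit 1
  fi
  printf 'Tenant: %s\n' "$tenant"
  ensure_service_principal
  scope=$(grant_storage_access "$1" "$2")
  grant_cost_management
  list_grants
  # Step 6: this is the only value to send back; it contains no secret.
  printf 'SCOPE to give your SHI Expert: %s\n' "$scope"
}

# Runs only when invoked as: sh grant_catalyst.sh <resource-group> <storage-account>
if [ "$#" -eq 2 ]; then
  main "$1" "$2"
fi
```

Run it from Cloud Shell with the resource group and storage account name from step 1; set `EXPECTED_TENANT` to the tenant ID you noted in step 2 if you want the script to refuse to run anywhere else. The `--assignee-object-id` / `--assignee-principal-type` pair is used instead of a plain `--assignee` so that a service principal created moments earlier is resolved without a directory lookup.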