Azure CSP Cost Exports

onboarding guide this guide is for azure administrators who need to grant shi access to copy cost management exports into your storage account you will run one script in your own azure tenant it takes approximately 5 minutes when complete, you send shi a single credentials file and no further action is required on your end what you are authorizing shi will be granted write only access to a single container in a storage account you control specifically, the script creates an app registration (service principal) in your entra id tenant and assigns it the storage blob data contributor role scoped to a container of your choosing shi receives no access to any other resources in your tenant manual deployment prerequisites your account must be able to create new application registrations your account must be able to create azure resources your account must have owner or user access administrator on the target subscription (needed to create a role assignment) step 1 — configure you may reuse existing resources for this process, however, we recommend you create dedicated resources for this purpose create a resource group create a storage account create a blob container in the storage account these resources should be dedicated to shi create a new app registration and document the client id assign a new secret and document for sending to shi assign the app registration storage blob data contributor on the created blob container step 2 — send credentials to shi send the following information to your shi contact securely (encrypted email, secure file transfer, etc ) security note this information contains a client secret treat it like a password — do not email it in plain text or commit it to source control the secret is scoped only to the single container specified above once shi has the file, your task is complete shi will need the following information tenant id storage account id container name app registration client id app registration secret automated deployment prerequisites az login tenant \<your tenant id> az account set subscription \<your subscription id> azure cli installed and authenticated against your tenant your account must have owner or user access administrator on the target subscription (needed to create a role assignment) jq installed (brew install jq on macos) download the deployment script step 1 — configure copy the example config and fill in your values cp config json example config json edit config json field description customersubscriptionid your azure subscription id location azure region (default eastus2) destinationresourcegroup resource group for the destination storage account, created if needed (default rg shi cost exports) destinationstorageaccount storage account name where exports will be delivered if public network access is enable from selected networks then see step 4 further securing your environment destinationcontainer container within that account (default exports) the app registration will be named shi cost export but you may rename it as desired step 2 — run the script /deploy customer sh the script will create an app registration in your entra id tenant generate a client secret assign storage blob data contributor to the app registration on your container write the credentials to customer credentials json step 3 — send credentials to shi the script produces a file customer credentials json send this file to your shi contact securely (encrypted email, secure file transfer, etc ) security note this file contains a client secret treat it like a password — do not email it in plain text or commit it to source control the secret is scoped only to the single container specified above once shi has the file, your task is complete you can delete your local copy of customer credentials json step 4 — further securing your environment (optional) allow azure services the solution copys blobs between storage accounts this requires the source and destination storage accounts to allow azure services to access them this is typically configured by enabling the "allow trusted microsoft services to access this storage account" option in the storage account's firewall settings allow outbound ip addresses the solution is running as an azure function (in east us 2), your storage account must be running in a region other than east us 2 (as traffic within the same region does not support dedicated public ip addresses) and your storage account firewall must allow the ip addresses of the azure function app as shown below 52 247 3 29 service principal access the solution uses a service principal to authenticate to your storage account the service principal must maintain the "storage blob data contributor" role assigned at the container level this design ensures least privilege access best practices what shi does with the credentials shi stores the credentials in an azure key vault in the shi tenant they are never stored in plain text or in any config file the automated copy job retrieves them from key vault at runtime revoking access to revoke shi's access at any time \# delete the app registration az ad app delete id \<client id from customer credentials json> or via the azure portal entra id → app registrations → \[app name] → delete