# Azure CSP Cost Exports
## Onboarding guide

This guide is for Azure administrators who need to grant SHI access to copy Cost Management exports into your storage account. You will run one script in your own Azure tenant; it takes approximately 5 minutes. When it completes, you send SHI a single credentials file, and no further action is required on your end.

### What you are authorizing

SHI will be granted access to a single container in a storage account you control. Specifically, the script creates an app registration (service principal) in your Entra ID tenant and assigns it the Storage Blob Data Contributor role scoped to a container of your choosing. Note that Storage Blob Data Contributor allows reading, writing and deleting blobs within its scope, so the grant is read/write on that one container's data rather than write-only; it carries no management-plane permissions, and SHI receives no access to any other resources in your tenant.

### Prerequisites

- Azure CLI installed and authenticated against your tenant:

  ```sh
  az login --tenant <your-tenant-id>
  az account set --subscription <your-subscription-id>
  ```

- Your account must have Owner or User Access Administrator on the target subscription (needed to create a role assignment).
- jq installed (`brew install jq` on macOS).
- The deployment script downloaded.

### Step 1 — Configure

Copy the example config and fill in your values:

```sh
cp config.json.example config.json
```

Edit `config.json`:

| Field | Description |
| --- | --- |
| `customerSubscriptionId` | Your Azure subscription ID. |
| `location` | Azure region (default: `eastus2`). |
| `destinationResourceGroup` | Resource group for the destination storage account, created if needed (default: `rg-shi-cost-exports`). |
| `destinationStorageAccount` | Storage account name where exports will be delivered. If the account's public network access is set to "Enabled from selected virtual networks and IP addresses", see Step 4, Further securing your environment. |
| `destinationContainer` | Container within that account (default: `exports`). |

The app registration will be named `shi-cost-export`, but you may rename it as desired.

### Step 2 — Run the script

```sh
./deploy-customer.sh
```

The script will:

1. Create an app registration in your Entra ID tenant.
2. Generate a client secret.
3. Assign Storage Blob Data Contributor to the app registration on your container.
4. Write the credentials to `customer-credentials.json`.

### Step 3 — Send credentials to SHI

The script produces a file `customer-credentials.json`. Send this file to your SHI contact securely (encrypted email, secure file transfer, etc.).

**Security note:** this file contains a client secret. Treat it like a password: do not email it in plain text or commit it to source control. The secret itself is not what limits SHI's reach; the role assignment is, and it covers only the single container specified above. Client secrets also expire, so record the expiry date of the secret the script created and plan to rotate it before then, or the copy job will stop.

Once SHI has the file, your task is complete. You can delete your local copy of `customer-credentials.json`.

### Step 4 — Further securing your environment (optional)

**Allow Azure services.** The solution uses Azure's server-side Start Copy From URL API to copy blobs between storage accounts. This requires the source and destination storage accounts to allow Azure services to access them. This is typically configured by enabling the "Allow trusted Microsoft services to access this storage account" option in the storage account's firewall settings.

**Allow outbound IP addresses.** The solution runs as an Azure Function, so your storage account firewall must allow the possible outbound IP addresses of the function app, listed below. Because these are the app's *possible* outbound addresses, allow all of them rather than only those you observe in your logs:

```
20.96.41.220, 20.96.44.46, 20.85.25.138, 20.96.42.23, 20.96.44.74,
20.96.44.106, 20.96.44.111, 20.96.43.23, 20.96.44.124, 20.96.41.67,
20.96.44.174, 20.85.31.83, 20.96.43.165, 20.186.55.179, 40.70.154.43,
52.138.116.173, 52.167.66.117, 52.167.249.187, 52.167.251.93, 52.167.253.8,
52.167.254.159, 52.167.254.248, 52.177.94.143, 52.177.232.216, 20.119.128.3
```

**Service principal access.** The solution uses a service principal to authenticate to your storage account. The service principal must keep the Storage Blob Data Contributor role assigned at the container level; do not widen the assignment to the storage account or subscription. This design keeps the grant to least privilege.

## Best practices

### What SHI does with the credentials

SHI stores the credentials in an Azure Key Vault in the SHI tenant. They are never stored in plain text or in any config file; the automated copy job retrieves them from Key Vault at runtime.

### Revoking access

To revoke SHI's access at any time:

```sh
# Delete the app registration
az ad app delete --id <client-id-from-customer-credentials.json>
```

Or via the Azure portal: Entra ID → App registrations → [app name] → Delete.

Deleting the app registration also deletes its service principal, so no new tokens can be issued for it, but access tokens already issued remain valid until they expire (typically about an hour). The container-level role assignment is left behind referencing a principal that no longer exists; remove it as well so it cannot be reattached if the application is restored, since deleted app registrations stay recoverable in Entra ID for 30 days.
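The following script is an added example and is not SHI's `deploy-customer.sh` or any other SHI code. It shows the Azure CLI calls behind Steps 1 through 4 and the revocation above in one place, with a `DRY_RUN` mode that prints every command instead of running it, plus a check that the service principal's role assignments are all container-scoped (the least-privilege property the guide relies on). The subscription ID, app ID and resource names in the embedded sample role-assignment JSON are constructed; the resource-name defaults and the function-app IP list are the guide's own.

```sh
#!/bin/sh
# Added example, not SHI's deploy-customer.sh. POSIX shell around the az CLI.
# Usage:
#   DRY_RUN=1 sh shi-cost-export.sh provision <subscriptionId> <rg> <storageAccount> <container> [appName]
#   sh shi-cost-export.sh firewall <rg> <storageAccount>
#   az role assignment list --assignee <appId> --all -o json | sh shi-cost-export.sh check
#   sh shi-cost-export.sh expiry <appId>
#   sh shi-cost-export.sh revoke <appId> <scope>
set -eu

DRY_RUN="${DRY_RUN:-}"
# Every side-effecting az call goes through run(), so DRY_RUN=1 shows exactly what would execute.
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# The role-assignment scope: one blob container, not the storage account or the subscription.
container_scope() {
  echo "/subscriptions/$1/resourceGroups/$2/providers/Microsoft.Storage/storageAccounts/$3/blobServices/default/containers/$4"
}

# Storage account names are 3-24 lowercase letters or digits; reject typos before az does.
valid_storage_account_name() { printf '%s' "$1" | grep -Eq '^[a-z0-9]{3,24}$'; }

# Steps 1-2: app registration, service principal, container-scoped role, client secret.
provision() {
  sub=$1; rg=$2; sa=$3; container=$4; app_name=${5:-shi-cost-export}
  valid_storage_account_name "$sa" || { echo "invalid storage account name: $sa" >&2; return 1; }
  scope=$(container_scope "$sub" "$rg" "$sa" "$container")
  if [ -n "$DRY_RUN" ]; then
    app_id='<appId>'; echo "az ad app create --display-name $app_name --query appId -o tsv"
  else
    app_id=$(az ad app create --display-name "$app_name" --query appId -o tsv)
  fi
  run az ad sp create --id "$app_id"
  run az role assignment create --assignee "$app_id" --role "Storage Blob Data Contributor" --scope "$scope"
  # The secret is shown once; it expires after --years, so schedule rotation before then.
  run az ad app credential reset --id "$app_id" --years 1 --query password -o tsv
  echo "clientId=$app_id scope=$scope" >&2
}

# Step 4: trusted-services bypass plus one IP rule per possible outbound address of the function app.
SHI_FUNCTION_IPS="20.96.41.220 20.96.44.46 20.85.25.138 20.96.42.23 20.96.44.74 20.96.44.106 20.96.44.111
20.96.43.23 20.96.44.124 20.96.41.67 20.96.44.174 20.85.31.83 20.96.43.165 20.186.55.179 40.70.154.43
52.138.116.173 52.167.66.117 52.167.249.187 52.167.251.93 52.167.253.8 52.167.254.159 52.167.254.248
52.177.94.143 52.177.232.216 20.119.128.3"
firewall() {
  for ip in $SHI_FUNCTION_IPS; do
    run az storage account network-rule add --resource-group "$1" --account-name "$2" --ip-address "$ip"
  done
  run az storage account update --resource-group "$1" --name "$2" --bypass AzureServices
}

# Least-privilege check: reads `az role assignment list --assignee <appId> --all -o json` on stdin
# and fails if any assignment is broader than a single blob container.
check_container_scoped() {
  scopes=$(sed -n 's/.*"scope": *"\([^"]*\)".*/\1/p')
  [ -n "$scopes" ] || { echo "no role assignments found" >&2; return 1; }
  bad=0
  for s in $scopes; do
    case "$s" in
      */blobServices/default/containers/*) ;;
      *) echo "too broad: $s" >&2; bad=1 ;;
    esac
  done
  return $bad
}

# When does the client secret expire? Use this to plan rotation (Step 3).
secret_expiry() { az ad app credential list --id "$1" --query '[].endDateTime' -o tsv; }

# Revocation: remove the role assignment too, not only the app registration.
revoke() {
  run az role assignment delete --assignee "$1" --scope "$2"
  run az ad app delete --id "$1"
}

# Constructed sample output of `az role assignment list`: one correct grant, one over-broad grant.
SAMPLE_OK='[
  {
    "roleDefinitionName": "Storage Blob Data Contributor",
    "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-shi-cost-exports/providers/Microsoft.Storage/storageAccounts/shicostexports/blobServices/default/containers/exports"
  }
]'
SAMPLE_TOO_BROAD='[
  {
    "roleDefinitionName": "Storage Blob Data Contributor",
    "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"
  }
]'

case "${1:-}" in
  provision) shift; provision "$@" ;;
  firewall)  shift; firewall "$@" ;;
  check)     check_container_scoped ;;
  expiry)    secret_expiry "${2:?appId}" ;;
  revoke)    revoke "${2:?appId}" "${3:?scope}" ;;
  "")        ;;   # no subcommand: only define the functions (e.g. when sourced)
  *)         echo "usage: $0 provision|firewall|check|expiry|revoke ..." >&2; exit 2 ;;
esac
```

Run `provision` with `DRY_RUN=1` first and compare the printed `--scope` with the container you intended; after the real run, pipe `az role assignment list --assignee <appId> --all -o json` into `check` to confirm nothing broader than the container was granted. Adding the IP rules before `--bypass AzureServices` keeps the account reachable throughout, and `revoke` deletes the role assignment before the app so no orphaned assignment remains.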