Setup GCP Account for CloudVerse
I. Prerequisite:
- Permissions to create a project.
- Permissions to create a BigQuery dataset.
- Permissions to modify Billing settings.
- Permissions to create a Role
- Permissions to enable APIs
- Permissions to add a Principal and assign a Role
- The project needs to be linked to a Cloud Billing account you want to export. Refer to GCP docs for instructions.
II. Cloud account setup:
1. Enable billing export (On project hosting BigQuery):
Step 1: Open the console Navigation menu and select Billing, or go to the Billing Console and choose your billing account.
Figure 1: Go to billing console
Step 2: In the Billing navigation menu, select Billing export
Step 3: Select the BigQuery export tab (this tab is selected by default)
Step 4: Under Detailed usage cost, click the Edit settings button
Figure 2: Go to billing export
Step 5: From the Projects list, select the project you set up to contain your billing data
Step 6: From the Dataset ID field, select or create the dataset that you set up to contain your exported Cloud Billing data
Figure 3: Create dataset billing export
Step 7: Click the Save button
III. Add Integration in CloudVerse:
a. Have Organization ID:
Step 1: In the GCP Console, you can get the Organization ID by selecting Organization (top left corner).
Step 2: In the GCP integration creation form, input the following fields:
- Organization ID: The ID of the organization collected in the step above.
- Billing Account ID: The billing account ID that links to the Project. Example: 00FD5B-6C58BD-0874B3.
- BigQuery Dataset Name: The dataset that is configured with the billing account, in Billing Export.
- Billing Project ID Hosting Big Query Dataset: The project that the BigQuery dataset belongs to.
Step 3: After you click Generate Script, you will see a Google Cloud Shell script generated by CloudVerse; copy that script and run it in the GCP Console.
Click the copy icon to copy the whole script, then log in to the GCP Console and click the terminal icon.
In GCP Cloud Shell, paste the script and press Enter.
Step 4: After you run the script, come back to CloudVerse and press the I Ran The Script button.
Step 5: After a few seconds, it will show the projects linked to your Billing Account; select the projects you want to add to CloudVerse, then click Connect.
Note: Make sure all your selected projects have the Compute Engine API enabled. You can check via this link:
https://console.cloud.google.com/apis/api/compute.googleapis.com/overview?project=your-project-id
Ex:
https://console.cloud.google.com/apis/api/compute.googleapis.com/overview?project=cloudverse-project-id
b. Don’t Have Organization ID:
Step 1: In the GCP integration creation form, input the following fields:
- Billing Account ID: The billing account ID that links to the Project. Example: 00FD5B-6C58BD-0874B3.
- BigQuery Dataset Name: The dataset that is configured with the billing account, in Billing Export.
- Billing Project ID Hosting Big Query Dataset: The project that the BigQuery dataset belongs to.
- Project IDs: The main projects you want to integrate, including resources such as VMs. You can input many projects, as long as they were set up with the above Billing Account.
Figure 8: Input GCP integration
Step 2: After you click Generate Script, you will see a Google Cloud Shell script generated by CloudVerse; copy that script and run it in the GCP Console.
Click the copy icon to copy the whole script, then log in to the GCP Console and click the terminal icon.
In GCP Cloud Shell, paste the script and press Enter.
Step 3: After you run the script, come back to CloudVerse and press the I Ran The Script button.
Step 4: Click Finish on the last step.
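Before running the generated script, the form inputs from section III can be sanity-checked offline and mapped to the BigQuery table that the Detailed usage cost export from section II writes into. This is an added Python example, not CloudVerse's code; the identifier formats follow Google Cloud's documented rules, and the table name gcp_billing_export_resource_v1_<billing account ID with hyphens replaced by underscores> is the documented naming of the detailed export.

```python
import re

# Identifier rules as documented by Google Cloud (assumption: the rules current at time of writing).
BILLING_ACCOUNT_RE = re.compile(r"^[0-9A-F]{6}-[0-9A-F]{6}-[0-9A-F]{6}$")
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")  # 6-30 chars, no trailing hyphen
DATASET_ID_RE = re.compile(r"^[A-Za-z0-9_]{1,1024}$")


def validate_integration_form(billing_account_id, dataset_name, billing_project_id, project_ids=()):
    """Return a list of problems with the CloudVerse GCP form fields; [] means they look valid."""
    problems = []
    if not BILLING_ACCOUNT_RE.match(billing_account_id):
        problems.append(f"billing account id should look like 00FD5B-6C58BD-0874B3, got {billing_account_id}")
    if not DATASET_ID_RE.match(dataset_name):
        problems.append(f"dataset name may only contain letters, digits and underscores: {dataset_name}")
    for pid in [billing_project_id, *project_ids]:
        if not PROJECT_ID_RE.match(pid):
            problems.append(f"invalid project id: {pid}")
    return problems


def detailed_export_table(billing_account_id, dataset_name, billing_project_id):
    """Fully qualified BigQuery table that the Detailed usage cost export writes into."""
    suffix = billing_account_id.replace("-", "_")
    return f"{billing_project_id}.{dataset_name}.gcp_billing_export_resource_v1_{suffix}"


def export_check_query(billing_account_id, dataset_name, billing_project_id):
    """SQL to confirm the export is actually receiving rows (run it in the BigQuery console)."""
    table = detailed_export_table(billing_account_id, dataset_name, billing_project_id)
    return (f"SELECT COUNT(*) AS rows_last_2_days FROM `{table}` "
            "WHERE export_time > TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 2 DAY)")
```

If the table does not exist or the query returns zero rows, the export in section II has not started populating yet, and the integration will have no cost data to read.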
Azure Integration
How CloudVerse connects with Azure
CloudVerse integrates with your Azure account using an Active Directory Service Principal. This principal is then granted permissions to read individual subscriptions.
CloudVerse supported options to connect to Azure
CloudVerse lets you add your Azure accounts in two ways:
Connect via OAuth Application
Step 1: The user is required to give a name to the Azure integration with CloudVerse, along with their tenant ID and billing account ID, and click on “Authorize Application”.
Step 2: The user is redirected to the Azure portal, which requests permission to add the CloudVerse application into their tenant. A Service Principal is created automatically once the user approves the application.
Step 3: After adding CloudVerse application into their tenant, the user has to manually grant the Billing Account Reader permission to be able to fetch all their subscriptions.
This can be found under Billing Account → Access Control → Add → Add role assignment → Then search and add CloudVerse Application (CloudVerse Application will appear in the results section if it has been added to the user's tenant)
Step 4: Once the Billing Account Reader permission is granted, the user can now fetch all their subscriptions.
Step 5: To add multiple subscriptions to CloudVerse, Service Principal should be able to access the subscriptions. CloudVerse will generate a script to grant permissions to Service Principal to be able to read the subscriptions. The user needs to select all subscriptions that he/she wishes to add onto CloudVerse and click on Run Script. Copy the script and run it in the Bash terminal in Azure portal.
This script will create a custom role with the following permissions:
- */read - read all resources
- Microsoft.Advisor/recommendations/suppressions/write - dismiss Azure recommendations
- Scope - all subscriptions that are selected.
The selected Azure subscriptions are now connected.
Connect via Azure Token
The user can use the Azure token method in cases where they don’t want to use the CloudVerse application, and would like to manually create an application, and then provide the token to CloudVerse, or when the user doesn’t have enough permissions to approve CloudVerse application.
In this method, the user is required to manually create an application in their tenant, and share the Application ID (Client ID) and Application Secret (Client Secret) with CloudVerse.
Step 1: Create a new application registration
1. From the main page of the Azure portal, search for and navigate to Microsoft Entra ID.
2. In the left navigation, under Manage, select App registrations.
3. Click + New registration.
4. The Register an application screen is displayed. For Name, enter CloudVerse.
5. Leave all other settings as their defaults and click Register.
6. The app details are displayed. Record the Application (client) ID and Directory (tenant) ID to use later.
Step 2: Generate a Client Secret
1. On the same page, next to the Client credentials field, click Add a certificate or secret. (You can also access the Certificates and secrets screen from the left navigation menu.)
2. Click + New client secret.
3. The Add a client secret pane is displayed. For Description, enter a description, such as CloudVerse-secret.
4. For Expires, select an expiration option for the secret.
5. Click Add.
6. The newly created secret is displayed. Copy the secret's Value to add to the CloudVerse console later. This value will be displayed only one time.
Step 3: Service Principal Creation
1. From the main page of the Azure portal, search for and navigate to Microsoft Entra ID. In the left navigation, under Manage, select App registrations, and search for your application.
2. Under Application Overview, click Create Service Principal.
3. Once the Service Principal is created, the user can see his/her application under Enterprise Application. (Navigate to Azure Portal → Microsoft Entra ID → Enterprise Application)
Step 4: After the application is added, the user has to manually grant the Billing Account Reader permission to be able to fetch all their subscriptions.
This can be found under Billing Account → Access Control → Add → Add role assignment → Then search and add CloudVerse Application (CloudVerse Application will appear in the results section if it has been added to the user's tenant)
Step 5: Once the Billing Account Reader permission is granted, the user can now fetch all their subscriptions.
Step 6: To add multiple subscriptions into CloudVerse, Service Principal should be able to access the subscriptions. CloudVerse will generate a script to grant permissions to Service Principal to be able to read the subscriptions. The user needs to select all subscriptions that he/she wishes to add onto CloudVerse and click on Run Script. Copy the script and run it in the Bash terminal in Azure portal.
This script will create a custom role with the following permissions:
- */read - read all resources
- Microsoft.Advisor/recommendations/suppressions/write - dismiss Azure recommendations
- Scope - all subscriptions that are selected.
The selected Azure subscriptions are now connected.
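The custom role that both connection methods above (Connect via OAuth Application and Connect via Azure Token) create can be written down as an Azure custom role definition and audited so that it never grows beyond the two actions and the subscription scopes the page lists. The following Python is an added example, not CloudVerse's generated script: the subscription IDs and app ID are constructed, the role name is an assumption, and the JSON shape is the one `az role definition create --role-definition` accepts.

```python
import json
import re

# Permissions the CloudVerse-generated script is described as granting (from the page).
CLOUDVERSE_ACTIONS = [
    "*/read",
    "Microsoft.Advisor/recommendations/suppressions/write",
]
SUBSCRIPTION_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def build_role_definition(subscription_ids, name="CloudVerse Reader"):
    """Custom role definition in the JSON shape `az role definition create` accepts,
    assignable only at the selected subscriptions (the role name is an assumption)."""
    scopes = []
    for sub in subscription_ids:
        if not SUBSCRIPTION_RE.match(sub):
            raise ValueError(f"not a subscription id: {sub}")
        scopes.append(f"/subscriptions/{sub}")
    return {
        "Name": name,
        "IsCustom": True,
        "Description": "Read all resources and dismiss Advisor recommendations",
        "Actions": list(CLOUDVERSE_ACTIONS),
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": scopes,
    }


def audit_role_definition(role):
    """Return findings where a role is broader than the page describes; [] means it matches."""
    findings = []
    for action in role.get("Actions", []):
        if action not in CLOUDVERSE_ACTIONS:
            findings.append(f"unexpected control-plane action: {action}")
    if role.get("DataActions"):
        findings.append("data-plane actions granted")
    for scope in role.get("AssignableScopes", []):
        # Anything other than a single subscription (tenant root "/", a management group) is too wide.
        if not re.fullmatch(r"/subscriptions/[0-9a-f-]{36}", scope):
            findings.append(f"scope wider than one subscription: {scope}")
    return findings


def render_az_commands(role, app_id):
    """Azure CLI commands that create the role and assign it to the Service Principal per subscription."""
    cmds = [f"az role definition create --role-definition '{json.dumps(role)}'"]
    for scope in role["AssignableScopes"]:
        cmds.append(f'az role assignment create --assignee {app_id} --role "{role["Name"]}" --scope {scope}')
    return cmds
```

Running audit_role_definition against the role the script actually created (for example the output of `az role definition list --custom-role-only true`) is a quick way to confirm nothing broader than */read plus the Advisor suppression write was granted.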
AWS Integration
CloudVerse supported options to connect to AWS
Master Payer Account (MPA)/Root
How CloudVerse connects with AWS
CloudVerse creates a Cross-Account IAM role to interact with services in your AWS account using the provided CloudFormation template. When this role gets created, you provide CloudVerse with various read-only permissions.
Here is the CloudFormation template used:
https://cloudverse-public.s3.ap-southeast-1.amazonaws.com/cloudverse-integration/20230515.json
And this is the cross-account IAM role that is created (an assumable role whose name has the prefix ConnectToCloudVerse):