Onboard Azure to CloudHiro cost optimization platform

Please read until the end before you start.

Creating a service principal

The following guide will show you how to set up your account to allow Costi to access it in a secure manner. To do this We will create a Service Principal for Costi.

Use Azure CLI to set the active subscription - Run the following command: az account set --subscription ""
Use Azure CLI to Create the Service Principal - Run the following command: az ad sp create-for-rbac -n "Costi" --create-cert
You should get a response similar to the one below:

Creating a role assignment under the scope of "/subscriptions/"
{
"appId": "XXX",
"displayName": "Costi",
"fileWithCertAndPrivateKey":" "/path/to/certificate/tmp123abc_v.pem"
"name": "http://Costi",
"password": "YYY",
"tenant": "ZZZ"
}
Please save the response. We will need some of the properties - they are needed later in the registration step

Create billing export

There are two methods:
1. A - Traditional - Billing export - You control what CloudHiro can see, but billing data is available for up to 3 months in the past.
2. B - New method - billing API - CloudHiro can Access up to 12 months of billing data in the past.

Method A - Billing export

There is an Azure guide for this.
Create a storage account for Costi to be able to read from.
Create a billing exports at the highest level possible (billing account preferred), that will export CSV files to the storage account. Do not export at “Tenant management group” or any other management group. Billing account level or subscription level.
A total of 6 exports should be created:
1. Daily export - month to date - it will run automatically each day.
  1. Amortized cost (1)
  2. Actual cost (2)
2. One-time export of the last 2 months before the current month - each one of them will run 1 time.
  1. Previous month (i.e. we are in July, meaning June)
    1. Amortized cost (3)
    2. Actual cost (4)
  2. 2 months ago (i.e. we are in July, meaning May)
    1. Amortized cost (5)
    2. Actual cost (6)
Please note: The entire billing path must include two components.
1. The month of the export is in the ‘YYYYMM’ format, this is usually the Azure default.
2. The string ‘amor’ in the path of the export contains the amortized data, for example - directory or container has the “amor” string in it.
To automate the process - you can use the following powershell script

Method B - Billing API:

Just grant the “Enrollment reader” permission to the service principal - Add it manually or you can use the following script (haven’t been tested)

Add role assignments

You can use this script from the azure CLI to quickly assign the role to all subscriptions.
If you did not use the script, navigate to Subscriptions -> Access Control (IAM) -> Role Assignments. Add the following role assignments to the service principal:
1. Reader
2. Billing Reader
3. For the Storage accounts that all the billing exports:
  1. Reader and Data Access
  2. Storage Blob Data Reader

Register to CloudHiro

Register here. Please note: If you are using a reseller, either use the reseller-provided link to register or add “?partner=[reseller-name]” to the end of the URL above. If you did not, our support can re-allocate your account to your reseller later on
You will need the following values from the previously saved response to complete the registration form:
1. Client ID - “appId“ use XXX
2. Certificate - “fileWithCertAndPrivateKey”
3. Tenant Id - “tenant” use ZZZ
After registering to CloudHiro, confirm the email you got and login.

Add subscription and permissions for Auto-RI management

Auto-RI is our automated Reservation Management.

Create a new subscription for our purchases. If you already have a subscription for purchases, you can use that one.
Grant Reservations Administrator at the Tenant level. Azure’s manual on how to add permissions at the tenant level - use this link,
Grant Reservations Purchaser on the subscription you have created above.
Grant Reservations Reader to all the tenant to see all reservations purchased.
Please note: Auto-RI requires the billing export from the previous section (method A or B).

Add Log analytics permissions guide

After creating the service principal, go to the app registration of the service principal created → API permissions → add a permission → api’s my organization uses → log analytics API → add data.read permission.

Configure Billing Export & Azure-RI in CloudHiro

Login to your CloudHiro account.
Go to system->settings and update the four fields required for Bill CSV Location & the Azure RIs Subscription ID field. Update all at once. If you do not have a subscription ID, you can simply use 123 as a placeholder.

That’s it!

We are done setting up. You can now ask your partner for a tour of CloudHiro and the CloudHiro visualizer.

Required permissions summary for CloudHiro's service principal

Permission	Scope	Reason
Storage Blob Data Reader	Storage Account that holds the billing exports	The ability to list all blobs in that storage account (Billing - Method A - billing exports)
Enrollment reader	Billing Account	Ability to read billing data from API ((Billing - Method B - API)
Reader	Subscriptions	The ability to list and get all resources and their properties.
Monitoring Reader	Subscriptions	The ability to view metrics and see the usage of log analytics.
Reader and Data Access	Storage Account that holds the billing exports	The ability to view the blobs' content.
Log analytics API	App registration	Reach log analytics API and show how much each resource is sending to log analytics workspaces.
Reservations Administrator	Tenant	The ability to view and manage the reservations at the Tenant level, so all reservations will be visible to CloudHiro. The ability to manage RIs correctly by splitting, exchanging, refunding, etc.
Reservations Purchaser	Purchasing Subscription	The ability to calculate the cost of the reservation and to purchase the reservation in that billing subscription.
Reservations Reader	Tenant	The ability to see all reservations.

Azure Onboarding

AWS Onboarding

GCP Onboarding