Minimum Permissions for Public Clouds

The following table lists the minimum permissions for public cloud accounts supported in the Cost Optimizer and Workload Manager modules of CloudCenter Suite Release 5.0. Each row of the table is given below as a block with its five columns: Product, Function, AWS (IAM or root user), Azure RM (Application), and Google (Service Account).

Product: Cost Optimizer and Workload Manager
Function: Discover billing units
AWS (IAM or root user):
  iam:Get*
  iam:List*
  organizations:Describe*
  organizations:List*
  Note: The organizations:Describe* and organizations:List* permissions are required in CloudCenter Suite 5.0 but not in CloudCenter Suite 5.0.1.
Azure RM (Application): Cost Management Reader
Google (Service Account):
  resourcemanager.projects.get,list

Product: Cost Optimizer
Function: Discover organization hierarchy
AWS (IAM or root user):
  organizations:Describe*
  organizations:List*
Azure RM (Application): N/A
Google (Service Account):
  billing.accounts.get,list
  orgpolicy.policy.get
  resourcemanager.folders.get,list
  resourcemanager.organizations.get

Product: Cost Optimizer
Function: Collect invoice data
AWS (IAM or root user):
  ce:*
  cur:Describe*
  The following policy is required on AWS IAM:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "ce:*",
          "cur:Describe*"
        ],
        "Resource": "*"
      }
    ]
  }
Azure RM (Application):
  Non-EA Account: Billing Reader.
  For Enterprise Agreement (EA) accounts, an EA API access key generated by the EA Admin must be provided when configuring AzureRM EA accounts as cloud accounts in CloudCenter Suite.
Google (Service Account):
  storage.objects.get,list
  storage.buckets.get,list

Product: Cost Optimizer and Workload Manager
Function: Collect VMs and volumes
AWS (IAM or root user):
  ec2:DescribeInstances
  ec2:DescribeVolumes
Azure RM (Application):
  VM: VM contributor
  Volume: Reader
  Note: The Reader role must be used because no built-in role is provided for disk resource read permission.
Google (Service Account):
  compute.instances.get,list
  compute.disks.get,list

Product: Cost Optimizer
Function: Collect PAAS services
AWS (IAM or root user):
  rds:Describe*
  elasticloadbalancing:Describe*
Azure RM (Application):
  SQL Server and SQL database: SQL Server contributor
  MySQL and PostgreSQL Server: Reader
  Note: The Reader role must be used because no built-in role is provided for disk resource read permission.
Google (Service Account):
  cloudsql.databases.get,list
  cloudsql.instances.get,list
  compute.forwardingRules.get,list
  compute.targetPools.get,list

Product: Cost Optimizer and Workload Manager
Function: Collect VM metrics
AWS (IAM or root user):
  cloudwatch:Describe*
  cloudwatch:Get*
  cloudwatch:List*
Azure RM (Application): Monitoring reader or VM contributor
Google (Service Account):
  monitoring.metricsDescriptors.get,list
  monitoring.timeSeries.list

Product: Cost Optimizer
Function: Collect resource usage
AWS (IAM or root user):
  s3:Get*
  s3:List*
Azure RM (Application): N/A
Google (Service Account): N/A

Product: Cost Optimizer
Function: Collect RI subscriptions
AWS (IAM or root user):
  ec2:DescribeReservedInstances*
Azure RM (Application): N/A
Google (Service Account): N/A

Product: Cost Optimizer and Workload Manager
Function: Collect RI subscription data for AWS member account
AWS (IAM or root user):
  On the master account user, add the following permission:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "sts:assumerole"
        ],
        "Resource": "*"
      }
    ]
  }
  On the member account, create a new role with the required permissions for the Inventory, Invoice and VM metrics collection as specified above (depending on the products you use), and add a Trust Relationship to the master account:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::<master account number>:root"
        },
        "Action": "sts:AssumeRole",
        "Condition": {}
      }
    ]
  }
Azure RM (Application): N/A
Google (Service Account): N/A

Product: Workload Manager
Function: Manage VMs and Volumes
AWS (IAM or root user):
  ec2:AssignPrivateIpAddresses
  ec2:AttachNetworkInterface
  ec2:AttachVolume
  ec2:AuthorizeSecurityGroupEgress
  ec2:AuthorizeSecurityGroupIngress
  ec2:CreateImage
  ec2:CreateKeyPair
  ec2:CreateNetworkInterface
  ec2:CreateSecurityGroup
  ec2:CreateSnapshot
  ec2:CreateTags
  ec2:CreateVolume
  ec2:DeleteKeyPair
  ec2:DeleteNetworkInterface
  ec2:DeleteSecurityGroup
  ec2:DeleteSnapshot
  ec2:DeleteTags
  ec2:DeleteVolume
  ec2:DescribeAccountAttributes
  ec2:DescribeAvailabilityZones
  ec2:DescribeDhcpOptions
  ec2:DescribeImageAttribute
  ec2:DescribeImages
  ec2:DescribeInstanceAttribute
  ec2:DescribeInstances
  ec2:DescribeInstanceStatus
  ec2:DescribeKeyPairs
  ec2:DescribeNetworkInterfaceAttribute
  ec2:DescribeNetworkInterfaces
  ec2:DescribeRegions
  ec2:DescribeSecurityGroups
  ec2:DescribeSnapshotAttribute
  ec2:DescribeSnapshots
  ec2:DescribeStaleSecurityGroups
  ec2:DescribeSubnets
  ec2:DescribeTags
  ec2:DescribeVolumeAttribute
  ec2:DescribeVolumes
  ec2:DescribeVolumesModifications
  ec2:DescribeVolumeStatus
  ec2:DescribeVpcAttribute
  ec2:DescribeVpcs
  ec2:DetachNetworkInterface
  ec2:DetachVolume
  ec2:EnableVolumeIO
  ec2:GetConsoleOutput
  ec2:GetConsoleScreenshot
  ec2:GetPasswordData
  ec2:ImportKeyPair
  ec2:ImportVolume
  ec2:ModifyImageAttribute
  ec2:ModifyInstanceAttribute
  ec2:ModifyNetworkInterfaceAttribute
  ec2:ModifyVolume
  ec2:ModifyVolumeAttribute
  ec2:RebootInstances
  ec2:RevokeSecurityGroupEgress
  ec2:RevokeSecurityGroupIngress
  ec2:RunInstances
  ec2:StartInstances
  ec2:StopInstances
  ec2:TerminateInstances
  ec2:UnassignPrivateIpAddresses
Azure RM (Application):
  Create, modify, or delete NIC, public IP, security group: Network contributor
  Create, modify, or delete diagnostics: Storage account contributor
  Create, modify, or delete unmanaged data disk: Storage account contributor
  Create, modify, or delete managed data disks: Owner
  Note: The Owner role must be used because no built-in role is provided for disk resource write permission.
  VM with managed data disks: Owner
  Create, modify, or delete VM with unmanaged data disks and diagnostic log: Virtual machine contributor, network contributor, and storage account contributor
  VM with no data disks: Virtual machine contributor and network contributor
Google (Service Account):
  Predefined role: Project Editor
  OR
  compute.addresses.create,delete,get,list,use
  compute.disks.create,delete,get,list,update,use
  compute.firewalls.create,delete,get,list,update
  compute.instances.*
  compute.machineTypes.get
  compute.networks.get,list,use
  compute.projects.get
  compute.regions.get
  compute.subnetworks.get,list,use,useExternalIp
  compute.zones.get
  iam.serviceaccounts.get,list
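A minimum-permission table is only useful if the policy actually attached to the cloud account matches it. The following added example (not part of the CloudCenter Suite documentation) compares the Allow actions of an AWS IAM policy document against the documented minimum for the "Collect invoice data" row, reporting both required patterns the policy fails to cover and granted patterns broader than anything documented. The wildcard comparison via fnmatch is an assumption of this example, as is the constructed over-broad policy used for illustration.

```python
import fnmatch
import json

# Documented minimum for the "Collect invoice data" row (AWS column) of the table above.
REQUIRED_INVOICE_ACTIONS = ["ce:*", "cur:Describe*"]

# The IAM policy the table gives for that row.
PAGE_INVOICE_POLICY = ('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
                       '"Action": ["ce:*", "cur:Describe*"], "Resource": "*"}]}')

# Constructed over-broad variant: grants all of cur:* and ec2:* where only cur:Describe* is documented.
OVERBROAD_INVOICE_POLICY = ('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
                            '"Action": ["ce:*", "cur:*", "ec2:*"], "Resource": "*"}]}')


def _as_list(value):
    """IAM allows Statement and Action to be a single item or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy_json):
    """Return the Action patterns of every Allow statement, lower-cased (IAM action names are case-insensitive)."""
    doc = json.loads(policy_json)
    actions = []
    for stmt in _as_list(doc["Statement"]):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            actions.extend(a.lower() for a in _as_list(stmt["Action"]))
    return actions


def check_against_minimum(policy_json, required):
    """Report 'missing' required patterns the policy does not cover and 'excess' granted
    patterns broader than anything in the documented minimum (e.g. ec2:* vs ec2:DescribeInstances)."""
    req = [r.lower() for r in required]
    granted = allowed_actions(policy_json)
    # A required pattern is covered when some granted pattern matches it as a whole string:
    # granted iam:* covers required iam:Get*, but granted iam:GetUser does not.
    missing = [r for r in req if not any(fnmatch.fnmatchcase(r, g) for g in granted)]
    # A granted pattern is in scope when some required pattern matches it, i.e. it is equal
    # to or narrower than a documented pattern; anything else is an over-grant.
    excess = [g for g in granted if not any(fnmatch.fnmatchcase(g, r) for r in req)]
    return {"missing": missing, "excess": excess}


if __name__ == "__main__":
    print(check_against_minimum(PAGE_INVOICE_POLICY, REQUIRED_INVOICE_ACTIONS))
    print(check_against_minimum(OVERBROAD_INVOICE_POLICY, REQUIRED_INVOICE_ACTIONS))
```

The same function can be run with any other row's AWS action list as `required`, for example the ec2:Describe* pair from "Collect VMs and volumes", to confirm a role used only for collection has not been granted the far larger "Manage VMs and Volumes" set.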
