Cloud Overview

Workload Manager and Cost Optimizer manage clouds on a per-region basis. The main point of control for a cloud region is the cloud region API endpoint. In the case of public VM-based clouds, such as AWS, GCP, and AzureRM, each cloud can have multiple regions that correspond to different geographic regions. OpenStack clouds also support multiple regions, but they are logical regions that do not have to be in different geographical areas. Kubernetes clouds and VMware vCenter clouds have only one region each. 

Each AWS and Azure cloud account may not have access to all regions; to access different regions you may need to use different accounts. In CloudCenter Suite 5.x, this delineation is not enforced - when you add regions and cloud accounts to a cloud group, make sure to add only the regions that are accessible by all the cloud accounts in that cloud group. For example, AWS has separate accounts for China, Government, and other regions. The Public Clouds section provides additional details on the regions supported by AWS and Azure - for each of these cloud groups, be sure to create separate cloud accounts.

For public clouds, a cloud region is associated with a geographic region defined by the cloud provider. For OpenStack clouds, a cloud region is a logical region defined within OpenStack. For VMware – vCenter and vCD – clouds, each instance of vCenter or vCD is considered a region. For Kubernetes clouds, each Kubernetes cluster is considered a region unto itself. The following table summarizes the scope of a region for each of the supported cloud types.

Cloud Family: AWS
  Cloud Region Mapping: Geographical Region
  Supports any number of these per region: Accounts, Sub-Accounts, Identity and Access Management (IAM)

Cloud Family: VMware vCenter
  Cloud Region Mapping: vCenter instance
  Supports any number of these per region: Datacenter, Clusters, Resource pools, Accounts, Datastores, Datastore clusters

Cloud Family: VMware vCloud Director
  Cloud Region Mapping: vCD instance
  Supports any number of these per region: Datacenter, Clusters, Resource pools, Accounts, Datastores, Datastore clusters

Cloud Family: Azure RM
  Cloud Region Mapping: Geographical Region
  Supports any number of these per region: Networks, Cloud services, Accounts

Cloud Family: Google Cloud
  Cloud Region Mapping: Geographical Region
  Supports any number of these per region: Projects, Accounts

Cloud Family: IBM Cloud
  Cloud Region Mapping: Geographical Region
  Supports any number of these per region: Accounts

Cloud Family: OpenStack
  Cloud Region Mapping: Logical Region
  Supports any number of these per region: Tenants, Networks, Accounts

Cloud Family: Kubernetes
  Cloud Region Mapping: Kubernetes cluster
  Supports any number of these per region: Accounts, Namespaces, VPCs, IAM policies

Minimum Permissions for Public Clouds

The following table lists the minimum permissions for the public cloud accounts supported by the Cost Optimizer and Workload Manager modules of CloudCenter Suite Release 5.1.

You must enable AWS Cost Explorer to view AWS-specific costs on the Cost Optimizer dashboard. For additional details on enabling AWS Cost Explorer, see https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/ce-enable.html.

Each entry below gives the product, the function, and the permissions or roles required for AWS (IAM user), Azure RM (Application), and Google (Service Account).

Product: Cost Optimizer and Workload Manager
Function: Discover billing units
  • AWS (IAM user): iam:Get*, iam:List*
  • Azure RM (Application): Cost management reader
  • Google (Service Account): resourcemanager.projects.get,list

Product: Cost Optimizer
Function: Discover organization hierarchy
  • AWS (IAM user): organizations:Describe*, organizations:List*
  • Azure RM (Application): N/A
  • Google (Service Account): billing.accounts.get,list; orgpolicy.policy.get; resourcemanager.folders.get,list; resourcemanager.organizations.get

Product: Cost Optimizer
Function: Collect invoices
  • AWS (IAM user): ce:*, cur:Describe*
    AWS Cost Explorer must be enabled to view AWS-specific costs on Cost Optimizer.
  • Azure RM (Application): Billing reader
  • Google (Service Account): storage.objects.get,list; storage.buckets.get,list

Product: Cost Optimizer and Workload Manager
Function: Collect VMs and volumes
  • AWS (IAM user): ec2:DescribeAvailabilityZones, ec2:DescribeAddresses, ec2:DescribeInstances, ec2:DescribeVolumes, ec2:DescribeTags, tag:getTagKeys, tag:getTagValues
    Notes:
      ec2:DescribeAvailabilityZones is mandatory and is used to validate accounts.
      ec2:DescribeAddresses is optional and is used to populate the IP allocation type of the NIC during inventory collection.
      ec2:DescribeTags is mandatory and is used to discover the tags of PaaS services (ELB).
      The tag permissions are required for tag-based reporting and apply only to Cost Optimizer.
  • Azure RM (Application): VM: VM contributor; Volume: Reader (the Reader role must be offered because no built-in role is provided)
  • Google (Service Account): compute.instances.get,list; compute.disks.get,list

Product: Cost Optimizer
Function: Collect PAAS services
  • AWS (IAM user): rds:Describe*, elasticloadbalancing:Describe*
  • Azure RM (Application): SQL Server and SQL database: SQL Server contributor; MySQL and PostgreSQL Server: Reader (the Reader role must be offered because no built-in role is provided)
  • Google (Service Account): cloudsql.databases.get,list; cloudsql.instances.get,list; compute.forwardingRules.get,list; compute.targetPools.get,list

Product: Cost Optimizer and Workload Manager
Function: Collect VM metrics
  • AWS (IAM user): cloudwatch:Describe*, cloudwatch:Get*, cloudwatch:List*
  • Azure RM (Application): Monitoring reader or virtual machine contributor
  • Google (Service Account): monitoring.metricsDescriptors.get,list; monitoring.timeSeries.list

Product: Cost Optimizer
Function: Collect resource usage
  • AWS (IAM user): s3:Get*, s3:List*
  • Azure RM (Application): N/A
  • Google (Service Account): N/A

Product: Cost Optimizer
Function: Collect RI subscriptions
  • AWS (IAM user): ec2:DescribeReservedInstances*
  • Azure RM (Application): N/A
  • Google (Service Account): N/A
Product: Cost Optimizer and Workload Manager
Function: Collect RI subscription data for AWS member account
  • AWS (IAM user): To allow a primary account to collect the RI subscription data on behalf of member accounts, the following is necessary:

      • A primary account must be permitted to assume the role of a member account
      • A member account must establish trust with the primary account

    Associate the following permission with the primary account's IAM user:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "sts:assumerole"
            ],
            "Resource": "*"
          }
        ]
      }

    On a member account, create a role named Optimizer and do the following to the new role:

      • Associate the permissions listed above to collect invoices, inventory, and metrics
      • Add a trust relationship to the primary account:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "AWS": "arn:aws:iam::<primary-account-number>:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
          }
        ]
      }

  • Azure RM (Application): N/A
  • Google (Service Account): N/A
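The two policy documents above are easy to get wrong in ways that widen who can assume the Optimizer role. As an added example (not part of this page or of CloudCenter Suite), the Python below loads constructed copies of both documents and checks that the primary user's policy grants sts:AssumeRole and that the member account's trust policy trusts only the intended primary account, with only that action; the account number is a placeholder.

```python
import json

# Constructed samples modelled on the two policy documents on this page; the
# account number is a placeholder, not a real account.
PRIMARY_ACCOUNT_ID = "111111111111"
PRIMARY_USER_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["sts:assumerole"], "Resource": "*"}]}""")
MEMBER_TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
   "Action": "sts:AssumeRole", "Condition": {}}]}""")

ASSUME = {"sts:assumerole", "sts:*", "*"}  # action spellings that grant AssumeRole

def _as_list(value):
    """IAM accepts a single string or a list in Action and Principal fields."""
    return value if isinstance(value, list) else [value]

def _actions(stmt):
    # IAM action names are case-insensitive, so normalise before comparing.
    return {a.lower() for a in _as_list(stmt.get("Action", []))}

def primary_can_assume_role(policy):
    """True if an Allow statement on the primary user grants sts:AssumeRole."""
    return any(stmt.get("Effect") == "Allow" and _actions(stmt) & ASSUME
               for stmt in policy.get("Statement", []))

def trust_policy_issues(policy, primary_account_id):
    """Problems with a member-account trust policy for the Optimizer role: the
    role should trust exactly the primary account (never "*" or a third account)
    and allow only sts:AssumeRole. Returns [] when the policy is as expected."""
    issues, trusted = [], False
    expected = {f"arn:aws:iam::{primary_account_id}:root", primary_account_id}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _actions(stmt) & ASSUME:
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in aws:
            if p == "*":
                issues.append("trust policy allows any AWS principal")
            elif p in expected:
                trusted = True
            else:
                issues.append(f"unexpected principal {p}")
        if _actions(stmt) != {"sts:assumerole"}:
            issues.append(f"actions broader than sts:AssumeRole: {sorted(_actions(stmt))}")
    if not trusted:
        issues.append(f"primary account {primary_account_id} is not trusted")
    return issues
```

A tighter variant of the primary-account policy scopes Resource from "*" down to the Optimizer role ARNs in the member accounts; the check above does not inspect Resource, so it accepts either form.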

Product: Workload Manager
Function: Manage VMs and volumes
  • AWS (IAM user):
      ec2:AssignPrivateIpAddresses, ec2:AttachNetworkInterface, ec2:AttachVolume,
      ec2:AuthorizeSecurityGroupEgress, ec2:AuthorizeSecurityGroupIngress, ec2:CreateImage,
      ec2:CreateKeyPair, ec2:CreateNetworkInterface, ec2:CreateSecurityGroup, ec2:CreateSnapshot,
      ec2:CreateTags, ec2:CreateVolume, ec2:DeleteKeyPair, ec2:DeleteNetworkInterface,
      ec2:DeleteSecurityGroup, ec2:DeleteSnapshot, ec2:DeleteTags, ec2:DeleteVolume,
      ec2:DescribeAccountAttributes, ec2:DescribeAvailabilityZones, ec2:DescribeDhcpOptions,
      ec2:DescribeImageAttribute, ec2:DescribeImages, ec2:DescribeInstanceAttribute,
      ec2:DescribeInstances, ec2:DescribeInstanceStatus, ec2:DescribeKeyPairs,
      ec2:DescribeNetworkInterfaceAttribute, ec2:DescribeNetworkInterfaces, ec2:DescribeRegions,
      ec2:DescribeSecurityGroups, ec2:DescribeSnapshotAttribute, ec2:DescribeSnapshots,
      ec2:DescribeStaleSecurityGroups, ec2:DescribeSubnets, ec2:DescribeTags,
      ec2:DescribeVolumeAttribute, ec2:DescribeVolumes, ec2:DescribeVolumesModifications,
      ec2:DescribeVolumeStatus, ec2:DescribeVpcAttribute, ec2:DescribeVpcs,
      ec2:DetachNetworkInterface, ec2:DetachVolume, ec2:EnableVolumeIO, ec2:GetConsoleOutput,
      ec2:GetConsoleScreenshot, ec2:GetPasswordData, ec2:ImportKeyPair, ec2:ImportVolume,
      ec2:ModifyImageAttribute, ec2:ModifyInstanceAttribute, ec2:ModifyNetworkInterfaceAttribute,
      ec2:ModifyVolume, ec2:ModifyVolumeAttribute, ec2:RebootInstances,
      ec2:RevokeSecurityGroupEgress, ec2:RevokeSecurityGroupIngress, ec2:RunInstances,
      ec2:StartInstances, ec2:StopInstances, ec2:TerminateInstances, ec2:UnassignPrivateIpAddresses
  • Azure RM (Application): Offer the following roles to create, modify, or delete:
      • NICs, Public IPs and security group: Network Contributor
      • Diagnostics: Storage Account Contributor
      • Unmanaged data disk: Storage Account Contributor
      • Managed data disks: Owner
      • VMs with managed data disks: Owner
      • VMs with unmanaged data disks and diagnostic logs: Virtual Machine Contributor, Network Contributor, and Storage Account Contributor
      • VMs with no data disks: Virtual Machine Contributor and Network Contributor
    In some cases, the Owner role must be offered because no built-in role is provided.
  • Google (Service Account): Use the pre-defined Project Editor role, OR grant the following permissions:
      compute.addresses.create,delete,get,list,use
      compute.disks.create,delete,get,list,update,use
      compute.firewalls.create,delete,get,list,update
      compute.instances.*
      compute.machineTypes.get
      compute.networks.get,list,use
      compute.projects.get
      compute.regions.get
      compute.subnetworks.get,list,use,useExternalIp
      compute.zones.get
      iam.serviceaccounts.get,list
