Limited IAM Permissions for an Azure Savings Analysis
Follow along with our walkthrough guide, plus enable IAM permissions via script or manually
To perform our Savings Analysis, we require limited IAM permissions on your Azure billing scope. We're firm believers in the security principle of least privilege, so our permission set includes the minimum amount of access we need to run our analysis and nothing more.
At no point do we have access to:
- The Azure data plane (e.g., instances, clusters, containers)
- The ability to manipulate the Azure control plane (e.g., start or terminate an instance, cluster, or task)
- Your data, whether local or in a managed storage/datastore service
These permissions will allow us to:
- Access billing metadata, which we use to analyze 12 months of historical cost and usage data
- Set up and access billing exports, which we use to analyze recent hourly volatility patterns
- Understand billing scope metadata and Azure account structure
- Verify our permissions are applied correctly
ProsperOps requires the following Azure roles:
- Enrollment Reader on the billing account (for Enterprise Agreements) or Billing Profile Reader on the billing profile (for Microsoft Customer Agreements)
  - Enable billing exports
  - Read aggregated compute service cost and usage history
- Billing Reader on the root management group
  - Read hourly subscription cost and usage data
- Owner on a dedicated ProsperOps billing export storage account
  - Configure and read billing export data
Enabling permissions overview
- Register a ProsperOps application in your Azure portal and copy the resulting application (client) ID and directory (tenant) ID
- Copy the Billing Account ID and Billing Profile ID (MCA agreement type only)
- Determine the subscription that will hold the storage account the service principal exports billing data to, and copy that subscription ID. See the help article for finding this information in your Azure Portal.
- Create an account in the ProsperOps Console and select Add Azure Billing Scope
- Enter the information gathered from your Azure Portal into the ProsperOps Console
Note: The resource group name and storage account name can be changed to follow your naming policies. The resource group and storage account do not need to exist in your environment at this step. They will be created by the script or manual steps in the configuration process.
Multi Tenant Note: If your billing scope has multiple tenants, you will need to create the ProsperOps service principal in the tenant that has the most spend. The service principal will then need to be configured on each additional tenant so that it can view the hourly volatility and estimate coverage for the subscriptions in that tenant. After the initial configuration is complete, the ProsperOps console will provide instructions for configuring the additional tenants.
Run a script or execute steps on Azure Portal
ProsperOps uses a service principal in your Azure billing scope to gather the billing metadata needed to run the savings analysis.
There are two options for enabling the necessary permissions for the ProsperOps service principal:
- A script run in your Azure Portal that grants the service principal the necessary permissions and creates the resource group and storage account in the designated subscription
  - Tagging policies can cause creation of the resource group and storage account to fail. It is not necessary to create these before running the script, but it is recommended if you have tagging policies in place
  - The person running the script must have the required permissions
  - Once you have an account in ProsperOps and the required information, ProsperOps will provide you with the script
- A sequence of manual steps to configure in your Azure Portal
  - The manual steps are recommended if several people are required to hold the necessary permissions to execute the steps
  - If the script fails to complete, validate and run through the manual steps to understand where the script failed
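The following Azure CLI script is an added example that shows what the role assignments described on this page look like when applied by hand; it is not the script ProsperOps provides. It assumes the app registration already exists, that all IDs and the resource group, storage account and location names are placeholders you replace with your own values, and that the EnrollmentReader billing role definition GUID and API version are the ones Microsoft documents for assigning EA billing roles to a service principal (confirm them against the current Microsoft docs before relying on them). The Billing Profile Reader assignment for MCA is not covered here. The `verify_assignments` function reads the `role<TAB>scope` output of `az role assignment list` and only passes when Billing Reader sits on the root management group and Owner is scoped to the single export storage account, so an accidentally broader grant is caught.

```shell
#!/usr/bin/env bash
# Added example (not ProsperOps' script): grants the roles listed above to an
# existing app registration with the Azure CLI, then verifies the result.
# Every ID below is a placeholder; replace it with the values you collected.
set -eu

APP_ID="${APP_ID:-00000000-0000-0000-0000-000000000000}"          # application (client) ID, placeholder
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-11111111-1111-1111-1111-111111111111}"  # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-prosperops-billing-export}"     # rename to fit your naming policy
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-prosperopsexport001}"         # 3-24 lowercase alphanumerics, globally unique
LOCATION="${LOCATION:-eastus}"
BILLING_ACCOUNT_ID="${BILLING_ACCOUNT_ID:-}"                      # EA enrollment number; leave empty for MCA

# Scope strings used by the role assignments (pure string building, no az call).
mg_scope()      { printf '/providers/Microsoft.Management/managementGroups/%s' "$1"; }
storage_scope() { printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' "$1" "$2" "$3"; }

grant_permissions() {
  object_id=$(az ad sp show --id "$APP_ID" --query id -o tsv)  # role assignments target the SP object ID, not the client ID
  tenant_id=$(az account show --query tenantId -o tsv)
  root_mg="$tenant_id"                                         # the root management group ID equals the tenant ID

  az account set --subscription "$SUBSCRIPTION_ID"
  # Create the export destination first so tagging-policy failures surface here rather than mid-script.
  az group create --name "$RESOURCE_GROUP" --location "$LOCATION" -o none
  az storage account create --name "$STORAGE_ACCOUNT" --resource-group "$RESOURCE_GROUP" \
     --location "$LOCATION" --sku Standard_LRS --kind StorageV2 --allow-blob-public-access false -o none

  # Billing Reader on the root management group: hourly subscription cost and usage data.
  az role assignment create --assignee-object-id "$object_id" --assignee-principal-type ServicePrincipal \
     --role "Billing Reader" --scope "$(mg_scope "$root_mg")" -o none
  # Owner scoped to the dedicated export storage account only, never to the subscription.
  az role assignment create --assignee-object-id "$object_id" --assignee-principal-type ServicePrincipal \
     --role "Owner" --scope "$(storage_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$STORAGE_ACCOUNT")" -o none

  # Enrollment Reader (EA only) is a billing role assigned through the Billing REST API, not Azure RBAC.
  # The role definition GUID is the EnrollmentReader ID from Microsoft's EA service-principal docs (assumption: verify).
  if [ -n "$BILLING_ACCOUNT_ID" ]; then
    role_def="/providers/Microsoft.Billing/billingAccounts/${BILLING_ACCOUNT_ID}/billingRoleDefinitions/24f8edb6-1668-4659-b5e2-40bb5f3a7d7e"
    az rest --method put \
      --url "https://management.azure.com/providers/Microsoft.Billing/billingAccounts/${BILLING_ACCOUNT_ID}/billingRoleAssignments/$(uuidgen)?api-version=2019-10-01-preview" \
      --body "{\"properties\":{\"principalId\":\"${object_id}\",\"principalTenantId\":\"${tenant_id}\",\"roleDefinitionId\":\"${role_def}\"}}"
  fi
}

# verify_assignments ROOT_MG: reads "role<TAB>scope" lines on stdin, the shape of
#   az role assignment list --assignee <objectId> --all --query "[].[roleDefinitionName,scope]" -o tsv
# and returns 0 only if both RBAC roles are present at exactly the expected scopes.
verify_assignments() {
  expected_mg=$(mg_scope "$1")
  expected_sa=$(storage_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$STORAGE_ACCOUNT")
  found_mg=0; found_sa=0
  tab="$(printf '\t')"
  while IFS="$tab" read -r role scope; do
    [ "$role" = "Billing Reader" ] && [ "$scope" = "$expected_mg" ] && found_mg=1
    [ "$role" = "Owner" ] && [ "$scope" = "$expected_sa" ] && found_sa=1
  done
  [ "$found_mg" -eq 1 ] && [ "$found_sa" -eq 1 ]
}

# Only talk to Azure when explicitly asked, so the functions can be sourced and checked offline.
if [ "${1:-}" = "apply" ]; then
  grant_permissions
  sp_object_id=$(az ad sp show --id "$APP_ID" --query id -o tsv)
  az role assignment list --assignee "$sp_object_id" --all --query "[].[roleDefinitionName,scope]" -o tsv \
    | verify_assignments "$(az account show --query tenantId -o tsv)" && echo "permissions verified"
fi
```

Run it as `bash grant.sh apply` from Cloud Shell with an identity that can assign roles at the root management group and on the subscription; without the `apply` argument it only defines the functions, which is how the verification logic can be exercised against a saved `az role assignment list` output before touching anything.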