Cloud Overview

Workload Manager and Cost Optimizer manage clouds on a per-region basis. The control point for a cloud region is that region's API endpoint. Public VM-based clouds such as AWS, GCP, and AzureRM can each have multiple regions that correspond to different geographic regions. OpenStack clouds also support multiple regions, but these are logical regions that do not have to be in different geographical areas. Kubernetes clouds and VMware vCenter clouds have only one region each.

For public clouds, a cloud region is associated with a geographic region defined by the cloud provider. For OpenStack clouds, a cloud region is a logical region defined within OpenStack. For VMware vCenter and vCD clouds, each instance of vCenter or vCD is considered a region. For Kubernetes clouds, each Kubernetes cluster is considered a region unto itself. The following table summarizes the scope of a region for each of the supported cloud types.

| Cloud Family | Cloud Region Mapping | Supports any number of these per region |
| --- | --- | --- |
| AWS | Geographical Region | Accounts, Sub-Accounts, Identity and Access Management (IAM) |
| VMware vCenter | vCenter instance | Datacenter, Clusters, Resource pools, Accounts, Datastores, Datastore clusters |
| VMware vCloud Director | vCD instance | Datacenter, Clusters, Resource pools, Accounts, Datastores, Datastore clusters |
| Azure RM | Geographical Region | Networks, Cloud services, Accounts |
| Google Cloud | Geographical Region | Projects, Accounts |
| IBM Cloud | Geographical Region | Accounts |
| OpenStack | Logical Region | Tenants, Networks, Accounts |
| Kubernetes | Kubernetes cluster | Accounts, Namespaces, VPCs, IAM policies |
Minimum Permissions for Public Clouds

The following table lists the minimum permissions required for supported public cloud accounts in Cost Optimizer and Workload Manager.

You must enable AWS Cost Explorer to view AWS-specific costs on the Cost Optimizer dashboard. For additional details on enabling AWS Cost Explorer, see https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/ce-enable.html.

Each entry below is one row of the table: the product, the function, and the permissions required on AWS (IAM or root user), Azure RM (Application), and Google (Service Account).

Product: Cost Optimizer and Workload Manager
Function: Billing unit discovery
AWS (IAM or root user):
  iam:Get*
  iam:List*
  The organizations:Describe* and organizations:List* permissions are required in CloudCenter Suite 5.0.0, but not in CloudCenter Suite 5.0.1.
Azure RM (Application): Cost Management Reader
Google (Service Account): resourcemanager.projects.get,list

Product: Cost Optimizer
Function: Organization hierarchy discovery
AWS (IAM or root user):
  organizations:Describe*
  organizations:List*
Azure RM (Application): N/A
Google (Service Account):
  billing.accounts.get,list
  orgpolicy.policy.get
  resourcemanager.folders.get,list
  resourcemanager.organizations.get

Product: Cost Optimizer
Function: Invoice data collection
AWS (IAM or root user):
  ce:*
  cur:Describe*
  The following permission is required on AWS IAM:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ce:*",
            "cur:Describe*"
          ],
          "Resource": "*"
        }
      ]
    }

Azure RM (Application):
  Non-EA Account: Billing Reader.
  EA (Enterprise Agreement) Account: EA API access is needed. The EA API access key must be generated by an EA Admin and provided when creating the cloud account.
Google (Service Account):
  storage.objects.get,list
  storage.buckets.get,list

Product: Cost Optimizer and Workload Manager
Function: Inventory collection of VM and Volumes
AWS (IAM or root user):
  ec2:DescribeInstances
  ec2:DescribeVolumes
  tag:getTagKeys
  tag:getTagValues
  The tag permissions are required for tag-based reporting and apply only to Cost Optimizer.
Azure RM (Application):
  VM: VM contributor
  Volume: Reader (the Reader role must be used because no built-in role is provided for disk resource read permission.)
Google (Service Account):
  compute.instances.get,list
  compute.disks.get,list

Product: Cost Optimizer
Function: Inventory collection of PAAS services
AWS (IAM or root user):
  rds:Describe*
  elasticloadbalancing:Describe*
Azure RM (Application):
  SQL Server and SQL database: SQL Server contributor
  MySQL and PostgreSQL Server: Reader (the Reader role must be used because no built-in role is provided for disk resource read permission.)
Google (Service Account):
  cloudsql.databases.get,list
  cloudsql.instances.get,list
  compute.forwardingRules.get,list
  compute.targetPools.get,list

Product: Cost Optimizer and Workload Manager
Function: VM metrics collection
AWS (IAM or root user):
  cloudwatch:Describe*
  cloudwatch:Get*
  cloudwatch:List*
Azure RM (Application): Monitoring reader or VM contributor
Google (Service Account):
  monitoring.metricDescriptors.get,list
  monitoring.timeSeries.list

Product: Cost Optimizer
Function: Resource usage
AWS (IAM or root user):
  s3:Get*
  s3:List*
Azure RM (Application): N/A
Google (Service Account): N/A

Product: Cost Optimizer
Function: RI subscriptions
AWS (IAM or root user): ec2:DescribeReservedInstances*
Azure RM (Application): N/A
Google (Service Account): N/A

Product: Cost Optimizer and Workload Manager
Function: Collect data for member account
AWS (IAM or root user):
  On the Master Account user, add the following permission:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "sts:assumerole"
          ],
          "Resource": "*"
        }
      ]
    }

  On the Member Account, create a new role with the permissions required for the Inventory, Invoice, and VM metrics collection functions listed above (depending on the products you use), and add a Trust Relationship to the master account:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<master account number>:root"
          },
          "Action": "sts:AssumeRole",
          "Condition": {}
        }
      ]
    }

Azure RM (Application): N/A
Google (Service Account): N/A
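An added example (not Cisco's code or part of this page) that builds the two policies from the "Collect data for member account" row as data rather than by hand: the master-account policy is scoped to the collector role ARN in each member account instead of Resource "*", the trust relationship can carry an sts:ExternalId condition in place of the empty Condition, and a small review function flags a trust policy that still trusts an account root unconditionally. The role name, account numbers and ExternalId value are constructed.

```python
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")

def master_assume_role_policy(member_accounts, role_name):
    """Master-account user policy: the page's sts:AssumeRole grant, but with
    Resource naming the collector role in each member account instead of "*"."""
    for acct in member_accounts:
        if not ACCOUNT_ID_RE.match(acct):
            raise ValueError(f"not a 12-digit AWS account id: {acct}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["sts:AssumeRole"],
            "Resource": [f"arn:aws:iam::{a}:role/{role_name}" for a in member_accounts],
        }],
    }

def member_trust_policy(master_account, external_id=None):
    """Member-account trust relationship: the page's policy when external_id is
    None (empty Condition); otherwise callers must also present the ExternalId."""
    if not ACCOUNT_ID_RE.match(master_account):
        raise ValueError(f"not a 12-digit AWS account id: {master_account}")
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{master_account}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {},
    }
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}

def trust_policy_findings(policy):
    """Review a trust policy document and list least-privilege findings."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else list(aws)
        if "*" in aws:
            findings.append("wildcard principal: any AWS account may assume this role")
        elif any(p.endswith(":root") for p in aws) and not stmt.get("Condition"):
            findings.append("account-root principal with empty Condition: "
                            "add an sts:ExternalId or aws:PrincipalArn condition")
    return findings
```

Trusting the master account root means any identity in that account that holds sts:AssumeRole on the role ARN can use it, which is why the review function treats the empty Condition as a finding rather than an error.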

Product: Workload Manager
Function: Manage VMs and Volumes
AWS (IAM or root user):
  ec2:AssignPrivateIpAddresses
  ec2:AttachNetworkInterface
  ec2:AttachVolume
  ec2:AuthorizeSecurityGroupEgress
  ec2:AuthorizeSecurityGroupIngress
  ec2:CreateImage
  ec2:CreateKeyPair
  ec2:CreateNetworkInterface
  ec2:CreateSecurityGroup
  ec2:CreateSnapshot
  ec2:CreateTags
  ec2:CreateVolume
  ec2:DeleteKeyPair
  ec2:DeleteNetworkInterface
  ec2:DeleteSecurityGroup
  ec2:DeleteSnapshot
  ec2:DeleteTags
  ec2:DeleteVolume
  ec2:DescribeAccountAttributes
  ec2:DescribeAvailabilityZones
  ec2:DescribeDhcpOptions
  ec2:DescribeImageAttribute
  ec2:DescribeImages
  ec2:DescribeInstanceAttribute
  ec2:DescribeInstances
  ec2:DescribeInstanceStatus
  ec2:DescribeKeyPairs
  ec2:DescribeNetworkInterfaceAttribute
  ec2:DescribeNetworkInterfaces
  ec2:DescribeRegions
  ec2:DescribeSecurityGroups
  ec2:DescribeSnapshotAttribute
  ec2:DescribeSnapshots
  ec2:DescribeStaleSecurityGroups
  ec2:DescribeSubnets
  ec2:DescribeTags
  ec2:DescribeVolumeAttribute
  ec2:DescribeVolumes
  ec2:DescribeVolumesModifications
  ec2:DescribeVolumeStatus
  ec2:DescribeVpcAttribute
  ec2:DescribeVpcs
  ec2:DetachNetworkInterface
  ec2:DetachVolume
  ec2:EnableVolumeIO
  ec2:GetConsoleOutput
  ec2:GetConsoleScreenshot
  ec2:GetPasswordData
  ec2:ImportKeyPair
  ec2:ImportVolume
  ec2:ModifyImageAttribute
  ec2:ModifyInstanceAttribute
  ec2:ModifyNetworkInterfaceAttribute
  ec2:ModifyVolume
  ec2:ModifyVolumeAttribute
  ec2:RebootInstances
  ec2:RevokeSecurityGroupEgress
  ec2:RevokeSecurityGroupIngress
  ec2:RunInstances
  ec2:StartInstances
  ec2:StopInstances
  ec2:TerminateInstances
  ec2:UnassignPrivateIpAddresses
Azure RM (Application):
  Create, modify, or delete NIC, public IP, security group: Network contributor
  Create, modify, or delete diagnostics: Storage account contributor
  Create, modify, or delete unmanaged data disk: Storage account contributor
  Create, modify, or delete managed data disks: Owner (the Owner role must be used because no built-in role is provided for disk resource write permission.)
  Create, modify, or delete VM with managed data disks: Owner
  Create, modify, or delete VM with unmanaged data disks and diagnostic log: Virtual machine contributor, network contributor, and storage account contributor
  VM with no data disks: Virtual machine contributor and network contributor
Google (Service Account):
  Predefined role: Project Editor, or the following permissions:
  compute.addresses.create,delete,get,list,use
  compute.disks.create,delete,get,list,update,use
  compute.firewalls.create,delete,get,list,update
  compute.instances.*
  compute.machineTypes.get
  compute.networks.get,list,use
  compute.projects.get
  compute.regions.get
  compute.subnetworks.get,list,use,useExternalIp
  compute.zones.get
  iam.serviceAccounts.get,list

© 2017-2019 Cisco Systems, Inc. All rights reserved