Cloud Overview

Workload Manager manages clouds on a per-region basis, and the control point for each region is that region's cloud API endpoint. For public VM-based clouds such as AWS, GCP and AzureRM, each cloud can have multiple regions, which correspond to the provider's geographic regions that Workload Manager supports. OpenStack clouds also support multiple regions, but these are logical regions that do not have to be in different geographic areas. Kubernetes clouds and VMware vCenter clouds have only one region each.

Cloud
  An instance of one of the supported cloud types. A cloud always has at least one cloud region and one cloud account. vCenter and Kubernetes clouds have only one region.

Cloud account
  Credentials for logging in to a cloud provider.

Cloud family or Cloud type
  The cloud provider as identified in Public Clouds, Datacenters and Private Clouds, and Container Clouds.

Cloud region
  The infrastructure that can be managed from a single cloud API endpoint.

Cloud agnostic
  Property of an application profile that indicates whether it can be deployed on any Workload Manager-supported cloud environment without modifying or refactoring code.

Cloud-Independent
  Refers to Workload Manager's flexibility in not hard-wiring an application profile to any particular cloud infrastructure.

Container
  The container infrastructure as identified in Container Clouds.

Datacenter and Private Clouds
  The cloud provider identified in Datacenters and Private Clouds.

Hybrid Cloud
  Includes container, datacenter, private cloud, and public cloud environments.

Public Cloud
  The cloud provider identified in Public Clouds.

For public clouds, a cloud region is associated with a geographic region defined by the cloud provider. For OpenStack clouds, a cloud region is a logical region defined within OpenStack. For VMware vCenter clouds, each instance of vCenter is considered a region. For Kubernetes clouds, each Kubernetes cluster is considered a region unto itself. The following table summarizes the scope of a region for each of the supported cloud types.

AWS
  Cloud region mapping: Geographical Region
  Supports any number of these per region:
    • Accounts
    • Sub-Accounts
    • Identity and Access Management (IAM)

VMware vCenter
  Cloud region mapping: vCenter instance
  Supports any number of these per region:
    • Datacenter
    • Clusters
    • Resource pools
    • Accounts
    • Datastores
    • Datastore clusters

Azure RM
  Cloud region mapping: Geographical Region
  Supports any number of these per region:
    • Networks
    • Cloud services
    • Accounts

Google Cloud
  Cloud region mapping: Geographical Region
  Supports any number of these per region:
    • Projects
    • Accounts

OpenStack
  Cloud region mapping: Logical Region
  Supports any number of these per region:
    • Tenants
    • Networks
    • Accounts

Kubernetes
  Cloud region mapping: Kubernetes cluster
  Supports any number of these per region:
    • Accounts
    • Namespaces
    • VPCs
    • IAM policies

Minimum Permissions for Public Clouds

The following table lists, by function, the minimum permissions for the public cloud accounts used by the Cost Optimizer and Workload Manager modules of CloudCenter Suite Release 5.0. AWS permissions apply to an IAM or root user (a dedicated IAM user is preferable to the root user for an integration credential), Azure RM roles apply to an Application, and Google permissions apply to a Service Account.

Product: Cost Optimizer and Workload Manager
Function: Discover billing units

  AWS
    • iam:Get*
    • iam:List*
    • organizations:Describe*
    • organizations:List*
    The organizations:Describe* and organizations:List* permissions are required in CloudCenter Suite 5.0 but not in CloudCenter Suite 5.0.1.

  Azure RM
    • Cost Management Reader

  Google
    • resourcemanager.projects.get,list

Product: Cost Optimizer
Function: Discover organization hierarchy

  AWS
    • organizations:Describe*
    • organizations:List*

  Azure RM
    • N/A

  Google
    • billing.accounts.get,list
    • orgpolicy.policy.get
    • resourcemanager.folders.get,list
    • resourcemanager.organizations.get

Product: Cost Optimizer
Function: Collect invoice data

  AWS
    • ce:*
    • cur:Describe*
    The following policy is required on the AWS IAM user:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ce:*",
            "cur:Describe*"
          ],
          "Resource": "*"
        }
      ]
    }

  Azure RM
    • Non-EA account: Billing Reader
    • Enterprise Agreement (EA) account: an EA API access key generated by the EA Admin must be provided when configuring the AzureRM EA account as a cloud account in CloudCenter Suite.

  Google
    • storage.objects.get,list
    • storage.buckets.get,list

Product: Cost Optimizer and Workload Manager
Function: Collect VMs and volumes

  AWS
    • ec2:DescribeInstances
    • ec2:DescribeVolumes

  Azure RM
    • VM: Virtual machine contributor
    • Volume: Reader (no built-in role provides read permission on disk resources alone, so Reader must be used)

  Google
    • compute.instances.get,list
    • compute.disks.get,list

Product: Cost Optimizer
Function: Collect PaaS services

  AWS
    • rds:Describe*
    • elasticloadbalancing:Describe*

  Azure RM
    • SQL Server and SQL database: SQL Server contributor
    • MySQL and PostgreSQL server: Reader (no built-in role provides read permission on these resources alone, so Reader must be used)

  Google
    • cloudsql.databases.get,list
    • cloudsql.instances.get,list
    • compute.forwardingRules.get,list
    • compute.targetPools.get,list

Product: Cost Optimizer and Workload Manager
Function: Collect VM metrics

  AWS
    • cloudwatch:Describe*
    • cloudwatch:Get*
    • cloudwatch:List*

  Azure RM
    • Monitoring reader or Virtual machine contributor

  Google
    • monitoring.metricDescriptors.get,list
    • monitoring.timeSeries.list

Product: Cost Optimizer
Function: Collect resource usage

  AWS
    • s3:Get*
    • s3:List*

  Azure RM
    • N/A

  Google
    • N/A

Product: Cost Optimizer
Function: Collect RI subscriptions

  AWS
    • ec2:DescribeReservedInstances*

  Azure RM
    • N/A

  Google
    • N/A

Product: Cost Optimizer and Workload Manager
Function: Collect RI subscription data for an AWS member account

  AWS
    On the master account user, add the following permission:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "sts:AssumeRole"
          ],
          "Resource": "*"
        }
      ]
    }

    With "Resource": "*" this user can assume any role, in any account, whose trust policy names the master account. Restricting Resource to the ARN of the member-account role created below is the least-privilege form.

    On the member account, create a new role with the permissions required for the Inventory, Invoice and VM metrics collection listed above (depending on the products you use), and add a trust relationship to the master account:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<master account number>:root"
          },
          "Action": "sts:AssumeRole",
          "Condition": {}
        }
      ]
    }

  Azure RM
    • N/A

  Google
    • N/A

Product: Workload Manager
Function: Manage VMs and volumes

  AWS
    • ec2:AssignPrivateIpAddresses
    • ec2:AttachNetworkInterface
    • ec2:AttachVolume
    • ec2:AuthorizeSecurityGroupEgress
    • ec2:AuthorizeSecurityGroupIngress
    • ec2:CreateImage
    • ec2:CreateKeyPair
    • ec2:CreateNetworkInterface
    • ec2:CreateSecurityGroup
    • ec2:CreateSnapshot
    • ec2:CreateTags
    • ec2:CreateVolume
    • ec2:DeleteKeyPair
    • ec2:DeleteNetworkInterface
    • ec2:DeleteSecurityGroup
    • ec2:DeleteSnapshot
    • ec2:DeleteTags
    • ec2:DeleteVolume
    • ec2:DescribeAccountAttributes
    • ec2:DescribeAvailabilityZones
    • ec2:DescribeDhcpOptions
    • ec2:DescribeImageAttribute
    • ec2:DescribeImages
    • ec2:DescribeInstanceAttribute
    • ec2:DescribeInstances
    • ec2:DescribeInstanceStatus
    • ec2:DescribeKeyPairs
    • ec2:DescribeNetworkInterfaceAttribute
    • ec2:DescribeNetworkInterfaces
    • ec2:DescribeRegions
    • ec2:DescribeSecurityGroups
    • ec2:DescribeSnapshotAttribute
    • ec2:DescribeSnapshots
    • ec2:DescribeStaleSecurityGroups
    • ec2:DescribeSubnets
    • ec2:DescribeTags
    • ec2:DescribeVolumeAttribute
    • ec2:DescribeVolumes
    • ec2:DescribeVolumesModifications
    • ec2:DescribeVolumeStatus
    • ec2:DescribeVpcAttribute
    • ec2:DescribeVpcs
    • ec2:DetachNetworkInterface
    • ec2:DetachVolume
    • ec2:EnableVolumeIO
    • ec2:GetConsoleOutput
    • ec2:GetConsoleScreenshot
    • ec2:GetPasswordData
    • ec2:ImportKeyPair
    • ec2:ImportVolume
    • ec2:ModifyImageAttribute
    • ec2:ModifyInstanceAttribute
    • ec2:ModifyNetworkInterfaceAttribute
    • ec2:ModifyVolume
    • ec2:ModifyVolumeAttribute
    • ec2:RebootInstances
    • ec2:RevokeSecurityGroupEgress
    • ec2:RevokeSecurityGroupIngress
    • ec2:RunInstances
    • ec2:StartInstances
    • ec2:StopInstances
    • ec2:TerminateInstances
    • ec2:UnassignPrivateIpAddresses

  Azure RM
    • Create, modify, or delete NIC, public IP, security group: Network contributor
    • Create, modify, or delete diagnostics: Storage account contributor
    • Create, modify, or delete unmanaged data disk: Storage account contributor
    • Create, modify, or delete managed data disks: Owner (no built-in role provides write permission on disk resources alone, so Owner must be used; because Owner grants full control of everything in its scope, assign it at the narrowest scope that holds the disks, such as their resource group, rather than at the subscription)
    • Create, modify, or delete VM with managed data disks: Owner
    • Create, modify, or delete VM with unmanaged data disks and diagnostic log: Virtual machine contributor, Network contributor, and Storage account contributor
    • VM with no data disks: Virtual machine contributor and Network contributor

  Google
    Predefined role: Project Editor, or the following permissions:
    • compute.addresses.create,delete,get,list,use
    • compute.disks.create,delete,get,list,update,use
    • compute.firewalls.create,delete,get,list,update
    • compute.instances.*
    • compute.machineTypes.get
    • compute.networks.get,list,use
    • compute.projects.get
    • compute.regions.get
    • compute.subnetworks.get,list,use,useExternalIp
    • compute.zones.get
    • iam.serviceAccounts.get,list
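The AWS permission sets above are the minimum each function needs, and the cross-account procedure grants sts:AssumeRole on every resource. The following Python is an added example for this page, not CloudCenter Suite code: it checks a candidate IAM policy document against the documented minimums for the AWS functions listed above, flags an unscoped AssumeRole grant, and builds the master-account policy scoped to one member role together with the member trust policy. The account IDs, the role name CloudCenterCollector and the optional ExternalId are constructed placeholders; the ExternalId condition is a standard AWS hardening step that the page's own trust policy does not include.

```python
"""Least-privilege checks for the AWS permission sets on this page.

Added example, not CloudCenter Suite code. Account IDs, role name and
ExternalId are constructed placeholders.
"""
import json
import re

# AWS action patterns copied from the table above, keyed by function.
MINIMUM_ACTIONS = {
    "Discover billing units": ["iam:Get*", "iam:List*",
                               "organizations:Describe*", "organizations:List*"],
    "Collect invoice data": ["ce:*", "cur:Describe*"],
    "Collect VMs and volumes": ["ec2:DescribeInstances", "ec2:DescribeVolumes"],
    "Collect VM metrics": ["cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*"],
    "Collect resource usage": ["s3:Get*", "s3:List*"],
    "Collect RI subscriptions": ["ec2:DescribeReservedInstances*"],
}


def action_matches(pattern, action):
    """IAM-style action match: case-insensitive, '*' any run, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def allow_statements(policy):
    """Yield (actions, resources) for each Allow statement of an IAM policy dict."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            yield _as_list(stmt.get("Action")), _as_list(stmt.get("Resource"))


def excess_actions(policy, functions):
    """Return Allow-ed action patterns not covered by the documented minimum for
    the given functions. A candidate is covered when it matches a documented
    pattern taken literally, which is exact here because every documented
    pattern carries at most one trailing '*'."""
    documented = [p for f in functions for p in MINIMUM_ACTIONS[f]]
    return [candidate
            for actions, _ in allow_statements(policy)
            for candidate in actions
            if not any(action_matches(doc, candidate) for doc in documented)]


def assume_role_unscoped(policy):
    """True if any Allow statement grants sts:AssumeRole on Resource '*'."""
    return any("*" in resources and any(action_matches(a, "sts:AssumeRole") for a in actions)
               for actions, resources in allow_statements(policy))


def master_assume_role_policy(member_account_id, role_name):
    """Master-account policy scoped to the single member role it must assume."""
    role_arn = f"arn:aws:iam::{member_account_id}:role/{role_name}"
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Resource": role_arn}]}


def member_trust_policy(master_account_id, external_id=None):
    """Member-account trust policy; the optional ExternalId condition blocks a
    confused-deputy caller that knows the role ARN but not the shared secret."""
    stmt = {"Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{master_account_id}:root"},
            "Action": "sts:AssumeRole"}
    if external_id:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


# Constructed sample: an inventory policy that also grants ec2:* by mistake.
CANDIDATE_INVENTORY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["ec2:DescribeInstances", "ec2:DescribeVolumes", "ec2:*"],
                   "Resource": "*"}],
}

# Constructed sample: AssumeRole on every role, as in the master-account policy above.
UNSCOPED_ASSUME_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": "*"}],
}

if __name__ == "__main__":
    print("excess:", excess_actions(CANDIDATE_INVENTORY_POLICY, ["Collect VMs and volumes"]))
    print("unscoped:", assume_role_unscoped(UNSCOPED_ASSUME_ROLE_POLICY))
    scoped = master_assume_role_policy("222222222222", "CloudCenterCollector")
    print("scoped:", assume_role_unscoped(scoped))
    print(json.dumps(member_trust_policy("111111111111", "cc-suite-7f3a"), indent=1))
```

Run it against the JSON you are about to attach to the collector user; any action reported by excess_actions is a grant the documented function does not need, and a True from assume_role_unscoped means the master-account user can assume roles well beyond the one member role the procedure describes.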

© 2017-2019 Cisco Systems, Inc. All rights reserved