CSE/EA Billing Settings
SpaceONE supports using Credential
to query Azure Billing data.
The Credential
method requires the following 4 key values:
- Billing Account ID(Azure Docs )
The Billing Account ID is created when you sign up for Azure. You can use the billing account to manage invoices, payments, and track costs across multiple billing accounts.
- Owner:
Customer(Access Azure Portal withCustomeraccount)- Azure Account Setup Process:
Customer
- Tenant ID
Tenant ID is a unique identifier for your organization provided by Azure Active Directory(AD). Azure AD is a cloud-based identity and access management service used to manage users at the organizational level.
- Client ID
Client ID is the Application ID issued when creating an Azure app. Azure App is used to manage application credentials and IAM users.
- Client Secret
Client Secret key obtained through Azure app registration. It is required for token issuance to use Azure’s API and support access.
Now we will guide you through the process of creating or confirming these 4 values. You can skip any steps for information or services that have already been created.
1. Create Active Directory Enterprise App
Navigate to [Azure Active Directory] service
Access Azure Portal
,
Enter ‘Azure Active Directory’ in the search bar and click [Azure Active Directory] service.
Click [Add] button and select [Enterprise applications]
Click [Add] button and select [Enterprise applications].
Register enterprise application
(1) Enter an application name (e.g., SpaceONE App for Billing)
(2) Click the [Non-gallery application] radio button
(3) Click the [Create] button at the bottom right
2. Create and View Client ID, Client Secret
Navigate to [App registrations] page
Enter ‘App registrations’ in the search bar and click [App registrations] service
Select application from [All applications]
Search for ‘SpaceONE App for Billing’ in the search box below the category and select it.
Navigate to [Certificates & secrets] menu
Add client secret in [Client secrets] menu
(1) After clicking, enter a description and set expiration time in the right menu
(2) Click the [Add] button at the bottom right
Copy client secret value
Copy the client secret value as it can only be viewed once upon creation. This value is the Client Secret that needs to be forwarded to your SpaceONE representative.
View Client ID in [Overview] menu
Check the Application (client) ID value. This value is the Client ID that needs to be forwarded to your SpaceONE representative.
3. View Tenant ID
Navigate to [Azure Active Directory] page
Enter ‘Azure Active Directory’ in the search bar and click [Azure Active Directory] service.
View Tenant ID in [Overview] menu
Check the [Tenant ID] value. This value is the Tenant ID that needs to be forwarded to your SpaceONE representative.
4. View Billing Account ID
Navigate to [Cost Management + Billing] page
Enter ‘Cost Management + Billing’ in the search bar and click [Cost Management + Billing] service.
View Billing Account ID in [Properties] menu
Navigate to [Properties] menu and check the [ID] or [Billing Account ID] value in the [General] tab.
This value is the Billing Account ID that needs to be forwarded to your SpaceONE representative.
5. Assign Cost Viewing Role
To assign roles in Azure Enterprise Agreement, you need to use the API. To view cost data in SpaceONE, you need to assign the EnrollmentReader role which has read permissions.
The following information is required when assigning the cost viewing role. The billing_account_id and tenant_id are the same as the information confirmed in the previous steps.
- billing_account_id (value confirmed in previous steps)
- tenant_id (value confirmed in previous steps)
- object_id
- role_definition_id
- guid
Also, the account requesting the role assignment API must have the EA Admin role. First, check if you have the EA Admin role, then confirm the required information and proceed with the role assignment.
Navigate to [Cost Management + Billing] service
Enter ‘Cost Management + Billing’ in the search bar and click [Cost Management + Billing] service.
Check login account role
Click [Access control (IAM)], click [···] for the email matching your login account, then click the [Edit] button.
Verify that the role is Enterprise Administrator. Also, check that [Provide read-only access] is unchecked.
Check [Object ID] value
(1) Navigate to [Azure Active Directory] service
Enter ‘Azure Active Directory’ in the search bar and click [Azure Active Directory] service.
(2) Select [Enterprise applications] menu
(3) Select the application created in previous steps
(4) Check [Object ID] value
Check the [Object ID] value. This value is the object_id that needs to be forwarded to your SpaceONE representative.
Assign EnrollmentReader role
Check the role_definition_id which is 24f8edb6-1668-4659-b5e2-40bb5f3a7d7e.
Generate GUID
Generate a GUID at GUID / UUID Generator
.
(1) Click the [Generate some GUIDs!] button
(2) Click the [Copy to Clipboard] button
(3) Note down the GUID value
Assign role
Proceed with the final step of role assignment.
(1) First, go to Microsoft’s Role Assignments site.
(2) Click the [Try It] button and proceed with login. The login account must have the Enterprise Administrator (EA Admin) role as confirmed earlier.
(3) Enter the parameters. Enter the billing_account_id value in the [billingAccountName] field and the guid value in the [billingRoleAssignmentName] field.
(4) Modify the {} values to write the body content.
- object_id
- tenant_id
- billing_account_id
- role_definition_id
{
"properties": {
"principalId": "{object_id}",
"principalTenantId": "{tenant_id}",
"roleDefinitionId": "/providers/Microsoft.Billing/billingAccounts/{billing_account_id}/billingRoleDefinitions/{role_definition_id}"
}
}