Agent Configuration for Azure AKS
We calculate the cost of Azure assets from Azure's public list prices. If your organization has negotiated prices under an Enterprise Agreement (EA), follow the steps below so the agent can read your EA rate card instead:
1) Credentials setup on Azure
- The user performing these actions needs the User Access Administrator or Owner role on the subscription (to create the custom role and assign it to the service principal) and Enterprise Administrator rights on the EA billing account (to assign the EnrollmentReader billing role in Step 1.3).
- You'll need the following Azure IDs:
- AD App ID
- AD Client Secret
- AD Tenant ID
- Billing ID
- Offer ID
- Subscription ID
Step 1.1 - Create a Custom Azure Role
Save the following JSON as myrole.json, replacing YOUR_SUBSCRIPTION_ID with your own subscription ID:
{
"Name": "RandoliCostRole",
"IsCustom": true,
"Description": "Rate Card query role",
"Actions": [
"Microsoft.Compute/virtualMachines/vmSizes/read",
"Microsoft.Resources/subscriptions/locations/read",
"Microsoft.Resources/providers/read",
"Microsoft.ContainerService/containerServices/read",
"Microsoft.Commerce/RateCard/read"
],
"AssignableScopes": ["/subscriptions/YOUR_SUBSCRIPTION_ID"]
}
Then register that role:
az role definition create --verbose --role-definition @myrole.json
Step 1.2 - Create an Azure Service Principal
Create the service principal, replacing YOUR_SUBSCRIPTION_ID with the same subscription ID used in the previous step. Scoping the assignment to the subscription keeps it within the role's AssignableScopes, so the principal gets the read-only custom role and nothing more:
az ad sp create-for-rbac --name "RandoliCostAccess" --role "RandoliCostRole" --scopes "/subscriptions/YOUR_SUBSCRIPTION_ID" --output json
The JSON output contains appId, password and tenant: these are the AD App ID, AD Client Secret and AD Tenant ID you will put into service-key.json in Step 2.1. The password is shown only once, so store it in your secret manager now rather than re-running the command later.
Step 1.3 - Grant Billing Access to Your Service Principal
Save the script below as assign-billing-role.bash:
#!/bin/bash
# Helper to assign the billing EnrollmentReader role to a service principal.
# Requires BILLING_ACCOUNT_ID to be exported, and an `az login` session with
# Enterprise Administrator rights on that billing account.
set -euo pipefail
SP_NAME=RandoliCostAccess
# ${VAR:-} keeps the check from tripping `set -u` when the variable is unset.
if [[ -z "${BILLING_ACCOUNT_ID:-}" ]]; then
  echo "BILLING_ACCOUNT_ID is not set"
  exit 1
fi
# Generate a unique name for the assignment.
ROLE_ASSIGNMENT_NAME="$(uuidgen)"
# Work out the SP object id and tenant id from the display name.
# `|| true` stops `read` from aborting the script silently when no SP is found.
read -r SP_ID TENANT_ID < <(az ad sp list --display-name "${SP_NAME}" --query '[0].{id:id,tenantId:appOwnerOrganizationId}' -o tsv) || true
if [[ -z "${SP_ID:-}" ]]; then
  echo "No service principal named ${SP_NAME} found; run Step 1.2 first"
  exit 1
fi
# Get bearer token for talking to the ARM API.
ACCESS_TOKEN="$(az account get-access-token --query accessToken -o tsv)"
URL="https://management.azure.com/providers/Microsoft.Billing/billingAccounts/${BILLING_ACCOUNT_ID}/billingRoleAssignments/${ROLE_ASSIGNMENT_NAME}?api-version=2019-10-01-preview"
echo "Creating EnrollmentReader role assignment for SP ${SP_NAME} (${SP_ID}) in billing account ${BILLING_ACCOUNT_ID}"
echo "Role assignment name: ${ROLE_ASSIGNMENT_NAME}"
# This is the role definition ID for EnrollmentReader.
ENROLLMENT_READER_ROLE="24f8edb6-1668-4659-b5e2-40bb5f3a7d7e"
# The HTTP status is appended to the body so a 401/403 is visible at a glance.
RESPONSE="$(curl --silent --show-error -X PUT "${URL}" \
  -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  -H "Content-type: application/json" \
  -d "{
    \"properties\": {
      \"principalId\": \"${SP_ID}\",
      \"principalTenantId\": \"${TENANT_ID}\",
      \"roleDefinitionId\": \"/providers/Microsoft.Billing/billingAccounts/${BILLING_ACCOUNT_ID}/billingRoleDefinitions/${ENROLLMENT_READER_ROLE}\"
    }
  }" \
  -w '\nHTTP status: %{http_code}')"
echo "Response: ${RESPONSE}"
Once the script is saved, run it as follows, replacing YOUR_BILLING_ACCOUNT_ID with your own billing ID:
export BILLING_ACCOUNT_ID=YOUR_BILLING_ACCOUNT_ID
chmod +x assign-billing-role.bash
./assign-billing-role.bash
2) Set up the Randoli Agent to use the Azure credentials
Step 2.1 - Create a Secret for the Azure Service Principal
Save the JSON below as service-key.json, replacing the placeholders with the values from Step 1.2 and your subscription ID (keep the file name, because the agent's cost exporter reads /var/secrets/service-key.json from the mount configured in Step 2.2):
{
"subscriptionId": "<Azure Subscription ID>",
"serviceKey": {
"appId": "<Azure AD App ID>",
"displayName": "RandoliCostAccess",
"password": "<Azure AD Client Secret>",
"tenant": "<Azure AD Tenant ID>"
}
}
Then create a secret from that file:
kubectl create secret generic azure-service-key -n randoli-agents --from-file=service-key.json
Step 2.2 - Update the Randoli Agent helm chart installation
Save the YAML below as azure-secret-values.yaml, replacing the placeholders with the correct values. It mounts the secret from Step 2.1 at /var/secrets in the cost exporter and passes the billing account and offer ID as environment variables:
costManagement:
  extraVolumes:
    - name: service-key-secret
      secret:
        secretName: azure-service-key
  opencost:
    exporter:
      extraEnv:
        AZURE_BILLING_ACCOUNT: <your billing account id>
        AZURE_OFFER_ID: <your offer id>
      extraVolumeMounts:
        - mountPath: /var/secrets
          name: service-key-secret
Then update your Randoli Agent installation:
helm upgrade randoli randoli/randoli-agent --namespace randoli-agents --reuse-values -f azure-secret-values.yaml
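As an added check (an example script, not part of the Randoli documentation or chart), the script below verifies what Steps 1 and 2 set up before you roll the chart upgrade out: it reads service-key.json from Step 2.1 with sed, confirms from your own az login that the service principal holds only RandoliCostRole and that the EnrollmentReader assignment from Step 1.3 exists, then logs in as the service principal in a throwaway az profile and calls the VM sizes and Rate Card APIs the custom role grants. It assumes the az CLI, sed and grep are installed, that BILLING_ACCOUNT_ID and AZURE_OFFER_ID are exported as in the steps above, and defaults the region to eastus (override with AZURE_LOCATION); the file name verify-randoli-azure-access.sh is an assumption too.

```shell
#!/usr/bin/env bash
# verify-randoli-azure-access.sh
# Added example (not part of the Randoli documentation or chart).
# Reads the service-key.json from Step 2.1 and checks, from the operator's
# az login, that the service principal holds only RandoliCostRole and has the
# EnrollmentReader billing assignment from Step 1.3; then logs in as the SP
# in a throwaway profile and exercises the APIs the custom role grants.
# Assumes: az CLI, sed and grep are installed; BILLING_ACCOUNT_ID and
# AZURE_OFFER_ID are exported; AZURE_LOCATION defaults to eastus.
set -eu

# Pull a string value out of a small JSON file with sed, so no jq is needed.
# Usage: json_str FILE KEY  (prints the first "KEY": "value" found)
json_str() {
  sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Succeeds when the argument has the 8-4-4-4-12 hex shape of an Azure GUID.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# OData filter the Commerce Rate Card API expects (offer, currency, locale, region).
ratecard_filter() {
  printf "OfferDurableId eq '%s' and Currency eq '%s' and Locale eq '%s' and RegionInfo eq '%s'" \
    "$1" "$2" "$3" "$4"
}

# Count lines on stdin (one role name per line) that are not exactly the expected role.
unexpected_roles() {
  grep -vcx "$1" || true   # grep -c exits 1 when the count is 0; that is not an error here
}

# Succeeds when stdin contains the EnrollmentReader role definition GUID
# (the same ID assign-billing-role.bash uses).
has_enrollment_reader() {
  grep -q '24f8edb6-1668-4659-b5e2-40bb5f3a7d7e'
}

verify_live() {
  key_file="$1"
  sub_id="$(json_str "$key_file" subscriptionId)"
  app_id="$(json_str "$key_file" appId)"
  secret="$(json_str "$key_file" password)"
  tenant="$(json_str "$key_file" tenant)"
  for v in "$sub_id" "$app_id" "$tenant"; do
    is_guid "$v" || { echo "FAIL: '$v' in $key_file is not a GUID" >&2; exit 1; }
  done

  # 1. Least privilege: anything beyond RandoliCostRole on this SP is a finding.
  extra="$(az role assignment list --assignee "$app_id" --all \
             --query '[].roleDefinitionName' -o tsv | unexpected_roles RandoliCostRole)"
  [ "$extra" -eq 0 ] || echo "WARN: SP holds $extra role assignment(s) besides RandoliCostRole" >&2

  # 2. Billing: confirm Step 1.3 produced an EnrollmentReader assignment for the SP object ID.
  sp_oid="$(az ad sp show --id "$app_id" --query id -o tsv)"
  if az rest --method get \
       --url "https://management.azure.com/providers/Microsoft.Billing/billingAccounts/${BILLING_ACCOUNT_ID:?export BILLING_ACCOUNT_ID}/billingRoleAssignments?api-version=2019-10-01-preview" \
       --query "value[?properties.principalId=='${sp_oid}'].properties.roleDefinitionId" -o tsv \
     | has_enrollment_reader; then
    echo "OK: EnrollmentReader is assigned to ${sp_oid}"
  else
    echo "FAIL: no EnrollmentReader assignment for ${sp_oid} in ${BILLING_ACCOUNT_ID}" >&2
    exit 1
  fi

  # 3. Act as the SP in a throwaway az profile so the operator's login is untouched.
  #    (The secret is passed on the command line and is briefly visible in `ps`.)
  sp_cfg="$(mktemp -d)"
  export AZURE_CONFIG_DIR="$sp_cfg"
  az login --service-principal -u "$app_id" -p "$secret" --tenant "$tenant" --output none
  az account set --subscription "$sub_id"
  sizes="$(az vm list-sizes --location "${AZURE_LOCATION:-eastus}" --query 'length(@)' -o tsv)"
  echo "OK: vmSizes/read works (${sizes} sizes in ${AZURE_LOCATION:-eastus})"
  filter="$(ratecard_filter "${AZURE_OFFER_ID:?export AZURE_OFFER_ID}" USD en-US US)"
  meters="$(az rest --method get \
    --url "https://management.azure.com/subscriptions/${sub_id}/providers/Microsoft.Commerce/RateCard?api-version=2016-08-31-preview" \
    --uri-parameters "\$filter=${filter}" --query 'length(Meters)' -o tsv)"
  echo "OK: RateCard/read works (${meters} meters for ${AZURE_OFFER_ID})"
  unset AZURE_CONFIG_DIR
  rm -rf "$sp_cfg"
}

# Only talk to Azure when invoked explicitly:
#   ./verify-randoli-azure-access.sh run [service-key.json]
if [ "${1:-}" = "run" ]; then
  verify_live "${2:-service-key.json}"
fi
```

Run it as ./verify-randoli-azure-access.sh run service-key.json after Step 2.1 and before the helm upgrade. A non-zero count from the role assignment check means the principal has been granted more than the read-only role this page needs; remove the extra assignments rather than shipping them to the cluster. The Rate Card call uses the same offer ID the chart receives as AZURE_OFFER_ID, so a 4xx here points at the offer ID or the billing role rather than at the agent.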
FAQ
1) How can I find my Azure billing ID?
You can run this command in the terminal; for an EA billing account the name field is the enrollment number, which is the value BILLING_ACCOUNT_ID and AZURE_BILLING_ACCOUNT expect:
az billing account list --query "[].{name:name, displayName:displayName}"
2) How can I find my Azure offer ID?
In the Azure portal, open Subscriptions, select the subscription, and read the Offer ID from the Overview blade. Offer IDs have the form MS-AZR-xxxxP; EA subscriptions normally show MS-AZR-0017P (Enterprise) or MS-AZR-0148P (Enterprise Dev/Test).