Configure Storage for Exports (CSP)
This scribe is only for CSP customers which install Cloudmonitor in different tenants.
Step 1
Section titled “Step 1”In Azure Portal, navigate to the Storage accounts - Microsoft Azure and click “Create”.
Step 2
Section titled “Step 2”Select a Resource Group in which to create the new Storage Account. We recommend setting up a new Resource Group.
If you are a NonCSP Customer, the chosen Subscription MUST be in the same Subscription as the CloudMonitor Engine.
If you are a CSP Customer, your Customer may choose any Subscription, the new Storage Account MUST be created in their tenancy.
Step 3
Section titled “Step 3”Name the Storage Account in accordance with your existing organisational tagging standards and naming conventions.
Step 4
Section titled “Step 4”To avoid paying egress fees select the same region that contains the CloudMonitor engine.
Step 5
Section titled “Step 5”Choose LRS for storage redundancy, then click “Advanced”.
Step 6
Section titled “Step 6”Make sure Hierarchical Namespace is unticked. then click “Review” and “Create”.
Step 7
Section titled “Step 7”You will receive a notification for when the Storage Account has been successfully deployed. Click “Go to resource” in preparation for the next section.
Step 8
Section titled “Step 8”Navigate to Subscriptions - Microsoft Azure and select the same Subscription the Storage Account will be located in.
Step 9
Section titled “Step 9”Click “Resource providers”.
Step 10
Section titled “Step 10”Filter by and select “Microsoft.CostManagementExports” and then click “Register”.
Step 11
Section titled “Step 11”You will receive a notification for successfully registering the Resource Provider.
Step 12
Section titled “Step 12”Navigate to the Storage Account Resource we just created.
Step 13
Section titled “Step 13”Navigate to Access Control (IAM) and click “Add > Add role assignment”.
Step 14
Section titled “Step 14”Under the Role tab, select “Storage Account Contributor” as the Role.
Step 15
Section titled “Step 15”Switch to the Members tab, and click “Select members”.
Step 16
Section titled “Step 16”Search and select your CloudMonitor Service Principal name.
Step 17
Section titled “Step 17”Switch to the Review + assign tab and “Review + assign”.
Step 18
Section titled “Step 18”You will receive a notification for successfully assigning the “Storage Account Contributor” role.
Step 19
Section titled “Step 19”Navigate to the Storage Account and Click “Configuration”
Step 20
Section titled “Step 20”Expand the drop down of “Permitted Scope for Copy Operation” and Click “From any storage account”
Step 21
Section titled “Step 21”Click “Save”.
Step 22
Section titled “Step 22”On the same Storage Account Resource, click “Shared access signature”.
Step 23
Section titled “Step 23”To ensure secure and minimal access configure the SAS with the following settings:
- Under Allowed Services, check ‘Blob’ to restrict access to Blob storage only.
- For Allowed Resource Types, select ‘Service’, ‘Container’ and ‘Object’ to permit operations at the service, container and blob level.
- Choose Allowed Permissions ‘Read’, ‘Write’, ‘Delete’, ‘List’, and ‘Create’ to exclusively manage blob content within the container.
- Do not enable any other services or permissions not specified here.
Apply these settings to provide CloudMonitor with the necessary permissions to manage blobs without overextending access rights.
Step 24
Section titled “Step 24”When setting the SAS expiration, it’s advised to choose a date two years from today to ensure continued access without frequent renewal.
Step 25
Section titled “Step 25”Click “Generate SAS and connection string”
Step 26
Section titled “Step 26”- Find the Blob Service SAS URL located at the bottom of the page. Copy this URL and store it securely.
- Also, copy the URL of this webpage. It contains the Storage Account Resource ID.
- Finally, send the copied information to our team via live chat and confirm that you have completed this Helpdesk Article.
