Klarity

Onboarding Estates

In Klarity, for each account, we combine the data from two different sources (the Billing API, and the Cloud Estate APIs) into one Klarity Estate. In this way, Klarity ensures that it has all the data needed to provide users with cost visibility, extended capabilities for estates, and for searching estates.

Onboarding: Prerequisites & Credentials

Onboarding procedure

In Klarity, for all Cloud Providers, you onboard all cloud accounts directly in the relevant in-app procedure.

To onboard an account in Klarity, in Menu, go to Accounts, click on Add New Account, and then complete the 4-stage procedure that applies to your Cloud Provider.

Preparing for onboarding (FYIs)

For each Cloud Provider, this section contains information about the in-app onboarding procedure described above. Before following the in-app onboarding procedure, we recommend that you read through the FYIs (Prerequisites and Credentials Required) below that apply to your Cloud Provider.

To go directly to the FYIs for your Cloud Provider, in the sidebar, click the name of your Cloud Provider.

IBM Cloud

In Klarity, you onboard an IBM Cloud account directly in the UI, as described in Onboarding procedure above. In stage 1 of the procedure, for provider, click on IBMCLOUD.

Prerequisites (FYI)

Before you start the onboarding procedure, you must first set up two IBM Cloud accounts (one main account, and one proxy account). The main account is the account with resources, and provides you with user access. You use the proxy account to create the API Key you need to carry out the scanning of resources.

  1. Sign in to IBM Cloud Platform, with the credentials for the main account.

  2. On the Account Overview page, find and record the ID of the main account. Enter this main account ID in the relevant field in the in-app procedure.

  3. On the IAM User page, invite the proxy account.

  4. In a separate browser, sign in to IBM Cloud Platform with the proxy account. Then, on the IBM Cloud Notification page, accept the invitation you sent from the main account.

  5. In the page for the main account, grant Reader and Viewer access to the proxy account:

  • Select Manage, then Access (IAM), and then click the Users tab. Select the proxy account, click Access policies, and then click Assign access.

  • On the Assign access page, select IAM services, then All Identity and Access enabled services. Then select Viewer and Reader for All resources: Platform access, Service access and Resource group access. Then, click Add.

  • Select Account Management, then All Account Management services, and then Viewer access. Then, click Add.

  • Select Cloud Foundry, then select your current organization, and then select Viewer access. Then click Add and Assign.

  • Select Classic infrastructure, then click the Manage user infrastructure access page, and then set view-only permission. Then click Apply.

As a result, on the Access policies tab, you now see two policies: one with the Viewer, Viewer roles and one with the Viewer, Reader roles.

  6. Switch to the page for the proxy account, and create the API Key. For more information, see: https://cloud.ibm.com/iam/apikeys.

  7. Add the API key from the proxy account to the relevant field in the in-app procedure.

  8. Finally, click Add IBMCLOUD Account.

Amazon Web Services

In Klarity, you onboard an AWS account directly in the UI, as described in Onboarding procedure above. In stage 1 of the procedure, for provider, click on AWS.

Prerequisites (FYI)

For onboarding, each account must have an IAM role created:

  • with read-only permissions
  • and with trust relationship set to Nordcloud’s AWS account.

For your convenience, please use the CloudFormation template provided below. You do not need to add a deployment region, but we recommend adding eu-west-1.

AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  CustomerExternalId:
    Description: External ID
    Type: String
    MinLength: 10
    MaxLength: 20
    AllowedPattern: "^[0-9A-Za-z]*$"
Resources:
  ScannerIAMRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: NordcloudKlarityScannerServiceRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              AWS: '855341727128'
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref CustomerExternalId
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
        - arn:aws:iam::aws:policy/ReadOnlyAccess
        - arn:aws:iam::aws:policy/IAMReadOnlyAccess

Generate an External ID, pass it as the CustomerExternalId parameter when you deploy the template, and record that ID for future use. For more information on External IDs, see: https://aws.amazon.com/blogs/security/how-to-use-external-id-when-granting-access-to-your-aws-resources/
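The template above relies on two things for safety: the role trusts only the scanner account, and it can only be assumed with the External ID you generated (the condition that stops a confused-deputy attack). The following added example, which is not part of Klarity or of Nordcloud's own tooling, generates an External ID that satisfies the template's AllowedPattern and length limits, and checks a deployed role's trust policy (the JSON shape that `aws iam get-role` returns for AssumeRolePolicyDocument) against what the template is supposed to produce. The sample trust policies and the External ID value are constructed for the example.

```python
import json
import re
import secrets
import string

# Constraints copied from the template's CustomerExternalId parameter.
EXTERNAL_ID_RE = re.compile(r"^[0-9A-Za-z]*$")
EXTERNAL_ID_MIN, EXTERNAL_ID_MAX = 10, 20
# Scanner account from the template's Principal; IAM stores a bare account ID as its root ARN.
SCANNER_ACCOUNT = "855341727128"
SCANNER_PRINCIPALS = {SCANNER_ACCOUNT, f"arn:aws:iam::{SCANNER_ACCOUNT}:root"}

# Constructed samples (hypothetical External ID): the trust policy as get-role returns it, and a weakened copy.
SAMPLE_EXTERNAL_ID = "kl4r1tyExt3rn4lId01"
TRUST_POLICY_JSON = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Action": "sts:AssumeRole", "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{SCANNER_ACCOUNT}:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": SAMPLE_EXTERNAL_ID}}}]})
WEAK_TRUST_POLICY_JSON = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Action": "sts:AssumeRole", "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{SCANNER_ACCOUNT}:root"}}]})

def generate_external_id(length: int = EXTERNAL_ID_MAX) -> str:
    """Random alphanumeric External ID that satisfies the parameter's AllowedPattern."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def valid_external_id(value: str) -> bool:
    """True if the value would pass the parameter's length and pattern checks."""
    return EXTERNAL_ID_MIN <= len(value) <= EXTERNAL_ID_MAX and bool(EXTERNAL_ID_RE.fullmatch(value))

def trust_policy_findings(policy_json: str, expected_external_id: str) -> list:
    """Return problems found in a trust policy; an empty list means it matches the template."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws == "*":
            findings.append("wildcard principal: any AWS account could assume the role")
        elif aws not in SCANNER_PRINCIPALS:
            findings.append(f"unexpected principal {aws!r}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("missing sts:ExternalId condition (confused-deputy protection)")
        elif ext != expected_external_id:
            findings.append("sts:ExternalId does not match the recorded External ID")
    return findings
```

Run the check against the real role after deployment by passing the AssumeRolePolicyDocument from `aws iam get-role` and the External ID you recorded; any non-empty result means the role does not match the template.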

Credentials required (FYI)

Send to Nordcloud:

  • the AWS account number
  • the External ID

Microsoft Azure

In Klarity, you onboard an Azure account directly in the UI, as described in Onboarding procedure above. In stage 1 of the procedure, for provider, click on AZURE.

Prerequisites (FYI)

To onboard a subscription, you must create a Service Principal. In the Azure CLI, you can create a Service Principal by executing the following command. Replace the name of the Service Principal with the name you want to use.

az ad sp create-for-rbac --name "nordcloud-klarity" --skip-assignment

Credentials required (FYI)

Record the output from the above command, and send this output to Nordcloud, along with your subscription ID(s). Add the created Service Principal to your subscription with the Reader role.

Google Cloud

In Klarity, you onboard a GCP account directly in the UI, as described in Onboarding procedure above. In stage 1 of the procedure, for provider, click on GCP.

Prerequisites (FYI)

Create a project for Klarity.

In the project, create:

  • A storage bucket with the following label:
    • key: nordcloud-purpose
    • value: scanner
  • A Service Account

Generate a JSON key for the Service Account, record the key, and send the key to Nordcloud.

Add the following roles to the Service Account:

  • On project level (the same project that the Service Account was created in):
    • Service Usage Admin (roles/serviceusage.serviceUsageAdmin)
  • On the Service Account:
    • Service Account Token Creator
  • On the bucket:
    • Storage Object Creator
  • On organization level:
    • Cloud Asset Viewer
    • Viewer

Credentials required (FYI)

Find your Organization ID in one of the following places:

  • in IAM & Admin, in the Settings section
  • via gcloud (gcloud organizations list)

Send the Organization ID to Nordcloud.
