Setting up GCP Account

Depending on the level at which you grant access to your GCP accounts (project or organization), you can configure Tanzu CloudHealth to populate complete cost and usage information.

GCP Account at Project level using gcloud

Tanzu CloudHealth is granted access to all the projects in the billing account at the project level.

  1. Locate Project ID
  2. Create a Dataset for BigQuery
  3. Enable APIs for all projects
  4. Enable BigQuery API
  5. Create Service Account
  6. Create Service Account key
  7. Download Service Account key
  8. Assign role to Service Account
  9. Create all IAM members in all projects
  10. Enable BigQuery in Google console
  11. Configure billing account

For detailed instructions, refer to the Configuring GCP Accounts at the Project Level using gcloud section below.

GCP Account at Project level

  1. Create Service Account
  2. Assign Service Account as IAM Member to all projects
  3. Enable BigQuery
  4. Enable APIs for all projects
  5. Configure automated billing account

Use When:

  • You do not want to grant this Tanzu CloudHealth account access to all projects in an organization.
  • You do not want to grant Tanzu CloudHealth the same level of asset access to all projects.
  • You are concerned about security and want to grant Tanzu CloudHealth access to your GCP projects at a more managed level.

For detailed instructions, refer to the Configuring GCP Accounts at the Project Level section below.

GCP Account at Organization Level using gcloud

Tanzu CloudHealth is granted access to all projects in the billing account at the organization level.

  1. Locate Project ID and Organization ID
  2. Create a Custom Role
  3. Create a Dataset for BigQuery
  4. Enable APIs for all Projects
  5. Enable BigQuery API
  6. Create a Service Account
  7. Create a Service Account key
  8. Download the Service Account key
  9. Assign the Custom Role to the Service Account
  10. Create an IAM Member at the Organization Level
  11. Enable BigQuery in the Google Console
  12. Configure Billing Account

For detailed instructions, refer to the Configuring GCP Accounts at the Organization Level using gcloud section below.

GCP Account at Organization Level

  1. Create a Custom Role
  2. Create Service Account
  3. Assign Service Account as IAM Member
  4. Enable APIs for all Projects
  5. Enable BigQuery API
  6. Configure Automated Billing Account

Use When:

  • You want easy maintenance.
  • You do not want to create a new custom role or IAM member for each newly created project.
  • You want to update only the organization-level role each time Tanzu CloudHealth adds support for a new service.

For detailed instructions, refer to the Configuring GCP Accounts at the Organization Level section below.

Roles and Permissions in GCP

The following table lists the permissions required in GCP for each part of the VMware Tanzu CloudHealth configuration. These are the permissions the person performing the setup needs, not the permissions granted to the service account:

Tanzu CloudHealth Configuration | Permission Required
--- | ---
Enable BigQuery export | Billing Account Admin or Billing Account Costs Manager
View BigQuery export configuration | Billing Account Admin, Billing Account Costs Manager, or Billing Viewer
Create IAM member and IAM role at Organization level | Organization Admin
Enable APIs across all projects | Project Owner (at organization level)

Custom Roles in GCP

Google IAM Roles

When you configure your Google cloud with the Tanzu CloudHealth Platform, you need to create a service account in the Google Console and assign the service account an IAM role.

You can assign one of two roles:

  • Custom: Create and assign a custom role if you are configuring your cloud on the organization level or if you are configuring your cloud on the project level and want to customize which permissions and assets Tanzu CloudHealth has access to.
  • Editor: Assign a default Editor role if you are configuring your cloud on the project level and want to take advantage of default roles’ ease of maintenance.

For example, if you are concerned about security, you can create a custom role that only grants Tanzu CloudHealth access to specific assets.

Required Custom Role APIs and Permissions

Custom roles must, at minimum, include the following permissions for each asset type you want reported on.

  • Without the permissions, Tanzu CloudHealth is unable to provide reports and recommendations on how to save costs.
  • The permissions marked optional are delete permissions. Grant them only if you want Tanzu CloudHealth to be able to delete disks and snapshots or release static IP addresses on your behalf; they turn a read-only collector into one that can destroy resources.
  • If you configure your custom role using the gcloud command, download the Least Privileged Custom Role YAML file and edit the file as needed.

For BigQuery Cost Data

Required IAM Permissions: resourcemanager.projects.get, bigquery.datasets.get, bigquery.jobs.create, bigquery.tables.get, bigquery.tables.getData
Required APIs: bigquery.googleapis.com (the current name of the API formerly called bigquery-json.googleapis.com), cloudresourcemanager.googleapis.com
Reports That Require the Permissions: History Invoice Report, Cost History Report
Collection Frequency: Every 12 hours: History Invoice Cost, History Invoice Metadata, Cost History Cost (By Partition), Cost History Metadata. Every 24 hours: SKU Discovery

For GCE Disks

Required IAM Permissions: compute.disks.get, compute.disks.list, compute.projects.get, compute.regions.get, compute.regions.list, compute.zones.get, compute.zones.list
Optional IAM Permissions: compute.disks.delete (to delete GCE disks)
Required APIs: compute.googleapis.com
Reports That Require the Permissions: GCE Disk Asset Report
Collection Frequency: Every 15 minutes

For GCE Images

Required IAM Permissions: compute.images.get, compute.images.list, compute.projects.get, compute.regions.get, compute.regions.list, compute.zones.get, compute.zones.list
Required APIs: compute.googleapis.com
Reports That Require the Permissions: GCE Image Asset Report
Collection Frequency: Every 15 minutes

For GCE Instances

Required IAM Permissions: compute.instances.get, compute.instances.list, compute.projects.get, compute.regions.get, compute.regions.list, compute.zones.get, compute.zones.list
Required APIs: compute.googleapis.com
Reports That Require the Permissions: GCE Asset Report, GCE Rightsizing Report, Attached Disks Asset Report
Collection Frequency: Every 15 minutes

For GCE Snapshots

Required IAM Permissions: compute.snapshots.get, compute.snapshots.list, compute.projects.get, compute.regions.get, compute.regions.list, compute.zones.get, compute.zones.list
Optional IAM Permissions: compute.snapshots.delete (to delete GCE snapshots)
Required APIs: compute.googleapis.com
Reports That Require the Permissions: GCE Snapshot Asset Report
Collection Frequency: Every 15 minutes

For GCE Static IPs

Required IAM Permissions: compute.addresses.list, compute.projects.get, compute.regions.get, compute.regions.list, compute.zones.get, compute.zones.list
Optional IAM Permissions: compute.addresses.delete (to release unattached static IP addresses)
Required APIs: compute.googleapis.com
Reports That Require the Permissions: GCE Static IP Asset Report
Collection Frequency: Every 15 minutes

For GCS Bucket

Required IAM Permissions: storage.buckets.get, storage.buckets.list
Required APIs: storage-component.googleapis.com
Reports That Require the Permissions: GCS Bucket Asset Report
Collection Frequency: Every 15 minutes

For Dataproc Clusters

Required IAM Permissions: dataproc.clusters.list, compute.regions.get, compute.regions.list, compute.zones.get, compute.zones.list
Required APIs: dataproc.googleapis.com
Reports That Require the Permissions: Dataproc Cluster Asset Report
Collection Frequency: Every 4 hours

For GKE Clusters

Required IAM Permissions: container.clusters.list
Required APIs: container.googleapis.com
Reports That Require the Permissions: GKE Cluster Asset Report
Collection Frequency: Every 15 minutes

For GCE Rightsizing Recommendations

Required IAM Permissions: recommender.computeInstanceMachineTypeRecommendations.get, recommender.computeInstanceMachineTypeRecommendations.list, recommender.computeInstanceMachineTypeRecommendations.update, recommender.locations.get, recommender.locations.list
Required APIs: recommender.googleapis.com
Reports That Require the Permissions: GCE Rightsizing Report
Collection Frequency: Every 12 hours

For Project Health Status

Required IAM Permissions: resourcemanager.projects.get
Required APIs: cloudresourcemanager.googleapis.com
Collection Frequency: Project Test Access (Validate Project Credentials), every 4 hours

For Attached Disks

Required IAM Permissions: compute.disks.get, compute.disks.list
Required APIs: compute.googleapis.com
Reports That Require the Permissions: Attached Disks Asset Report
Collection Frequency: Every 15 minutes

For Zones

Required IAM Permissions: compute.zones.get, compute.zones.list
Required APIs: compute.googleapis.com
Reports That Require the Permissions: Zones Asset Report
Collection Frequency: Every 15 minutes

For Machine Types

Required IAM Permissions: compute.instances.get, compute.instances.list
Required APIs: compute.googleapis.com
Reports That Require the Permissions: Machine Types Asset Report
Collection Frequency: Every 24 hours

For Disk Types

Required IAM Permissions: compute.disks.get, compute.disks.list
Required APIs: compute.googleapis.com
Reports That Require the Permissions: Disk Types Asset Report
Collection Frequency: Every 24 hours

For Regions

Required IAM Permissions: compute.regions.get, compute.regions.list
Required APIs: compute.googleapis.com
Reports That Require the Permissions: Regions Asset Report
Collection Frequency: Every 24 hours

Configuring GCP Accounts at the Project Level using gcloud

Overview:
Create a custom role (or use the default Editor role) and IAM member at the project level and assign the role and IAM member to the service account. The loop in Step 9 then creates identical IAM members in all projects in the billing account. If a new project is added to the billing account later, a role and IAM member must be manually assigned to the new project.

Use When:

  • You don’t want to grant this Tanzu CloudHealth account access to all projects in an organization.
  • You don’t want to give Tanzu CloudHealth the same level of asset access to all projects.
  • You are concerned about security and want to grant Tanzu CloudHealth access to your GCP accounts at a more managed level.

Configuring GCP Accounts in gcloud
The gcloud command-line interface (CLI) is the primary CLI for Google Cloud Platform. You can use it in place of the Google Cloud Console to configure your billing account for the Tanzu CloudHealth platform programmatically. To use gcloud, either open Cloud Shell in the Google Cloud Console or download and install the Google Cloud SDK.

Step 1 - Locate Project ID

To configure the GCP billing account using gcloud CLI, you need the project ID of a project assigned to that billing account. When you complete configuration, all projects assigned to the billing account are pulled into the Tanzu CloudHealth Platform.

If you have already enabled BigQuery, use the project that contains your BigQuery dataset. Otherwise, you can use any project assigned to the billing account. To ensure that billing data isn’t lost, use the project ID of a project that won’t be deleted.

The project ID is located in the Project Info pane of the Dashboard in the Google Cloud Console.

Step 2 - Create a Dataset for BigQuery

Note - If you have already enabled BigQuery in the Google Console, skip this step.

Enter the following command in the gcloud CLI to create a dataset to use later when enabling BigQuery.

    bq mk <project id>:<dataset name>

  • Replace <project id> with your project ID.
  • Replace <dataset name> with your dataset name.

Step 3 - Enable APIs for All Projects using gcloud CLI

Enter the following commands in the gcloud CLI to allow Tanzu CloudHealth to gather cost and tagging information for your projects. Note that gcloud projects list returns every project your account can see, not only the projects linked to this billing account; the billingEnabled check skips projects with no billing at all but does not restrict the loop to one billing account, so review the project list first if you manage several.

        # Enable the collection APIs on every visible project that has billing enabled
        for project in $(gcloud projects list --format="value(projectId)")
        do
            if [[ $(gcloud beta billing projects describe "$project" --format="value(billingEnabled)") = "True" ]]
            then
                echo "ProjectId: $project - Enabling APIs..."
                gcloud services enable compute.googleapis.com \
                    cloudresourcemanager.googleapis.com \
                    storage-component.googleapis.com \
                    recommender.googleapis.com \
                    container.googleapis.com \
                    dataproc.googleapis.com \
                    --project "$project"
            fi
        done

This command enables the following APIs:

  • Google Compute Engine API
  • Google Cloud Storage API
  • Google Cloud Resource Manager API
  • Google Cloud Storage JSON API
  • Recommender API
  • Kubernetes Engine API
  • Dataproc API
  • BigQuery API (See Step 4)

Note - This gcloud command only enables the APIs for existing projects. If you create new projects in the future, you must manually enable the above APIs for the new projects.

Step 4 - Enable BigQuery API

Enter the following command in the gcloud CLI to allow Tanzu CloudHealth to gather data from your BigQuery dataset. Replace <project id> with your project ID.

    gcloud services enable bigquery.googleapis.com --project <project id>

Step 5 - Create Service Account using gcloud CLI

Enter the following command in the gcloud CLI to create a service account.

    gcloud iam service-accounts create <service account name> --project <project id>

  • Replace <project id> with your project ID.
  • Replace <service account name> with your new service account name.

Step 6 - Create Service Account Key using gcloud CLI

Enter the following command in the gcloud CLI to create a private key for the newly created service account and to save the key to the $HOME directory of your Cloud Shell instance. The JSON file is a long-lived credential that grants everything the service account's role allows: keep it out of source control and shared documents, delete the local copy once it has been uploaded to Tanzu CloudHealth, and if it is ever exposed, create a new key and delete the old one with gcloud iam service-accounts keys delete.

    gcloud iam service-accounts keys create <private key name>.json \
        --iam-account <service account name>@<project id>.iam.gserviceaccount.com

  • Replace <project id> with your project ID.
  • Replace <service account name> with your service account name.
  • Replace <private key name> with your new private key name.

Step 7 - Download Service Account Key

Enter the following command in Cloud Shell to download the service account key to your local machine. Replace <private key name> with your private key name.

    cloudshell download <private key name>.json

Step 8 - Assign role to Service Account

Depending on your cloud setup, you may choose to use the Editor role or create a custom role. Tanzu CloudHealth recommends using a custom role, but you can use the Editor role with the automated setup for easier maintenance.

To create a custom role, refer to the Create a Custom Role topic.

Enter the following command to assign your preferred role to the service account.

  • Replace <service account name> with your service account name.
  • Replace <project id> with your project ID.
  • Replace <role path> with the resource name of your preferred role:
    • roles/editor for the Editor role
    • projects/<project id>/roles/<custom role name> for a custom role

    gcloud projects add-iam-policy-binding <project id> \
        --member serviceAccount:<service account name>@<project id>.iam.gserviceaccount.com \
        --role <role path>

Step 9 - Create All IAM Members in All Projects

Create your IAM members with the preferred role from Step 8. This loop binds the service account in every project that gcloud projects list returns, that is, every project you can see, not only those linked to this billing account. The member prefix for a service account is serviceAccount:; a user: member with a gserviceaccount.com address is rejected.

  • Replace <service account name> with your service account name.
  • Replace <project id> with the ID of the project that hosts the service account.
  • Replace <role path> with the resource name of your preferred role:
    • roles/editor for the Editor role
    • projects/<project id>/roles/<custom role name> for a custom role

    # Bind the service account in every visible project
    for project in $(gcloud projects list --format="value(projectId)")
    do
        echo "ProjectId: $project"
        gcloud projects add-iam-policy-binding "$project" \
            --member "serviceAccount:<service account name>@<project id>.iam.gserviceaccount.com" \
            --role "<role path>"
    done

Step 10 - Enable BigQuery in the Google Console

Enabling BigQuery can only be completed in the Google Console.

Note - Use the dataset you created above as your BigQuery dataset. If you have already enabled BigQuery in the Google Console, skip this step.

Step 11 - Configure Billing Account in Tanzu CloudHealth

  1. Log in to the Tanzu CloudHealth platform and from the left menu, select Setup > Accounts > GCP Billing. Then click Add Account.
  2. Enter your billing account, BigQuery, billing export, and service account information into the form. If needed, you can locate this information in the Google Cloud Console.
  3. In the Service Account section, select Choose file and upload the JSON private key. When you use a JSON key, Tanzu CloudHealth verifies that the project ID in the JSON key matches the ID of the project to which you are attaching the credentials.
  4. If you want to use different service accounts to collect billing statements, select the Enable a separate service account for projects linked to this billing account. (Optional) checkbox. Select Choose file and upload the JSON private key for the derived projects. This option should be used if you want to use different service accounts for billing data collection and asset metadata collection.
  5. Click Save Account.

Tanzu CloudHealth validates new Google Service Accounts and derived projects every 4 hours. You can view derived projects by going to Setup > Accounts > GCP Project. Projects you enable in the Tanzu CloudHealth Platform change status from Not Configured to Green, Yellow, Red, or Pending. See Status of Google Project to learn more about what each status represents.

Note - The newly configured GCP billing accounts will be onboarded automatically, and within 48 hrs, you will see the cost data in the Tanzu CloudHealth platform.

Configuring GCP Accounts at the Project Level

Overview: Create a custom role (or use the default Editor role) and IAM member at the project level and assign the role and IAM member to the service account, then repeat the IAM member assignment in every project linked to the billing account. If a new project is added to the billing account later, a role and IAM member must be manually assigned to the new project.

Configuring GCP Accounts in the Google Console

You can configure your GCP account using the Google Console. Tanzu CloudHealth recommends using the Google Console if you are a new Google Cloud user or are unfamiliar with gcloud.

Step 1 - Create Service Account

  1. Open a text document, such as TextEdit or NotePad, so that you can store specific parameters that you need to provide in the Tanzu CloudHealth Platform.
  2. Log in to the Google Cloud Console, and select a project assigned to the billing account you want to add to Tanzu CloudHealth. Because Tanzu CloudHealth connects to your Google billing account through the selected project, do not select a project that might be deleted in the future.
  3. From the left menu, go to Billing and open the billing account associated with the project, and then click Account management. Copy the alphanumeric Billing account ID into the text document.
  4. From the left menu, click IAM & admin > Service accounts.
  5. On the Service Accounts page, click Create Service Account.
  6. Name the account and from the Role dropdown, select a role:
    • Custom Role (Recommended): Create a custom role with the permissions Tanzu CloudHealth requires to report on your billing data.
    • Project > Editor: Use an Editor role for ease of maintenance.
  7. Copy the full service account ID, including the @ suffix, into the text document.
  8. Select Furnish a new private key. Then select JSON as key type, and click Create. The key is downloaded to your computer.
  9. Open the downloaded file. Copy the private key into the text document.

Checkpoint: At this point, you have the following information in the text document.

  • Billing Account ID
  • Service Account ID
  • Private Key

Step 2 - Assign Service Account as IAM Member to All Projects

Repeat this process for all derived projects.

  1. Switch to a project that is linked to the billing account.
  2. From the left menu, select IAM & admin > IAM and click Add.
  3. In the Members field, paste the ID of the service account you created. From the Role dropdown, select Project > Editor (or the custom role you created in Step 1). Click Add.

Step 3 - Enable BigQuery with Tanzu CloudHealth

Note

Tanzu CloudHealth requires your service account role to be enabled with certain permissions to properly access and report on your BigQuery data. These permissions are not included in the default Viewer role in the Google Console. If you have assigned your service account a Viewer role, you cannot view your BigQuery data in Tanzu CloudHealth and must change your service account role to a custom role.

BigQuery is Google’s enterprise data warehouse. BigQuery provides billing data that contains more information on customer datasets and is easier to use for custom reporting than daily CSV exports.

BigQuery must be enabled for billing export in the Google Console before you can enable BigQuery in the Tanzu CloudHealth platform. Complete these instructions to do so.

  1. In the Google Cloud Console, switch to a project associated with your billing account. Copy the Project ID from the Project info section, and paste it in the text document.
  2. From the left menu, select Billing, and select your billing account.
  3. From the left menu, select Billing export. Copy the Dataset name, and paste it in the text document.

Once you have enabled billing export to BigQuery, ensure that the export table is not empty. To verify whether the table contains cost data, click the table name in the left navigation of BigQuery and select the Preview tab. The BigQuery table must contain cost data before the GCP account can be configured successfully.

Note

The Tanzu CloudHealth platform supports both the Standard usage cost and the Detailed usage cost exports. The Standard option, with the table name gcp_billing_export_v1_BILLING_ACCOUNT_ID, is selected by default. If you enable the Detailed option, you must update the table name to gcp_billing_export_resource_v1_BILLING_ACCOUNT_ID using the Tanzu CloudHealth UI or API. Note that Tanzu CloudHealth currently supports the detailed data export only through FlexReports. For more details, see the Detailed Data Export topic.
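A check for this step, as an added example rather than something from the original page or from Tanzu CloudHealth: it builds the export table name from the billing account ID for the Standard or Detailed export (the export replaces the dashes in the account ID with underscores) and uses the bq CLI from the Cloud SDK to confirm that the table exists and already contains rows before you add the account. PROJECT_ID, DATASET and BILLING_ACCOUNT are placeholder values (assumptions).

```shell
#!/bin/sh
# Added example, not Tanzu CloudHealth's own script: derive the billing export table name and
# verify the table exists and is non-empty before onboarding. Placeholder values are assumptions.
set -eu

: "${PROJECT_ID:=my-billing-project}"          # project that holds the export dataset
: "${DATASET:=billing_export}"                 # dataset chosen on the Billing export page
: "${BILLING_ACCOUNT:=012345-6789AB-CDEF01}"   # constructed placeholder billing account ID
: "${EXPORT_KIND:=standard}"                   # standard (Tanzu CloudHealth default) or detailed

# Export tables embed the billing account ID with every '-' replaced by '_'.
chl_export_table() {                           # $1 billing account ID, $2 standard|detailed
  id=$(printf '%s' "$1" | tr '-' '_')
  case "$2" in
    standard) printf 'gcp_billing_export_v1_%s' "$id" ;;
    detailed) printf 'gcp_billing_export_resource_v1_%s' "$id" ;;
    *) echo "unknown export kind: $2" >&2; return 1 ;;
  esac
}

# Standard SQL reference, project.dataset.table, for the query below.
chl_table_ref() { printf '%s.%s.%s' "$1" "$2" "$3"; }

# Returns 0 only when the table exists and is non-empty; prints the reason otherwise.
chl_check_export() {
  table=$(chl_export_table "$BILLING_ACCOUNT" "$EXPORT_KIND")
  ref=$(chl_table_ref "$PROJECT_ID" "$DATASET" "$table")
  # bq show exits non-zero until the export has created the table, which can take a while after enabling it.
  bq show --format=none "$PROJECT_ID:$DATASET.$table" >/dev/null 2>&1 || { echo "missing: $ref"; return 1; }
  # --format=csv prints a header line followed by the count; keep only the count.
  rows=$(bq query --quiet --use_legacy_sql=false --format=csv "SELECT COUNT(*) FROM \`$ref\`" | tail -n 1)
  [ "$rows" -gt 0 ] || { echo "empty: $ref"; return 1; }
  echo "ok: $ref has $rows rows"
}

if [ "${CHL_RUN:-0}" = "1" ]; then chl_check_export; fi   # CHL_RUN=1 sh chl-check-export.sh
```

Run it with CHL_RUN=1 after the export has had time to populate; a "missing" result right after enabling the export is expected, an "empty" result after a day or so means the export is pointed at the wrong dataset or the account has no usage yet.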

Step 4 - Enable APIs for All Projects

Enable APIs that allow Tanzu CloudHealth to gather cost and tagging information.

  1. In the Google Cloud Console, select a project associated with your billing account. From the left menu, select APIs & Services > Dashboard.
  2. Search for and locate each of the following APIs, then click Enable on the landing page of each API.
    • Compute Engine API
    • Cloud Billing API
    • Cloud Storage API
    • Cloud Resource Manager API
    • Google Cloud Storage JSON API
    • BigQuery API
    • Recommender API
    • Kubernetes Engine API
    • Cloud Dataproc API
  3. Repeat steps 1 and 2 for every project linked to the billing account.

Step 5 - Configure Automated Billing Account in Tanzu CloudHealth

You need to configure only the billing account. Tanzu CloudHealth discovers all derived projects associated with the billing account that have incurred costs.

  1. Log in to the Tanzu CloudHealth platform and from the left menu, select Setup > Accounts > GCP Billing. Then click Add Account.
  2. Enter all the information from the text document into the appropriate fields.
  3. In the Service Account section, select Choose file and upload the JSON private key. When you use a JSON key, Tanzu CloudHealth verifies that the project ID in the JSON key matches the ID of the project to which you are attaching the credentials.
  4. If you want to use different service accounts to collect billing statements, select the Enable a separate service account for projects linked to this billing account. (Optional) checkbox. Select Choose file and upload the JSON private key for the derived projects. This option should be used if you want to use different service accounts for billing data collection and asset metadata collection.
  5. Click Save Account.

Tanzu CloudHealth validates new Google Service Accounts and derived projects every 4 hours. You can view derived projects by going to Setup > Accounts > GCP Project. Projects you enable in the Tanzu CloudHealth Platform change status from Not Configured to Green, Yellow, Red, or Pending.

Note - The newly configured GCP billing accounts will be onboarded automatically, and within 48 hrs, you will see the cost data in the Tanzu CloudHealth platform.

Configuring GCP Accounts at the Organization Level using gcloud

Overview: Create a custom role and IAM member at the organization level and assign the role and IAM member to the service account. When new projects are added to the billing account, the organization-level role and IAM member are automatically inherited by the new projects.

Note - You must create a new custom role for the organization-level setup, even if the service account already holds an Owner role or the default Editor role already includes all the permissions.

Use When:

  • You want easy maintenance.
  • You don’t want to create a new custom role or IAM member for each newly created project.
  • You want to update only the organization-level role each time Tanzu CloudHealth adds support for a new service.

Configuring GCP Accounts in gcloud

The gcloud command-line interface (CLI) is the primary CLI for Google Cloud Platform. You can use it in place of the Google Cloud Console to configure your billing account for the Tanzu CloudHealth platform programmatically. To use gcloud, either open Cloud Shell in the Google Cloud Console or download and install the Google Cloud SDK.

Step 1 - Locate Project ID and Organization ID (gcloud)

To configure the GCP billing account using gcloud CLI, you need the project ID of a project assigned to that billing account and your organization ID. When you complete configuration, all projects assigned to the billing account are pulled into the Tanzu CloudHealth Platform.

If you have already enabled BigQuery, use the project that contains your BigQuery dataset. Otherwise, you can use any project assigned to the billing account. To ensure that billing data isn’t lost, use the project ID of a project that won’t be deleted.

The project ID is located in the Project Info pane of the Dashboard in the Google Cloud Console.

The organization ID is located in IAM & admin > Manage resources in the Google Console.

Step 2 - Create a Custom Role (gcloud)

Enter the following command to create a custom role with the permissions Tanzu CloudHealth requires at the organization level. The permission set below is read-only; add the optional compute.disks.delete, compute.snapshots.delete or compute.addresses.delete permissions only if you want Tanzu CloudHealth to delete disks and snapshots or release addresses on your behalf.

  • Replace <org id> with the ID of your organization.
  • Replace <custom role name> with the name of the new custom role.

    ```
    gcloud iam roles create <custom role name> --organization <org id> \
        --title "<custom role name>" \
        --description "Used to collect Tanzu CloudHealth Billing and Usage data" \
        --permissions resourcemanager.projects.get,compute.disks.get,compute.disks.list,compute.images.get,compute.images.list,compute.instances.get,compute.instances.list,compute.projects.get,compute.regions.get,compute.regions.list,storage.buckets.get,storage.buckets.list,bigquery.datasets.get,bigquery.jobs.create,dataproc.clusters.list,compute.addresses.list,container.clusters.list,bigquery.tables.get,bigquery.tables.getData,compute.snapshots.get,compute.snapshots.list,compute.zones.get,compute.zones.list,recommender.computeInstanceMachineTypeRecommendations.get,recommender.computeInstanceMachineTypeRecommendations.list,recommender.computeInstanceMachineTypeRecommendations.update,recommender.locations.get,recommender.locations.list \
        --stage GA
    ```

Step 3 - Create a Dataset for BigQuery (gcloud)

Note - If you have already enabled BigQuery in the Google Console, skip this step.

Enter the following command in the gcloud CLI to create a dataset to use later when enabling BigQuery.

  • Replace <project id> with your project ID.
  • Replace <dataset name> with your dataset name.

    bq mk <project id>:<dataset name>

Step 4 - Enable APIs for All Projects (gcloud)

Enter the following commands in the gcloud CLI to allow Tanzu CloudHealth to gather cost and tagging information for your projects. They enable the following APIs:

  • Google Compute Engine API
  • Google Cloud Storage API
  • Google Cloud Resource Manager API
  • Google Cloud Storage JSON API
  • Recommender API
  • Kubernetes Engine API
  • Dataproc API
  • BigQuery API (See Step 5)

    # Enable the collection APIs on every visible project that has billing enabled
    for project in $(gcloud projects list --format="value(projectId)")
    do
        if [[ $(gcloud beta billing projects describe "$project" --format="value(billingEnabled)") = "True" ]]
        then
            echo "ProjectId: $project - Enabling APIs..."
            gcloud services enable compute.googleapis.com \
                cloudresourcemanager.googleapis.com \
                storage-component.googleapis.com \
                recommender.googleapis.com \
                container.googleapis.com \
                dataproc.googleapis.com \
                --project "$project"
        fi
    done

Note - This gcloud command only enables the APIs for existing projects. If you create new projects in the future, you must manually enable the above APIs for the new projects. It also iterates over every project your account can see, not only the projects linked to this billing account, so review the project list first if you manage several. Allow about 32 hours for the platform to collect and process the data from GCP before the cost data appears.

Step 5 - Enable BigQuery API (gcloud)

Enter the following command in the gcloud CLI to allow Tanzu CloudHealth to gather data from your BigQuery dataset. Replace <project id> with your project ID. The service name bigquery.googleapis.com is the current name of the API formerly called bigquery-json.googleapis.com.

    gcloud services enable bigquery.googleapis.com --project <project id>

Step 6 - Create a Service Account (gcloud)

Enter the following command in the gcloud CLI to create a service account.

  • Replace <project id> with your project ID.
  • Replace <service account name> with your new service account name.

    gcloud iam service-accounts create <service account name> --project <project id>

Step 7 - Create a Service Account Key (gcloud)

Enter the following command in the gcloud CLI to create a private key for the newly created service account and to save the key to the $HOME directory of your Cloud Shell instance. Treat the resulting JSON file as a long-lived credential: delete the local copy once it has been uploaded to Tanzu CloudHealth.

  • Replace <project id> with your project ID.
  • Replace <service account name> with your service account name.
  • Replace <private key name> with your new private key name.

    gcloud iam service-accounts keys create <private key name>.json \
        --iam-account <service account name>@<project id>.iam.gserviceaccount.com

Step 8 - Download the Service Account Key (gcloud)

Enter the following command in Cloud Shell to download the service account key to your local machine. Replace <private key name> with your private key name.

```
cloudshell download <private key name>.json
```

Step 9 - Assign Custom Role to the Service Account (gcloud)

Enter the following command to assign the custom role you created in Step 2 to the service account.

  • Replace <service account name> with your service account name.
  • Replace <project id> with your project ID.
  • Replace <org id> with your organization ID.
  • Replace <custom role name> with the custom role name.

    gcloud projects add-iam-policy-binding <project id> \
        --member serviceAccount:<service account name>@<project id>.iam.gserviceaccount.com \
        --role organizations/<org id>/roles/<custom role name>

Step 10 - Create an IAM Member at the Organization Level (gcloud)

Create an IAM member for your organization with the custom role you created in Step 2.

  • Replace <service account name> with your service account name.
  • Replace <org id> with the ID of your organization.
  • Replace <project id> with your project ID.
  • Replace <custom role name> with the name of the new custom role.

The member prefix for a service account is serviceAccount:; a user: member with a gserviceaccount.com address is rejected.

    gcloud organizations add-iam-policy-binding <org id> \
        --member serviceAccount:<service account name>@<project id>.iam.gserviceaccount.com \
        --role organizations/<org id>/roles/<custom role name>

Step 11 - Enable BigQuery in the Google Console (gcloud)

Enabling BigQuery can only be completed in the Google Console.

Use the dataset you created previously as your BigQuery dataset. If you have already enabled BigQuery in the Google Console, skip this step.

Step 12 - Configure Billing Account in Tanzu CloudHealth (gcloud)

You need to configure only the billing account. Tanzu CloudHealth discovers all derived projects associated with the billing account that have incurred costs.

  1. Log in to the Tanzu CloudHealth platform and from the left menu, select Setup > Accounts > GCP Billing. Then click Add Account.
  2. Enter your billing account, BigQuery, billing export, and service account information into the form. If needed, you can locate this information in the Google Cloud Console.
  3. In the Service Account section, select Choose file and upload the JSON private key. When you use a JSON key, Tanzu CloudHealth verifies that the project ID in the JSON key matches the ID of the project to which you are attaching the credentials.
  4. If you want to use different service accounts to collect billing statements, select the Enable a separate service account for projects linked to this billing account. (Optional) checkbox. Select Choose file and upload the JSON private key. This option should be used if you want to use different service accounts for billing data collection and asset metadata collection.
  5. Click Save Account.

Tanzu CloudHealth validates new Google Service Accounts and derived projects every 4 hours. You can view derived projects by going to Setup > Accounts > GCP Project. Projects you enable in the Tanzu CloudHealth Platform change status from Not Configured to Green, Yellow, Red, or Pending.

The newly configured GCP billing accounts will be onboarded automatically, and within 48 hrs, you will see the cost data in the Tanzu CloudHealth platform.

Configuring GCP Accounts at the Organization Level

Benefit: Tanzu CloudHealth is granted access to all projects in the billing account at the organization level.

Overview: Create a custom role and IAM member at the organization level and assign the role and IAM member to the service account. When new projects are added to the billing account, the organization-level role and IAM member are automatically inherited by the new projects.

Note

You must create a new custom role for the organization-level setup, even if you have already created an Owner role or your default Editor role has all the permissions.

Configuring GCP Accounts in the Google Console

You can configure your GCP account using the Google Console. Tanzu CloudHealth recommends using the Google Console if you are a new Google Cloud user or are unfamiliar with gcloud.

Step 1 - Create a Custom Role

Create a custom role in the Google Console that you can later assign to your service account.

  1. Log in to the Google Console and select the organization associated with the billing account.
  2. In the left menu, go to IAM & admin > Roles and select Create Role.
  3. Give your custom role a unique name in the Title field.
  4. Select Add Permissions.
  5. Download the Least Privileged Custom Role YAML file. Select, at minimum, the permissions specified in that file. Without these permissions, Tanzu CloudHealth cannot provide reports and cost-saving recommendations. You can assign additional permissions beyond those in the file as needed.
  6. Click Add.
  7. Click Create.

Step 2 - Create Service Account

  1. Open a text document, such as TextEdit or NotePad, so that you can store specific parameters that you need to provide in the Tanzu CloudHealth Platform.
  2. Log in to the Google Cloud Console and select a project assigned to the billing account you want to add to Tanzu CloudHealth. Because Tanzu CloudHealth connects to your Google billing account through the selected project, do not select a project that might be deleted in the future.
  3. From the left menu, go to Billing and open the billing account associated with the project, and then click Account management. Copy the billing account ID into the text document.
  4. From the left menu, click IAM & Admin > Service Accounts.
  5. On the Service accounts page, click Create Service Account.
  6. In the Service account details section, name the Service account, add a description, and click Create and Continue.
  7. In the Grant this service account access to project section, select the custom role you created from the Role dropdown, and then click Continue.
  8. Click Done to finish creating the service account. The newly created account is listed on the Service accounts page.
  9. Find and copy the complete email address of the newly created service account, including the @suffix. Copy this service account ID into the text document.
  10. In the Actions column, click the More Options icon and select Manage keys.
  11. Click Add Key > Create New Key.
  12. Tanzu CloudHealth supports only the JSON key type. Click Create. The key is downloaded to your computer.

Checkpoint: At this point, you have the following information in the text document.

  • Billing Account ID
  • Service Account ID
  • Private Key

Step 3 - Assign Service Account as IAM Member to Organization

  1. Select the organization associated with the billing account.
  2. From the left menu, select IAM & Admin and click Add.
  3. In the Members field, paste the ID of the service account you created. From the Role dropdown, select the custom role you created. Click Add.

Step 4 - Enable APIs for All Projects

Enable APIs that allow Tanzu CloudHealth to gather cost and tagging information.

  1. In the Google Cloud Console, select a project associated with your billing account. From the left menu, select APIs & Services > Dashboard.
  2. Search for and locate the following APIs. Then click Enable APIs and Services on the landing page of each API.
    • Compute Engine API
    • Cloud Billing API
    • Cloud Storage API
    • Cloud Resource Manager API
    • Google Cloud Storage JSON API
    • BigQuery API
    • Recommender API
    • Kubernetes Engine API
    • Cloud Dataproc API
  3. Repeat the preceding steps for all projects.

Step 5 - Enable BigQuery with Tanzu CloudHealth

Note - Tanzu CloudHealth requires your service account role to be enabled with certain permissions to properly access and report on your BigQuery data. These permissions are not included in the default Viewer role in the Google Console. If you have assigned your service account a Viewer role, you cannot view your BigQuery data in Tanzu CloudHealth and must change your service account role to a custom role.

BigQuery is Google’s enterprise data warehouse. BigQuery provides billing data that contains more information on customer datasets and is easier to use for custom reporting than daily CSV exports.

Note

BigQuery must be enabled for billing export in the Google Console before you can enable BigQuery in the Tanzu CloudHealth Platform. Complete these instructions to do so.

  1. In the Google Cloud Console, switch to a project associated with your billing account. Copy the Project ID from the Project info section and paste it in the text document.
  2. From the left menu, select Billing, and select your billing account.
  3. From the left menu, select Billing export. Copy the Dataset name, and paste it in the text document.

Once you enable Billing export for Tanzu CloudHealth, ensure your GCP BigQuery table is not empty. To verify whether the table contains cost data, click the BigQuery table name in the left navigation and select the Preview tab. The GCP account configuration succeeds only if the GCP BigQuery table contains cost data.

Note

The Tanzu CloudHealth platform supports enabling both Standard usage cost and Detailed usage cost. The Standard option, with the database table name gcp_billing_export_v1_billing_account_ID, is selected by default. If you enable the Detailed option, you must update the database table name to gcp_billing_export_resource_v1_BILLING_ACCOUNT_ID using the Tanzu CloudHealth UI or API. Tanzu CloudHealth currently supports detailed data export only through FlexReports. For more details, see the Detailed Data Export topic.

Step 6 - Configure Automated Billing Account in Tanzu CloudHealth

You need to configure only the billing account. Tanzu CloudHealth discovers all derived projects associated with the billing account that have incurred costs.

  1. Log in to the Tanzu CloudHealth platform and from the left menu, select Setup > Accounts > GCP Billing. Then click Add Account.
  2. Enter all the information from the text document into the appropriate fields.
  3. In the Service Account section, select Choose file and upload the JSON private key. When you use a JSON key, Tanzu CloudHealth verifies that the project ID in the JSON key matches the ID of the project to which you are attaching the credentials.
  4. If you want to use different service accounts to collect billing statements, select the Enable a separate service account for projects linked to this billing account. (Optional) checkbox. Select Choose file and upload the JSON private key for the derived projects. This option should be used if you want to use different service accounts for billing data collection and asset metadata collection.
  5. Click Save Account.

Tanzu CloudHealth validates new Google Service Accounts and derived projects every 4 hours. You can view derived projects by going to Setup > Accounts > GCP Project. Projects you enable in the Tanzu CloudHealth Platform change status from Not Configured to Green, Yellow, Red, or Pending.

Note

The newly configured GCP billing accounts will be onboarded automatically, and within 48 hrs, you will see the cost data in the Tanzu CloudHealth platform.
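Both Step 12 (gcloud) and Step 6 (console) end by uploading the JSON private key, and the platform rejects a key whose project ID does not match the project the credentials are attached to. The following check is an added example, not the page's or the vendor's code: it runs the same project-ID comparison locally before upload and also flags a malformed or non-service-account key; the key contents are a constructed placeholder, and the script name and arguments are assumptions.

```python
import json
import re

# Constructed placeholder in the shape of a GCP service-account JSON key.
# The private_key value is NOT real key material.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-billing-project",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "cloudhealth-sa@example-billing-project.iam.gserviceaccount.com",
})

REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")
# <service account name>@<project id>.iam.gserviceaccount.com; both parts are
# 6-30 chars of lowercase letters, digits and hyphens, starting with a letter.
SA_EMAIL_RE = re.compile(
    r"^[a-z][-a-z0-9]{4,28}[a-z0-9]@([a-z][-a-z0-9]{4,28}[a-z0-9])\.iam\.gserviceaccount\.com$"
)

def check_key(key_json: str, expected_project: str) -> list[str]:
    """Return the problems found in a service-account key file; [] means it is usable."""
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if not key.get(f)]
    if problems:
        return problems
    if key["type"] != "service_account":
        problems.append(f"unexpected key type {key['type']!r}")
    # The same comparison the platform applies on upload (Step 12 / Step 6).
    if key["project_id"] != expected_project:
        problems.append(f"project_id {key['project_id']!r} does not match {expected_project!r}")
    match = SA_EMAIL_RE.match(key["client_email"])
    if match is None:
        problems.append(f"client_email {key['client_email']!r} is not a service-account address")
    elif match.group(1) != key["project_id"]:
        problems.append("client_email belongs to a different project than project_id")
    if not key["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not PEM-encoded")
    return problems

if __name__ == "__main__":
    import sys  # assumed usage: python check_key.py <private key name>.json <project id>
    with open(sys.argv[1]) as fh:
        found = check_key(fh.read(), sys.argv[2])
    print("key OK" if not found else "\n".join(found))
    sys.exit(1 if found else 0)
```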
