Onboarding a GCP account in CAM
Published On Aug 26, 2024 - 6:13 PM

This page details the steps needed to onboard a GCP account into CAM.
Kyndryl's Cost and Asset Manager (CAM) provides a comprehensive solution for monitoring and analyzing cost and usage data through GCP billing and resource metrics. This guide offers detailed instructions for configuring GCP accounts to integrate seamlessly with CAM, ensuring effective cost and asset management. You can securely manage and access data by leveraging delegated access and role-based access control while adhering to compliance requirements. Following this guide will enable you to utilize CAM's features effectively, optimize costs, and enhance resource utilization across your GCP accounts.
Prerequisites
Before starting the onboarding process, ensure you have:
  • CAM Administrator rights or the appropriate permissions to perform all steps.
  • A GCP account with the necessary permissions.
  • The billing account number and the subscription details.
  • The project ID and other details for setting up credentials.
  • Details for creating the credentials: Service Account Key.
  • Admin/Co-admin access is required to set up the delegated access, run the scripts for implementation, and obtain configuration information.
Overview
This documentation aims to help ingest GCP data into CAM securely using best practices and without asking for customer credentials. The recommendation is to use delegated access and role-based access control to pull Cost Asset Metrics and Recommendation data to support the Inform and Optimize data of the FinOps lifecycle.
Configuration
Set Up a Service Account
The Service Account should be separate from Billing or Asset Accounts. Follow these steps to set up the Service Account:
  1. Log in to your Kyndryl application console
  2. Navigate to Admin - Provider Account
  3. Click on New Master Account and select GCP
  4. Enter a Name and Account number
  5. Click on Add Credentials
    • Provide the name, purpose, credential values (account number and API key), and context, then save it.
Adding Asset Accounts
Follow these steps to add asset accounts:
  1. Log in to your Kyndryl application console
  2. Navigate to Admin - Provider Account
  3. Click on New Asset Account and select GCP
  4. Enter a Name and Account number
  5. Click on Add Credentials
    • Provide the name, purpose, credential values (account number and API key), and context, then save it.
Data Ingestion
Manual Ingestion
Use the Manual Ingestion screen to ingest and enrich data from either a public or a custom provider.
  1. Navigate to Cost & Asset Management > Settings.
  2. Select Manual Ingestion from the list.
  3. Select the Public Provider tab.
  4. Select the provider 'GCP' from the list with the data needed for the ingestion.
  5. Click Start Ingestion.
Nightly (Automated) Ingestion
Users can initiate and schedule the provider's ingestion directly on the Cost and Assets Management Platform.
  1. Click on the ellipsis located on the left side of your Kyndryl application screen and go to the Cost & Asset Management drop-down menu.
  2. Click on the Settings drop-down menu and select Scheduled Jobs.
  3. A new window will display with the Scheduled Ingestion List, which contains the name of the ingestion, creation date, next run time, name of the user that initiated the ingestion, recurring, and status.
  4. To create a new Scheduled Job, click Add Schedule.
  5. Add a name on the Job Name bar and select a provider from the drop-down menu on the Provider bar.
  6. Select the schedule frequency by entering the Minute, Hour, Day, Month, and Week in all the cron fields and then click Schedule. The default schedule is 12:00 am (midnight) GMT.
  7. To Edit, Pause, or Delete any scheduled ingestion, click on the three-dot menu on the right side of the Scheduled Ingestion name.
GCP configuration
The below steps need to be performed on the GCP Portal:
Enable Billing
To enable the billing account, please follow the instructions in the link below:
Service Account Setup
  • Create a new Service Account in GCP. This Service Account will be used for enabling Cloud billing export to BigQuery dataset. (We refer to this service account as "KYNDRYL Service Account" further in the document)
  • Enable the following permissions for the KYNDRYL Service Account:
    • BigQuery User
    • BigQuery Data Viewer
    • Compute Viewer
    • Monitor Viewer
    • ApiGateway Viewer
Refer to: Export Data BigQuery Setup
  • For GCP labeling job, enable the following permissions for the Service account:
    • BigQuery Admin
    • BigQuery Data Owner
    • Editor
Refer to: Updating Label
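The two role lists above can be checked against what is actually bound to the KYNDRYL Service Account. The following is an added example, not Kyndryl's code: the role IDs are assumed to correspond to the role names listed on this page ("Monitor Viewer" is taken to mean Monitoring Viewer), and the account, project and sample policy are constructed.

```python
import json

# Role IDs assumed to correspond to the role names listed on this page.
READ_ROLES = {
    "roles/bigquery.user",        # BigQuery User
    "roles/bigquery.dataViewer",  # BigQuery Data Viewer
    "roles/compute.viewer",       # Compute Viewer
    "roles/monitoring.viewer",    # "Monitor Viewer" (assumed: Monitoring Viewer)
    "roles/apigateway.viewer",    # ApiGateway Viewer
}
LABELING_ROLES = {
    "roles/bigquery.admin",       # BigQuery Admin
    "roles/bigquery.dataOwner",   # BigQuery Data Owner
    "roles/editor",               # Editor
}

def audit_service_account(policy, sa_email, labeling_enabled=False):
    """Compare roles bound to sa_email in an IAM policy with the page's lists."""
    member = f"serviceAccount:{sa_email}"
    granted = {b["role"] for b in policy.get("bindings", [])
               if member in b.get("members", [])}
    expected = READ_ROLES | (LABELING_ROLES if labeling_enabled else set())
    return {
        # Listed roles that are not bound yet.
        "missing": sorted(expected - granted),
        # Write-capable labeling roles bound although the labeling job is unused.
        "labeling_roles_unneeded": sorted(
            set() if labeling_enabled else granted & LABELING_ROLES),
        # Roles that appear in neither list on this page.
        "unexpected": sorted(granted - READ_ROLES - LABELING_ROLES),
    }

# Constructed sample policy; the account and project names are made up.
SA = "cam-reader@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/bigquery.user", "members": [f"serviceAccount:{SA}"]},
    {"role": "roles/bigquery.dataViewer",
     "members": [f"serviceAccount:{SA}", "user:analyst@example.com"]},
    {"role": "roles/compute.viewer", "members": [f"serviceAccount:{SA}"]},
    {"role": "roles/editor", "members": [f"serviceAccount:{SA}"]},
    {"role": "roles/owner", "members": [f"serviceAccount:{SA}"]},
    {"role": "roles/monitoring.viewer", "members": ["user:analyst@example.com"]},
]}

if __name__ == "__main__":
    print(json.dumps(audit_service_account(SAMPLE_POLICY, SA), indent=2))
```

The function accepts the JSON printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`; bindings inherited from a folder or organization do not appear in that output.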
Before you enable your Cloud Billing data to export to BigQuery, you must create at least one BigQuery dataset to manage your exported data. You can use the same dataset to contain your standard usage cost data, detailed usage cost data, and your pricing data.
Dataset Creation
Create a Dataset in BigQuery within the GCP portal:
  1. Open the console Navigation menu and select BigQuery.
  2. Open SQL workspace, where you will find the name of the project from which you wish to capture the cost and usage data.
  3. Click on the vertical dots to see the Create dataset option.
  4. Enter the Dataset ID and select the data location, then click the Create dataset button. Note: We support US multi-region as the default.
Billing Export to BigQuery
  1. Open the console Navigation menu, and then select Billing.
  2. In the Billing navigation menu, select Billing export.
  3. Select the BigQuery export tab.
  4. Click Edit settings for the ‘Standard usage cost’ section to enable the export and update the export settings.
  5. From the Project list, select the project where your BigQuery dataset is stored.
  6. The project you select is used to store the exported Cloud Billing data in the BigQuery dataset. The Cloud Billing data includes usage/cost data for all projects related to the Cloud Billing account.
  7. From the Billing export dataset list, specify the dataset to export data that was created in step 3 above.
  8. Click Save.
Enable Asset Collection
Enable the following set of APIs in the GCP portal by following the steps below:
  1. In the GCP portal, select the option "APIs and services".
  2. Choose "Library".
  3. Search for the APIs below and click the enable button if the API is not already enabled. Screenshots are provided only for reference:
| API List | Details fetched |
|---|---|
| Google Compute Engine API | For CPU utilization |
| BigQuery API | Asset status (on/off/terminate), Provisioned date, Region |
| Container Registry API | Asset status (on/off/terminate), Provisioned date, Region |
| Google App Engine Admin API | Asset status (on/off/terminate), Provisioned date, Region |
| Google Cloud APIs | Asset status (on/off/terminate), Provisioned date, Region |
| Google Cloud Datastore API | Asset status (on/off/terminate), Provisioned date, Region |
| Google Cloud Deployment Manager V2 API | Asset status (on/off/terminate), Provisioned date, Region |
| Google Cloud Pub/Sub API | Asset status (on/off/terminate), Provisioned date, Region |
| Google Cloud SQL | Asset status (on/off/terminate), Provisioned date, Region |
| Google Cloud SQL Admin API | Asset status (on/off/terminate), Provisioned date, Region |
| Google Cloud Storage | Asset status (on/off/terminate), Provisioned date, Region |
| Google Cloud Storage JSON API | Asset status (on/off/terminate), Provisioned date, Region |
| Google Kubernetes Engine API | Asset status (on/off/terminate), Provisioned date, Region |
| Google Service Management API | Asset status (on/off/terminate), Provisioned date, Region |
| Google Resource Manager API | Asset status (on/off/terminate), Provisioned date, Region |
| Google Cloud DNS API | Asset status (on/off/terminate), Provisioned date, Region |
| Google API Gateway API | Asset status (on/off/terminate), Provisioned date, Region |
| Google AI Platform Training & Prediction API | Asset status (on/off/terminate), Provisioned date, Region. This permission is required for GCP labeling job |
| Google Artifact Registry API | Asset status (on/off/terminate), Provisioned date, Region. This permission is required for GCP labeling job |
| Google Certificate Authority API | Asset status (on/off/terminate), Provisioned date, Region. This permission is required for GCP labeling job |
| Google Cloud Bigtable API | Asset status (on/off/terminate), Provisioned date, Region. This permission is required for GCP labeling job |
| Google Cloud Composer API | Asset status (on/off/terminate), Provisioned date, Region. This permission is required for GCP labeling job |
| Google Cloud Functions API | Asset status (on/off/terminate), Provisioned date, Region. This permission is required for GCP labeling job |
| Google Cloud Healthcare API | Asset status (on/off/terminate), Provisioned date, Region. This permission is required for GCP labeling job |
| Google Cloud Key Management Service (KMS) API | Asset status (on/off/terminate), Provisioned date, Region. This permission is required for GCP labeling job |
| Google Cloud Run Admin API | Asset status (on/off/terminate), Provisioned date, Region. This permission is required for GCP labeling job |
| Google Cloud Spanner API | Asset status (on/off/terminate), Provisioned date, Region. This permission is required for GCP labeling job |
| Google Cloud Dataproc API | Asset status (on/off/terminate), Provisioned date, Region. This permission is required for GCP labeling job |
| Google Cloud Filestore API | Asset status (on/off/terminate), Provisioned date, Region. This permission is required for GCP labeling job |
| Google Cloud Memorystore for Memcached API | Asset status, Provisioned date, Region |
For Asset ingestion, capture the Project ID and Service Key (Private Key of the Service Account) of the project you want to ingest. Both fields are mandatory for asset ingestion in CAM.