Setup Cloud Account

Help users to configure account to manage cloud platform.

The OneCloud platform supports the following cloud platforms

  • Public Clouds: AWS, Azure, Google, Alibaba Cloud, Huawei Cloud, Tencent Cloud, Ctyun, UCloud.

The following shows steps to add Azure and AWS account, to add more cloud platform, see Create Cloud Account in User Manual.

Setup an Azure Account

Step One: Get Azure account configuration parameters

Before OneCloud can manage your Azure account, you must complete a series actions in Azure to get related parameters.

Get Tenant ID, Client ID and Secret

  1. Login to the Azure console and click “Azure Active Directory/App registrations” menu item on the left navigation bar to enter the application registration page. It is recommended to create a new dedicated application for the cloud management platform to call the Azure API.

  2. Click the “New Registration” button, and on the registered application page, set the name to any value, set the supported account type to “Only accounts in this directory”, set the redirect URI to web, and enter a name starting with “https://” or “"http://localhost” and click the “Register” button.

  3. After successful creation, the system automatically displays the application details page just created. The application (client) ID on this page is the required client ID and the directory (tenant) ID is the required tenant ID.

  4. Click the “Certificates and secrets” menu item on the Application Details page. Go to the Certificates and secrets page. Click the “Create Client Password” button.

  5. In the Add Client dialog box that pops up, enter the password description, the expiration date as “Never”, and click the “Add” button to create a new client password.

  6. After successful saving, the value of the page password will be the required client password information.

Grant the resouse group permissions to application

  1. Login to Azure console, click “Resource Groups” menu item on the left navigation bar, view the list of resource groups, click the name of the resource group that needs to be authorized to enter the resource group management page. Click the “Access Control (IAM)" menu item to enter the Access Control (IAM) page.

  2. Click the Add Role Assignment button on the Access Control (IAM) page, set the role to “Owner” in the Add Role Assignment page, assign the access rights to the dialog box “User, group or service principal”, search for the name of the application created in the previous step in the Select Search box, and select the application. Search for the name of the application created in the previous step in the Select Search box, select the application, and click the “Save” button.

  3. On the Role Assignment page, The resource groups permissions have been granted to the application.

Grant subscription permissions to the application

  1. Login to the Azure console, click the “All Services” menu item in the left navigation bar, and click the “Subscriptions” menu item in the All Services list to enter the list of subscriptions.

  2. click on the subscriptions that need to be authorized to enter the subscription details page.

  3. Click “Access Control (IAM)" , and click the “Add Role Assignment” button on the Access Control (IAM) page to enter the Add Role Assignment page.

  4. On the Add Role Assignment page, set the role to “Owner” , assign the access rights to the dialog box “User, group or service principal”, search for the name of the application created in the previous step in the Select Search box, and select the application. Search for the name of the application created in the previous step in the Select Search box, select the application, and click the “Save” button.

  5. On the Role Assignment page, The aubscription permissions have been granted to the application.

API permissions setting

Make sure the application has the following permissions under the Azure Active Directory API.

Region API Permissions
Azure China Dictionary: Dictionary.Read.All, Dictionary.ReadWrite.All
Domain: Domain.Read.All
Azure Dictionary: Dictionary.Read.All, Dictionary.ReadWrite.All
Domain: Domain.Read.All, Domain.ReadWrite.All;
Member: Member.Read.Hidden;
Policy: Policy.Read.All;

View and setup steps

Take Azure Global as an example.

  1. In the Azure console, click the “Azure Active Directory/App registration” menu item in the left navigation bar to enter the application registration page.

  2. On the newly registered application details page, click “API Permissions” menu item to enter the API Permissions page and view the API permissions.

  3. Check whether the API permission of the application meets the above requirements, if not, click “Add a Permission” button to bring up the Request API Permissions dialog.

  4. Select “Azure Active Directory”, select “Application Permissions” for the application, and check all permissions under Dictionary and Domian, click “Add Permissions” button to complete the configuration.

Get Azure Enterprise Account (EA) Contract ID and key

  1. Login to Azure EA Portal China or EA Portal, after signing in the system, the number in the top left corner is the Contract ID.

  2. Click the “Reports” menu item on the left navigation bar, and select the “Download Usage > API Access Keys” tab, the main key on this page is the key.

Step Two: Setup Azure Account

  1. In the cloud management platform, click the top left corner of navigation menu, and click “Multicloud/Accounts/Accounts” menu item in the left menu bar that pops up to enter the cloud account page.

  2. Click the “Create” button at the top of the list on the cloud account page to enter the new cloud account page.

  3. Select the cloud platform as Azure, click “Next: Configure Cloud Account” button, and enter the Configure Accounts page.

  4. Set the following parameters.

    • Name: Name of Azure account
    • Account type: Currently, it supports managing Azure cloud accounts in Global Zone, China Zone, US Government Zone, and Germany Zone.
    • Tenant ID/Client ID/Client password: To get Tenant ID、Client ID、Client Password,see Get Tenant ID, Client ID and Secret.
    • Resource attribution project: Select the local project that synchronizes the resources on the cloud account to the OneCloud platform. If you want to categorize the resources on the cloud account according to the projects on the cloud, please specify the default resource attribution project first and check the box to create the project automatically. After checking the box, a local project with the same name as the project on the cloud will be created in the OneCloud platform and the resources will be synchronized to the corresponding project. Resources without project attribution on the cloud will be synchronized to the default resource attribution project.
    • Proxy: Set this item when the cloud account needs a proxy to access normally, leave it blank for direct connection. If there is no suitable proxy, click “Create” hyperlink directly and set relevant parameters in the pop-up Create Proxy dialog box to create a proxy.
    • Enable SSO Login: After enabling, the system becomes the identity provider for login on the cloud. The system enables single sign-on to the public cloud platform through this system. Currently, only Azure Global Zone supports the function of SSO login, in addition, you need to configure external identities on the Azure platform, please see Step Three: Login to Azure with SSO.
    • Auto sync: Set whether to automatically synchronize the information on Azure platform, and set the time interval for auto-sync.

  5. Click the “Connection Test” button to test whether the parameters entered are correct.

  6. Click the “OK” button to create an Azure cloud account and go to the Billing File Access Information page to configure the billing parameters for the cloud account so that users can view the billing information for the cloud account in Expenses.

  7. EA (Enterprise Agreement) account expenses get billing information through Contract ID and key, please configure relevant parameters, after the configuration is completed and tested successfully, click the “OK” button.

    • Contract ID: Unique identifier of the online Advanced Service Agreement association, a number starting with V570.
    • Key: API access key. For more details, please see Get Azure Enterprise Account (EA) Contract ID and key.
    • Collect bills immediately: OneCloud The platform automatically collects bills at 4am every day by default. When this item is enabled, bills will be collected immediately after the bill file access information is configured.
    • Time range: When collect bills immediately is enabled, it supports setting the time range to immediately collect bills within the time range, please make sure there is bill data within the selected time range. It is recommended to collect bills within 1~6 months, otherwise there will be too much data, which will cause much pressure on the system and affect the daily task of collecting bills.

  8. Click the “Connection Test” button to test if the parameters entered are correct.

  9. Click “Skip” button for Not an EA account or when you do not need to manage billing data on the OneCloud platform.

Step Three: Login to Azure with SSO

This function is used for OneCloud platform to login to public platform without password. Currently, it supports SSO login to Alibaba Cloud, Tencent Cloud, Huawei Cloud, AWS, and Azure platform (global zone). Other than Azure, you only need to enable SSO login when you create a new cloud account on the platform, and there is no need to configure it on the public cloud platform.

The following is an example of how to sign in Azure from the OneCloud platform with SSO. Currently, only Azure Global supports SSO login.

Enable SSO Login

  1. When configuring the parameters of Step Two: Setup Azure Account on OneCloud platform, select “Global Zone” for the account type and check “Enable SSO Login”.

  2. After the cloud account is created successfully, get the ID of the Azure cloud account.

  3. Enter “https:///api/saml/idp/metadata/” in the browser and save the content of the displayed XML file. For example: “[https://saml.test.cn/api/saml/idp/metadata/7c6c10d5-953a-444c-8685-d0b8f53984b2](#configure azure-external-identies) “, and save the xml file.

Configure External Identies on Azure

  1. In the Azure console, search for “External Identies” and go to this page.

  2. Click on the left menu item “All identity providers” to enter the “All identity providers” page.

  3. Click “New SAML/WS-Fed Idp” and configure the following parameters in the pop-up dialog box.

    • Identity provider protocol: Select SAML.
    • Domain name of federating IdP: Set it as the domain name of the platform. e.g. saml.test.cn.
    • Select a method for populating metadata: It is recommended to select “Parse metadata file”, upload the xml file saved in the above step, and click “Parse “, the following parameters will be filled automatically. If you choose “Input metadata manually”, you need to install the corresponding items in the screenshot above and fill them in respectively.Note that there are spaces in the directly copied Certificate item, so you need to remove them completely.

  4. In addition, you need to add user permissions for Azure applications, which can be found in Get Tenant ID, Client ID and Secret.

  5. In the application details page, click “API permission” to enter the API permission page, and make sure the application has “User.Invite.All” “ReadWrite.All” permission under Microsoft Graph, if not, you need to click “add a permission” to add the corresponding permission.

Setup Chrome

When signing in Azure platform with SSO on OneCloud platform, you need to carry cookies back to the OneCloud platform. Chrome does not allow cookies to be carried across websites by default, so the following configuration is required.

  1. Type “chrome://flags/” in the address of Chrome browser and search for “SameSite by default cookies”.

  2. Disabled “SameSite by default cookies” and “Cookies without SameSite must be secure”。

  3. Relaunch Chrome to make the change take effect.

Create SAML User

  1. Add a user on the platform as a SSO login user on the OneCloud platform’s “Accounts-Azure Account-Properties-SAML Users” page.

  2. Click the “Create” button, select the users on the platform and the corresponding cloud user group in the create SAML users dialog box, and click the “OK” button.

  3. SAML user can log in to the Azure platform without password by clicking the “SSO Login” button on the “User Information - Cloud SSO - SSO Login User” page in the upper right corner.

  4. In the pop-up prompt message dialog, click the “Copy and Sign In” button to jump to the Azure platform and enter the copied account to sign in to the Azure platform with SSO.

Setup an AWS account

Step One: Get AWS account configuration parameters

AWS account permission requirements

Policy Name Policy Description
AdministratorAccess Full access to the cloud resources. If you have this access, you have the rights to manage all resources and do not need to pay attention to other policies.
AmazonEC2FullAccess If you do not have an AdministratorAccess policy and need to manage servers (EC2), please enable this permission.

Get Access Key and Secret for AWS

  1. Login to the AWS Management Console using the AWS master account (or a sub-account with Administrator Access administrative privileges) and click the “IAM” menu item to access the IAM Control Panel page.

  2. Click the “Users” menu item on the left menu bar to enter the user management list, and click the user name item to enter the specified user details page. Note that you need to select a user with sufficient administrative privileges.

  3. Click on the “Security Certificate” tab.

  4. Click the “Create Access Key” button, and you can see the key information, i.e. the key ID (Access Key ID) and password (Access Key Secret) in the Create Access Key dialog box that pops up.

Get the Expense S3 Bucket URL

New Version

AWS accounts created after the 07/08/2019 must use this method to configure and obtain the URL and file prefix for the S3 bucket.

  1. Sign in to the AWS Management Console using the AWS master account and click the drop-down menu “My Billing Dashboard” menu item in the upper right corner of [username] to access the Billing and Cost Management Dashboard page.

  2. Click “Cost & Usage Reoports” on the left menu, and on the AWS Cost and Usage Reports page, click the “Create Report” button to enter the Create Report page.

  3. Configure the report name, check “Include resource IDs”, and click “Next” button to enter the Delivery Options page.

  4. Configure S3 storage buckets to support selecting existing buckets or creating new ones.

  5. Configure the report path prefix, choose “Hourly” for the time granularity, “Create new report version” for the report version, and “ZIP” for the compression type, and click the ” Next” button to enter the audit page.

  6. After confirming that the configuration is correct, record the S3 storage bucket and report path prefix in the red box, and click the “Review and Complete” button to complete the configuration and create the report.

  7. View the overview information of any billing file in the corresponding storage bucket in the S3 storage management page of the AWS console and record the object URL, the storage bucket URL is the URL with the file name removed from the back, as shown in the red box.

  8. The file prefix is the report path prefix in the red box in step 6.

Old Version

  1. Sign in to the AWS Management Console using the AWS master account and click the drop-down menu “My Billing Dashboard” menu item in the upper right corner of [username] to access the Billing and Cost Management Dashboard page.

  2. Click “Billing Preferences” on the left menu, and check and record the S3 oss bucket for “Receive Billing Reports” in “Cost Management Preferences” on the Preferences page you entered. If not configured, you need to check “Receive Billing Reports” and configure the S3 bucket and verify it, after the setting is completed, the incremental billing data will be stored to the corresponding S3 according to the set granularity. It is recommended that only billing files are stored in this bucket.

  3. View the overview information of any billing file in the corresponding oss bucket in the S3 storage management page of AWS console, and record the object URL, the oss bucket URL is the URL with the file name removed from the back, as shown in the red box.

  4. The AWS file prefix is the AWS account ID.

Step Two: Setup AWS account

  1. In the cloud management platform, click the top left corner of navigation menu, and click “Multicloud/Accounts/Accounts” menu item in the left menu bar that pops up to enter the cloud account page.

  2. Click the “Create” button at the top of the list on the cloud account page to enter the new cloud account page.

  3. Select the cloud platform as AWS, click “Next: Configure Cloud Account” button, and enter the Configure Accounts page.

  4. Set the following parameters.

    • Name: The name of the AWS account.
    • Account type: Currently supports managing AWS cloud accounts in Global Zone and China Zone.
    • Key ID/Password: The key ID and password information of the docked AWS platform. For details, please see Get Access Key and Secret for AWS.
    • Resource attribution project: Select the local project that synchronizes the resources on the cloud account to the OneCloud platform. If you want to categorize the resources on the cloud account according to the projects on the cloud, please specify the default resource attribution project first and check the box to create the project automatically. After checking the box, a local project with the same name as the project on the cloud will be created in the OneCloud platform and the resources will be synchronized to the corresponding project. Resources without project attribution on the cloud will be synchronized to the default resource attribution project.
    • Proxy: Set this item when the cloud account needs a proxy to access normally, leave it blank for direct connection. If there is no suitable proxy, click “Create” hyperlink directly and set relevant parameters in the pop-up Create Proxy dialog box to create a proxy.
    • Enable SSO Login: After enabling this item, it will automatically synchronize the system’s SAML information to the cloud account and become the identity provider for signing in the cloud. Realize single sign-on to the public cloud platform through this system.
    • Auto sync: Set whether to automatically synchronize the information on AWS platform, and set the time interval for auto-sync.

  5. Click the “Connection Test” button to test whether the parameters entered are correct.

  6. Click “OK” button to create AWS account. And go to the Billing File Access Information page to configure the billing parameters for the cloud account so that the user can view the billing information for the cloud account in Expenses.

  7. If you need to view billing information in OneCloud platform, etc. please configure relevant parameters, after the configuration is completed and tested successfully, click the “OK” button.

    • Cloud account type: Including main account and associated account, please make sure the main account has been imported into OneCloud platform before using the associated account, and select the main account when using the associated account.
    • Bucket URL: The URL of the oss bucket where the billing file is located. For more details, please see Get the Expense S3 Bucket URL.
    • File prefix: When there are other files stored in the Expense OSS Bucket besides the billing file, you need the file prefix to get only the billing file in the bucket, etc. The file prefix for AWS is the account ID.
    • Collect bills immediately: OneCloud The platform automatically collects bills at 4am every day by default. When this item is enabled, bills will be collected immediately after the billing file access information is configured.
    • Time range: When collect bills immediately is enabled, it supports setting the time range to immediately collect bills within the time range, please make sure there is bill data within the selected time range. It is recommended to collect bills within 1~6 months, otherwise there will be too much data, which will cause much pressure on the system and affect the daily task of collecting bills.

  8. Click “Connection Test” button to test whether the parameters entered are correct.

  9. Click “Skip” button when you do not need to manage billing data on the OneCloud platform.

Step Three: Login to AWS with SSO

The following is an example of how to sign in AWS platform from the OneCloud platform with SSO.

Enable SSO Login

  1. When configuring the parameters of Step Two: Setup AWS account on OneCloud platform, check “Enable SSO Login”.

Create SAML User

  1. Add a user on the platform as a SSO login user on the OneCloud platform’s “Accounts-Azure Account-Properties-SAML Users” page.

  2. Click the “Create” button, select the users on the platform and the corresponding cloud user group in the create SAML users dialog box, and click the “OK” button.

  3. Users on the added platform can log in to the Azure platform without password by clicking the “SSO Login” button on the “User Information - Cloud SSO - SSO Login User” page in the upper right corner.