Advanced Setup Available in v1.18.8+
Azure Cost Integration Setup
You can set up the Azure integration resources directly in your Azure account, without using the ScaleOps Managed Application.
- Launch Cloud Shell in your Azure account
- Run the provided script in Cloud Shell:
  ```bash
  curl -sL scriptshelf.scaleops.com/azure/integrate.sh | bash -s -- cost \
    --subscription-id <SUBSCRIPTION_ID> \
    --create-application
  ```
- After the script runs, copy the helm values provided in the output to your helm values and install ScaleOps.
- Wait for ScaleOps to integrate with your Azure cost data
*It may take a few minutes for the integration to complete.
Reference
Helm Parameters
| Key | Description | Default |
|---|---|---|
| `enabled` | Enable integration | false |
| `tenantId` | Azure Tenant ID | Current cluster tenant ID |
| `subscriptionId` | Azure Subscription ID | Current cluster subscription ID |
| `applicationId` | Your application ID | Application ID from ScaleOps API |
| `applicationSecret` | Your application Secret | Application Secret from ScaleOps API |
| `containerName` | Azure Storage Container Name | cost-exports |
| `storageAccountName` | Azure Storage Account Name | scaleopscoststorage |
| `costExportName` | Azure Cost Export Name | scaleops-cost-report |
| `costExportDirectory` | Azure Cost Export Directory | scaleops-cost-exports |
| `applyToAllClusters` | Should enable all child clusters | false |
Script parameters
| Parameter | Description | Default / Notes |
|---|---|---|
| `-s <UUID>`, `--subscription <UUID>` | Azure subscription ID (required for all commands) | |
| `-a <UUID>`, `--application <UUID>` | Azure application ID (required for all commands unless `--create-application` is used) | |
| `--create-application` | Create a new Azure AD application instead of using existing | |
| `--app-name <name>` | Name for the Azure AD application | `"ScaleOps-Integration-<TIMESTAMP>"` |
| `--use-workload-identity` | Enable workload identity setup (required for workload identity) | false |
| `--skip-checks` | Skip authorization policies validations | false |
| `--installation-namespace <NAMESPACE>` | Installation namespace (required for workload identity) | scaleops-system |
| `--cluster-name <NAME>` | AKS cluster name (required for workload identity) | |
| `--location <loc>` | Azure region | westeurope |
| `--cost-export-name <name>` | Cost export name | scaleops-cost-report |
| `--export-directory-name <name>` | Cost export directory name | scaleops-cost-exports |
| `--resource-group-name <name>` | Resource group name | scaleops-cost-integration |
| `--storage-account-name <name>` | Storage account name (default will be made unique) | scaleopscost |
| `--container-name <name>` | Container name | cost-exports |
| `--cost-role-name <name>` | Cost export role name | ScaleOps Cost Export |
| `--additional-permissions <p1,p2>` | Comma-separated list of extra Azure permissions to add to the custom role | `""` |
| `--dry-run` | Show what would be created without making changes | |
| `-v`, `--verbose` | Print all az commands before executing them | |
| `-h`, `--help` | Show this help message | |
Using External Secret
Run `helm template` with the correct values for the Azure billing integration to retrieve the secret definition:

```bash
helm template ... --show-only templates/cur_settings_secret.yaml
```

Store the secret data from the `helm template` output in your secret provider, and reference it using External Secrets:
```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: scaleops-cloud-billing-settings
  namespace: scaleops-system
spec:
  secretStoreRef:
    name: SECRET_STORE_NAME # Replace with your secret store name
    kind: ClusterSecretStore # Replace with your secret store kind
  target:
    name: scaleops-cloud-billing-settings
    template:
      data:
        settings: "{{ .azure_billing_config }}"
  data:
    - secretKey: azure_billing_config
      remoteRef:
        key: path/to/secret # Replace with your secret path
```

If you use this approach, do not include `cloudBillingIntegration.azure` values in your helm values file.
Permissions
Required Azure Permissions
The person running the integration script or Terraform needs the following roles:
| Role | Scope | Purpose |
|---|---|---|
| Owner or User Access Administrator | Subscription | Create custom roles and assign them to service principals |
| Contributor | Subscription | Create resource groups, storage accounts, and other Azure resources |
| Application Administrator or Cloud Application Administrator | Azure AD Tenant | Create Azure AD applications and service principals |
Minimal Required Permissions
Azure AD Permissions (to create the service principal):
- `Application.ReadWrite.All` - Create Azure AD applications
- `Directory.ReadWrite.All` - Create service principals
- `Application.ReadWrite.OwnedBy` - Manage owned applications
- `Application.Read.All` - Read existing applications and service principals
Azure Subscription Permissions (to create resources and grant permissions):
- `Microsoft.Authorization/roleDefinitions/read` - Read existing roles
- `Microsoft.Authorization/roleDefinitions/write` - Create custom roles
- `Microsoft.Authorization/roleAssignments/read` - Read existing role assignments
- `Microsoft.Authorization/roleAssignments/write` - Assign roles to service principals
- `Microsoft.Resources/subscriptions/resourcegroups/read` - Read existing resource groups
- `Microsoft.Resources/subscriptions/resourcegroups/write` - Create resource groups
- `Microsoft.Storage/storageAccounts/read` - Read existing storage accounts
- `Microsoft.Storage/storageAccounts/write` - Create storage accounts
- `Microsoft.CostManagement/exports/read` - Read existing cost exports
- `Microsoft.CostManagement/exports/write` - Create cost exports
- `Microsoft.Resources/subscriptions/providers/register/action` - Register providers
- `Microsoft.Resources/subscriptions/read` - Read subscription information
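
A preflight check for the subscription permissions listed above, as an added example that is not ScaleOps code: it reports which required actions a set of roles does not grant, using Azure RBAC wildcard matching. The function names are hypothetical, and the sample `Actions`/`NotActions` patterns are constructed, abridged from the built-in Contributor and User Access Administrator role definitions.

```shell
# Added example: required subscription actions that a set of roles does NOT grant.
REQUIRED_ACTIONS="
Microsoft.Authorization/roleDefinitions/read
Microsoft.Authorization/roleDefinitions/write
Microsoft.Authorization/roleAssignments/read
Microsoft.Authorization/roleAssignments/write
Microsoft.Resources/subscriptions/resourcegroups/read
Microsoft.Resources/subscriptions/resourcegroups/write
Microsoft.Storage/storageAccounts/read
Microsoft.Storage/storageAccounts/write
Microsoft.CostManagement/exports/read
Microsoft.CostManagement/exports/write
Microsoft.Resources/subscriptions/providers/register/action
Microsoft.Resources/subscriptions/read
"

# matches_any ACTION "PATTERN ...": succeeds if ACTION matches any pattern (case-insensitive, * wildcard).
matches_any() (
  set -f  # stop the shell from expanding * against local file names
  action=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  for pattern in $(printf '%s' "$2" | tr '[:upper:]' '[:lower:]'); do
    case "$action" in $pattern) exit 0 ;; esac
  done
  exit 1
)

# is_granted ACTION ACTIONS NOT_ACTIONS [ACTIONS NOT_ACTIONS ...]
# NotActions only subtract from their own role, never from another role's grants.
is_granted() (
  action=$1; shift
  while [ "$#" -ge 2 ]; do
    if matches_any "$action" "$1" && ! matches_any "$action" "$2"; then exit 0; fi
    shift 2
  done
  exit 1
)

# missing_actions ACTIONS NOT_ACTIONS [...]: print required actions that no role grants.
missing_actions() {
  for required in $REQUIRED_ACTIONS; do
    is_granted "$required" "$@" || printf '%s\n' "$required"
  done
}

# Constructed sample input, abridged from the built-in role definitions.
CONTRIBUTOR_ACTIONS="*"
CONTRIBUTOR_NOT_ACTIONS="Microsoft.Authorization/*/Delete Microsoft.Authorization/*/Write Microsoft.Authorization/elevateAccess/Action"
UAA_ACTIONS="*/read Microsoft.Authorization/* Microsoft.Support/*"
UAA_NOT_ACTIONS=""
# Contributor alone: prints the two Microsoft.Authorization write actions.
missing_actions "$CONTRIBUTOR_ACTIONS" "$CONTRIBUTOR_NOT_ACTIONS"
```

On a real subscription the patterns come from the role definitions that `az role definition list` returns for the roles assigned to you; the check does not cover the Azure AD permissions or deny assignments.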