# OCI Integration FAQ

## What do I need before I can connect OneLens to OCI?

You need the following before starting the OCI integration:

* An active OCI account with access to the root compartment for configuring cost exports.
* Permission to manage Identity & Security settings, including creating domains, users, groups, and policies.
* The public key file provided by the OneLens team (required during API key setup in Step 4).

{% hint style="info" %}
All four steps (creating a group, a user, and a policy, then generating credentials) must be completed in order. Skipping any step will prevent OneLens from reading your OCI cost and usage data.
{% endhint %}

## What is the high-level architecture of this integration?

The integration follows a **passive, read-only architecture** using Azure Cost Management Exports.

* **Data Flow:** Azure writes billing data (Parquet format) to a Storage Account in your tenant. OneLens ingests this data securely.
* **Resource Impact:** *Zero*. The integration operates asynchronously on billing data and does not touch your production compute or databases.

## What specific permissions does OneLens require?

We adhere to **Least Privilege**. We do not require `Contributor` or `Owner` access for the integration at any scope.

<table><thead><tr><th width="163">IAM Role</th><th width="177">Scope</th><th width="163">Assignee</th><th width="206">Purpose</th></tr></thead><tbody><tr><td>Reader</td><td><em><strong>*</strong>Target scope</em></td><td>App Registration, External User</td><td>Read resources metadata.</td></tr><tr><td>Cost Management Reader</td><td><em><strong>*</strong>Target scope</em></td><td>App Registration, External User</td><td>Read cost analysis data.</td></tr><tr><td>Billing Reader</td><td>Management Group or Subscription</td><td>App Registration</td><td>Read invoice and billing data (for EA)</td></tr><tr><td>Billing Account Reader</td><td>Billing account</td><td>App Registration</td><td>Read billing data (for MCA/MOSP)</td></tr><tr><td>Storage Blob Data Reader </td><td>Storage account</td><td>App Registration, External User</td><td>Read exported cost report data.</td></tr></tbody></table>
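The table above is the complete set of roles the OneLens principals should hold. As an added example (not OneLens code), the script below audits the output of `az role assignment list --all -o json` for the two OneLens principals and reports any role outside that read-only set, such as `Contributor` or `Owner`. The field names `principalName`, `roleDefinitionName` and `scope` are assumed to match the CLI output, and the sample assignments are constructed.

```python
import json

# Roles the FAQ table lists as required for the OneLens principals
ALLOWED_ROLES = {
    "Reader",
    "Cost Management Reader",
    "Billing Reader",
    "Billing Account Reader",
    "Storage Blob Data Reader",
}

ONELENS_PRINCIPALS = {"onelens-sa", "onelens.finops@astuto.ai"}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed id

# Constructed sample in the shape of `az role assignment list --all -o json`
# (assumed fields: principalName, roleDefinitionName, scope).
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "onelens-sa", "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": "onelens-sa", "roleDefinitionName": "Cost Management Reader", "scope": SUB},
    {"principalName": "onelens-sa", "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/billing-rg"},
    {"principalName": "onelens.finops@astuto.ai", "roleDefinitionName": "Storage Blob Data Reader",
     "scope": SUB + "/resourceGroups/billing-rg/providers/Microsoft.Storage/storageAccounts/onelensbilling"},
    {"principalName": "platform-admin", "roleDefinitionName": "Owner", "scope": SUB},
])


def audit_assignments(assignments_json, principals=ONELENS_PRINCIPALS):
    """Return (violations, not_granted).

    violations:  assignments for the OneLens principals whose role is outside
                 the read-only set (e.g. Contributor, Owner).
    not_granted: allowed roles not seen for any OneLens principal. Not every
                 one is required (Billing Reader vs Billing Account Reader
                 depends on your agreement type), so this is informational.
    """
    violations, granted = [], set()
    for a in json.loads(assignments_json):
        if a.get("principalName") not in principals:
            continue  # other identities are out of scope for this check
        role = a.get("roleDefinitionName")
        if role in ALLOWED_ROLES:
            granted.add(role)
        else:
            violations.append((a["principalName"], role, a["scope"]))
    return violations, sorted(ALLOWED_ROLES - granted)


if __name__ == "__main__":
    bad, not_granted = audit_assignments(SAMPLE_ASSIGNMENTS)
    for principal, role, scope in bad:
        print(f"EXCESS      {principal}: {role} at {scope}")
    for role in not_granted:
        print(f"NOT GRANTED {role}")
```

Run it against real output by replacing `SAMPLE_ASSIGNMENTS` with the JSON from the CLI; an empty `violations` list is the least-privilege condition the FAQ describes.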

## Can we use a Managed Identity instead of an App Registration?

Currently, the integration requires an **App Registration with a Client Secret** because the OneLens platform resides outside your Azure Tenant (multi-tenant SaaS).

* **Security Note:** Managed Identities are typically restricted to Azure-to-Azure resources within the same tenant. For cross-tenant access, an App Registration is the standard secure pattern, recommended by Microsoft. We set a safe rotation policy for the Client Secret (every 90 days).

## What if we have a third-party billing partner (CSP) and do not have the `Billing Account Owner` role?

If you purchase Azure through a CSP or MSP, you likely do not have permissions at the Billing Account scope.

* **Action:** You can ask your billing partner to assign your user the `Billing Account Owner` role so that you can perform the integration. Alternatively, the billing partner can directly assign the `Billing Account Viewer` role to our App Registration and External User at the agreed scope.

## With the **Reader** role, are you able to access sensitive data?

**No.** The Reader role is strictly a **Control Plane** permission.

* **What it allows:** Viewing resource metadata (e.g., *"There is a VM named 'production-db' with 4 vCPUs"*). This is essential for us to map costs to specific resources and generate rightsizing recommendations.
* **What it does NOT allow:** It does not grant access to the **Data Plane**. We **cannot** read the files inside your Storage Accounts (except the specific billing container), we **cannot** view rows in your SQL databases, and we **cannot** access secrets in your Key Vaults.

## Why do we need to invite an external user?

The external user (**<onelens.finops@astuto.ai>**) allows our support and engineering team to debug ingestion issues and validate configuration without requiring shared credentials. This user is assigned strictly read-only roles (`Reader`, `Cost Management Reader`, `Storage Blob Data Reader`).

## Does the "Allow" network rule on the Storage Account expose our data?

**No.** The command `az storage account update --default-action Allow` permits network connectivity **but does not bypass authentication**.

* **Security Layer:** Access is still strictly controlled via RBAC (Identity). Only entities with the `Storage Blob Data Reader` role (like our App Registration) can read the data. Anonymous access is explicitly disabled on the container.
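To verify the claim above on your own account, the check below (an added example, not OneLens code) reads the JSON from `az storage account show -o json` and `az storage container show -o json` and separates the network rule from the authentication settings: a default action of `Allow` is reported as information, while any anonymous blob access at the account level (`allowBlobPublicAccess`) or on the container (`properties.publicAccess`) fails the check. Those field names are assumed to match the CLI output; the two sample accounts are constructed.

```python
import json

# Constructed samples in the shape of `az storage account show -o json` and
# `az storage container show -o json` (assumed fields: networkRuleSet.defaultAction,
# allowBlobPublicAccess, publicNetworkAccess, properties.publicAccess).
ACCOUNT_OK = json.dumps({
    "name": "onelensbilling",
    "allowBlobPublicAccess": False,
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {"defaultAction": "Allow", "bypass": "AzureServices"},
})
CONTAINER_OK = json.dumps({"name": "billing-exports", "properties": {"publicAccess": None}})

ACCOUNT_BAD = json.dumps({
    "name": "onelensbilling",
    "allowBlobPublicAccess": True,
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {"defaultAction": "Allow", "bypass": "AzureServices"},
})
CONTAINER_BAD = json.dumps({"name": "billing-exports", "properties": {"publicAccess": "blob"}})


def check_identity_only(account_json, container_json):
    """Return (ok, findings) where findings is a list of (level, message).

    A default network action of Allow is reported at level "info": it opens
    connectivity, and every request is still authenticated and authorised by
    RBAC. The check fails ("fail") when anonymous, unauthenticated blob access
    is possible at the account level or on the container itself.
    """
    acct = json.loads(account_json)
    cont = json.loads(container_json)
    findings = []

    if (acct.get("networkRuleSet") or {}).get("defaultAction") == "Allow":
        findings.append(("info", "network default action is Allow; RBAC still gates every request"))
    if acct.get("allowBlobPublicAccess") is not False:
        findings.append(("fail", "allowBlobPublicAccess is not false at the account level"))
    if (cont.get("properties") or {}).get("publicAccess") is not None:
        findings.append(("fail", f"container '{cont.get('name')}' allows anonymous access"))

    ok = not any(level == "fail" for level, _ in findings)
    return ok, findings


if __name__ == "__main__":
    for label, acct, cont in (("secure", ACCOUNT_OK, CONTAINER_OK),
                              ("misconfigured", ACCOUNT_BAD, CONTAINER_BAD)):
        ok, findings = check_identity_only(acct, cont)
        print(f"{label}: {'PASS' if ok else 'FAIL'}")
        for level, msg in findings:
            print(f"  [{level}] {msg}")
```

The "secure" sample is exactly the state the FAQ describes: network action `Allow`, anonymous access disabled, so only RBAC-authorised identities such as the App Registration can read the exports.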

## Why is "Overwrite data" enabled in the cost export?

Azure Cost Management data is cumulative for the current month and can change daily (due to reservation applications or late-arriving usage).

* **Reason:** Enabling "Overwrite" ensures that the daily export updates the existing file for the current month (e.g., 2023-10-01\_2023-10-31) rather than creating dozens of fragmented files (e.g., \_v1, \_v2) for the same period.
* **Benefit:** This ensures data consistency, prevents duplicate processing, and significantly reduces storage costs in your account.

## Why are we creating two exports (actual and amortized)?

* **Actual Cost:** Reconciles with your invoice.
* **Amortized Cost:** Smooths out Reservation (RI) and Savings Plan purchases to show daily effective burn rates.
* **OneLens Requirement:** We require the combined cost and usage dataset (actual + amortized) to provide accurate recommendations.

## Which Resource Providers must be registered before starting the integration?

Before starting, ensure the following are registered on the target subscriptions:

1. `Microsoft.CostManagementExports`
2. `Microsoft.CostManagement`
3. `Microsoft.Billing`
4. `Microsoft.Storage`
5. `Microsoft.ContainerService` (if onboarding AKS)
6. `Microsoft.Insights` (if onboarding AKS)
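As an added example (not OneLens code), the snippet below compares the list above against the output of `az provider list -o json` for a subscription and prints the `az provider register` command for each namespace that is not yet in the `Registered` state; the AKS-only providers are included only when `onboarding_aks` is set. The `namespace` and `registrationState` field names are assumed to match the CLI output, and the sample provider list is constructed.

```python
import json

REQUIRED_ALWAYS = [
    "Microsoft.CostManagementExports",
    "Microsoft.CostManagement",
    "Microsoft.Billing",
    "Microsoft.Storage",
]
REQUIRED_FOR_AKS = ["Microsoft.ContainerService", "Microsoft.Insights"]

# Constructed sample in the shape of `az provider list -o json`
# (assumed fields: namespace, registrationState).
SAMPLE_PROVIDERS = json.dumps([
    {"namespace": "Microsoft.CostManagement", "registrationState": "Registered"},
    {"namespace": "Microsoft.Billing", "registrationState": "Registered"},
    {"namespace": "Microsoft.Storage", "registrationState": "Registered"},
    {"namespace": "Microsoft.CostManagementExports", "registrationState": "NotRegistered"},
    {"namespace": "Microsoft.ContainerService", "registrationState": "Registered"},
    {"namespace": "Microsoft.Insights", "registrationState": "Registering"},
])


def missing_providers(provider_list_json, onboarding_aks=False):
    """Return required namespaces whose state is anything other than Registered.

    A provider still in the Registering state is reported too: the export
    setup should wait until registration has completed.
    """
    state = {p["namespace"]: p.get("registrationState") for p in json.loads(provider_list_json)}
    wanted = REQUIRED_ALWAYS + (REQUIRED_FOR_AKS if onboarding_aks else [])
    return [ns for ns in wanted if state.get(ns) != "Registered"]


def register_commands(namespaces):
    """Commands to run for each missing provider (registering an already
    registered provider is harmless)."""
    return [f"az provider register --namespace {ns}" for ns in namespaces]


if __name__ == "__main__":
    for cmd in register_commands(missing_providers(SAMPLE_PROVIDERS, onboarding_aks=True)):
        print(cmd)
```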

## How do we handle Kubernetes (AKS) cost visibility?

Azure does not break down AKS costs by default. You must enable **Cost Analysis** on your clusters.

* **Requirement:** Clusters must be on Standard or Premium tier (Free tier is not supported).
* **Command:**\
  `az aks update --resource-group <rg_name> --name <cluster_name> --enable-cost-analysis`
* **Bulk Enable:** We provide a loop script to enable this for **all clusters** in a resource group. You can find the same in the relevant section in the documentation.
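The example below is added here and is not the loop script the FAQ refers to. It takes the output of `az aks list -o json`, applies the tier requirement above (only Standard and Premium clusters qualify), skips clusters where cost analysis is already enabled, and emits the `az aks update` command from the FAQ for each remaining cluster. The `sku.tier` and `metricsProfile.costAnalysis.enabled` fields are assumed to match the CLI output; the three sample clusters are constructed.

```python
import json

# Constructed sample in the shape of `az aks list -o json` (assumed fields:
# name, resourceGroup, sku.tier, metricsProfile.costAnalysis.enabled).
SAMPLE_CLUSTERS = json.dumps([
    {"name": "prod-aks", "resourceGroup": "prod-rg",
     "sku": {"name": "Base", "tier": "Standard"},
     "metricsProfile": {"costAnalysis": {"enabled": False}}},
    {"name": "dev-aks", "resourceGroup": "prod-rg",
     "sku": {"name": "Base", "tier": "Free"},
     "metricsProfile": {"costAnalysis": {"enabled": False}}},
    {"name": "data-aks", "resourceGroup": "prod-rg",
     "sku": {"name": "Base", "tier": "Premium"},
     "metricsProfile": {"costAnalysis": {"enabled": True}}},
])

SUPPORTED_TIERS = {"standard", "premium"}  # Free tier is not supported


def plan_cost_analysis(aks_list_json):
    """Return (commands, skipped).

    commands: one `az aks update ... --enable-cost-analysis` per eligible cluster
    skipped:  (cluster, reason) for unsupported tiers and already-enabled clusters
    """
    commands, skipped = [], []
    for c in json.loads(aks_list_json):
        tier = ((c.get("sku") or {}).get("tier") or "").lower()
        enabled = bool(((c.get("metricsProfile") or {}).get("costAnalysis") or {}).get("enabled"))
        if tier not in SUPPORTED_TIERS:
            skipped.append((c["name"], f"tier '{tier or 'unknown'}' is not supported"))
        elif enabled:
            skipped.append((c["name"], "cost analysis already enabled"))
        else:
            commands.append(
                f"az aks update --resource-group {c['resourceGroup']} "
                f"--name {c['name']} --enable-cost-analysis"
            )
    return commands, skipped


if __name__ == "__main__":
    commands, skipped = plan_cost_analysis(SAMPLE_CLUSTERS)
    for cmd in commands:
        print(cmd)
    for name, reason in skipped:
        print(f"# skipped {name}: {reason}")
```

Printing the commands rather than executing them keeps the run reviewable; pipe the output to a shell once the plan looks right.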

## How are tags handled?

We rely on Azure's **Tag Inheritance** to ensure costs are properly attributed. You should **enable Tag Inheritance** at the Billing Account or Subscription level so that resource group tags automatically flow down to the child resources and usage records.

## How do we rotate credentials for the App Registration?

1. Generate a new Client Secret in the `onelens-sa` App Registration.
2. Share the new Client Secret ID and Value with the OneLens integration team over a secure encrypted channel like email.
3. Delete the old secret `onelens-secret` from Azure.

Our team will reach out to you for routine secret rotation as well as in the event of a secret exposure.
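To track the 90-day rotation policy mentioned earlier and confirm that step 3 (deleting the old secret) was carried out, the added check below (not OneLens code) reads the output of `az ad app credential list --id <appId> -o json`, which lists secret metadata but never secret values. Each secret is classified as `ok`, `rotate` (older than 90 days) or `expired`, and any old secret still present after a fresh one has been created is reported as a leftover. The `keyId`, `displayName`, `startDateTime` and `endDateTime` fields are assumed to match the CLI output; the sample credentials and the fixed evaluation date are constructed.

```python
import json
from datetime import datetime, timezone

ROTATION_DAYS = 90  # rotation interval stated in the FAQ

# Constructed sample in the shape of `az ad app credential list --id <appId> -o json`
# (assumed fields: keyId, displayName, startDateTime, endDateTime).
SAMPLE_CREDENTIALS = json.dumps([
    {"keyId": "11111111-1111-1111-1111-111111111111", "displayName": "onelens-secret",
     "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2025-01-01T00:00:00Z"},
    {"keyId": "22222222-2222-2222-2222-222222222222", "displayName": "onelens-secret-2024-05",
     "startDateTime": "2024-05-20T00:00:00Z", "endDateTime": "2025-05-20T00:00:00Z"},
    {"keyId": "33333333-3333-3333-3333-333333333333", "displayName": "legacy",
     "startDateTime": "2023-01-01T00:00:00Z", "endDateTime": "2024-03-01T00:00:00Z"},
])

# Constructed evaluation date so the sample gives reproducible results
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _parse(ts):
    # Graph timestamps end in "Z"; make them explicit UTC for fromisoformat
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def rotation_status(credentials_json, now=None):
    """Classify each secret as ok / rotate / expired relative to `now` (UTC)."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for c in json.loads(credentials_json):
        start, end = _parse(c["startDateTime"]), _parse(c["endDateTime"])
        age = (now - start).days
        if now >= end:
            status = "expired"
        elif age >= ROTATION_DAYS:
            status = "rotate"
        else:
            status = "ok"
        report[c["keyId"]] = {"name": c.get("displayName"), "age_days": age, "status": status}
    return report


def leftovers_after_rotation(report):
    """Once a fresh secret exists (status ok), every older secret should have been
    deleted in step 3 of the procedure; return the keyIds that are still present."""
    if not any(r["status"] == "ok" for r in report.values()):
        return []
    return [key_id for key_id, r in report.items() if r["status"] != "ok"]


if __name__ == "__main__":
    report = rotation_status(SAMPLE_CREDENTIALS, SAMPLE_NOW)
    for key_id, r in report.items():
        print(f"{r['status']:8} {r['name']} ({r['age_days']} days old) keyId={key_id}")
    for key_id in leftovers_after_rotation(report):
        print(f"delete leftover secret: az ad app credential delete --id <appId> --key-id {key_id}")
```

The `<appId>` in the printed delete command is a placeholder for your App Registration's application ID.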

## What is the cost incurred for this setup?

The analysis below provides approximate costs for the setup in the **South India** region.

<table data-full-width="false"><thead><tr><th>Component</th><th width="150">$5K/month spend</th><th width="159">$50K/month spend</th><th width="169.5">$500K/month spend</th><th width="158">$5M/month spend</th></tr></thead><tbody><tr><td>Storage</td><td>~$0.01</td><td>~$0.06</td><td>~$0.65</td><td>~$6.50</td></tr><tr><td>Write Operations</td><td>~$0.01</td><td>~$0.05</td><td>~$0.50</td><td>~$5.00</td></tr><tr><td>Read Operations</td><td>~$0.01</td><td>~$0.01</td><td>~$0.10</td><td>~$1.00</td></tr><tr><td>Cost Management Export</td><td>Free</td><td>Free</td><td>Free</td><td>Free</td></tr><tr><td>Total cost per month</td><td><strong>~$0.03</strong></td><td><strong>~$0.12</strong></td><td><strong>~$1.25</strong></td><td><strong>~$12.50</strong></td></tr></tbody></table>

Rates and references:

<table data-full-width="false"><thead><tr><th>Metric</th><th width="260">South India Region Rate (in USD)</th><th width="195">Reference</th></tr></thead><tbody><tr><td>Standard Hot LRS Capacity</td><td>$0.019 per GB/month</td><td><a href="https://azure.microsoft.com/pricing/details/storage/blobs/">Azure Blob pricing</a></td></tr><tr><td>Write Operations</td><td>$0.05 per 10,000</td><td><a href="https://azure.microsoft.com/pricing/details/storage/blobs/">Azure Blob pricing</a></td></tr><tr><td>Read Operations</td><td>$0.004 per 10,000</td><td><a href="https://azure.microsoft.com/pricing/details/storage/blobs/">Azure Blob pricing</a></td></tr><tr><td>Cost Management Export</td><td>$0.00 (Free service)</td><td><a href="https://azure.microsoft.com/en-us/pricing/details/cost-management/">Cost Management pricing</a></td></tr><tr><td>Intra-region transfer</td><td>$0.00</td><td>Free, since regions are South India.</td></tr></tbody></table>
