Connect a cloud account

Ingest a real cloud estate so Costs, Hunters, Governance, and the Savings Register populate with your data. leancosts is read-only — connecting grants read access only; it never writes to or mutates your cloud.

All connectors live on Admin → Connections. Pick your cloud’s tab.

  1. Go to Admin → Connections → Azure.
  2. Add connection opens the connect wizard:
    • One-Click Connect (device-code OAuth), when available, provisions the service principal, secret, and role assignments, validates, and kicks off the first sync for you.
    • Manual credentials otherwise: open Setup guide for the exact steps — register an app, create a client secret, then assign Reader + Cost Management Reader at subscription scope (plus Reservations Reader at tenant scope if you want reservation/savings-plan utilization findings). Paste tenant/client/secret/subscription into the wizard.
  3. Hit Test, then save. The first healthy connection starts auto-discovery.

  1. Go to Admin → Connections → AWS.
  2. Run the provided copy-paste AWS CLI snippet in your Organizations payer account. It creates a read-only cross-account IAM role with an ExternalId.
  3. Paste the resulting role ARN + ExternalId back into leancosts and Test. (An access-key path exists as an eval escape hatch, but the cross-account role is the recommended posture.)
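
Before pasting the role ARN, you can audit the role's trust policy (the `AssumeRolePolicyDocument` returned by `aws iam get-role`) for the two properties the cross-account posture depends on: a specific trusted principal and an `sts:ExternalId` condition. This is an added example, not leancosts code or the CLI snippet the product provides; the account ID `111122223333` and the ExternalId value are constructed placeholders.

```python
# Added example: audit a cross-account role trust policy offline.
# Account ID and ExternalId are constructed placeholders, not leancosts values.

def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, trusted_account, external_id):
    """Return findings for the trust policy; an empty list means it passed."""
    findings = []
    allows = [s for s in _as_list(policy.get("Statement"))
              if s.get("Effect") == "Allow"
              and "sts:AssumeRole" in _as_list(s.get("Action"))]
    if not allows:
        return ["no Allow statement grants sts:AssumeRole"]
    for stmt in allows:
        principal = stmt.get("Principal")
        # Principal may be "*", or {"AWS": "<arn or account id>"} or a list.
        aws = principal.get("AWS") if isinstance(principal, dict) else None
        names = ["*"] if principal == "*" else _as_list(aws)
        for name in names or ["<none>"]:
            if not (name == trusted_account
                    or name.startswith(f"arn:aws:iam::{trusted_account}:")):
                findings.append(f"unexpected principal: {name}")
        # Condition key names are case-insensitive in IAM.
        equals = {k.lower(): v for k, v in
                  stmt.get("Condition", {}).get("StringEquals", {}).items()}
        seen = _as_list(equals.get("sts:externalid"))
        if not seen:
            findings.append("sts:ExternalId condition missing")
        elif seen != [external_id]:
            findings.append("sts:ExternalId does not match")
    return findings

# Constructed sample input.
GOOD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}
WEAK = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "*"}}]}

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("weak", WEAK)):
        print(label, audit_trust_policy(doc, "111122223333", "example-external-id"))
```

An empty result means the policy names only the expected account and pins the expected ExternalId; any finding is worth resolving before the role is handed to a third party.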

Go to Admin → Connections → GCP and follow the connector wizard. GCP hunters read the same canonical cost model as Azure/AWS; remediation ships as guided gcloud kits.

The moment a connection is healthy, auto-discovery ingests, with no “pick your subscriptions” prompt:

  1. Subscriptions / accounts the connector can see.
  2. Resources (Azure Resource Graph / AWS & GCP inventory APIs).
  3. Resource groups (derived counts).
  4. Tags — populated onto each resource; tag governance reads them directly.
  5. Cost data — daily granularity for the current month + 12 prior months.

Watch progress in the global sync banner (top of every page) and the per-row progress strip on the connection. You only ever opt subscriptions out (a toggle), never in.

  • Costs shows non-zero trend/daily data.
  • Coverage shows your real resources under each required tag.
  • The Savings Register starts surfacing optimization findings as hunters fan out.

  • Connection won’t validate — re-check the role assignments (Azure) or the ExternalId + trust policy (AWS). The Test button surfaces the failing call.
  • No cost rows after sync — Cost Management/CUR data lags; the resource and tag phases complete first, costs follow. Re-open the connection console to see the cost phase progress.