Getting Started

This guide takes you from first login to recoverable spend, one approved action, and the first savings receipt.

  • First value: 10 min
  • Primary role: Admin
  • Outcome: First receipt

Prerequisites

  • An active organization account and at least one Admin user.
  • Cloud credentials with read-only discovery permissions at minimum.
  • Network access from the TurboFinOps worker/runtime to provider APIs.
  • A defined ownership model for who approves savings actions.

Role Setup Plan

  • Admin: Initial setup, cloud connection, integrations, and approval policy.
  • FinOps: Savings prioritization, budgets, commitment decisions, and receipts.
  • Platform: Approves and executes safe remediation work.
  • Finance: Reviews verified savings, unit economics, and forecast variance.
  • Viewer: Read-only visibility into costs, actions, and receipts.

Step-by-step Setup

1. Complete organization onboarding

  • Sign in and create/join your organization.
  • Confirm organization context appears in the dashboard header and settings.
  • Invite core operators who can approve savings work, review risk context and validate receipts.

Validation: You can open dashboard pages without org re-creation prompts.

2. Register cloud connections

  • Open Connections and add AWS/Azure/GCP credentials.
  • Attach one or more scopes: account, subscription, or project.
  • Validate each scope is active and routable.

Validation: Connected scopes are listed and marked active.

3. Run the first savings scan

  • Open Scans and trigger a full inventory scan.
  • Wait for completion and inspect recoverable monthly spend.
  • Re-run the scan if provider rate-limit or temporary errors occurred.

Validation: The dashboard shows top savings actions with estimated monthly impact.

4. Approve one safe action

  • Review the highest-confidence action with a clear owner and rollback path.
  • Confirm conflict checks passed for IaC ownership, freeze windows and policy flags.
  • Approve the action or route it to the owning team.

Validation: An ActionRequest moves from pending to approved and then executing or succeeded.

5. Watch the receipt pipeline

  • Open Verified Savings after execution succeeds.
  • Confirm a baseline was captured for the affected resource.
  • Track the 7, 14 and 30 day verification checkpoints.

Validation: The receipt appears as pending, verified, regressed or inconclusive.

6. Add integrations after value is visible

  • Configure Slack or Teams for approvals and savings digests.
  • Connect Jira or ServiceNow only if your process requires tickets.
  • Add AI usage metering if OpenAI or Anthropic spend needs feature attribution.

Validation: Approvals, notifications and exports match your operating workflow.

Go-live Checklist

  • At least one active scan completed for each connected provider.
  • Top savings actions reviewed and assigned to owners.
  • At least one safe action approved and executed.
  • Savings receipt baseline captured for the executed action.
  • 7-day receipt checkpoint reviewed.
  • At least one integration channel validated for approvals or digests.

30-day rollout targets

  • Day 0: Connect first scope, run first scan, identify top 3 actions.
  • Day 1: Approve one low-risk action and verify execution logs.
  • Day 7: Review first receipt checkpoint and share proof with finance.
  • Day 14: Confirm trend direction and adjust owner routing rules.
  • Day 30: Finalize first full verification cycle and export proof pack.

Common onboarding blockers

No findings after scan

Most often caused by inactive scopes or missing provider permissions. Re-check scope activation and least-privilege policy JSON.

Too many low-impact actions

Tune filters for minimum monthly impact and prioritize by owner readiness and confidence.

Approval bottlenecks

Set default action owners and create a daily approval cadence in Slack/Teams.

Receipt remains inconclusive

Extend baseline/observation windows and validate provider billing data freshness.

IAM quick reference

Least-privilege policies for read-only discovery on each cloud provider. Copy-paste ready. For remediation modes, add explicit Allow statements per action type as listed in the Action Engine reference.

AWS

Read-only discovery setup

Create a cross-account IAM role that trusts our worker account and attach the read-only policy below. Discovery uses ReadOnlyAccess; remediation modes additionally require explicit Allow statements per action type.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TurboFinOpsDiscovery",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "rds:Describe*",
        "eks:List*", "eks:Describe*",
        "lambda:List*", "lambda:Get*",
        "ecs:List*", "ecs:Describe*",
        "ecr:Describe*",
        "elasticloadbalancing:Describe*",
        "cloudwatch:GetMetricStatistics",
        "ce:GetCostAndUsage",
        "pricing:GetProducts",
        "tag:GetResources"
      ],
      "Resource": "*"
    }
  ]
}
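
To confirm that the role attached for discovery still grants only what the policy above lists, the check below walks a policy document and reports every Allow grant that is not a read-only verb. It is an added example, not TurboFinOps code: the function name, the drifted sample policy and the Describe/List/Get prefix rule are assumptions made for illustration.

```python
import json

# Discovery policy copied from this page (embedded so the check runs offline).
PAGE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{
  "Sid": "TurboFinOpsDiscovery", "Effect": "Allow", "Resource": "*",
  "Action": ["ec2:Describe*", "rds:Describe*", "eks:List*", "eks:Describe*",
             "lambda:List*", "lambda:Get*", "ecs:List*", "ecs:Describe*",
             "ecr:Describe*", "elasticloadbalancing:Describe*",
             "cloudwatch:GetMetricStatistics", "ce:GetCostAndUsage",
             "pricing:GetProducts", "tag:GetResources"]}]}
""")

# Constructed sample: the same role after statements were added by hand.
DRIFTED_POLICY = {"Version": "2012-10-17", "Statement": [
    PAGE_POLICY["Statement"][0],
    {"Sid": "ConstructedDrift", "Effect": "Allow", "Resource": "*",
     "Action": ["ec2:StopInstances", "rds:*", "ec2:describeinstances"]},
    {"Sid": "ConstructedNotAction", "Effect": "Allow", "Resource": "*",
     "NotAction": "iam:*"},
]}

# Assumption: verbs with these prefixes count as read-only (a heuristic).
READ_ONLY_PREFIXES = ("describe", "list", "get")


def _as_list(value):
    # IAM accepts a single string/object or a list in these positions.
    return [value] if isinstance(value, (str, dict)) else list(value)


def audit_discovery_policy(policy):
    """Return (sid, action, reason) for every Allow grant beyond read-only."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt:
            findings.append((sid, "NotAction", "allows everything not listed"))
        for action in _as_list(stmt.get("Action", [])):
            _, sep, verb = action.partition(":")
            if not sep or verb == "*":
                findings.append((sid, action, "wildcard over all actions"))
            elif not verb.lower().startswith(READ_ONLY_PREFIXES):  # case-insensitive
                findings.append((sid, action, "not a read-only verb"))
    return findings


if __name__ == "__main__":
    for name, doc in (("page", PAGE_POLICY), ("drifted", DRIFTED_POLICY)):
        print(name, audit_discovery_policy(doc) or "read-only")
```

The prefix rule only separates reads from writes; some Get calls in services outside this policy return sensitive data, so review any newly added Get* or List* grant as well.
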

Azure

Read-only discovery setup

Create an Entra ID app registration, generate a client secret, and assign Reader at the subscription scope. For remediation, additionally assign Contributor on the resource groups TurboFinOps may act on.

# 1. Create app registration and capture its appId
#    (display names are not unique, so do not look the app up by name)
APP_ID=$(az ad app create --display-name "TurboFinOps Discovery" --query appId -o tsv)

# 2. Create service principal
az ad sp create --id "$APP_ID"

# 3. Assign Reader at subscription scope (discovery)
SUB_ID=$(az account show --query id -o tsv)
az role assignment create \
  --assignee "$APP_ID" \
  --role "Reader" \
  --scope "/subscriptions/$SUB_ID"

# 4. Generate client secret (paste into Connections > Azure)
#    The command prints the secret in plain text; keep it out of shell logs and tickets.
az ad app credential reset --id "$APP_ID" --years 2

GCP

Read-only discovery setup

Create a service account with the Viewer role at the project level and download a JSON key. Discovery uses Viewer; remediation requires Compute Admin or narrower roles depending on action type.

# 1. Create service account
gcloud iam service-accounts create turbofinops-discovery \
  --display-name="TurboFinOps Discovery"

# 2. Grant Viewer at project scope
PROJECT_ID=$(gcloud config get-value project)
SA_EMAIL="turbofinops-discovery@$PROJECT_ID.iam.gserviceaccount.com"
gcloud projects add-iam-policy-binding "$PROJECT_ID" \
  --member="serviceAccount:$SA_EMAIL" \
  --role="roles/viewer"

# 3. Generate JSON key (paste into Connections > GCP)
#    tfo-key.json holds a long-lived private key; delete the local copy after pasting it.
gcloud iam service-accounts keys create ./tfo-key.json \
  --iam-account="$SA_EMAIL"

What to expect at each milestone

A concrete picture of what shows up in TurboFinOps as you progress through the first month. Use this to set stakeholder expectations and to spot when something is off.

After first scan (~5 min)

  • Inventory populated: typical 50-500 resources per connected scope.
  • Findings split across FinOps, Security, Governance and Audit domains.
  • Estimated monthly savings appears on the Today dashboard.

Day 1 — First approval

  • Conflict guard runs IaC ownership, freeze window and policy checks before approval.
  • AuditLog entry created with actor, target resource, and approval mode.
  • ActionExecution row carries provider response and rollback payload.

Day 7 — First receipt checkpoint

  • Pre-action 30-day cost baseline visible on the receipt detail page.
  • Verified savings status: pending, verified, regressed or inconclusive.
  • Slack/Teams digest summarizes verified savings vs estimate.

Day 30 — Full verification cycle

  • Per-domain scores (FinOps, Security, Governance, Audit) trended over the period.
  • Forecast variance vs realized cost available on Costs board.
  • Evidence bundle exportable as CSV/JSON for finance review.