Connect a cloud provider and run your first scan

Set up trusted cloud connections and scopes so TurboFinOps can discover inventory, estimate recoverable spend and prepare governed savings actions.

Prerequisites

Before connecting a provider, ensure the following:

  • You have the Admin role in your TurboFinOps organization. Only Admins can create or modify cloud connections.
  • You have sufficient permissions in your cloud provider to create read-only IAM roles, service principals, or service accounts.
  • TurboFinOps requires read-only access to scan inventory. Write access is only needed if you plan to use automated actions (and is gated behind the action engine with conflict detection).

Connecting AWS

TurboFinOps uses an IAM user with programmatic access. We recommend a dedicated read-only IAM user per account.

Step 1 -- Create an IAM user

  1. In the AWS Console, navigate to IAM - Users - Create user.
  2. Give the user a name (e.g. TurboFinOps-readonly).
  3. Select "Programmatic access" to generate an Access Key ID and Secret Access Key.
  4. Attach the AWS-managed policy ReadOnlyAccess (or a custom policy -- see below).
  5. Save the Access Key ID and Secret Access Key -- you will need these in TurboFinOps.

Minimum required permissions

The following services are queried during a scan:

  • ec2:Describe*
  • rds:Describe*
  • eks:Describe*
  • lambda:List*
  • ecs:Describe*
  • ecr:Describe*
  • elasticloadbalancing:Describe*
  • pricing:GetProducts
  • cloudwatch:GetMetricStatistics

Using ReadOnlyAccess is the simplest approach for initial setup. Narrow permissions are recommended for production.
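An added example, not TurboFinOps code: it builds a custom policy document from the actions listed above and flags any Allow grant in a candidate policy that goes beyond that list. The Sid values and the DRIFTED sample policy are constructed for illustration, and the check compares action names only (it does not evaluate Resource or Condition).

```python
import json

# Actions the page lists as queried during a scan.
SCAN_ACTIONS = [
    "ec2:Describe*", "rds:Describe*", "eks:Describe*", "lambda:List*",
    "ecs:Describe*", "ecr:Describe*", "elasticloadbalancing:Describe*",
    "pricing:GetProducts", "cloudwatch:GetMetricStatistics",
]

def build_scan_policy():
    """Policy document that allows only the scan actions (Sid is made up)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "TurboFinOpsScan", "Effect": "Allow",
        "Action": SCAN_ACTIONS, "Resource": "*"}]}

def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def _covered(action):
    """True if the action, wildcard or concrete, stays inside SCAN_ACTIONS."""
    a = action.lower()  # IAM action names are case-insensitive
    for allowed in (s.lower() for s in SCAN_ACTIONS):
        if a == allowed or (allowed.endswith("*") and a.startswith(allowed[:-1])):
            return True
    return False

def excess_grants(policy):
    """Return (sid, action) for every Allow grant beyond the scan list."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        if "NotAction" in stmt:  # Allow + NotAction grants everything else
            findings.append((sid, "NotAction"))
        findings += [(sid, a) for a in _as_list(stmt.get("Action"))
                     if not _covered(a)]
    return findings

# Constructed sample: a "read-only" policy that has drifted past the scan list.
DRIFTED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Scan", "Effect": "Allow", "Resource": "*",
     "Action": ["ec2:DescribeInstances", "lambda:ListFunctions",
                "s3:GetObject", "ec2:*"]},
    {"Sid": "Keys", "Effect": "Allow", "Resource": "*",
     "Action": "iam:CreateAccessKey"}]}

if __name__ == "__main__":
    print(json.dumps(build_scan_policy(), indent=2))
    for sid, action in excess_grants(DRIFTED):
        print(f"exceeds scan list: {sid}: {action}")
```

Running the same check against the policy actually attached to the scan user before saving the connection shows whether it still grants more than the scan needs.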

Step 2 -- Add the connection in TurboFinOps

  1. Go to Dashboard - Connections - New Connection - AWS.
  2. Enter the Access Key ID and Secret Access Key.
  3. Select the default region (used for pricing API calls).
  4. Save the connection -- TurboFinOps will validate credentials immediately.

Connecting Azure

TurboFinOps uses an Azure App Registration (service principal) with a client secret. This is the recommended approach for service-to-service authentication.

Step 1 -- Create an App Registration

  1. In the Azure Portal, go to Microsoft Entra ID - App registrations - New registration.
  2. Name it (e.g. TurboFinOps-readonly) and register.
  3. Under Certificates & secrets, create a new Client secret. Copy the secret value immediately.
  4. Note the Application (client) ID and Directory (tenant) ID from the Overview tab.
  5. Under API permissions, no Microsoft.Graph permissions are required -- Azure Resource Manager permissions are sufficient.

Step 2 -- Assign Reader role to the service principal

  1. In Azure Portal, go to the subscription you want to scan.
  2. Go to Access control (IAM) - Add role assignment.
  3. Role: Reader. Assign to: your App Registration (search by name).
  4. Save. Repeat for each additional subscription.

Step 3 -- Add connection in TurboFinOps

  1. Go to Dashboard - Connections - New Connection - Azure.
  2. Enter Tenant ID, Client ID, and Client Secret.
  3. Save -- credentials are validated immediately.

Connecting GCP

TurboFinOps uses a GCP Service Account with a JSON key file. Create a dedicated service account per project for least-privilege access.

Step 1 -- Create a Service Account

  1. In Google Cloud Console, go to IAM & Admin - Service Accounts - Create Service Account.
  2. Name it (e.g. TurboFinOps-readonly) and click Create.
  3. Grant role: Viewer (roles/viewer) on the project.
  4. Click Done. Then click on the service account - Keys - Add Key - JSON.
  5. Download the JSON key file. You will paste its contents into TurboFinOps.

Step 2 -- Add connection in TurboFinOps

  1. Go to Dashboard - Connections - New Connection - GCP.
  2. Paste the contents of the JSON key file.
  3. Save -- credentials are validated immediately.

Adding Scopes

A Scope is a single discoverable unit: one AWS account, one Azure subscription, or one GCP project. A connection can have multiple scopes. Each scope is scanned independently.

  1. After saving a connection, click "Add Scope" on the connection detail page.
  2. For AWS: enter the Account ID. For Azure: enter the Subscription ID. For GCP: enter the Project ID.
  3. Optionally add a display name and tags for organizational clarity.
  4. Mark the scope as Active.
  5. Save the scope -- it will appear in the Connections list and be available for scan jobs.

Note

At least one active scope is required before running a scan. Scans without active scopes produce no findings.

Running Your First Scan

  1. Go to Dashboard - Scans.
  2. In Run New Scan, pick either one cloud scope, or Whole cloud plus a provider (AWS, Azure, or GCP). Whole cloud queues one background job per active scope on that provider; each job counts toward your plan scan quota.
  3. Optionally choose a Scan type (Full vs lighter passes) using the descriptions on that page. The scan type changes which provider APIs run; it is not a diff against your last scan.
  4. Jobs run asynchronously. Processing often takes 1-5 minutes per job depending on inventory size.
  5. Once complete, open Dashboard - Today to review the highest-value savings actions.
  6. Open Dashboard - Savings to see the pipeline from detected waste to receipt verification.
  7. Use Dashboard - Resources only when you need raw inventory detail for a specific scope.

Validation Checklist

  • Connection appears in Dashboard - Connections and status is not "failed".
  • At least one scope is marked Active.
  • Last scan job shows status "completed" in Dashboard - Scans.
  • Resource count in Dashboard - Resources is greater than zero.
  • Dashboard - Today shows either savings actions, pending approvals, or a clear no-waste empty state.
  • Dashboard - Savings shows detected opportunities or receipt verification state.

Troubleshooting

Problem: Credential validation fails immediately after saving

Fix: Double-check the key values for typos. For AWS, ensure the IAM user has programmatic access enabled (not just console access). For Azure, confirm the client secret has not expired. For GCP, ensure the JSON key file content was pasted in full.

Problem: Scan completes but Resource count is zero

Fix: Confirm the scope external ID is correct (Account ID / Subscription ID / Project ID). Check that the cloud account actually contains resources in the scanned regions. Verify the IAM role/service principal has read access to the resource types expected.

Problem: No findings after a successful scan

Fix: This can be valid if resources pass the enabled rules. Review Resources to confirm inventory was collected, then check Today and Savings for recoverable-spend actions or no-waste empty states.

Problem: Scan jobs stuck in "running" for more than 10 minutes

Fix: This may indicate a provider API rate limit or a network timeout. Re-trigger the scan from Dashboard - Scans. If the problem persists, contact support with the scan job ID.

Problem: Azure scan fails with "insufficient privileges"

Fix: Ensure the App Registration has the Reader role assigned at the subscription level (not just resource group level). Role assignments can take a few minutes to propagate in Azure.

Still stuck? See the Troubleshooting guide or contact support@turbofinops.com.
