Connect a Provider

Connecting a cloud provider is the single most important setup action — it unlocks Discovery, FinOps, Provisioning, Automation, and Monitoring across all three providers.

Reply CMP connects via read-only API calls using a dedicated service principal (Azure), IAM user (AWS), or service account (GCP). No changes are made to your existing infrastructure.

Note

Read-only vs read-write — By default, Reply CMP only requires read-only permissions. You only need write permissions if you plan to use Automation (start/stop VMs, enforce tags). The connection wizard lets you choose the permission level.


Before you start

Open Tenant → Connections → Add Connection and select your provider. You will need the credentials created in the steps below.


Provider setup

Azure

Prerequisites

  • Azure Portal access (Global Administrator or Application Administrator)

  • Your Subscription ID

Steps

  1. Go to Azure Portal → Azure Active Directory → App registrations → New registration

  2. Name: e.g. reply-cmp-readonly; Supported account types: This directory only; no redirect URI

  3. Record: Application (client) ID and Directory (tenant) ID

  4. Go to Certificates & secrets → New client secret → set expiry → copy the secret value immediately (shown only once)

  5. Go to Subscriptions → {your subscription} → Access control (IAM) → Add role assignment

    • For read-only: assign the Reader role to the app registration

    • For read-write (Automation): assign Contributor instead

  6. Enter all values in Reply CMP

Required fields in Reply CMP

| Field | Where to find it |
| --- | --- |
| Connection name | Your choice |
| App ID | Application (client) ID from step 3 |
| Subscription ID | From the Subscriptions blade |
| Tenant ID | Directory (tenant) ID from step 3 |
| Client Secret | Value from step 4 |
| Permission level | ReadOnly / ReadWrite |

Common errors

| Error code | Cause | Fix |
| --- | --- | --- |
| AADSTS7000222 | Client secret expired or invalid | Rotate the secret in Azure AD and update the connection |
| invalid_client | Wrong App ID or Tenant ID | Check that the values exactly match the app registration |
| AADSTS65001 | IAM role not assigned | Assign the Reader role on the subscription to the app registration |

AWS

Prerequisites

  • AWS Console access (administrator)

  • Your Account ID (12-digit number, visible in the top-right of the AWS Console)

Steps

  1. Go to IAM → Users → Create user → name e.g. reply-cmp-readonly

  2. Attach policies:

    • For read-only: ReadOnlyAccess + AWSResourceExplorer2FullAccess (needed for Discovery)

    • For read-write (Automation): PowerUserAccess + AWSResourceExplorer2FullAccess

  3. Open Security credentials → Create access key → Application running outside AWS → copy Access Key ID and Secret Access Key

  4. Enter all values in Reply CMP

Required fields in Reply CMP

| Field | Where to find it |
| --- | --- |
| Connection name | Your choice |
| Account ID | 12-digit account number |
| Access Key ID | From step 3 |
| Secret Access Key | From step 3 |
| Default Region | e.g. eu-west-1 |
| Permission level | ReadOnly / ReadWrite |

Common errors

| Error code | Cause | Fix |
| --- | --- | --- |
| InvalidAccessKeyId | Key ID does not exist or has been deleted | Recreate access key in IAM |
| SignatureDoesNotMatch | Secret Access Key is incorrect | Check for copy-paste errors; recreate the key |
| UnrecognizedClientException | Key is in a different account | Confirm Account ID matches the IAM user |
| AccessDenied | Missing required policy | Ensure ReadOnlyAccess and AWSResourceExplorer2FullAccess are attached |

GCP

Prerequisites

  • GCP Console access (Project Owner or IAM Admin)

  • BigQuery billing export configured (needed for cost data; see the GCP documentation)

Steps

  1. Go to IAM & Admin → Service Accounts → Create service account → name e.g. reply-cmp-viewer

  2. Grant roles:

    • roles/viewer

    • roles/cloudasset.viewer

    • roles/bigquery.dataViewer

  3. Enable APIs: Cloud Asset Inventory API and Cloud Resource Manager API

  4. Open Keys → Add key → JSON → download the key file

  5. Note your Project ID and BigQuery billing configuration (dataset name, table name)

  6. Enter all values in Reply CMP — upload the JSON key file when prompted

Required fields in Reply CMP

| Field | Where to find it |
| --- | --- |
| Connection name | Your choice |
| Project ID | Shown in the GCP Console header |
| Billing Dataset | BigQuery export dataset name |
| Billing Table | BigQuery export table name |
| Billing Project ID | (Optional) defaults to Project ID |
| JSON Key File | Downloaded in step 4 |
| Permission level | ReadOnly / ReadWrite |

Common errors

| Error code | Cause | Fix |
| --- | --- | --- |
| TokenResponseException | JSON key is invalid or corrupted | Re-download the key file from GCP Console |
| 403 Forbidden | Missing IAM role | Verify all three roles are granted to the service account |
| 404 Not Found | BigQuery dataset or table does not exist | Check dataset name and confirm billing export is enabled |
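The role assignments from the Azure, AWS and GCP steps above can be checked against what was actually granted before the credentials are entered. The following is an added example, not part of Reply CMP: it compares JSON exported from each provider's CLI with the role set the steps list for the chosen permission level. The sample exports, IDs and the service account address are constructed placeholders.

```python
# Role/policy sets taken from the setup steps above. The steps list no separate
# read-write role set for GCP, so that combination is deliberately absent.
EXPECTED = {
    ("azure", "ReadOnly"): {"Reader"},
    ("azure", "ReadWrite"): {"Contributor"},
    ("aws", "ReadOnly"): {"ReadOnlyAccess", "AWSResourceExplorer2FullAccess"},
    ("aws", "ReadWrite"): {"PowerUserAccess", "AWSResourceExplorer2FullAccess"},
    ("gcp", "ReadOnly"): {"roles/viewer", "roles/cloudasset.viewer",
                          "roles/bigquery.dataViewer"},
}

def granted(provider, export, principal=""):
    """Names of the roles or managed policies the identity holds in a CLI JSON export."""
    if provider == "azure":  # az role assignment list --assignee <app-id> --all
        return {a["roleDefinitionName"] for a in export}
    if provider == "aws":    # aws iam list-attached-user-policies --user-name <user>
        return {p["PolicyName"] for p in export["AttachedPolicies"]}
    if provider == "gcp":    # gcloud projects get-iam-policy <project> --format=json
        member = "serviceAccount:" + principal
        return {b["role"] for b in export.get("bindings", [])
                if member in b.get("members", [])}
    raise ValueError(f"unknown provider: {provider}")

def audit(provider, level, export, principal=""):
    """Compare granted roles with the set the steps call for at this permission level."""
    expected = EXPECTED.get((provider, level))
    if expected is None:
        raise ValueError(f"no role set listed for {provider}/{level}")
    have = granted(provider, export, principal)
    # missing -> the connection will hit AccessDenied / 403; excess -> over-privileged
    return {"missing": sorted(expected - have), "excess": sorted(have - expected)}

# Constructed sample exports (placeholder IDs, not real accounts).
AZURE = [{"roleDefinitionName": "Reader", "scope": "/subscriptions/SUB-ID"},
         {"roleDefinitionName": "Contributor", "scope": "/subscriptions/SUB-ID"}]
AWS = {"AttachedPolicies": [{"PolicyName": "ReadOnlyAccess",
                             "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}]}
SA = "reply-cmp-viewer@example-project.iam.gserviceaccount.com"
GCP = {"bindings": [
    {"role": "roles/viewer", "members": ["serviceAccount:" + SA]},
    {"role": "roles/cloudasset.viewer", "members": ["serviceAccount:" + SA]},
    {"role": "roles/bigquery.dataViewer", "members": ["serviceAccount:" + SA]},
    {"role": "roles/editor", "members": ["user:admin@example.com"]},
]}

if __name__ == "__main__":
    for name, args in [("azure", (AZURE,)), ("aws", (AWS,)), ("gcp", (GCP, SA))]:
        print(name, audit(name, "ReadOnly", *args))
```

The AWS export covers only managed policies attached directly to the user; inline and group-inherited policies need `aws iam list-user-policies` and `aws iam list-groups-for-user` as well. The GCP export shows project-level bindings only, not roles inherited from a folder or organization.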


What happens after connecting

Tip

After saving the connection, Reply CMP runs an initial discovery scan. This takes 1–10 minutes depending on provider and account size. Cost data takes up to 24 hours to appear on first sync — the billing export must accumulate at least one day of data.

Secrets are stored in Azure Key Vault, encrypted with AES-256. Secret values cannot be retrieved after saving — if you need to rotate credentials, update the connection with the new value.


Validating your connection

The connection wizard runs a live credential test before saving. If validation fails, the connection is not saved. Fix the credential issue shown and retry.


Managing connections

After connecting, go to Tenant → Connections to see:

| Column | Meaning |
| --- | --- |
| Last discovery | Timestamp of the most recent resource scan |
| Last cost refresh | Timestamp of the most recent billing data pull |
| Expiry chip | Red = expired; action needed |
| Actions | Manual Launch Discovery and Refresh Cost Data buttons |
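Credential expiry can also be tracked on the provider side, ahead of the red expiry chip or an AADSTS7000222 error. The following is an added example, not part of Reply CMP: it classifies Azure client secrets by their end date and goes beyond the page by also flagging old AWS access keys, which have no expiry of their own. The 30-day warning window, the 90-day maximum age and all sample values are assumptions made for the illustration.

```python
from datetime import datetime, timezone

def parse_utc(ts):
    """Parse the leading YYYY-MM-DDTHH:MM:SS of a CLI timestamp, assumed to be UTC."""
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def azure_secret_status(creds, now, warn_days=30):
    """Classify client secrets from `az ad app credential list --id <app-id>`."""
    out = {}
    for c in creds:
        days_left = (parse_utc(c["endDateTime"]) - now).days
        if days_left < 0:
            out[c["keyId"]] = "expired"      # connection fails until rotated
        elif days_left <= warn_days:
            out[c["keyId"]] = "expiring"     # rotate and update the connection
        else:
            out[c["keyId"]] = "ok"
    return out

def aws_key_status(keys, now, max_age_days=90):
    """Flag access keys from `aws iam list-access-keys --user-name <user>` by age."""
    out = {}
    for k in keys["AccessKeyMetadata"]:
        if k["Status"] != "Active":
            out[k["AccessKeyId"]] = "inactive"   # candidate for deletion
        elif (now - parse_utc(k["CreateDate"])).days > max_age_days:
            out[k["AccessKeyId"]] = "rotate"
        else:
            out[k["AccessKeyId"]] = "ok"
    return out

# Constructed sample data: fixed clock plus CLI-shaped records with placeholder IDs.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
AZ_CREDS = [
    {"keyId": "11111111-1111-1111-1111-111111111111", "endDateTime": "2024-12-01T00:00:00Z"},
    {"keyId": "22222222-2222-2222-2222-222222222222", "endDateTime": "2025-01-20T08:30:00.1234567Z"},
    {"keyId": "33333333-3333-3333-3333-333333333333", "endDateTime": "2025-12-31T00:00:00Z"},
]
AWS_KEYS = {"AccessKeyMetadata": [
    {"AccessKeyId": "AKIAEXAMPLEKEY000001", "Status": "Active", "CreateDate": "2024-06-01T09:00:00+00:00"},
    {"AccessKeyId": "AKIAEXAMPLEKEY000002", "Status": "Inactive", "CreateDate": "2023-01-01T00:00:00+00:00"},
    {"AccessKeyId": "AKIAEXAMPLEKEY000003", "Status": "Active", "CreateDate": "2024-12-15T00:00:00+00:00"},
]}

if __name__ == "__main__":
    print(azure_secret_status(AZ_CREDS, NOW))
    print(aws_key_status(AWS_KEYS, NOW))
```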


Next steps

Explore your inventory →

Review your first costs →