Connect a Provider#

Connecting a cloud provider is the single most important setup action — it unlocks Discovery, FinOps, Provisioning, Automation, and Monitoring across all three providers.

Reply CMP connects through the provider APIs using a dedicated service principal (Azure), IAM user (AWS), or service account (GCP). With the default read-only permission level it makes no changes to your existing infrastructure; only the optional read-write level (used by Automation) can modify resources.

Note

Read-only vs read-write — By default, Reply CMP only requires read-only permissions. You only need write permissions if you plan to use Automation (start/stop VMs, enforce tags). The connection wizard lets you choose the permission level.


Before you start#

Open Tenant → Connections → Add Connection and select your provider. You will need the credentials created in the steps below.


Provider setup#

Azure

Prerequisites

  • Azure Portal access (Global Administrator or Application Administrator)

  • Your Subscription ID

Steps

  1. Go to Azure Portal → Azure Active Directory → App registrations → New registration

  2. Name: e.g. reply-cmp-readonly; Supported account types: This directory only; no redirect URI

  3. Record: Application (client) ID and Directory (tenant) ID

  4. Go to Certificates & secrets → New client secret → set expiry → copy the secret value immediately (shown only once)

  5. Go to Subscriptions → {your subscription} → Access control (IAM) → Add role assignment

    • For read-only: assign the Reader role to the app registration

    • For read-write (Automation): assign Contributor instead. Contributor can modify every resource in the subscription; if Automation only needs to touch particular resource groups, make the Contributor assignment at resource-group scope and keep Reader on the subscription.

  6. Enter all values in Reply CMP

Required fields in Reply CMP (field: where to find it)

  • Connection name: your choice

  • App ID: Application (client) ID from step 3

  • Subscription ID: from the Subscriptions blade

  • Tenant ID: Directory (tenant) ID from step 3

  • Client Secret: the secret value copied in step 4

  • Permission level: ReadOnly or ReadWrite

Common errors (code: cause; fix)

  • AADSTS7000222: the client secret has expired or is invalid. Fix: create a new secret in Azure AD and update the connection with the new value.

  • invalid_client: the App ID or Tenant ID does not match the app registration, or the secret value is wrong. invalid_client is the generic OAuth error; the AADSTS code in error_description says which value is at fault. Fix: check that the values exactly match the app registration, and paste the secret value, not the secret ID.

  • AADSTS65001: Azure AD refused to issue a token because consent is missing for the permission the application requests. This is a consent error, not a role-assignment error: a missing Reader role still lets the token be issued, and the subsequent ARM call then fails with AuthorizationFailed (HTTP 403). Fix: grant admin consent to the app registration's API permissions, and assign the Reader role on the subscription to the app registration.

Note

Monitoring queries — The Reader role is sufficient for all Azure Monitoring queries (Metrics, Alerts Management). For Log Analytics (KQL) queries, Reader also works when the workspace uses resource-centric access mode (the default for workspaces created after March 2019). If a workspace is configured to require workspace permissions (workspace-centric mode), additionally assign the Log Analytics Reader role to the app registration on that specific workspace.
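The steps above can be checked end to end before anything is typed into the wizard: request a client-credentials token for the app registration, then make one read-only ARM call with it. The script below is an added example, not Reply CMP code; it uses only the Python standard library, reads the four values from environment variables whose names (AZ_TENANT_ID and so on) are this example's own choice, and maps the token and ARM error codes it sees to the fixes in the table above (the hint text is the example's, not the product's).

```python
"""Added pre-flight check for an Azure connection (not Reply CMP code): request a
client-credentials token for the app registration and make one read-only ARM call
with it, so an expired secret, a wrong ID or a missing Reader role is diagnosed
before the values are entered in the wizard. Standard library only."""
import json
import os
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

ARM = "https://management.azure.com"

# Codes seen while wiring up a service principal, with the fix for each.
# AADSTS codes come from the token endpoint; AuthorizationFailed comes from ARM.
KNOWN = {
    "AADSTS7000222": "client secret expired: create a new secret and update the connection",
    "AADSTS7000215": "wrong secret value (the secret ID shown in the portal is not the value)",
    "AADSTS700016": "App ID not found in this tenant: check App ID and Tenant ID",
    "AADSTS90002": "tenant not found: check Tenant ID",
    "AuthorizationFailed": "token issued but no RBAC: assign Reader on the subscription",
}


def token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials POST for the v2.0 token endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{ARM}/.default",  # ARM token; RBAC is enforced by ARM, not here
    }
    return url, urllib.parse.urlencode(form).encode()


def aad_error_code(body):
    """AADSTS code from a token error body, else the generic OAuth error string."""
    try:
        err = json.loads(body)
    except json.JSONDecodeError:
        return "unparseable"
    m = re.search(r"AADSTS\d+", err.get("error_description", ""))
    return m.group(0) if m else err.get("error", "unknown")


def arm_error_code(body):
    """Error code from a failed ARM response, e.g. AuthorizationFailed."""
    try:
        return json.loads(body)["error"]["code"]
    except (json.JSONDecodeError, KeyError, TypeError):
        return "unknown"


def _http(url, data=None, headers=None):
    """Return (status, body); 4xx/5xx are returned, not raised, since the body carries the code."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def preflight(tenant_id, client_id, client_secret, subscription_id):
    """Get a token, then list resource groups read-only. Returns a diagnosis dict."""
    url, data = token_request(tenant_id, client_id, client_secret)
    status, body = _http(url, data, {"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200:
        code = aad_error_code(body)
        return {"ok": False, "stage": "token", "code": code,
                "hint": KNOWN.get(code, "see error_description")}
    token = json.loads(body)["access_token"]
    status, body = _http(
        f"{ARM}/subscriptions/{subscription_id}/resourcegroups?api-version=2021-04-01",
        headers={"Authorization": f"Bearer {token}"},
    )
    if status != 200:
        code = arm_error_code(body)
        return {"ok": False, "stage": "arm", "code": code,
                "hint": KNOWN.get(code, "see ARM error message")}
    return {"ok": True, "resource_groups": len(json.loads(body).get("value", []))}


if __name__ == "__main__":
    # Values come from the environment so the secret never lands in shell history.
    names = ("AZ_TENANT_ID", "AZ_CLIENT_ID", "AZ_CLIENT_SECRET", "AZ_SUBSCRIPTION_ID")
    values = [os.environ.get(n) for n in names]
    if not all(values):
        sys.exit("set " + ", ".join(names))
    print(json.dumps(preflight(*values), indent=2))
```

A stage of "token" points at the app registration or secret (steps 1 to 4); a stage of "arm" with AuthorizationFailed points at the role assignment (step 5). Export the four variables and run the script; a result with "ok": true means the same values will pass the wizard's live credential test.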

AWS

Prerequisites

  • AWS Console access (administrator)

  • Your Account ID (12-digit number, visible in the top-right of the AWS Console)

Steps

  1. Go to IAM → Users → Create user → name e.g. reply-cmp-readonly

  2. Attach policies:

    • For read-only: ReadOnlyAccess + AWSResourceExplorer2FullAccess (needed for Discovery)

    • For read-write (Automation): PowerUserAccess + AWSResourceExplorer2FullAccess. PowerUserAccess allows every action except IAM and Organizations administration, so keep this user dedicated to Reply CMP and rotate its access key on a schedule.

  3. Open Security credentials → Create access key → Application running outside AWS → copy Access Key ID and Secret Access Key (the secret is shown only once)

  4. Enter all values in Reply CMP

Required fields in Reply CMP (field: where to find it)

  • Connection name: your choice

  • Account ID: 12-digit account number

  • Access Key ID: from step 3

  • Secret Access Key: from step 3

  • Default Region: e.g. eu-west-1

  • Permission level: ReadOnly or ReadWrite

Common errors (code: cause; fix)

  • InvalidAccessKeyId: the key ID does not exist or has been deleted. Fix: create a new access key in IAM.

  • SignatureDoesNotMatch: the Secret Access Key is wrong. Fix: check for copy-paste errors (trailing whitespace is a common one); recreate the key if in doubt.

  • UnrecognizedClientException: the endpoint does not recognise the key, typically because it belongs to a different account. Fix: confirm the Account ID matches the account that owns the IAM user.

  • AccessDenied: a required policy is missing. Fix: ensure ReadOnlyAccess and AWSResourceExplorer2FullAccess are attached to the user.

Note

Monitoring queries — The ReadOnlyAccess policy includes all permissions needed for Monitoring query types: CloudWatch Metrics (cloudwatch:GetMetricData, cloudwatch:ListMetrics), CloudWatch Alarms (cloudwatch:DescribeAlarms), and CloudWatch Logs Insights (logs:StartQuery, logs:GetQueryResults, logs:StopQuery). No additional policies are required.

GCP

Prerequisites

  • GCP Console access (Project Owner or IAM Admin)

  • BigQuery billing export configured (needed for cost data — GCP documentation)

Steps

  1. Go to IAM & Admin → Service Accounts → Create service account → name e.g. reply-cmp-viewer

  2. Grant roles:

    • roles/viewer

    • roles/cloudasset.viewer

    • roles/bigquery.dataViewer (on the project or dataset that holds the billing export; if the export lives in a different project from the one you are connecting, grant it there)

  3. Enable APIs: Cloud Asset Inventory API and Cloud Resource Manager API

  4. Open Keys → Add key → JSON → download the key file

  5. Note your Project ID and BigQuery billing configuration (dataset name, table name)

  6. Enter all values in Reply CMP — upload the JSON key file when prompted

Required fields in Reply CMP (field: where to find it)

  • Connection name: your choice

  • Project ID: shown in the GCP Console header

  • Billing Dataset: BigQuery export dataset name

  • Billing Table: BigQuery export table name

  • Billing Project ID: optional, defaults to Project ID

  • JSON Key File: downloaded in step 4

  • Permission level: ReadOnly or ReadWrite

Common errors (code: cause; fix)

  • TokenResponseException: the JSON key is invalid or corrupted. Fix: re-download the key file from the GCP Console.

  • 403 Forbidden: an IAM role is missing, or one of the APIs from step 3 is not enabled in the project. Fix: verify all three roles are granted to the service account and both APIs are enabled.

  • 404 Not Found: the BigQuery dataset or table does not exist. Fix: check the dataset and table names (and the Billing Project ID if the export lives elsewhere) and confirm billing export is enabled.

Note

Monitoring queries — The roles/viewer role already includes all permissions in roles/monitoring.viewer (monitoring.timeSeries.list, monitoring.alertPolicies.list, and related read operations). No additional roles are required for Monitoring.
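Two of the GCP failures above (a corrupted key file, a mistyped billing export reference) can be caught without any API call. The script below is an added example, not Reply CMP code: it checks that the downloaded file really is a service-account key, that the key's project matches the Project ID you will enter, and that the dataset and table names look like a BigQuery billing export (standard and detailed export tables are named gcp_billing_export_v1_ or gcp_billing_export_resource_v1_ followed by the billing account ID with underscores). The embedded key file is a constructed sample with a redacted private key, and the regular expressions and finding texts are this example's own.

```python
"""Added pre-flight check for a GCP connection (not Reply CMP code): validate the
service-account key file and the BigQuery billing export reference locally,
before uploading them in the wizard. Standard library only."""
import json
import re

REQUIRED = ("type", "project_id", "private_key_id", "private_key", "client_email", "token_uri")
SA_EMAIL = re.compile(r"^[^@\s]+@([a-z][a-z0-9-]+)\.iam\.gserviceaccount\.com$")
# Billing export tables are named after the billing account ID
# (XXXXXX-XXXXXX-XXXXXX) with the dashes replaced by underscores.
EXPORT_TABLE = re.compile(r"^gcp_billing_export_(resource_)?v1_[0-9A-F]{6}_[0-9A-F]{6}_[0-9A-F]{6}$")
PEM = re.compile(r"^-----BEGIN PRIVATE KEY-----\n[\s\S]+\n-----END PRIVATE KEY-----\n?$")

# Constructed sample key file (not a real key; the private key is redacted).
SAMPLE_KEY = """{
  "type": "service_account",
  "project_id": "example-project",
  "private_key_id": "0123456789abcdef",
  "private_key": "-----BEGIN PRIVATE KEY-----\\nREDACTED_CONSTRUCTED_SAMPLE\\n-----END PRIVATE KEY-----\\n",
  "client_email": "reply-cmp-viewer@example-project.iam.gserviceaccount.com",
  "client_id": "1234567890",
  "token_uri": "https://oauth2.googleapis.com/token"
}"""


def check_key_file(text, project_id):
    """Findings about the JSON key as the wizard will see it; [] means it looks usable."""
    findings = []
    try:
        key = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"not valid JSON ({e.msg}); re-download the key, this is what TokenResponseException looks like"]
    missing = [k for k in REQUIRED if k not in key]
    if missing:
        return [f"missing fields {missing}; this is not a service-account key file"]
    if key["type"] != "service_account":
        findings.append(f"type is {key['type']!r}, expected 'service_account'")
    if not PEM.match(key["private_key"]):
        findings.append("private_key is not a PEM block; the file is truncated or was edited")
    m = SA_EMAIL.match(key["client_email"])
    if not m:
        findings.append(f"client_email {key['client_email']!r} is not a service-account address")
    elif m.group(1) != key["project_id"]:
        findings.append("client_email project and project_id disagree; the file is inconsistent")
    if key["project_id"] != project_id:
        # A service account from another project can be used, but the three roles
        # must then be granted in the project being connected, not in its home project.
        findings.append(f"key was issued in project {key['project_id']!r}; make sure the roles "
                        f"are granted in {project_id!r}, the project you are connecting")
    return findings


def check_billing_export(project_id, dataset, table, billing_project_id=None):
    """Fully-qualified table the connection will query, plus findings about it."""
    findings = []
    billing_project = billing_project_id or project_id
    if not re.fullmatch(r"[A-Za-z0-9_]+", dataset):
        findings.append("dataset name may contain only letters, digits and underscores")
    if not EXPORT_TABLE.match(table):
        findings.append("table name does not look like a billing export table "
                        "(gcp_billing_export_v1_<billing account id>); expect 404 Not Found")
    if billing_project != project_id:
        findings.append(f"export lives in {billing_project!r}: grant roles/bigquery.dataViewer "
                        "to the service account there as well")
    return {"table": f"{billing_project}.{dataset}.{table}", "findings": findings}


if __name__ == "__main__":
    print(check_key_file(SAMPLE_KEY, "example-project"))
    print(check_billing_export("example-project", "billing_export",
                               "gcp_billing_export_v1_012345_6789AB_CDEF01"))
```

Feed it the real key file with `check_key_file(open(path).read(), project_id)`; an empty findings list for both checks means the values are at least well-formed, after which the remaining failure modes are the IAM roles and the two APIs from steps 2 and 3, which the wizard's live test will surface.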


What happens after connecting#

Tip

After saving the connection, Reply CMP runs an initial discovery scan. This takes 1–10 minutes depending on provider and account size. Cost data takes up to 24 hours to appear on first sync — the billing export must accumulate at least one day of data.

Secrets are stored in Azure Key Vault, encrypted with AES-256. Secret values cannot be retrieved after saving — if you need to rotate credentials, update the connection with the new value.


Validating your connection#

The connection wizard runs a live credential test before saving. If validation fails, the connection is not saved. Fix the credential issue shown and retry.


Managing connections#

After connecting, go to Tenant → Connections to see:

  • Last discovery: timestamp of the most recent resource scan

  • Last cost refresh: timestamp of the most recent billing data pull

  • Expiry chip: red means the credential has expired and action is needed

  • Actions: manual Launch Discovery and Refresh Cost Data buttons


Next steps#

Explore your inventory →

Review your first costs →