Read-only permission templates

CloudCostIQ reads billing evidence. It does not change infrastructure.

Use these examples to review the access boundary before connecting CloudCostIQ. AWS and Azure support recurring billing ingestion today. GCP supports uploaded billing evidence and controlled live access for recurring reviews.

AWS

Connect a read-only IAM role so each weekly cloud cost review uses real AWS Cost Explorer billing data. CloudCostIQ assumes the role only to read billing data; the normalized cost facts it produces are written on the CloudCostIQ side, not into your AWS account.

No write access
  • Read Cost Explorer and Billing data
  • Read Cost and Usage Report definitions
  • Read organization account metadata
  • No permissions to start, stop, resize, delete, or modify infrastructure

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudCostIQBillingReadOnly",
      "Effect": "Allow",
      "Action": [
        "ce:GetCostAndUsage",
        "ce:GetCostForecast",
        "ce:GetDimensionValues",
        "ce:GetReservationCoverage",
        "ce:GetReservationPurchaseRecommendation",
        "ce:GetReservationUtilization",
        "ce:GetSavingsPlansCoverage",
        "ce:GetSavingsPlansPurchaseRecommendation",
        "ce:GetSavingsPlansUtilization",
        "ce:GetTags",
        "cur:DescribeReportDefinitions",
        "organizations:DescribeAccount",
        "organizations:ListAccounts"
      ],
      "Resource": "*"
    }
  ]
}

Open step-by-step setup guide

Azure

Connect Azure Cost Management with a dedicated service principal so each weekly review can use recurring subscription spend, normalized cost facts, and repeat verification periods. Manual invoice, CSV, CSV.gz, and CSP workbook upload remains supported as the fastest fallback.

No write access
  • Cost Management Reader at subscription scope for live ActualCost queries
  • Reader at subscription scope only when resource metadata is needed to resolve ownership and service context
  • No Contributor, Owner, or write permissions
  • No permissions to modify resources or deployments

{
  "required_roles": [
    {
      "role": "Cost Management Reader",
      "scope": "/subscriptions/{subscriptionId}",
      "purpose": "Read Azure Cost Management ActualCost data for recurring reviews"
    },
    {
      "role": "Reader",
      "scope": "/subscriptions/{subscriptionId}",
      "purpose": "Optional resource metadata for owner and service context"
    }
  ],
  "credential_fields": [
    "tenantId",
    "subscriptionId",
    "clientId",
    "clientSecret"
  ],
  "explicitly_not_required": [
    "Owner",
    "Contributor",
    "User Access Administrator"
  ]
}

Open step-by-step setup guide

GCP

Use this baseline for future connected GCP billing export ingestion. Manual invoice PDF and BigQuery billing export CSV upload remains supported.

No write access
  • Billing Account Viewer for billing metadata
  • BigQuery Data Viewer on the billing export dataset
  • BigQuery Job User for query execution against the export
  • No Compute Admin, Editor, Owner, or resource write permissions

roles:
  billing_account:
    - roles/billing.viewer
  billing_export_dataset:
    - roles/bigquery.dataViewer
  billing_export_project:
    - roles/bigquery.jobUser
not_required:
  - roles/editor
  - roles/owner
  - roles/compute.admin

Trust boundary

CloudCostIQ does not request Owner, Contributor, Editor, Compute Admin, IAM mutation, deployment, or resource write permissions for standard billing ingestion. The product turns billing evidence into Accountability Review ownership, verification, and executive brief workflows.
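The three templates above and this trust-boundary statement can be checked mechanically before a role or service principal is created. The script below is an added example, not CloudCostIQ's own code: it embeds the AWS policy, the Azure role list and the GCP role list from this page as constructed input, treats only Get/List/Describe actions as read-only (wildcards such as "ce:*" are reported, since they could grant writes), lists statements that use a wildcard Resource so a reviewer can confirm they are intentional, and confirms that none of the roles the page marks as not required appear in what is granted. The read-only verb rule and the function names are this example's own assumptions.

```python
"""Verify that a billing-access template stays read-only (added example)."""
import json
import re

# Assumption of this example: an action is read-only when its verb starts
# with Get, List or Describe. Anything else, including "ce:*", is reported.
READ_ONLY_VERB = re.compile(r"^[a-z0-9-]+:(Get|List|Describe)[A-Za-z0-9]*$")

# Constructed input: the AWS policy shown on this page.
AWS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CloudCostIQBillingReadOnly",
        "Effect": "Allow",
        "Action": [
            "ce:GetCostAndUsage", "ce:GetCostForecast", "ce:GetDimensionValues",
            "ce:GetReservationCoverage", "ce:GetReservationPurchaseRecommendation",
            "ce:GetReservationUtilization", "ce:GetSavingsPlansCoverage",
            "ce:GetSavingsPlansPurchaseRecommendation", "ce:GetSavingsPlansUtilization",
            "ce:GetTags", "cur:DescribeReportDefinitions",
            "organizations:DescribeAccount", "organizations:ListAccounts",
        ],
        "Resource": "*",
    }],
}

# Constructed input: the Azure and GCP role lists from this page.
AZURE_ROLES = ["Cost Management Reader", "Reader"]
AZURE_DENIED = {"Owner", "Contributor", "User Access Administrator"}
GCP_ROLES = ["roles/billing.viewer", "roles/bigquery.dataViewer", "roles/bigquery.jobUser"]
GCP_DENIED = {"roles/editor", "roles/owner", "roles/compute.admin"}


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def aws_non_readonly_actions(policy):
    """Return every Allow action that is not a plain Get/List/Describe call."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if not READ_ONLY_VERB.match(action):
                findings.append(action)
    return findings


def aws_wildcard_resource_sids(policy):
    """Sids of Allow statements whose Resource is '*', for a reviewer to confirm."""
    return [
        stmt.get("Sid", "<no Sid>")
        for stmt in policy.get("Statement", [])
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", []))
    ]


def denied_roles_present(granted, denied):
    """Roles that are both granted and on the not-required list (should be empty)."""
    return sorted(set(granted) & set(denied))


def review_templates():
    """Apply the trust-boundary rule to all three templates on this page."""
    return {
        "aws_write_actions": aws_non_readonly_actions(AWS_POLICY),
        "aws_wildcard_resources": aws_wildcard_resource_sids(AWS_POLICY),
        "azure_denied_roles": denied_roles_present(AZURE_ROLES, AZURE_DENIED),
        "gcp_denied_roles": denied_roles_present(GCP_ROLES, GCP_DENIED),
    }


if __name__ == "__main__":
    print(json.dumps(review_templates(), indent=2))
```

Run it as a gate in the change process that creates the role: an empty aws_write_actions list and empty denied-role lists mean the template still matches the boundary described here, while the wildcard-resource list is a prompt for a human to confirm the scope rather than a failure on its own.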

View security model