Connect a cloud provider and run your first scan

Set up trusted cloud connections and scopes so TurboFinOps can discover your inventory and generate findings. This guide covers AWS, Azure, and GCP.

Prerequisites

Before connecting a provider, ensure the following:

  • You have the Admin role in your TurboFinOps organization. Only Admins can create or modify cloud connections.
  • You have sufficient permissions in your cloud provider to create read-only IAM roles, service principals, or service accounts.
  • TurboFinOps requires read-only access to scan inventory. Write access is only needed if you plan to use automated actions (and is gated behind the action engine with conflict detection).

Connecting AWS

TurboFinOps uses an IAM user with programmatic access. We recommend a dedicated read-only IAM user per account.

Step 1 -- Create an IAM user

  1. In the AWS Console, navigate to IAM - Users - Create user.
  2. Give the user a name (e.g. TurboFinOps-readonly).
  3. Select "Programmatic access" to generate an Access Key ID and Secret Access Key.
  4. Attach the AWS-managed policy ReadOnlyAccess (or a custom policy -- see below).
  5. Save the Access Key ID and Secret Access Key -- you will need these in TurboFinOps.

Minimum required permissions

The following actions are called during a scan, one entry per queried service:

  • ec2:Describe*
  • rds:Describe*
  • eks:Describe*
  • lambda:List*
  • ecs:Describe*
  • ecr:Describe*
  • elasticloadbalancing:Describe*
  • pricing:GetProducts
  • cloudwatch:GetMetricStatistics

Using ReadOnlyAccess is the simplest approach for initial setup. Narrow permissions are recommended for production.
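The narrowed policy recommended for production, as an added Python example that is not TurboFinOps' own code: it assembles the actions listed above into a custom IAM policy document and refuses any action whose verb is not a Describe/List/Get read, so an edited list cannot silently grant write access. The `Sid` value and the read-only verb prefixes are assumptions; the action list is the one from this guide.

```python
import json

# The read-only actions this guide lists, one wildcard or action per queried service.
TURBOFINOPS_SCAN_ACTIONS = [
    "ec2:Describe*",
    "rds:Describe*",
    "eks:Describe*",
    "lambda:List*",
    "ecs:Describe*",
    "ecr:Describe*",
    "elasticloadbalancing:Describe*",
    "pricing:GetProducts",
    "cloudwatch:GetMetricStatistics",
]

# Verbs that only read state (assumed list). Anything else (Create*, Put*, Delete*, ...) is rejected.
READ_ONLY_VERB_PREFIXES = ("Describe", "List", "Get")


def is_read_only(action: str) -> bool:
    """True if an IAM action string such as 'ec2:Describe*' can only read state."""
    service, _, verb = action.partition(":")
    if not service or not verb or service == "*":
        return False  # reject a bare '*' and malformed entries; 'svc:*' fails the prefix test
    return verb.startswith(READ_ONLY_VERB_PREFIXES)


def build_scan_policy(actions=TURBOFINOPS_SCAN_ACTIONS) -> dict:
    """Build the custom policy document for the TurboFinOps-readonly IAM user.

    Raises ValueError if any action could modify resources, so an edited list
    cannot silently widen the scan user beyond read access.
    """
    bad = [a for a in actions if not is_read_only(a)]
    if bad:
        raise ValueError(f"non read-only actions in scan policy: {bad}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "TurboFinOpsReadOnlyScan",  # hypothetical statement id
            "Effect": "Allow",
            "Action": sorted(actions),
            "Resource": "*",  # most Describe*/List* calls do not support resource-level scoping
        }],
    }


if __name__ == "__main__":
    # Paste this output as the custom policy in step 4 of "Create an IAM user".
    print(json.dumps(build_scan_policy(), indent=2))
```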

Step 2 -- Add the connection in TurboFinOps

  1. Go to Dashboard - Connections - New Connection - AWS.
  2. Enter the Access Key ID and Secret Access Key.
  3. Select the default region (used for pricing API calls).
  4. Save the connection -- TurboFinOps will validate credentials immediately.

Connecting Azure

TurboFinOps uses an Azure App Registration (service principal) with a client secret. This is the recommended approach for service-to-service authentication.

Step 1 -- Create an App Registration

  1. In the Azure Portal, go to Microsoft Entra ID - App registrations - New registration.
  2. Name it (e.g. TurboFinOps-readonly) and register.
  3. Under Certificates & secrets, create a new Client secret. Copy the secret value immediately; it is shown only once.
  4. Note the Application (client) ID and Directory (tenant) ID from the Overview tab.
  5. Under API permissions, no Microsoft Graph permissions are required -- Azure Resource Manager permissions are sufficient.

Step 2 -- Assign Reader role to the service principal

  1. In Azure Portal, go to the subscription you want to scan.
  2. Go to Access control (IAM) - Add role assignment.
  3. Role: Reader. Assign to: your App Registration (search by name).
  4. Save. Repeat for each additional subscription.

Step 3 -- Add connection in TurboFinOps

  1. Go to Dashboard - Connections - New Connection - Azure.
  2. Enter Tenant ID, Client ID, and Client Secret.
  3. Save -- credentials are validated immediately.

Connecting GCP

TurboFinOps uses a GCP Service Account with a JSON key file. Create a dedicated service account per project for least-privilege access.

Step 1 -- Create a Service Account

  1. In Google Cloud Console, go to IAM & Admin - Service Accounts - Create Service Account.
  2. Name it (e.g. TurboFinOps-readonly) and click Create.
  3. Grant role: Viewer (roles/viewer) on the project.
  4. Click Done. Then click on the service account - Keys - Add Key - JSON.
  5. Download the JSON key file. You will paste its contents into TurboFinOps.

Step 2 -- Add connection in TurboFinOps

  1. Go to Dashboard - Connections - New Connection - GCP.
  2. Paste the contents of the JSON key file.
  3. Save -- credentials are validated immediately.

Adding Scopes

A Scope is a single discoverable unit: one AWS account, one Azure subscription, or one GCP project. A connection can have multiple scopes. Each scope is scanned independently.

  1. After saving a connection, click "Add Scope" on the connection detail page.
  2. For AWS: enter the Account ID. For Azure: enter the Subscription ID. For GCP: enter the Project ID.
  3. Optionally add a display name and tags for organizational clarity.
  4. Mark the scope as Active.
  5. Save the scope -- it will appear in the Connections list and be available for scan jobs.

Note

At least one active scope is required before running a scan. Scans without active scopes produce no findings.

Running Your First Scan

  1. Go to Dashboard - Scans.
  2. In Run New Scan, pick either a single cloud scope, or Whole cloud together with a provider (AWS, Azure, or GCP). The Whole cloud option queues one background job per active scope on that provider; each job counts toward your plan's scan quota.
  3. Optionally choose a Scan type (Full vs lighter passes) using the descriptions on that page. Scan types change which provider APIs are called; they are not a diff against your last scan.
  4. Jobs run asynchronously. Processing often takes 1-5 minutes per job depending on inventory size.
  5. Once complete, navigate to Dashboard - Resources to see discovered inventory.
  6. Navigate to Dashboard - Findings to see generated rule violations and recommendations.
  7. Check the domain scores on the main Dashboard -- they update after each completed scan.

Validation Checklist

  • Connection appears in Dashboard - Connections and status is not "failed".
  • At least one scope is marked Active.
  • Last scan job shows status "completed" in Dashboard - Scans.
  • Resource count in Dashboard - Resources is greater than zero.
  • At least some findings appear in Dashboard - Findings.
  • Domain scores on the main Dashboard have been updated (not all zeros).

Troubleshooting

Problem: Credential validation fails immediately after saving

Fix: Double-check the key values for typos. For AWS, ensure the IAM user has programmatic access enabled (not just console access). For Azure, confirm the client secret has not expired. For GCP, ensure the JSON key file content was pasted in full.
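A local pre-flight check for the three failure modes listed in this fix, as an added Python example that is not part of the TurboFinOps product: it inspects the pasted values for the format problems a typo, a console-only user, or a cut-off paste produces, before you save the connection. The format rules (20-character AKIA access key IDs and 40-character secrets for AWS, GUID tenant and client IDs for Azure, the required service-account JSON fields for GCP) are assumptions based on the providers' documented key formats; the sample values are constructed.

```python
import json
import re
import uuid

# Constructed sample inputs: a well-formed AWS pair and a GCP key cut off mid-paste.
SAMPLE_AWS = {"access_key_id": "AKIAEXAMPLE0000000XX", "secret_access_key": "x" * 40}
SAMPLE_GCP_TRUNCATED = '{"type": "service_account", "project_id": "demo", "private_key": "-----BEGIN PRI'

AWS_ACCESS_KEY_RE = re.compile(r"^AKIA[A-Z0-9]{16}$")    # 20-char long-term IAM user key (assumed format)
AWS_SECRET_KEY_RE = re.compile(r"^[A-Za-z0-9/+=]{40}$")
GCP_REQUIRED = ("type", "project_id", "private_key_id", "private_key", "client_email")


def _is_guid(value) -> bool:
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def preflight(provider: str, creds: dict) -> list:
    """Return the problems found in pasted credentials; an empty list means they look complete."""
    problems = []
    if provider == "aws":
        if not AWS_ACCESS_KEY_RE.match(creds.get("access_key_id", "")):
            problems.append("Access Key ID is not an AKIA... user key; the user may lack programmatic access")
        if not AWS_SECRET_KEY_RE.match(creds.get("secret_access_key", "")):
            problems.append("Secret Access Key is not 40 characters; likely truncated or padded with whitespace")
    elif provider == "azure":
        for name in ("tenant_id", "client_id"):
            if not _is_guid(creds.get(name, "")):
                problems.append(f"{name} is not a GUID")
        if not creds.get("client_secret", "").strip():
            problems.append("client_secret is empty; expiry cannot be checked here, rotate it in the portal if in doubt")
    elif provider == "gcp":
        try:
            key = json.loads(creds.get("key_json", ""))
        except json.JSONDecodeError as exc:
            return [f"JSON key file not pasted in full: {exc.msg} at char {exc.pos}"]
        problems += [f"missing field {f!r}" for f in GCP_REQUIRED if f not in key]
        if key.get("type") != "service_account":
            problems.append("type is not 'service_account'")
        pk = key.get("private_key", "")
        if not (pk.startswith("-----BEGIN PRIVATE KEY-----") and pk.rstrip().endswith("-----END PRIVATE KEY-----")):
            problems.append("private_key is not a complete PEM block")
    else:
        problems.append(f"unknown provider {provider!r}")
    return problems
```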

Problem: Scan completes but Resource count is zero

Fix: Confirm the scope external ID is correct (Account ID / Subscription ID / Project ID). Check that the cloud account actually contains resources in the scanned regions. Verify the IAM user, service principal, or service account has read access to the expected resource types.

Problem: No findings after a successful scan

Fix: This is expected if all resources are correctly configured. Not all environments have active violations. Review the Resources page to confirm inventory was collected, and check the FinOps and Security dashboards for score context.

Problem: Scan jobs stuck in "running" for more than 10 minutes

Fix: This may indicate a provider API rate limit or a network timeout. Re-trigger the scan from Dashboard - Scans. If the problem persists, contact support with the scan job ID.

Problem: Azure scan fails with "insufficient privileges"

Fix: Ensure the App Registration has the Reader role assigned at the subscription level (not just resource group level). Role assignments can take a few minutes to propagate in Azure.

Still stuck? See the Troubleshooting guide or contact support@turbofinops.com.