Billing Permissions for FinOps Data

Overview

The CloudAIPilot FinOps Engine does more than just show you your monthly bill. It autonomously analyzes your cloud footprint to detect orphaned disks, unattached elastic IPs, and oversized servers, proposing actionable waste-reduction recommendations via Approval Cards.

To perform this analysis, the platform requires specific billing read permissions.

Required Permissions by Provider

AWS

You must attach policies that allow the ce:GetCostAndUsage and ce:GetCostForecast actions.

*Note:* AWS Cost Explorer must be explicitly enabled in your AWS Billing Console before CloudAIPilot can ingest data.
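The following check is an added example, not CloudAIPilot's own code: it audits an IAM identity policy document to confirm it allows the two Cost Explorer actions named above and flags any Allow entry that grants more than those two. The sample policies and the names audit_policy, LEAST_PRIVILEGE and TOO_BROAD are constructed for illustration. The check looks only at Effect, Action and NotAction, and ignores Resource and Condition elements.

```python
import json
import re

# The two actions this page lists as required for AWS.
REQUIRED = ("ce:GetCostAndUsage", "ce:GetCostForecast")

def _listify(value):
    """IAM accepts a single string/object wherever a list is valid."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    """IAM action patterns are case-insensitive; '*' and '?' are wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def audit_policy(policy_json):
    """Return (missing, excess) for an IAM identity policy document.

    missing: required actions not allowed, or blocked by an explicit Deny.
    excess:  Allow entries that grant more than the required actions.
    """
    allow, deny, excess = [], [], []
    for stmt in _listify(json.loads(policy_json).get("Statement")):
        is_allow = stmt.get("Effect") == "Allow"
        (allow if is_allow else deny).extend(_listify(stmt.get("Action")))
        if is_allow and "NotAction" in stmt:
            excess.append("NotAction")  # allows everything not listed
    wanted = {a.lower() for a in REQUIRED}
    excess += [p for p in allow if p.lower() not in wanted]
    missing = [a for a in REQUIRED
               if not any(_matches(p, a) for p in allow)
               or any(_matches(p, a) for p in deny)]
    return missing, excess

# Constructed sample policies (not taken from CloudAIPilot or AWS docs).
LEAST_PRIVILEGE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "FinOpsBillingRead", "Effect": "Allow",
     "Action": list(REQUIRED), "Resource": "*"}]})
TOO_BROAD = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "ce:*", "Resource": "*"}})

if __name__ == "__main__":
    for name, doc in (("least-privilege", LEAST_PRIVILEGE), ("too-broad", TOO_BROAD)):
        missing, excess = audit_policy(doc)
        print(f"{name}: missing={missing} excess={excess}")
```

An empty result for both lists means the policy grants exactly the billing read access described here and nothing more.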

GCP

You must grant the Billing Account Viewer role to your Service Account.

*Note:* This must be applied at the Billing Account Level, not just the Project level.

Azure

The Service Principal requires the Billing Reader role at the Subscription or Management Group level.

DigitalOcean

DigitalOcean includes billing read access by default in the standard Personal Access Token (PAT). No extra steps are required.

Data Freshness & Sync

The FinOps engine runs asynchronous polling jobs to ingest data. Because cloud providers (like AWS) often delay final billing data by up to 24 hours, CloudAIPilot displays a Data Freshness timestamp in the dashboard so you know exactly when the last ingestion occurred.

