Read-only cloud cost optimizer

A read-only cloud cost optimizer your security team will actually approve.

Most FinOps tools ship long-lived service-account keys, hardcoded access keys, or write-scope IAM roles. Lumicost ships none of that. We use Workload Identity Federation on GCP, IAM Role + external-id (no static keys) on AWS, and App Registration with read scopes on Azure — every credential is short-lived, revocable from your console, and scoped to the specific data we need to compute savings. Zero persisted secrets, zero write paths into your environment.

- 0 keys: no persisted secrets stored on our side
- WIF: Workload Identity Federation on GCP
- Read-only: no mutation APIs, ever

InfoSec is the deal-killer for cost-optimization tools. CFO wants the savings; CISO won't sign because the vendor wants long-lived credentials with arbitrary scopes. Lumicost was built read-only-first: we connect through identity-federation patterns each cloud already trusts, with audited per-tenant external IDs and the smallest possible permission set. The same credentials power cost analysis, anomaly detection, Kubernetes allocation, migration scoring, and SOC 2 / HIPAA / ISO 27001 / FedRAMP evidence — so InfoSec reviews one connection, not ten.

How Lumicost delivers a read-only cloud cost optimizer

GCP — Workload Identity Federation, no service-account keys

We never accept downloadable JSON keys. You create a Workload Identity Pool + OIDC Provider in your project, attach the impersonated service account, and we federate via short-lived tokens. The full Terraform module is published. Required scopes: roles/viewer + roles/bigquery.dataViewer (for billing export). Revoke instantly by deleting the WIF binding.

AWS — IAM Role + external-id, no access keys

Standard IAM Role assumed via STS with a per-tenant external-id (defends against the confused-deputy class of attacks). The trust policy locks AssumeRole to Lumicost's account ID + your unique external-id. Required permissions: ce:Get*, cur:Describe*, ec2:Describe*, eks:Describe*, rds:Describe*, s3:Get*/List* (no Object access), cloudwatch:GetMetricData. Full IAM policy is published verbatim.

Azure — App Registration with read scopes, no client secrets stored

App Registration with delegated permissions to the Cost Management + Reservations + Resources APIs in read-only roles. The client secret is exchanged for short-lived bearer tokens — we don't persist it once federated. Compatible with conditional access policies and your tenant's PIM / approval workflows.

Read-only by construction, not by promise

We physically do not call mutation APIs. The codebase has no `eks:Update*`, no `ec2:Modify*`, no kubectl client, no Terraform apply. Recommendations are surfaced; execution stays in your IaC pipeline. Connection telemetry is logged on our side and exposable via SIEM export so your team sees every API call we make.

One-click revocation + per-connection scoping

Each cloud connection is independent and revocable from your own console — delete the WIF binding, the IAM role, or the App Registration and Lumicost loses access immediately. Multi-account / multi-project / multi-subscription are supported via separate connections so you can pilot with a single non-prod account before extending org-wide.

Frequently asked questions

Do you ever ask for long-lived service-account keys or static AWS access keys?

No. Static credentials are a hard 'no' in the Lumicost connection flow. On GCP you create a Workload Identity Federation pool and we federate to a service account via short-lived tokens. On AWS you create an IAM Role and we assume it via STS with a per-tenant external-id. On Azure you create an App Registration and we exchange the client secret for short-lived bearer tokens. We never see — and never store — a downloadable key file.

How can I be sure you can't write to my environment?

Two layers. (1) The IAM policies we ask you to attach are read-only by construction and we publish them verbatim — copy them into your console and you'll see no `Update`, `Modify`, `Delete`, `Put`, or `Create` actions. (2) Even if a permission accidentally allowed mutation, our codebase contains no SDK calls to mutation APIs. You can audit both surfaces independently.
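As an added example (not Lumicost's published policies or code), a small audit script that checks a role trust policy for the account lock plus external-id condition described in the AWS section, and scans a permission policy for any Allow action outside the Get/List/Describe families. The account ID, external-id value and both policy documents are constructed samples.

```python
"""Audit an AWS IAM trust policy and permission policy for the read-only,
external-id pattern described above. Sample documents are constructed."""
import json

# Constructed sample: cross-account trust policy with an external-id condition.
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "tenant-EXAMPLE-external-id"}}
  }]
}""")

# Constructed sample permission policy built from the action families listed above.
# Note: a wildcard such as s3:Get* would also match s3:GetObject, so explicit
# bucket-level actions are used here instead.
PERMISSION_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ce:Get*", "cur:Describe*", "ec2:Describe*", "eks:Describe*",
               "rds:Describe*", "s3:GetBucketLocation", "s3:ListBucket",
               "cloudwatch:GetMetricData"],
    "Resource": "*"
  }]
}""")

READ_ONLY_VERBS = ("Get", "List", "Describe")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def trust_policy_issues(policy, vendor_account, external_id=None):
    """Problems in a trust policy: each Allow sts:AssumeRole statement must name
    only the vendor account and carry a matching sts:ExternalId condition."""
    issues = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        principals = _as_list(st.get("Principal", {}).get("AWS", []))
        if not principals or any(vendor_account not in p for p in principals):
            issues.append("principal not restricted to vendor account")
        cond = st.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in cond:
            issues.append("missing sts:ExternalId condition")
        elif external_id is not None and cond["sts:ExternalId"] != external_id:
            issues.append("external-id mismatch")
    return issues

def mutation_actions(policy):
    """Allow actions that are wildcards or fall outside Get/List/Describe."""
    bad = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            verb = action.split(":", 1)[-1]  # strip the service prefix
            if action == "*" or verb == "*" or not verb.startswith(READ_ONLY_VERBS):
                bad.append(action)
    return bad
```

Run `mutation_actions` over the policy you are asked to attach and `trust_policy_issues` over the role's trust relationship before approving the connection.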

Can I revoke access in one click?

Yes — and it doesn't even require a Lumicost UI action. On GCP, delete the Workload Identity binding. On AWS, detach Lumicost's trust policy from the IAM Role (or delete the role). On Azure, disable the App Registration. Lumicost will lose access on the next token refresh, no support ticket required. We also expose 'Disconnect' actions in the Settings UI for convenience.

Does this same security model power compliance and migration features?

Yes. The exact same read-only credentials power cost analysis, anomaly detection, Kubernetes allocation, the cross-cloud migration analyzer, and SOC 2 / HIPAA / ISO 27001 / FedRAMP Low evidence collection. InfoSec reviews one connection model and gets the entire FinOps + compliance + migration scope — without writing 10 separate security review tickets.

Ready to start saving?

Connect read-only credentials, get your first insights in 24 hours.