Cloud Setup Overview
CLARITY connects to your cloud accounts using read-only credentials to pull cost data, resource inventories, performance metrics, and optimization recommendations. No write access is required, and no changes are made to your infrastructure.
What You Need
| Provider | Credential Type | Minimum Permissions | Setup Time |
|---|---|---|---|
| AWS | Access Key ID + Secret Access Key | ReadOnlyAccess + Billing Read | ~5 min |
| Azure | Service Principal (App Registration) | Reader + Cost Management Reader | ~10 min |
| GCP | Service Account Key (JSON) | Viewer + BigQuery Data Viewer + Billing Viewer | ~10 min |
Security
All credentials are encrypted at rest using AES-256-GCM, with keys derived from the instance's session secret and a random per-credential salt. Credentials are:
- Never transmitted to third parties or external services
- Never logged in plaintext — audit logs record credential operations without exposing secrets
- Decrypted only in memory at the moment they are needed to query your cloud provider
- Scoped to your user session — other users in the same CLARITY instance cannot access your credentials
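To make the scheme above concrete, here is an added sketch of salted, per-credential AES-256-GCM encryption; it is not CLARITY's code. The scrypt key derivation, the `salt || iv || tag || ciphertext` record layout, the owner context bound as associated data, and all function names are assumptions for illustration.

```javascript
// Added example, not CLARITY's implementation. The page states only AES-256-GCM,
// a random per-credential salt and the instance's session secret; the KDF (scrypt),
// record layout, AAD context and every name below are assumptions.
const crypto = require('node:crypto');

const SALT_LEN = 16; // random, unique per credential
const IV_LEN = 12;   // 96-bit nonce, the recommended size for GCM
const TAG_LEN = 16;  // full-length GCM authentication tag

// Derive a 256-bit key for one credential from the instance secret and its salt.
function deriveKey(sessionSecret, salt) {
  return crypto.scryptSync(sessionSecret, salt, 32);
}

// Encrypt one credential. `context` (hypothetical: owner and provider) is bound as
// associated data, so a record copied onto another user's row fails authentication.
function sealCredential(sessionSecret, context, plaintext) {
  const salt = crypto.randomBytes(SALT_LEN);
  const iv = crypto.randomBytes(IV_LEN);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(sessionSecret, salt), iv);
  cipher.setAAD(Buffer.from(context, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  // Stored record: salt || iv || tag || ciphertext
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Decrypt in memory only; throws if the secret, the context or any stored byte is wrong.
function openCredential(sessionSecret, context, record) {
  const buf = Buffer.from(record, 'base64');
  if (buf.length < SALT_LEN + IV_LEN + TAG_LEN) throw new Error('record too short');
  const salt = buf.subarray(0, SALT_LEN);
  const iv = buf.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = buf.subarray(SALT_LEN + IV_LEN, SALT_LEN + IV_LEN + TAG_LEN);
  const ct = buf.subarray(SALT_LEN + IV_LEN + TAG_LEN);
  const key = deriveKey(sessionSecret, salt);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_LEN });
  decipher.setAAD(Buffer.from(context, 'utf8'));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}
```

In this sketch a record can only be opened with the same session secret that sealed it, so changing that secret without re-encrypting leaves stored records unreadable.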
Data Security
Your cloud credentials are encrypted at rest and decrypted only in memory when needed. Cost data and resource inventories are stored securely and never shared with third parties.
Provider Guides
Follow the detailed setup guide for each provider you want to connect:
- AWS Setup Guide — IAM user with read-only policies, CLI or CloudFormation
- Azure Setup Guide — Service Principal with Reader and Cost Management Reader roles
- Google Cloud Setup Guide — Service Account with Viewer, BigQuery, and Billing roles
What Happens After Setup
Once you add credentials, CLARITY immediately begins an initial sync:
- Resource Discovery — Inventories all supported resources (EC2, VMs, GCE instances, databases, containers, storage, etc.)
- Cost Data Pull — Retrieves service-level and resource-level billing data for the current and previous month
- Metrics Collection — Gathers CPU, memory, network, and storage utilization from CloudWatch, Azure Monitor, or Cloud Monitoring
- Optimization Analysis — Generates insights for idle, underutilized, and over-provisioned resources
- Commitment Scan — Checks for Reserved Instance, Savings Plan, and Committed Use Discount opportunities
The initial sync typically completes within 2-5 minutes. Subsequent syncs run automatically on a configurable schedule (default: every 12 hours).