Permissions Reference
Consolidated view of all cloud provider permissions required by DigiUsher
Overview
DigiUsher requires read-only access to cost, usage, resource, and metrics data across your cloud environments. This document consolidates all permissions required for each supported cloud provider.
No write access is requested unless optional features (such as EC2 scheduling or commitment purchases) are explicitly enabled.
Cross-Cloud Summary
| Cloud | Identity Type | Authentication | Access Level | Scope |
|---|---|---|---|---|
| AWS | Cross-account IAM Role | STS AssumeRole + ExternalId (temporary tokens) | Read-only | Per-account (root or linked) |
| GCP | Service Account | JSON key | Read-only (viewer roles) | Organization-wide or per-project |
| Azure | App Registration | Client secret | Read-only (Reader role) | Management Group (all subscriptions) |
| OCI | IAM User | API key pair (PEM + fingerprint) | Read-only | Tenancy-wide |
Amazon Web Services (AWS)
Access Summary
| Component | Details |
|---|---|
| Identity type | Cross-account IAM Role (no credentials stored in your account) |
| Authentication | STS AssumeRole with ExternalId — temporary session tokens only |
| Trust relationship | Cross-account IAM role trusting DigiUsher AWS account 058264546051 with ExternalId |
| Base permissions | Read-only across cost, compute, database, storage, networking, security, and organizational metadata |
| Optional permissions | EC2 start/stop, commitment purchases, tag management, automation (all disabled by default) |
| Data access | S3 bucket containing Cost and Usage Reports (CUR data only) |
| Scope | Single AWS account (root or linked) |
| Capability | What It Provides |
|---|---|
| Billing data | Cost analytics, chargeback/showback, budgeting, forecasting, anomaly detection |
| Resource inventory | Asset discovery, idle resource detection, tag-based cost allocation |
| Optimization recommendations | Rightsizing, commitment analysis (RI/SP), idle resource cleanup |
| Utilization metrics | CPU, memory, network, disk usage for rightsizing analysis |
DigiUsher cannot create, modify, or delete any of your AWS resources (unless optional write permissions are explicitly enabled).
Core Permissions (Read-Only)
The following IAM policy (DigiUsherCorePermissions) is attached as an inline policy to the DigiUsher IAM role:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DigiUsherCostAndBillingPermissions",
"Effect": "Allow",
"Action": [
"ce:Describe*",
"ce:Get*",
"cur:Describe*",
"cur:Get*",
"bcm-data-exports:ListExports",
"bcm-data-exports:GetExport",
"budgets:ViewBudget",
"savingsplans:DescribeSavingsPlans",
"savingsplans:DescribeSavingsPlansOfferings",
"savingsplans:DescribeSavingsPlansOfferingRates",
"invoicing:GetInvoicePDF",
"invoicing:GetInvoiceUnit",
"invoicing:GetInvoiceSummary",
"invoicing:ListInvoiceSummaries",
"invoicing:BatchGetInvoiceProfile",
"pricing:GetProducts"
],
"Resource": "*"
},
{
"Sid": "DigiUsherComputePermissions",
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"autoscaling:Describe*",
"application-autoscaling:Describe*",
"lambda:GetFunction",
"lambda:GetFunctionConfiguration",
"lambda:GetPolicy",
"lambda:GetProvisionedConcurrencyConfig",
"lambda:List*",
"ecs:Describe*",
"ecs:List*",
"eks:Describe*",
"eks:List*",
"elasticloadbalancing:Describe*",
"compute-optimizer:Get*",
"compute-optimizer:UpdateEnrollmentStatus"
],
"Resource": "*"
},
{
"Sid": "DigiUsherDatabasePermissions",
"Effect": "Allow",
"Action": [
"rds:DescribeDBInstances",
"rds:DescribeDBClusters",
"rds:DescribeReservedDBInstances",
"rds:DescribeReservedDBInstancesOfferings",
"rds:ListTagsForResource",
"dynamodb:Describe*",
"dynamodb:List*",
"elasticache:Describe*",
"elasticache:List*",
"es:Describe*",
"es:List*",
"redshift:Describe*",
"redshift:List*",
"docdb:Describe*",
"docdb:List*",
"neptune:Describe*",
"neptune:List*",
"timestream:DescribeEndpoints",
"timestream:DescribeDatabase",
"timestream:DescribeTable",
"timestream:ListDatabases",
"timestream:ListTables",
"dms:Describe*",
"dms:List*",
"memorydb:Describe*",
"memorydb:List*"
],
"Resource": "*"
},
{
"Sid": "DigiUsherStoragePermissions",
"Effect": "Allow",
"Action": [
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketTagging",
"s3:GetLifecycleConfiguration",
"s3:GetIntelligentTieringConfiguration",
"s3:ListAllMyBuckets",
"elasticfilesystem:Describe*",
"fsx:Describe*",
"glacier:Describe*",
"glacier:List*",
"ecr:Describe*",
"ecr:List*",
"ecr:GetLifecyclePolicy",
"backup:Describe*",
"backup:List*",
"backup:GetBackupPlan"
],
"Resource": "*"
},
{
"Sid": "DigiUsherNetworkingAndCDNPermissions",
"Effect": "Allow",
"Action": [
"cloudfront:GetDistributionConfig",
"cloudfront:ListDistributions",
"route53:List*",
"route53:GetHostedZone",
"apigateway:GET"
],
"Resource": "*"
},
{
"Sid": "DigiUsherDataAndAnalyticsPermissions",
"Effect": "Allow",
"Action": [
"glue:GetJobs",
"glue:GetCrawlers",
"glue:GetDatabases",
"glue:ListJobs",
"glue:ListCrawlers",
"elasticmapreduce:DescribeCluster",
"elasticmapreduce:DescribeInstanceGroups",
"elasticmapreduce:ListClusters",
"elasticmapreduce:ListInstances",
"elasticmapreduce:ListInstanceGroups",
"states:DescribeStateMachine",
"states:ListStateMachines",
"states:ListExecutions",
"athena:List*",
"athena:GetWorkGroup",
"kinesis:Describe*",
"kinesis:List*",
"kafka:Describe*",
"kafka:List*",
"quicksight:List*",
"quicksight:DescribeDashboard",
"quicksight:DescribeAccountSubscription",
"sagemaker:List*",
"sagemaker:DescribeEndpoint",
"sagemaker:DescribeNotebookInstance"
],
"Resource": "*"
},
{
"Sid": "DigiUsherMessagingPermissions",
"Effect": "Allow",
"Action": [
"sqs:List*",
"sqs:GetQueueAttributes",
"sns:List*",
"sns:GetTopicAttributes",
"ses:GetSendQuota",
"ses:ListIdentities",
"mq:Describe*",
"mq:List*",
"events:Describe*",
"events:List*"
],
"Resource": "*"
},
{
"Sid": "DigiUsherMonitoringAndLoggingPermissions",
"Effect": "Allow",
"Action": [
"cloudwatch:Get*",
"cloudwatch:List*",
"cloudtrail:Describe*",
"cloudtrail:GetTrailStatus",
"cloudtrail:List*",
"logs:DescribeLogGroups"
],
"Resource": "*"
},
{
"Sid": "DigiUsherSecurityAndCompliancePermissions",
"Effect": "Allow",
"Action": [
"iam:GetAccessKeyLastUsed",
"iam:GetLoginProfile",
"iam:ListAccessKeys",
"iam:ListUsers",
"sso:List*",
"sso:Describe*",
"identitystore:List*",
"identitystore:Describe*",
"kms:List*",
"kms:DescribeKey",
"secretsmanager:List*",
"secretsmanager:DescribeSecret",
"guardduty:List*",
"guardduty:GetDetector",
"securityhub:GetEnabledStandards",
"securityhub:DescribeHub",
"wafv2:List*",
"wafv2:GetWebACL",
"config:Describe*",
"config:GetDiscoveredResourceCounts"
],
"Resource": "*"
},
{
"Sid": "DigiUsherResourceExplorerPermissions",
"Effect": "Allow",
"Action": [
"resource-explorer-2:Get*",
"resource-explorer-2:List*",
"resource-explorer-2:BatchGetView",
"resource-explorer-2:Search"
],
"Resource": "*"
},
{
"Sid": "DigiUsherRAMPermissions",
"Effect": "Allow",
"Action": [
"ram:GetResourceShares",
"ram:ListResources",
"ram:ListPrincipals"
],
"Resource": "*"
},
{
"Sid": "DigiUsherOrganizationsAndTaggingPermissions",
"Effect": "Allow",
"Action": [
"organizations:DescribeAccount",
"organizations:DescribeOrganization",
"organizations:DescribeOrganizationalUnit",
"organizations:ListAccounts",
"organizations:ListAccountsForParent",
"organizations:ListChildren",
"organizations:ListOrganizationalUnitsForParent",
"organizations:ListParents",
"organizations:ListRoots",
"organizations:ListTagsForResource",
"tag:GetResources",
"tag:GetTagKeys",
"tag:GetTagValues",
"resourcegroups:GetGroup",
"resourcegroups:ListGroups",
"servicequotas:Get*",
"servicequotas:List*"
],
"Resource": "*"
},
{
"Sid": "DigiUsherSustainabilityPermissions",
"Effect": "Allow",
"Action": [
"sustainability:GetCarbonFootprintSummary"
],
"Resource": "*"
},
{
"Sid": "DigiUsherTrustedAdvisorPermissions",
"Effect": "Allow",
"Action": [
"trustedadvisor:Describe*",
"trustedadvisor:Get*",
"trustedadvisor:List*"
],
"Resource": "*"
},
{
"Sid": "DigiUsherMarketplacePermissions",
"Effect": "Allow",
"Action": [
"aws-marketplace:ListEntities"
],
"Resource": "*"
}
]
}
S3 CUR Access (Root/Payer Accounts Only)
An additional inline policy (DigiUsherS3CURAccess) grants read access to the S3 bucket containing Cost and Usage Reports:
Replace YOUR_BUCKET_NAME with your actual bucket name:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DigiUsherCURPermissions",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::YOUR_BUCKET_NAME",
"arn:aws:s3:::YOUR_BUCKET_NAME/*"
]
}
]
}
S3 Bucket Policy (Billing Services)
The S3 bucket hosting CUR data requires a bucket policy allowing AWS billing services to write reports:
Replace YOUR_BUCKET_NAME and YOUR_ACCOUNT_ID with your actual values:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowBillingServiceAccess",
"Effect": "Allow",
"Principal": {
"Service": [
"billingreports.amazonaws.com",
"bcm-data-exports.amazonaws.com"
]
},
"Action": [
"s3:GetBucketAcl",
"s3:GetBucketPolicy",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::YOUR_BUCKET_NAME",
"arn:aws:s3:::YOUR_BUCKET_NAME/*"
],
"Condition": {
"StringLike": {
"aws:SourceArn": [
"arn:aws:cur:us-east-1:YOUR_ACCOUNT_ID:definition/*",
"arn:aws:bcm-data-exports:us-east-1:YOUR_ACCOUNT_ID:export/*"
]
},
"StringEquals": {
"aws:SourceAccount": "YOUR_ACCOUNT_ID"
}
}
}
]
}
Optional Permissions
These permissions are disabled by default and can be added as separate inline policies on the DigiUsher IAM role if needed.
What DigiUsher CAN Access (Read-Only)
- Cost and usage data via S3 (CUR exports)
- Resource metadata (names, types, regions, tags) across compute, database, storage, networking, and security services
- Utilization metrics via CloudWatch
- Optimization recommendations via Compute Optimizer and Trusted Advisor
- Reserved Instance and Savings Plan information
- Organization, account, and OU hierarchy
The core policy includes compute-optimizer:UpdateEnrollmentStatus. This is a one-time, non-destructive enrollment that enables Compute Optimizer recommendations — it does not create, modify, or delete your resources. This permission can be omitted if desired; however, DigiUsher will not be able to provide Compute Optimizer-based rightsizing recommendations without it.
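A local audit of the trust relationship and core policy described above, added here as an example rather than DigiUsher's own tooling: it confirms that only DigiUsher's account can assume the role and only with an ExternalId, and lists every allowed action whose verb is not read-style. The policy documents are constructed samples, EXTERNAL_ID_PLACEHOLDER stands in for the real ExternalId, and the read-verb prefix list is an assumption.

```python
"""Audit a cross-account role of the kind this page describes: the trust
policy must admit only DigiUsher's account with an ExternalId, and the
inline policy should contain nothing but read-style actions. Added example,
not DigiUsher's code; both documents are constructed samples."""
DIGIUSHER_ACCOUNT = "058264546051"  # DigiUsher's AWS account, as stated on the page
READ_PREFIXES = ("describe", "get", "list", "view", "search", "batchget")  # assumption

# Constructed trust policy; EXTERNAL_ID_PLACEHOLDER stands in for the real value.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{DIGIUSHER_ACCOUNT}:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXTERNAL_ID_PLACEHOLDER"}},
}]}

# Constructed excerpt of the core permissions policy (same shape as the page's).
CORE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Compute", "Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "compute-optimizer:Get*",
                "compute-optimizer:UpdateEnrollmentStatus"]},
    {"Sid": "Cost", "Effect": "Allow", "Resource": "*",
     "Action": ["ce:Get*", "budgets:ViewBudget", "apigateway:GET"]},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_problems(doc, expected_account=DIGIUSHER_ACCOUNT):
    """Report AssumeRole grants to any principal other than the expected
    account, and grants that lack the sts:ExternalId condition."""
    problems = []
    for st in doc["Statement"]:
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        principal = st.get("Principal", {})
        if isinstance(principal, dict):  # a bare "*" principal is also possible
            principal = principal.get("AWS", [])
        for p in _as_list(principal):
            if expected_account not in str(p):
                problems.append(f"unexpected principal {p}")
        if not st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
            problems.append("missing sts:ExternalId condition")
    return problems


def non_read_actions(doc):
    """Report allowed actions whose verb is not read-style. On the page's own
    policy the only hit is compute-optimizer:UpdateEnrollmentStatus."""
    flagged = []
    for st in doc["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st["Action"]):
            verb = action.partition(":")[2].lower()  # "" for a bare "*"
            if verb == "*" or not verb.startswith(READ_PREFIXES):
                flagged.append(action)
    return flagged
```

To audit a live role, feed the documents returned by the IAM GetRole and GetRolePolicy APIs into the same two functions.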
What DigiUsher CANNOT Do
- Create, modify, or delete any AWS resources (unless optional write permissions are explicitly enabled)
- Access application data, databases, or storage contents (beyond CUR data)
- Modify IAM policies or permissions
- Read secrets, credentials, or encryption keys
- Access network traffic or logs content
- Make purchases or modify billing settings (unless optional commitment purchase permissions are enabled)
Google Cloud Platform (GCP)
Access Summary
| Component | Details |
|---|---|
| Identity | GCP Service Account (digiusher-finops) — no Console login, API-only |
| Authentication | JSON key (does not expire by default) |
| Access level | Read-only — all roles are viewer/reader roles |
| Scope | Organization-wide (recommended) or limited to specific projects |
| Billing | Billing Viewer on a single billing account |
| Data access | BigQuery billing export dataset only — no access to other datasets |
| Capability | What It Provides |
|---|---|
| Billing data | Cost analytics, chargeback/showback, budgeting, forecasting, anomaly detection |
| Resource inventory | Asset discovery, idle resource detection, tag-based cost allocation |
| Optimization recommendations | VM rightsizing, CUD/reservation analysis, idle resource cleanup |
| Utilization metrics | CPU, memory, network, disk usage for rightsizing analysis |
DigiUsher cannot create, modify, or delete any of your GCP resources.
Roles and APIs
Billing Account
| Role | Purpose |
|---|---|
| Billing Account Viewer | View billing data and cost information |
Organization
| Role | Purpose |
|---|---|
| Browser | Browse org/folder/project hierarchy |
| Tag Viewer | Read tags for chargeback/showback |
| Cloud Asset Viewer | Resource inventory across projects |
| Recommender Viewer | Cost optimization recommendations |
| Compute Viewer | View CUDs, reservations, and Compute resources |
| Cloud SQL Viewer | View Cloud SQL details and commitments |
| BigQuery Resource Viewer | View BigQuery resource metadata for recommendations |
| Monitoring Viewer | Read utilization metrics |
Project
| Role | Purpose |
|---|---|
| BigQuery Job User | Execute billing queries |
| BigQuery Read Session User | Efficient parallel data reads via Storage Read API |
| Service Usage Consumer | Required for Cloud Asset API calls |
BigQuery Dataset
| Role | Purpose |
|---|---|
| BigQuery Data Viewer | Read billing export data |
APIs
The following APIs must be enabled in the project hosting the service account:
- bigquery.googleapis.com
- cloudbilling.googleapis.com
- cloudresourcemanager.googleapis.com
- iam.googleapis.com
- cloudasset.googleapis.com
- recommender.googleapis.com
- compute.googleapis.com
- sqladmin.googleapis.com
- monitoring.googleapis.com
What DigiUsher CAN Access (Read-Only)
- Billing data and cost information via BigQuery
- Resource metadata (names, types, regions, labels, tags)
- Utilization metrics (CPU, memory, network, disk) via Cloud Monitoring
- Optimization recommendations from Google's Recommender API
- CUD and reservation information
- Organization, folder, and project hierarchy
What DigiUsher CANNOT Do
- Create, modify, or delete any GCP resources
- Access application data, databases, or storage contents
- Modify IAM policies or permissions
- Read secrets, credentials, or encryption keys
- Access network traffic or logs content
- Make purchases or modify billing settings
- Access BigQuery datasets other than the billing export dataset
Scope Controls
- Set target_project_ids (Terraform) to restrict access to specific projects instead of the entire organization
- BigQuery access is always scoped to the billing export dataset only, regardless of org-wide access
- Billing Viewer is scoped to a single billing account
Microsoft Azure
Access Summary
| Component | Details |
|---|---|
| Identity | Azure App Registration (DigiUsherApp) — service principal, no interactive login |
| Authentication | Client secret (recommended 24-month expiry) |
| Access level | Read-only — Reader role at Management Group level |
| Scope | All subscriptions under the root Management Group |
| Billing | FOCUS cost export from Billing Account scope |
| Data access | Storage Blob Data Reader on the cost export storage account only |
| Capability | What It Provides |
|---|---|
| Billing data | Cost analytics, chargeback/showback, budgeting, forecasting, anomaly detection |
| Resource inventory | Asset discovery, idle resource detection, tag-based cost allocation |
| Optimization recommendations | Reservation and Savings Plan analysis, idle resource cleanup |
| Utilization metrics | Resource usage for rightsizing analysis |
DigiUsher cannot create, modify, or delete any of your Azure resources.
Roles
| Scope | Role | Purpose |
|---|---|---|
| Management Group (root) | Reader | Read-only access to all subscriptions and resources |
| Storage Account | Storage Blob Data Reader | Read FOCUS cost export data |
| Tenant (optional) | Reservations Reader | View reservation details and utilization |
| Tenant (optional) | Savings Plan Reader | View savings plan details and utilization |
Resource Provider: Microsoft.CostManagementExports must be registered on the subscription hosting the storage account.
What DigiUsher CAN Access (Read-Only)
- Cost and usage data via FOCUS exports in Azure Storage
- Resource metadata (names, types, regions, tags) via Reader role
- Reservation and Savings Plan information (if optional access granted)
- Management Group, subscription, and resource group hierarchy
What DigiUsher CANNOT Do
- Create, modify, or delete any Azure resources
- Access application data, databases, or storage contents (beyond cost exports)
- Modify IAM policies or role assignments
- Read secrets, credentials, or encryption keys
- Access network traffic or logs content
- Make purchases or modify billing settings
Oracle Cloud Infrastructure (OCI)
Access Summary
| Component | Details |
|---|---|
| Identity | OCI IAM User (digiusher-service-user) — API-only, no Console password |
| Authentication | API key pair (PEM private key + fingerprint) |
| Access level | Read-only — all policies use the read verb only |
| Scope | Tenancy-wide |
| Billing | Read-only access to cost and usage reports |
| Data access | Cost and Usage Reports via Oracle's cross-tenancy bucket (FOCUS format only) |
| Capability | What It Provides |
|---|---|
| Billing data | Cost analytics, chargeback/showback, budgeting, forecasting, anomaly detection |
| Resource inventory | Asset discovery, idle resource detection, tag-based cost allocation |
| Optimization recommendations | Rightsizing, commitment analysis, idle resource cleanup |
| Utilization metrics | CPU, memory, network, disk usage for rightsizing analysis |
DigiUsher cannot create, modify, or delete any of your OCI resources.
OCI requires define/endorse statements to be in a separate policy from Allow statements. Create the following two policies at the tenancy (root compartment) level.
Policy 1: Cost Report Cross-Tenancy Access
Grants read access to Oracle's cost reporting tenancy for FOCUS cost reports. The OCID below is Oracle's cost reporting tenancy — it is the same for all OCI customers.
define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq
endorse group digiusher-finops-group to read objects in tenancy usage-report
Policy 2: DigiUsher Access Policy
Grants read access to usage reports, budget data, resource metadata, and monitoring metrics.
Allow group digiusher-finops-group to read usage-report in tenancy
Allow group digiusher-finops-group to read usage-budgets in tenancy
Allow group digiusher-finops-group to read all-resources in tenancy
Allow group digiusher-finops-group to read metrics in tenancy
All policies are strictly read-only. Nothing can be modified, deleted, or created in your environment.
Note
If you leave out the last two statements (all-resources and metrics), DigiUsher will not be able to provide optimization recommendations, rightsizing suggestions, or utilization-based insights.
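The two policies above, checked against the constraints this page states, as an added example that is neither DigiUsher's nor Oracle's tooling: each statement is parsed, every verb must be read, an endorse must reference a previously defined tenancy alias, and define/endorse statements must not share a policy with Allow statements. The statements are the page's own; the regular expressions cover only the statement shapes shown here.

```python
"""Lint the two tenancy-level OCI policies this page prescribes. Added
example, not DigiUsher's or Oracle's tooling; the statements below are the
page's own, the checks encode the page's rules (read verb only, and
define/endorse kept apart from Allow)."""
import re

ORACLE_USAGE_REPORT_TENANCY = "ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq"
GROUP = "digiusher-finops-group"

POLICY_1 = [  # cross-tenancy access to Oracle's cost report bucket
    f"define tenancy usage-report as {ORACLE_USAGE_REPORT_TENANCY}",
    f"endorse group {GROUP} to read objects in tenancy usage-report",
]
POLICY_2 = [  # DigiUsher access policy
    f"Allow group {GROUP} to read usage-report in tenancy",
    f"Allow group {GROUP} to read usage-budgets in tenancy",
    f"Allow group {GROUP} to read all-resources in tenancy",
    f"Allow group {GROUP} to read metrics in tenancy",
]

DEFINE_RE = re.compile(r"^define\s+tenancy\s+(\S+)\s+as\s+(\S+)$", re.I)
GRANT_RE = re.compile(r"^(allow|endorse)\s+group\s+(\S+)\s+to\s+(\S+)\s+(\S+)"
                      r"\s+in\s+tenancy(?:\s+(\S+))?$", re.I)


def lint_policy(statements, group=GROUP, usage_tenancy=ORACLE_USAGE_REPORT_TENANCY):
    """Return a list of findings; an empty list means the policy matches the page."""
    findings, kinds, aliases = [], set(), {}
    for raw in statements:
        stmt = raw.strip()
        if m := DEFINE_RE.match(stmt):
            kinds.add("define")
            aliases[m.group(1)] = m.group(2)
            if m.group(2) != usage_tenancy:  # must be Oracle's cost reporting tenancy
                findings.append(f"define names unexpected tenancy {m.group(2)}")
            continue
        m = GRANT_RE.match(stmt)
        if not m:
            findings.append(f"unparseable statement: {stmt}")
            continue
        kind, grp, verb, _resource, alias = m.groups()
        kinds.add(kind.lower())
        if grp != group:
            findings.append(f"grant to unexpected group {grp}")
        if verb.lower() != "read":  # the page allows the read verb only
            findings.append(f"non-read verb '{verb}' in: {stmt}")
        if kind.lower() == "endorse" and alias not in aliases:
            findings.append(f"endorse references undefined tenancy alias {alias}")
    if "allow" in kinds and kinds & {"define", "endorse"}:
        findings.append("define/endorse statements must be in a separate policy from Allow")
    return findings
```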
What DigiUsher CAN Access (Read-Only)
- Cost and usage reports (FOCUS format) via Oracle's cross-tenancy bucket
- Budget data
- Resource metadata (names, types, regions, tags) via Resource Search API
- Utilization metrics (CPU, memory, network, disk) via OCI Monitoring
- Organization and compartment hierarchy
What DigiUsher CANNOT Do
- Create, modify, or delete any OCI resources
- Access application data, databases, or storage contents
- Modify IAM policies or permissions
- Read secrets, credentials, or encryption keys
- Access network traffic or logs content
- Make purchases or modify billing settings