Threat model
A billing-read credential should be able to see cost lines, account metadata, and resource tags. It should not be able to launch instances, modify IAM, exfiltrate object storage contents, or read application secrets. Treat the cost-monitoring credential as you would a third-party read-only auditor.
AWS: minimum IAM policy for Cost Explorer + CUR
Grant ce:GetCostAndUsage, ce:GetTags, ce:GetDimensionValues, organizations:ListAccounts (only if the tool is linked-account aware), cur:DescribeReportDefinitions, and s3:GetObject restricted to the CUR delivery bucket and prefix. No wildcard (*) resources. No iam:*. No ec2:*.
- Use a role, not an IAM user with long-lived keys.
- Trust principal: the cost tool's account ARN, with ExternalId.
- Confirm via CloudTrail what the role actually calls.
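The policy, the trust policy with its ExternalId condition, and a lint for the over-scoping the section rules out, as an added example (not Tovin.io's own code or policy). The bucket name, prefix, vendor account ID and ExternalId are constructed placeholders. One nuance the lint encodes: Cost Explorer actions accept no resource ARN, so their statement must carry Resource "*"; the lint tolerates "*" only for that enumerated set, and flags it on anything else (an s3:GetObject on "*" would fail).

```python
"""Added example (not Tovin.io's own code): the minimum policy and trust policy
from the section above, plus a lint for the over-scoping it forbids.
Bucket, prefix, account ID and ExternalId are constructed placeholders."""
import json

# Constructed placeholders: substitute your own values.
CUR_BUCKET = "example-cur-delivery-bucket"
CUR_PREFIX = "cur/"
COST_TOOL_ACCOUNT_ID = "111111111111"          # the cost tool vendor's AWS account
EXTERNAL_ID = "replace-with-a-long-random-external-id"

# Cost Explorer (ce:) calls accept no resource ARN, so "*" is the only valid
# Resource for them; the lint tolerates "*" only for this enumerated set.
NON_RESOURCE_ACTIONS = {
    "ce:GetCostAndUsage", "ce:GetTags", "ce:GetDimensionValues",
    "cur:DescribeReportDefinitions", "organizations:ListAccounts",
}
FORBIDDEN_PREFIXES = ("iam:", "ec2:")   # the services the text rules out entirely


def billing_read_policy(bucket, prefix, linked_account_aware=True):
    """Identity policy granting only the read calls listed in the section."""
    cost_actions = ["ce:GetCostAndUsage", "ce:GetTags", "ce:GetDimensionValues",
                    "cur:DescribeReportDefinitions"]
    if linked_account_aware:
        cost_actions.append("organizations:ListAccounts")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "CostRead", "Effect": "Allow",
             "Action": cost_actions, "Resource": "*"},
            # Object reads limited to the CUR delivery prefix, nothing else in S3
            {"Sid": "CurObjects", "Effect": "Allow", "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
        ],
    }


def trust_policy(vendor_account_id, external_id):
    """Role trust policy: only the vendor's account may assume the role,
    and only when it presents the agreed ExternalId (confused-deputy guard)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{vendor_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return findings for wildcard actions, iam:/ec2: grants, and Resource '*'
    on anything that could have been resource-scoped. Empty list = passes."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        resources = _as_list(stmt.get("Resource", "*"))
        for action in _as_list(stmt["Action"]):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
            elif action.lower().startswith(FORBIDDEN_PREFIXES):
                findings.append(f"{sid}: forbidden action {action}")
            elif "*" in resources and action not in NON_RESOURCE_ACTIONS:
                findings.append(f"{sid}: {action} granted on Resource '*'")
    return findings


if __name__ == "__main__":
    policy = billing_read_policy(CUR_BUCKET, CUR_PREFIX)
    print(json.dumps(policy, indent=2))
    print(json.dumps(trust_policy(COST_TOOL_ACCOUNT_ID, EXTERNAL_ID), indent=2))
    print("lint:", lint_policy(policy) or "clean")
```

Run `lint_policy` over any policy a vendor hands you before attaching it: an AdministratorAccess-style `"Action": "*"` or any `ec2:`/`iam:` grant comes back as a finding, and so does a read action on `"*"` that should have been pinned to the CUR bucket.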
GCP: roles for Billing Export and BigQuery
roles/billing.viewer on the billing account, roles/bigquery.dataViewer on the billing-export dataset, and roles/bigquery.jobUser in the project the tool will run queries in. Avoid roles/bigquery.user (too broad) and roles/owner (entirely too broad).
DigitalOcean: read scopes on a Personal Access Token
Create a Personal Access Token with `read` scope only. DO does not (as of 2026) offer per-API granular scopes, so the read PAT covers billing, projects, and the resources needed for allocation. Rotate quarterly; revoke immediately if the tool changes vendor.
Why you should never grant *:* or AdministratorAccess
Cost-tool credentials are stored on the tool vendor's infrastructure. Even with the best vendor, a future compromise becomes an account-wide compromise if the credential is over-scoped. The cost of granting least privilege is small; the cost of over-granting is unbounded.
Auditing what the tool actually called
AWS CloudTrail logs every API call the role made. GCP Audit Logs do the same for the service account. Run a one-time audit a week after enabling the tool to confirm the call set matches expectations — if it called anything outside the granted policy, the policy needs tightening.
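The one-time audit for the AWS side, as an added example (not Tovin.io's own code): it filters CloudTrail records down to sessions issued by the cost-tool role, maps each record to its IAM action, and separates two cases the paragraph lumps together. A call that succeeded outside the expected set means the attached policy is broader than intended and needs tightening; a call the service refused means the tool attempted more than it was granted, which is worth raising with the vendor but does not by itself mean the policy is wrong. The role ARN and the records are constructed samples.

```python
"""Added example (not Tovin.io's own code): compare what the cost-tool role
actually called, per CloudTrail, against the actions you granted. The role ARN
and the CloudTrail records below are constructed samples."""
import json

ROLE_ARN = "arn:aws:iam::222222222222:role/CostToolBillingRead"   # placeholder
GRANTED_ACTIONS = {
    "ce:GetCostAndUsage", "ce:GetTags", "ce:GetDimensionValues",
    "organizations:ListAccounts", "cur:DescribeReportDefinitions", "s3:GetObject",
}


def _rec(time, source, name, error_code=None, as_role=True):
    """Minimal CloudTrail record (constructed; real records carry many more fields)."""
    if as_role:
        ident = {"type": "AssumedRole",
                 "arn": "arn:aws:sts::222222222222:assumed-role/CostToolBillingRead/tool-session",
                 "sessionContext": {"sessionIssuer": {"type": "Role", "arn": ROLE_ARN}}}
    else:
        ident = {"type": "IAMUser", "arn": "arn:aws:iam::222222222222:user/alice"}
    rec = {"eventTime": time, "eventSource": source, "eventName": name, "userIdentity": ident}
    if error_code:
        rec["errorCode"] = error_code
    return rec


SAMPLE_RECORDS = [
    _rec("2026-01-08T02:00:01Z", "ce.amazonaws.com", "GetCostAndUsage"),
    _rec("2026-01-08T02:00:02Z", "ce.amazonaws.com", "GetTags"),
    _rec("2026-01-08T02:00:03Z", "s3.amazonaws.com", "GetObject"),      # only logged if S3 data events are on
    _rec("2026-01-08T02:00:04Z", "ec2.amazonaws.com", "DescribeInstances", error_code="AccessDenied"),
    _rec("2026-01-08T02:00:05Z", "ce.amazonaws.com", "GetCostForecast"),  # succeeded, but never granted
    _rec("2026-01-09T02:00:01Z", "ce.amazonaws.com", "GetCostAndUsage"),
    _rec("2026-01-09T09:15:00Z", "ec2.amazonaws.com", "RunInstances", as_role=False),  # a human, not the role
]


def iam_action(record):
    """'ce.amazonaws.com' + 'GetCostAndUsage' -> 'ce:GetCostAndUsage'. The host
    prefix matches the IAM service prefix for the services here; a few differ
    (CloudWatch logs as monitoring.amazonaws.com but uses cloudwatch: in IAM)."""
    return f"{record['eventSource'].split('.')[0]}:{record['eventName']}"


def made_by_role(record, role_arn):
    """True only for sessions issued by the cost tool's role, whatever the session name."""
    ident = record.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return ident.get("type") == "AssumedRole" and issuer.get("arn") == role_arn


def audit(records, role_arn, granted):
    """Split the role's calls into: counts per action, calls that succeeded
    outside the granted set (policy is broader than you think: tighten it),
    and calls the service refused (the tool wanted more than you granted)."""
    observed, outside_policy, denied = {}, [], []
    for rec in records:
        if not made_by_role(rec, role_arn):
            continue
        action = iam_action(rec)
        observed[action] = observed.get(action, 0) + 1
        if rec.get("errorCode"):
            denied.append((rec["eventTime"], action))
        elif action not in granted:
            outside_policy.append((rec["eventTime"], action))
    return {"observed": observed, "outside_policy": outside_policy, "denied": denied}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_RECORDS, ROLE_ARN, GRANTED_ACTIONS), indent=2))
```

On real data, feed `audit` the `Records` array from each CloudTrail log file for the week. Two caveats: CloudTrail management events cover the Cost Explorer, CUR and Organizations calls by default, but `s3:GetObject` on the CUR bucket appears only if S3 data event logging is enabled for that bucket, otherwise the S3 side of the audit is silently empty; and an empty `observed` for a session-issuing role usually means the tool is assuming a different role than the one you think, not that it made no calls.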
Rotation cadence and credential storage
Rotate the AWS role's ExternalId or the DO PAT quarterly. GCP service account keys should be rotated yearly at minimum, or moved to short-lived credentials via Workload Identity. Store credentials in the tool's secret manager — never check them into a repo.
Frequently asked
Does Tovin.io require write access?
No. Tovin.io is read-only by design on every supported cloud. Granting write access would over-scope the credential; refuse if any cost tool asks for it.
Can I use AWS SSO/IAM Identity Center?
Yes, via a role assumable by the cost tool's account ARN with an ExternalId trust condition.
What is the DO scope I need?
A read-scoped Personal Access Token. DO does not yet offer per-API scoping, so the read PAT covers billing, projects, and the resources you want to allocate.