Cloud Accounts
Cloud accounts are connections between Upmetr and your cloud providers. Once connected, Upmetr discovers resources, tracks costs, and collects cloud-native metrics automatically.Supported Providers
AWS
EC2, RDS, Route53, CloudFront, ALB, ACM, CloudWatch metrics, Cost Explorer
Google Cloud
Compute Engine, Cloud SQL, Cloud Monitoring metrics, billing
Azure
Virtual Machines, SQL Database, Azure Monitor metrics, cost management
DigitalOcean
Droplets, managed databases, monitoring, billing
Adding an Account
- Navigate to Settings > Cloud Accounts
- Click Add Account
- Select your cloud provider
- Enter credentials (see provider-specific sections below)
- Click Test Connection to verify
- Click Save
AWS Setup
AWS supports two authentication methods:- IAM Role (Recommended)
- Access Keys
The most secure method — Upmetr assumes a role in your AWS account.
Step 1: Create an IAM Policy
In your AWS account, create a policy namedUpmetr-Monitoring-ReadOnly:To also allow instance management (start/stop/reboot) from Upmetr, add
ec2:StartInstances, ec2:StopInstances, and ec2:RebootInstances to the policy.Step 2: Create an IAM Role
- Go to IAM > Roles > Create Role
- Select Another AWS account
- Enter the Upmetr AWS Account ID (provided in the app)
- Check Require external ID and enter a unique value (e.g.,
upmetr-YOURORG-2026) - Name the role
Upmetr-Monitoring-Role - Attach the
Upmetr-Monitoring-ReadOnlypolicy
Step 3: Add to Upmetr
In the Upmetr UI:- AWS Account ID — Your 12-digit account ID
- Role ARN — e.g.,
arn:aws:iam::123456789012:role/Upmetr-Monitoring-Role - External ID — The value from step 2
- Default Region — Your primary AWS region
GCP Setup
-
Create a Service Account in your GCP project with the following roles:
roles/compute.viewer— Compute Engine resourcesroles/cloudsql.viewer— Cloud SQL instancesroles/monitoring.viewer— Cloud Monitoring metricsroles/billing.viewer— Billing data (optional, for cost tracking)
- Generate a JSON key file for the service account
- In Upmetr, paste the contents of the JSON key file in the Service Account JSON field
Azure Setup
- Register an App Registration in Azure Active Directory
- Grant it the Reader role on your subscription
- In Upmetr, enter:
- Tenant ID — Your Azure AD tenant
- Application (Client) ID — From the app registration
- Client Secret — Generated in app registration > Certificates & secrets
- Subscription ID — The subscription to monitor
DigitalOcean Setup
- Generate a Personal Access Token at cloud.digitalocean.com/account/api/tokens
- Grant Read scope
- In Upmetr, paste the token
Resource Discovery
After connecting an account, Upmetr discovers:| Provider | Resource Types |
|---|---|
| AWS | EC2, RDS, Route53, CloudFront, ALB, ACM certificates |
| GCP | Compute Engine VMs, Cloud SQL instances |
| Azure | Virtual Machines, SQL Databases |
| DigitalOcean | Droplets, Managed Databases |
Security Best Practices
- Prefer IAM Roles over Access Keys when possible (AWS)
- Use unique External IDs per account for AssumeRole
- Rotate credentials periodically for Access Key or token-based auth
- Enable CloudTrail (AWS) to audit API calls from Upmetr
Troubleshooting
| Issue | Solution |
|---|---|
| ”Access Denied” | Verify the policy is attached and permissions are correct |
| ”Invalid Role ARN” | Check format: arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME |
| ”Connection Test Failed” | Verify credentials and network connectivity |
| ”Expired Token” | Regenerate the token or access key |