> ## Documentation Index
> Fetch the complete documentation index at: https://docs.upmetr.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Cloud Accounts

> Connect your AWS, GCP, Azure, or DigitalOcean accounts to Upmetr

Cloud accounts are connections between Upmetr and your cloud providers. Once connected, Upmetr discovers resources, tracks costs, and collects cloud-native metrics automatically.

## Supported Providers

<CardGroup cols={2}>
  <Card title="AWS" icon="aws">
    EC2, RDS, Route53, CloudFront, ALB, ACM, CloudWatch metrics, Cost Explorer
  </Card>

  <Card title="Google Cloud" icon="google">
    Compute Engine, Cloud SQL, Cloud Monitoring metrics, billing
  </Card>

  <Card title="Azure" icon="microsoft">
    Virtual Machines, SQL Database, Azure Monitor metrics, cost management
  </Card>

  <Card title="DigitalOcean" icon="digital-ocean">
    Droplets, managed databases, monitoring, billing
  </Card>
</CardGroup>

## Adding an Account

1. Navigate to **Settings > Cloud Accounts**
2. Click **Add Account**
3. Select your cloud provider
4. Enter credentials (see provider-specific sections below)
5. Click **Test Connection** to verify
6. Click **Save**

After adding, click **Discover** to scan for resources. Resources are re-discovered every 15 minutes.

***

## AWS Setup

AWS supports two authentication methods:

<Tabs>
  <Tab title="IAM Role (Recommended)">
    The most secure method — Upmetr assumes a role in your AWS account.

    ### Step 1: Create an IAM Policy

    In your AWS account, create a policy named `Upmetr-Monitoring-ReadOnly`:

    ```json theme={null}
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "UpmetrMonitoringReadOnly",
          "Effect": "Allow",
          "Action": [
            "ec2:Describe*",
            "rds:Describe*",
            "rds:ListTagsForResource",
            "cloudwatch:GetMetricData",
            "cloudwatch:GetMetricStatistics",
            "cloudwatch:ListMetrics",
            "route53:List*",
            "route53:Get*",
            "cloudfront:List*",
            "cloudfront:Get*",
            "elasticloadbalancing:Describe*",
            "acm:List*",
            "acm:Describe*",
            "ce:GetCostAndUsage",
            "ce:GetCostForecast",
            "budgets:ViewBudget",
            "sts:GetCallerIdentity"
          ],
          "Resource": "*"
        }
      ]
    }
    ```

    <Note>
      To also allow instance management (start/stop/reboot) from Upmetr, add `ec2:StartInstances`, `ec2:StopInstances`, and `ec2:RebootInstances` to the policy.
    </Note>

    ### Step 2: Create an IAM Role

    1. Go to **IAM > Roles > Create Role**
    2. Select **Another AWS account**
    3. Enter the Upmetr AWS Account ID (provided in the app)
    4. Check **Require external ID** and enter a unique value (e.g., `upmetr-YOURORG-2026`)
    5. Name the role `Upmetr-Monitoring-Role`
    6. Attach the `Upmetr-Monitoring-ReadOnly` policy

    ### Step 3: Add to Upmetr

    In the Upmetr UI:

    * **AWS Account ID** — Your 12-digit account ID
    * **Role ARN** — e.g., `arn:aws:iam::123456789012:role/Upmetr-Monitoring-Role`
    * **External ID** — The value from step 2
    * **Default Region** — Your primary AWS region
  </Tab>

  <Tab title="Access Keys">
    Simpler setup, suitable for quick testing.

    ### Step 1: Create an IAM User

    1. Go to **IAM > Users > Create User**
    2. Name: `upmetr-monitoring-reader`
    3. Attach the `Upmetr-Monitoring-ReadOnly` policy (same as above)
    4. Create an **Access Key** for programmatic access

    ### Step 2: Add to Upmetr

    * **Access Key ID** — Your access key
    * **Secret Access Key** — Your secret key
    * **Default Region** — Your primary region
  </Tab>
</Tabs>

***

## GCP Setup

1. Create a **Service Account** in your GCP project with the following roles:
   * `roles/compute.viewer` — Compute Engine resources
   * `roles/cloudsql.viewer` — Cloud SQL instances
   * `roles/monitoring.viewer` — Cloud Monitoring metrics
   * `roles/billing.viewer` — Billing data (optional, for cost tracking)

2. Generate a **JSON key file** for the service account

3. In Upmetr, paste the contents of the JSON key file in the **Service Account JSON** field

***

## Azure Setup

1. Register an **App Registration** in Azure Active Directory
2. Grant it the **Reader** role on your subscription
3. In Upmetr, enter:
   * **Tenant ID** — Your Azure AD tenant
   * **Application (Client) ID** — From the app registration
   * **Client Secret** — Generated in app registration > Certificates & secrets
   * **Subscription ID** — The subscription to monitor

***

## DigitalOcean Setup

1. Generate a **Personal Access Token** at [cloud.digitalocean.com/account/api/tokens](https://cloud.digitalocean.com/account/api/tokens)
2. Grant **Read** scope
3. In Upmetr, paste the token

***

## Resource Discovery

After connecting an account, Upmetr discovers:

| Provider         | Resource Types                                       |
| ---------------- | ---------------------------------------------------- |
| **AWS**          | EC2, RDS, Route53, CloudFront, ALB, ACM certificates |
| **GCP**          | Compute Engine VMs, Cloud SQL instances              |
| **Azure**        | Virtual Machines, SQL Databases                      |
| **DigitalOcean** | Droplets, Managed Databases                          |

Resources are refreshed every 15 minutes. You can trigger a manual discovery from the account detail page.

***

## Security Best Practices

<Warning>
  Always use the **least privilege** principle. Only grant the permissions Upmetr needs.
</Warning>

* **Prefer IAM Roles** over Access Keys when possible (AWS)
* **Use unique External IDs** per account for AssumeRole
* **Rotate credentials** periodically for Access Key or token-based auth
* **Enable CloudTrail** (AWS) to audit API calls from Upmetr

## Troubleshooting

| Issue                        | Solution                                                  |
| ---------------------------- | --------------------------------------------------------- |
| **"Access Denied"**          | Verify the policy is attached and permissions are correct |
| **"Invalid Role ARN"**       | Check format: `arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME`    |
| **"Connection Test Failed"** | Verify credentials and network connectivity               |
| **"Expired Token"**          | Regenerate the token or access key                        |
