№ 001 · Docs

Connecting cloud billing accounts.

Last updated June 10, 2026

Naew ingests billing data through dedicated, read-only principals that you create in your own cloud account: an IAM user for AWS, a service account for GCP. This page walks through creating each one with the minimum permissions, and explains exactly what Naew stores and how the credentials are protected.

§ 01

AWS — IAM user for Cost Explorer

  1. 01
    In the AWS console, open IAM → Users → Create user. Name it something recognisable like naew-cost-reader and do not grant console access.
  2. 02
    On the permissions step, choose Attach policies directly → Create policy and paste this least-privilege policy into the JSON tab:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ce:GetCostAndUsage",
        "sts:GetCallerIdentity",
        "savingsplans:DescribeSavingsPlans"
      ],
      "Resource": "*"
    }
  ]
}
  3. 03
    After the user is created, open it and go to Security credentials → Create access key. Pick Third-party service, then copy the access key id and secret access key into the AWS connect form. The secret is shown only once.
Notes
  • The savingsplans:DescribeSavingsPlans permission is optional. Without it, daily costs still sync; Naew just won't auto-detect Savings Plan commitments as fixed-term charges in the ledger and renewals view.
  • Cost Explorer must be enabled on the account (it activates on first visit to the Cost Explorer console) and returns data in USD, so the organisation's default currency must be USD.
  • The Cost Explorer API costs $0.01 per request on your AWS bill; the daily sync makes roughly 14 requests per integration.
  • Cost data settles 24–72 hours after a day closes and can restate; the daily sync refetches the trailing 14 days to absorb revisions.
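The following is an added Python example, not Naew's own code, showing two checks a practitioner would want before saving an AWS connection: a lint of the pasted policy against the three read-only actions above (any wildcard or non-billing action is reported), and the trailing-14-day TimePeriod the daily sync refetches. It assumes the allow-list mirrors the documented policy and relies on Cost Explorer treating End as exclusive.

```python
import json
from datetime import date, timedelta

# Actions the documented policy grants. Anything outside this set is a finding.
ALLOWED_ACTIONS = {"ce:GetCostAndUsage", "sts:GetCallerIdentity",
                   "savingsplans:DescribeSavingsPlans"}  # last one is optional

def check_cost_reader_policy(policy_json: str) -> list:
    """Lint a pasted IAM policy; [] means it has the documented read-only shape."""
    findings = []
    policy = json.loads(policy_json)
    if policy.get("Version") != "2012-10-17":
        findings.append("Version must be 2012-10-17")
    granted = set()
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            findings.append(f"statement {i}: Effect must be Allow")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for action in actions:
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif action not in ALLOWED_ACTIONS:
                findings.append(f"statement {i}: {action!r} is not a read-only billing action")
            else:
                granted.add(action)
    if "ce:GetCostAndUsage" not in granted:
        findings.append("ce:GetCostAndUsage is required for the daily sync")
    return findings

def trailing_window(today: date, days: int = 14) -> dict:
    """TimePeriod for GetCostAndUsage covering the trailing `days` closed days.
    Cost Explorer treats End as exclusive, so End=today stops at yesterday."""
    start = today - timedelta(days=days)
    return {"Start": start.isoformat(), "End": today.isoformat()}

# Constructed samples: the documented policy, and one that over-grants.
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": sorted(ALLOWED_ACTIONS), "Resource": "*"}]})
BAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["ce:*", "ec2:TerminateInstances"], "Resource": "*"}]})

if __name__ == "__main__":
    print(check_cost_reader_policy(GOOD_POLICY))  # []
    print(check_cost_reader_policy(BAD_POLICY))
    print(trailing_window(date.today()))
```

Resource is "*" in the documented policy because the Cost Explorer and STS actions used here do not support resource-level restrictions; the allow-list on actions is what keeps the principal read-only.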
§ 02

GCP — service account for the BigQuery billing export

GCP has no live cost API equivalent to Cost Explorer; costs come from a BigQuery export that you enable once on the billing account. Naew then queries that table with a service account you control.

  1. 01
    In console.cloud.google.com/billing, open the billing account → Billing export → BigQuery export and enable Standard usage cost export. Pick the project and dataset that will hold the export (the dataset is conventionally named billing_export). If you just enabled it, the export table can take a few hours to appear — the connect form's probe will report “table not found” until then.
  2. 02
    In that same project, open IAM & Admin → Service accounts → Create service account. Name it something like naew-billing-reader and grant it two roles on the project: roles/bigquery.dataViewer and roles/bigquery.jobUser — read the export, run queries.
  3. 03
    Optional: also grant roles/compute.viewer if you want Committed Use Discounts to surface as fixed-term charges in the renewals view. Without it, daily costs still sync; CUDs just aren't auto-detected.
  4. 04
    Open the service account → Keys → Add key → Create new key → JSON, and paste the entire downloaded file into the GCP connect form together with the billing account id, project id, and dataset name.
Notes
  • The billing account's currency must match the organisation's default currency — the connect form verifies this against the export before saving anything.
  • Billing rows settle within ~24 hours of usage and can restate for several days; the daily sync refetches the trailing 14 days. Daily spend is stored net of credits (sustained-use and committed-use discounts, promotions).
  • Each sync runs one BigQuery query that incurs a few cents of query cost against your own GCP project.
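As an added example (not Naew's code), here are the two checks a GCP connect form needs before it runs the sync query: that the pasted file is a service-account key with the fields a client library requires, and that the project id, dataset name and billing account id are safe to interpolate into the export table path, since BigQuery cannot parameterise table names. The identifier patterns are assumptions taken from GCP naming rules; the query computes daily spend net of credits per the standard export schema, returning currency so the caller can compare it to the organisation's default.

```python
import json
import re

# Assumed identifier rules: project ids are 6-30 lowercase chars, datasets are
# word characters, billing accounts look like XXXXXX-XXXXXX-XXXXXX (hex).
PROJECT_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")
DATASET_RE = re.compile(r"^[A-Za-z0-9_]{1,1024}$")
BILLING_ACCOUNT_RE = re.compile(r"^[0-9A-F]{6}-[0-9A-F]{6}-[0-9A-F]{6}$")
REQUIRED_KEY_FIELDS = {"type", "project_id", "private_key", "client_email", "token_uri"}

def check_service_account_key(key_json: str) -> list:
    """Findings for a pasted key file; [] means it is a usable service-account key."""
    findings = []
    key = json.loads(key_json)
    if key.get("type") != "service_account":
        findings.append("key file is not a service_account key")
    for field in sorted(REQUIRED_KEY_FIELDS - key.keys()):
        findings.append(f"missing field {field}")
    if not key.get("client_email", "").endswith(".iam.gserviceaccount.com"):
        findings.append("client_email is not a service-account address")
    return findings

def net_daily_cost_query(project: str, dataset: str, billing_account: str,
                         days: int = 14) -> str:
    """Build the trailing-window query; every interpolated identifier is
    validated first because the table path cannot be a query parameter."""
    if not PROJECT_RE.match(project):
        raise ValueError("invalid project id")
    if not DATASET_RE.match(dataset):
        raise ValueError("invalid dataset name")
    if not BILLING_ACCOUNT_RE.match(billing_account):
        raise ValueError("invalid billing account id")
    table = f"`{project}.{dataset}.gcp_billing_export_v1_{billing_account.replace('-', '_')}`"
    # Credit amounts are negative in the export, so adding them nets them out.
    return f"""SELECT DATE(usage_start_time) AS day, currency,
       SUM(cost) + SUM((SELECT IFNULL(SUM(c.amount), 0) FROM UNNEST(credits) c)) AS net_cost
FROM {table}
WHERE usage_start_time >= TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL {int(days)} DAY)
GROUP BY day, currency
ORDER BY day"""

# Constructed sample key (placeholder private key, not a real credential).
SAMPLE_KEY = json.dumps({"type": "service_account", "project_id": "my-project",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "naew-billing-reader@my-project.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token"})

if __name__ == "__main__":
    print(check_service_account_key(SAMPLE_KEY))  # []
    print(net_daily_cost_query("my-project", "billing_export", "012345-6789AB-CDEF01"))
```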
§ 03

What Naew stores, and how

The secret half of each credential — the AWS secret access key, the GCP service-account JSON (which contains the private key) — is written to Supabase Vault, encrypted with a platform-managed key, and is never stored in application tables or logs. Non-secret identifiers (AWS access key id, GCP client email, project and dataset names) live in the integration row so the UI can display them. Disconnecting an integration deletes the Vault secret immediately; synced cost history is kept.

Both principals are read-only by construction: the AWS policy grants three read actions, and the GCP roles can read the export and run queries but cannot touch resources. Naew never needs — and should never be given — write access to your cloud account. More on credential handling in Security.

§ 04

Rotating or revoking credentials

To rotate, create a fresh access key (AWS) or JSON key (GCP) for the same principal, disconnect the integration in Naew, and reconnect with the new credential — history is preserved because cost rows belong to the integration's organisation, not the credential. To revoke Naew's access entirely, delete the IAM user or service account in your cloud console; the next sync fails visibly on the integration page and stops after marking the integration as errored.