1. We need access only to metadata, i.e. cost, names, tags, configuration and performance metrics for your resources.
2. We do not need access to read the data itself, i.e. we cannot log in to VMs or read the objects inside the storage accounts / S3 buckets.
3. Two types of access:
a. Application user – for our automation platform (cloudhiro) to log in. Azure – service principal; AWS – IAM role
b. Standard users – for our DevOps / FinOps staff to log in to your portal.
4. At the beginning we will need read-only access to this metadata; if you would like us to change / add / delete anything, we will need more permissions, for example to tag all resources, to create policies, etc.
5. We are not handling or storing any PII (Personally Identifiable Information).
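As an added example (not cloudhiro's own code or policy), the following shows what the AWS side of items 2 to 4 looks like in practice: a cross-account IAM role whose trust policy requires an ExternalId, a permissions policy limited to metadata reads (cost, tags, configuration, metrics) with an explicit Deny on data-plane actions, and a small checker that flags any policy granting data access such as reading S3 objects or opening a session on an instance. The account ids and ExternalId are placeholders, and the list of data-plane actions is an illustrative subset, not a complete one.

```python
"""Metadata-only access for a third-party FinOps platform on AWS (added example)."""
import json
from fnmatch import fnmatchcase

CUSTOMER_ACCOUNT = "111122223333"   # placeholder (AWS documentation example id)
VENDOR_ACCOUNT = "444455556666"     # placeholder (AWS documentation example id)
EXTERNAL_ID = "replace-with-random-per-customer-value"  # placeholder

# Trust policy: only the vendor account may assume the role, and only when it
# presents the agreed ExternalId (standard mitigation for the confused deputy).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}

# Permissions policy: cost, tags, configuration and metrics only.
# The final statement denies data-plane access even if a broader Allow is
# attached to the role later (an explicit Deny always wins in IAM).
METADATA_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CostAndTags", "Effect": "Allow", "Resource": "*",
         "Action": ["ce:GetCostAndUsage", "ce:GetCostForecast",
                    "tag:GetResources", "pricing:GetProducts"]},
        {"Sid": "Configuration", "Effect": "Allow", "Resource": "*",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeVolumes",
                    "rds:DescribeDBInstances", "s3:ListAllMyBuckets",
                    "s3:GetBucketTagging"]},
        {"Sid": "Metrics", "Effect": "Allow", "Resource": "*",
         "Action": ["cloudwatch:ListMetrics", "cloudwatch:GetMetricData",
                    "cloudwatch:GetMetricStatistics"]},
        {"Sid": "NeverDataPlane", "Effect": "Deny", "Resource": "*",
         "Action": ["s3:GetObject", "ssm:StartSession", "ec2:GetPasswordData",
                    "secretsmanager:GetSecretValue"]},
    ],
}

# A constructed, over-broad policy for contrast: "s3:*" would allow reading objects.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["ec2:Describe*", "s3:*"]}],
}

# Illustrative subset of actions that read data rather than metadata.
DATA_PLANE_ACTIONS = [
    "s3:GetObject", "ssm:StartSession", "ec2:GetPasswordData",
    "secretsmanager:GetSecretValue", "dynamodb:GetItem", "dynamodb:Scan",
]


def _actions(policy, effect):
    """Collect the Action entries of every statement with the given Effect."""
    out = set()
    for st in policy.get("Statement", []):
        if st.get("Effect") == effect:
            acts = st.get("Action", [])
            out.update([acts] if isinstance(acts, str) else acts)
    return out


def _matches(pattern, action):
    """IAM action names are case-insensitive and may contain '*' wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def data_plane_violations(policy):
    """Return the Allow patterns that would grant a data-plane action
    and are not cancelled by an explicit Deny."""
    allowed, denied = _actions(policy, "Allow"), _actions(policy, "Deny")
    bad = set()
    for dp in DATA_PLANE_ACTIONS:
        if any(_matches(d, dp) for d in denied):
            continue  # explicit Deny wins in IAM evaluation
        bad.update(a for a in allowed if _matches(a, dp))
    return sorted(bad)


def trust_requires_external_id(trust):
    """True only if every Allow statement in the trust policy pins an ExternalId."""
    for st in trust.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        cond = st.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in cond:
            return False
    return True


if __name__ == "__main__":
    print(json.dumps(METADATA_ONLY_POLICY, indent=2))
    print("metadata-only violations:", data_plane_violations(METADATA_ONLY_POLICY))
    print("over-broad violations:", data_plane_violations(OVERBROAD_POLICY))
    print("trust pins ExternalId:", trust_requires_external_id(TRUST_POLICY))
```

The checker is meant for reviewing the role before it is created (for example in a pull request against the IAM or Terraform definitions); the authoritative test remains the cloud provider's own policy simulator, since real IAM evaluation also considers resource policies, permission boundaries and SCPs. The Azure equivalent of this role is a service principal assigned the built-in Reader (or Cost Management Reader) role at the subscription scope, which likewise exposes resource configuration but not data inside storage accounts or VMs.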