Basics
This guide walks you through getting started with Reply CMP: setting up your tenant, inviting users, creating cloud connections, and understanding roles and permissions. It also highlights first‑run data sync and where to go next (Discovery, FinOps, Monitoring, Automation).
Quick start
Accept your invite and sign in.
In Tenant → Settings, review tenant details and set the preferred currency.
Invite teammates and assign roles (Owner, Contributor, Reader, or specialized roles).
In Tenant → Connections, add your cloud provider connections (Azure, AWS, GCP).
Prepare credentials/identities per provider (see Connections).
Prefer least‑privilege for read‑only scenarios; elevate only for Provisioning/Automation.
Run an initial Discovery to populate the CMDB.
Use Filters (Provider, Connection, Tags) to validate coverage.
Open FinOps to set allocation rules and budgets; costs load daily (T‑1).
Start with a top‑level budget and a few allocation rules; refine later.
Explore the Optimize tab for AI-powered cost recommendations and savings estimates.
Create custom dashboards in the Monitor tab for personalized cost tracking.
Explore Monitoring dashboards and, if needed, create Automation policies.
Dashboards are customizable on request via your CMP administrator/contact.
Note
Tenant currency: All costs and budgets are shown in the tenant currency across FinOps and exports. Administrators can change this in Tenant settings.
Tenants
A tenant is your organization’s isolated workspace in Reply CMP. Users, connections, data, and permissions are scoped to your tenant.
Isolation: Your data and dashboards are not visible to other tenants.
Ownership: Tenant Owners manage users, roles, and connections.
Currency: One currency is applied consistently across FinOps views and budgets.
Auditing: Tenant activity (users, connections, runs) is captured for traceability.
Onboarding flow (at a glance)
%%{init: {
'theme': 'base',
'themeVariables': {
'primaryColor': '#FF9800',
'primaryTextColor': '#fff',
'primaryBorderColor': '#FF7D00',
'lineColor': '#FF9800',
'secondaryColor': '#42A5F5',
'tertiaryColor': '#f4f4f4'
}
}}%%
flowchart TD
A([👥 Customer]) -->|📩 Onboarding Request| B([📨 Reply CMP])
subgraph Flow [Onboarding]
direction TB
C[🏢 Tenant Created]:::p --> D[👤 Users Invited]:::p --> E[🔗 Connections Added]:::p --> F[🔎 First Discovery]:::p --> G[💶 FinOps Setup]:::p
end
B -.-> C
classDef p fill:#FF9800,stroke:#FF7D00,stroke-width:2px,color:white,font-weight:bold
style Flow fill:#FFF8E1,stroke:#FFECB3,stroke-width:2px,color:#333
Roles and permissions (RBAC)
Reply CMP uses fine‑grained RBAC. Assign broad “comprehensive” roles or targeted “specialized” roles.
Comprehensive roles:
Owner: Full control, including RBAC.
Contributor: Full management across modules (no RBAC changes).
Reader: Read‑only access across modules.
Specialized roles (examples):
Provisioning Reader/Contributor
Discovery Reader/Contributor
FinOps Reader/Contributor
Policy (Automation) Reader/Contributor
Monitoring Reader
Tenant Reader / User Administrator
Tip
Use specialized roles to apply least‑privilege. The “Effective Permissions” panel shows exactly what a user can do.
Assign roles in Tenant → Users.
Connections
Connections link your tenant to provider scopes (Azure subscription, AWS account, GCP project). They use service principals/identities and can be read‑only or read‑write depending on granted permissions.
%%{init: {
'theme': 'base',
'themeVariables': {
'primaryColor': '#FF9800',
'primaryTextColor': '#fff',
'primaryBorderColor': '#FF7D00',
'lineColor': '#5D87FF',
'secondaryColor': '#42A5F5',
'tertiaryColor': '#f4f4f4'
}
}}%%
flowchart TD
T((🏢 Tenant)):::tenant -->|Connection| AZ[☁️ Azure]:::azure
T -->|Connection| AWS[☁️ AWS]:::aws
T -->|Connection| GCP[☁️ GCP]:::gcp
T --> KV[(🔐 Azure Key Vault)]
subgraph Security[Secrets]
KV ---|store| SP1[(Azure SP Secret)]
KV ---|store| AK[(AWS Access Keys)]
KV ---|store| SA[(GCP SA Key)]
end
classDef tenant fill:#FF9800,stroke:#FF7D00,stroke-width:3px,color:white,font-weight:bold
classDef azure fill:#0078D4,stroke:#005A9E,stroke-width:2px,color:white,font-weight:bold
classDef gcp fill:#34A853,stroke:#0F9D58,stroke-width:2px,color:white,font-weight:bold
classDef aws fill:#FF9900,stroke:#FF8000,stroke-width:2px,color:white,font-weight:bold
Security & secrets:
Credentials are stored as secrets in Azure Key Vault, encrypted at rest and in transit.
Secrets are never shown after creation and are only accessed by the platform at runtime.
Vault access is restricted via RBAC and network rules; all access is audited.
Rotate credentials per your security policy; update the connection to pick up the new secret.
Azure
Provide an App Registration (service principal) with subscription‑level role:
Reader for Discovery, FinOps (cost), and Monitoring
Contributor for Provisioning and Automation
What you need:
Subscription ID
Tenant ID (Microsoft Entra ID, formerly Azure AD)
Client ID (Application ID from App Registration)
Client Secret or Certificate
Connection validation:
Reply CMP tests ARM authentication with subscription ID
Queries a sample resource to verify role permissions
Common errors and fixes:
AADSTS7000222: Client secret expired → Rotate the secret in the Azure portal and update the connection
invalid_client: App registration not found or deleted → Recreate the app registration and update the connection
AADSTS65001: Consent for the application was never granted or was revoked → Grant admin consent on the app registration in Entra ID
AuthorizationFailed (ARM HTTP 403): Role assignment removed → Re-grant Reader/Contributor on the subscription (a removed role produces this ARM error, not an AADSTS code)
Tip
Client secrets can expire. Set a reminder to rotate them before expiry and update the connection in Reply CMP.
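A connection probe along the lines of the validation steps and error list above, as an added example (not Reply CMP's own code): it requests an app-only token with the client-credentials grant, reads one resource through ARM, and maps the error bodies to the remediations listed here. The token endpoint, the ARM resource list call and the AADSTS/ARM error codes are the public Microsoft ones; the function names and the remediation labels are this example's own. Only the classification helpers run offline; the network calls happen when you call validate_connection with real values.

```python
"""Probe an Azure connection: app-only token, then one ARM read.
Added example, not Reply CMP's code. Network calls live in
validate_connection(); the classifiers are pure and testable offline."""
import json
import urllib.parse
import urllib.request
from urllib.error import HTTPError

ARM = "https://management.azure.com"
LOGIN = "https://login.microsoftonline.com"


def token_request(tenant_id: str, client_id: str, client_secret: str) -> urllib.request.Request:
    """Client-credentials request for an ARM token (OAuth 2.0 v2 endpoint)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{ARM}/.default",
    }).encode()
    return urllib.request.Request(f"{LOGIN}/{tenant_id}/oauth2/v2.0/token", data=body, method="POST")


def classify_token_error(body: dict) -> str:
    """Map an Entra ID token error body to a remediation label.
    error_codes carries the numeric AADSTS code; error_description repeats it."""
    codes = set(body.get("error_codes", []))
    desc = body.get("error_description", "")
    if 7000222 in codes or "AADSTS7000222" in desc:
        return "expired_secret"      # rotate the secret, update the connection
    if 7000215 in codes or "AADSTS7000215" in desc:
        return "wrong_secret"        # secret value is wrong (typo or stale copy)
    if 700016 in codes or "AADSTS700016" in desc:
        return "app_not_found"       # app registration deleted or wrong tenant
    return "unknown:" + body.get("error", "?")


def classify_arm_error(status: int, body: dict) -> str:
    """Map an ARM error response to a remediation label. A missing role
    assignment is an ARM 403 AuthorizationFailed, not an AADSTS token error."""
    code = body.get("error", {}).get("code", "")
    if status == 403 and code == "AuthorizationFailed":
        return "missing_role"        # re-grant Reader/Contributor on the subscription
    if status == 404 and code == "SubscriptionNotFound":
        return "wrong_subscription"  # subscription ID typo or SP is in another tenant
    return f"unknown:{status}:{code}"


def probe_subscription(token: str, subscription_id: str) -> str:
    """GET a single resource from the subscription; Reader is enough for this."""
    url = f"{ARM}/subscriptions/{subscription_id}/resources?api-version=2021-04-01&$top=1"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            json.load(resp)
            return "ok"
    except HTTPError as e:
        return classify_arm_error(e.code, json.loads(e.read() or b"{}"))


def validate_connection(tenant_id: str, client_id: str, client_secret: str, subscription_id: str) -> str:
    """Full probe: token first, then ARM read. Returns 'ok' or a remediation label."""
    try:
        with urllib.request.urlopen(token_request(tenant_id, client_id, client_secret)) as resp:
            token = json.load(resp)["access_token"]
    except HTTPError as e:
        return classify_token_error(json.loads(e.read() or b"{}"))
    return probe_subscription(token, subscription_id)
```

Run it with the four values from "What you need"; anything other than `ok` points at the fix in the list above. The helper treats consent errors and RBAC errors separately on purpose: the former come back from the token endpoint, the latter only after a token was issued.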
AWS
Provide an IAM user with account‑level permissions (the connection authenticates with long‑lived access keys, so dedicate this user to Reply CMP, give it no console password, and rotate its keys as noted below):
ReadOnlyAccess for Discovery, FinOps (cost), and Monitoring
PowerUserAccess for Provisioning and Automation
What you need:
Account ID
Access Key ID
Secret Access Key
Default region (for Resource Explorer)
Prerequisites:
Resource Explorer 2 must be enabled in the connection’s region
Resource-level cost allocation tags must be enabled (provides 14-day cost granularity per resource)
Connection validation:
Calls sts:GetCallerIdentity to verify the account ID
Queries Resource Explorer to confirm it is enabled
Checks the cost allocation tag configuration
Common errors and fixes:
InvalidAccessKeyId: Access key doesn’t exist (deleted or wrong account) → Recreate the access key in IAM
SignatureDoesNotMatch: Secret access key is incorrect (rotated or typo) → Update the connection with the correct secret
UnrecognizedClientException: Credentials wrong or disabled → Check the IAM user status
AccessDenied: Key exists but permissions were removed → Re-attach the ReadOnlyAccess or PowerUserAccess policy
Note
Access keys cannot expire, but they can be rotated or deleted. Use IAM credential rotation policies and update Reply CMP connections when keys change.
To enable Resource Explorer (API namespace resource-explorer-2):
Open AWS Console → Resource Explorer
Turn on Resource Explorer in your preferred region
Create an aggregator index in that region and a default view (the quick setup does both)
Use that region as the default region in your Reply CMP connection
To enable resource-level costs:
Open the AWS Billing and Cost Management console as the payer/management account
Under Cost Explorer → Preferences, enable resource-level data at daily granularity
Under Cost allocation tags, activate the user-defined tags you allocate costs by
Wait up to 24 hours for data to populate
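If you choose the "scoped set" alternative to PowerUserAccess/ReadOnlyAccess that the requirements matrix below mentions, check that the policy you hand over really is read‑only before saving it as a connection. The following is an added example, not Reply CMP's code: SCOPED_READ_POLICY is an assumed narrower read‑only policy covering the services this section says the connection calls (STS, Resource Explorer, Cost Explorer, CloudWatch, tagging) and must be confirmed against connection validation in your tenant; lint_policy walks a policy document and reports Allow actions that grant write or unbounded wildcard access.

```python
"""Least-privilege lint for an IAM policy handed to a read-only connection.
Added example, not Reply CMP's code. SCOPED_READ_POLICY is an assumption
(a narrower alternative to ReadOnlyAccess); verify it in your own account."""
import json

# Verb prefixes IAM uses for read operations; anything else is treated as write.
READ_VERBS = ("Get", "List", "Describe", "Search", "BatchGet", "Lookup", "View")

SCOPED_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CmpReadOnly",
        "Effect": "Allow",
        "Action": [
            "sts:GetCallerIdentity",              # account ID check
            "resource-explorer-2:Search",         # inventory
            "resource-explorer-2:ListIndexes",
            "resource-explorer-2:ListViews",
            "resource-explorer-2:GetIndex",
            "ce:GetCostAndUsage",                 # FinOps (T-1 costs)
            "ce:GetCostAndUsageWithResources",    # resource-level costs
            "cloudwatch:ListMetrics",             # monitoring
            "cloudwatch:GetMetricData",
            "tag:GetResources",                   # tag-based allocation rules
        ],
        "Resource": "*",
    }],
}


def _as_list(v):
    """IAM allows a bare string or a list for Statement and Action."""
    return v if isinstance(v, list) else [v]


def is_read_action(action: str) -> bool:
    """'service:Verb...' is read-only when the verb starts with a read prefix.
    A trailing wildcard on a read verb ('ec2:Describe*') is still read-only;
    'ec2:*' and a bare '*' are not."""
    if ":" not in action:
        return False
    stem = action.split(":", 1)[1].rstrip("*")
    return bool(stem) and stem.startswith(READ_VERBS)


def lint_policy(policy: dict) -> dict:
    """Report Allow actions that are not read-only. Deny statements are skipped
    (they only remove permissions); NotAction is flagged because it grants
    everything except the listed actions."""
    findings = {"write_actions": [], "wildcard_actions": [], "not_action": False}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings["not_action"] = True
        for action in _as_list(stmt.get("Action", [])):
            if is_read_action(action):
                continue
            bucket = "wildcard_actions" if "*" in action else "write_actions"
            findings[bucket].append(action)
    return findings


def is_read_only(policy: dict) -> bool:
    f = lint_policy(policy)
    return not (f["write_actions"] or f["wildcard_actions"] or f["not_action"])


# Constructed sample: a policy labelled "read-only" that quietly grants write.
SAMPLE_OVERBROAD = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "ce:GetCostAndUsage"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    print("scoped policy read-only:", is_read_only(SCOPED_READ_POLICY))
    print("sample findings:", lint_policy(SAMPLE_OVERBROAD))
```

Run it against the JSON you export from IAM (`aws iam get-policy-version` output, `Document` field) before attaching it; a non-empty `write_actions` or `wildcard_actions` list means the connection is not in the read-only column of the matrix any more.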
GCP
Provide a Service Account with project‑level roles:
Project Viewer and Cloud Asset Viewer (discovery/inventory)
BigQuery Data Viewer (billing export access)
Editor (when using Provisioning/Automation)
What you need:
Target project ID
Service account JSON key file
(Optional) Billing project ID if different from target project
BigQuery billing export dataset and table
Prerequisites:
Target project must be active and accessible
BigQuery billing export must exist and be configured
Required APIs enabled in the project:
Compute Engine API
Cloud SQL Admin API
Kubernetes Engine API
Cloud Asset Inventory API
BigQuery API
Service Usage API
Recommender API
Connection validation:
Authenticates with service account JSON key
Queries Cloud Asset Inventory for project resources
Attempts to read from BigQuery billing export table
Verifies required APIs are enabled via Service Usage API
Common errors and fixes:
TokenResponseException: Service account key rotated or deleted → Generate a new key in GCP Console → Service Accounts and update the connection
403 Forbidden: Missing API enablement or insufficient permissions → Enable the required APIs in APIs & Services and check the service account roles
404 Not Found (BigQuery table): Billing export not configured or wrong dataset/table name → Verify the export settings in Billing → Billing Export
Note
Service account keys cannot expire but can be rotated or deleted. GCP recommends rotating keys every 90 days. Update Reply CMP connection when rotating.
To enable BigQuery billing export:
Open GCP Console → Billing → Billing Export
Choose “BigQuery export”
Select or create a dataset (e.g., billing_export)
Enable detailed usage cost export
Note the project, dataset, and table name for the Reply CMP connection
Grant the service account roles/bigquery.dataViewer on the billing project
To enable required APIs:
Open GCP Console → APIs & Services → Library
Search for each required API and click “Enable”
Or use the gcloud command line:
gcloud services enable \
  compute.googleapis.com \
  sqladmin.googleapis.com \
  container.googleapis.com \
  cloudasset.googleapis.com \
  bigquery.googleapis.com \
  serviceusage.googleapis.com \
  recommender.googleapis.com \
  --project=YOUR_PROJECT_ID
Onboarding requirements matrix
| Provider | Scope to connect | Identity / auth | Minimum permissions (read‑only) | Additional permissions (Provisioning/Automation) | Cost data requirements | Required APIs / services |
|---|---|---|---|---|---|---|
| Azure | Subscription (or Management Group) | App Registration (Service Principal) + Client Secret/Certificate | Reader at subscription; Monitoring Reader optional | Contributor at subscription or target resource groups | No export required. Costs pulled daily (T‑1) via Azure Cost Management APIs | Azure Resource Graph, Cost Management (no manual enablement). Use Key Vault for secrets |
| AWS | Account (member) and optionally Payer/Management for consolidated costs | IAM User (access keys) | ReadOnlyAccess; CloudWatchReadOnlyAccess (for metrics) | PowerUserAccess (or a scoped set for the required services) | Enable resource‑level costs at the payer/management account | Cost Explorer, CloudWatch. Use Key Vault to store access keys |
| GCP | Project (plus Billing Account for export) | Service Account (JSON key) | roles/viewer, roles/cloudasset.viewer; roles/bigquery.dataViewer on the billing dataset | roles/editor (when Provisioning/Automation is needed) | Enable Billing Export to a BigQuery dataset/table | BigQuery, Cloud Asset Inventory, Cloud Resource Manager, Service Usage, Recommender |
Tip
Least‑privilege first: start with the read‑only column to enable Discovery, Monitoring, and FinOps. Grant write only when you adopt Provisioning or Automation. Secrets are stored encrypted in Azure Key Vault.
Secrets management with Azure Key Vault
Reply CMP uses Azure Key Vault to protect connection secrets.
Encryption: Secrets are encrypted at rest (AES‑256) and in transit (TLS).
Isolation: Each tenant’s secrets are scoped and not exposed to other tenants.
Access: Only platform components with explicit RBAC can read a secret at runtime; users cannot retrieve secrets once saved.
Network: Vault access is restricted; private endpoints and firewall rules are used where applicable.
Audit: All secret operations are logged for compliance.
Rotation: Update the secret in CMP after rotating credentials; historical secrets are not retained in plain form.
Initial data sync
Discovery: Run immediately after adding connections to populate the CMDB (resources, relationships, history).
FinOps: Cost data refreshes daily and includes charges up to the previous day (T‑1). Providers may backfill prior days; Reply CMP reconciles updates automatically.
Monitoring: Operational metrics arrive near real time (minutes) directly from provider monitoring APIs.
Administration
In the Tenant panel you can manage:
Users & RBAC (invite, assign roles, view effective permissions)
Connections (create, rotate credentials, review last sync)
Reports (scheduled email reports)
Auditing (activity logs for tenant, connections, deployments, policies, discovery)
Note
Reports: In the next release, Reports will move under FinOps. Until then, access them in Tenant → Reports.
Self‑service connections: Users with the right role can add provider connections without admin intervention. Use the least‑privilege permissions listed above.
Troubleshooting
Unauthorized when opening Monitoring or dashboards: wait 1–2 minutes after tenant creation or role changes for permissions to propagate.
Empty Discovery results: verify permissions and regions; run a manual refresh.
No costs: confirm provider billing export (AWS resource‑level costs, GCP BigQuery export) and wait for the next daily load (T‑1).
Provisioning apply fails: review errors and AI explanation in the deployment panel; fix and re‑apply.
FAQ
Who can create connections?
Owners and users with the appropriate Tenant/Connection roles.
Do I need write permissions to see costs and discovery?
No. Reader‑level is sufficient. Write is only needed for Provisioning/Automation.
Can I change the tenant currency later?
Yes. Admins can update it in Tenant settings; FinOps views and budgets reflect the new currency.
Is data shared across tenants?
No. Each tenant is isolated.
How do I grant least‑privilege?
Use specialized Reader roles for visibility and grant Contributor only where changes are required.
Where are my secrets stored and who can access them?
In Azure Key Vault. Only platform components with RBAC access can read them at runtime; users cannot retrieve saved secrets.
Glossary
Tenant: Isolated workspace for your organization.
Connection: Binding to a provider scope (subscription/account/project).
CMDB: Configuration Management Database of discovered resources with relationships and history.
Allocation Rule: Tag‑based mapping (Group + Environment + Project) used in FinOps.
T‑1 costs: Cost data available up to the previous day, with provider backfills automatically reconciled.
Key Vault: Azure service for secure secret storage with RBAC, auditing, and network controls.