Connect read-only billing sources with permission checks
Rateplane connects to AWS, Azure, and GCP using read-only billing credentials. Preflight checks verify the required billing permissions, credentials are encrypted at rest, and imported spend appears after a successful sync.
1. Connect
Add a cloud account label plus the provider-specific billing credentials or export details the product needs.
2. Sync
The connection is saved, then spend is imported when you run a sync. No fake “instant AI audit” story — it is a billing import pipeline.
3. Review
After a successful sync, Rateplane shows imported spend in the dashboard and records whether the last import succeeded or needs attention.
How spend ingestion works
The core idea is straightforward: Rateplane does not guess your spend from list prices alone. It imports spend from the billing source you configure, using the provider-specific path the current product actually supports. That matters, because trust comes from understanding the real mechanism, not from vague promises.
Connection: You connect a dedicated IAM access key for a billing-only identity.
Import path: During sync, Rateplane queries AWS Cost Explorer to import spend data.
Important: Use a read-only billing identity. Do not use the root user.
Connection: You connect a service principal with Cost Management read access.
Import path: During sync, Rateplane runs a Cost Management query against the configured scope.
Important: Subscription scope is the default; a billing scope override is only needed when your billing data lives elsewhere.
Connection: You connect a service account key for a project that already has billing export configured.
Import path: During sync, Rateplane reads spend from your existing BigQuery billing export dataset and table.
Important: Rateplane does not turn the export on for you. The export must already exist.
Built on security-first principles
Least-privilege by design
Rateplane only ever needs read-only access to billing data. Create a dedicated identity in minutes and never share owner, root, or admin credentials.
Encrypted at rest, scoped to billing
Every connection credential is encrypted with AES-256 and used only for billing and cost reads. Rateplane never makes infrastructure changes, deployments, or write actions in your cloud account.
Focused on cost intelligence
Rateplane focuses on pricing and spend visibility across AWS, Azure, and GCP. It does not use read-only billing credentials for infrastructure changes or hidden write actions.
What you get from day one
- • Connected-account cards that show sync state, imported rows, and permission errors.
- • Spend dashboards after AWS Cost Explorer, Azure Cost Management, or GCP billing export rows import successfully.
- • Budget, anomaly, and attribution workflows that become useful as connected spend history grows.
- • Catalog pricing freshness context for configured provider feeds.
Frequently asked questions
What data gets imported?
Spend data from the provider billing source you connect. In practice that means AWS Cost Explorer data, Azure Cost Management query results, or rows from an existing GCP BigQuery billing export.
When does spend show up in the product?
After you save the connection and run a sync. The first successful sync imports records and updates the account state in the dashboard.
Does Rateplane need production infrastructure access?
Not for the connection model shown in the product. The implementation is centered on billing and spend reads, not VM lifecycle actions or broad resource administration.
Will this import every possible cloud cost detail?
Not necessarily. The imported view depends on what the provider makes available through the configured billing source and how your account or export is set up. Some teams will still want deeper internal tagging, allocation, or warehouse analysis elsewhere.
Ready to connect your first billing source?
Start free, connect one account with a read-only identity, run a preflight check, then sync billing data into the dashboard.