Connection failures
Common connection errors
AWS: Role validation failed
Causes:
- Incorrect IAM role ARN
- Trust policy missing Costimizer external ID
- Role lacks S3 or Cost Explorer permissions
Fix:
- Re-copy the role ARN from AWS IAM
- Verify the trust relationship includes Costimizer's AWS account ID
- Confirm the role can read the CUR S3 bucket — see Connect AWS
Azure: Authentication failed
Causes:
- Expired client secret
- Missing Cost Management Reader role
- Wrong tenant or subscription ID
Fix:
- Rotate the client secret in Azure AD
- Assign roles at subscription scope minimum
- Re-enter credentials in System → Data Sources
GCP: BigQuery access denied
Causes:
- Service account lacks
bigquery.dataViewer - Wrong dataset or project ID
- Billing export not enabled
Fix:
- Verify billing export exists in GCP Billing
- Grant IAM on the export dataset
- Re-upload service account key in Costimizer
Kubernetes: Agent not reporting
Causes:
- Helm install failed
- Network policy blocking egress
- Invalid API key
Fix:
- Check pod status:
kubectl get pods -n costimizer-system - Review agent logs for auth errors
- Reinstall with a fresh API key from the connection wizard
General checklist
- Correct role/permission scope (read-only billing + discovery)
- No typos in account IDs, ARNs, or bucket paths
- Firewall allows outbound HTTPS from Costimizer to cloud APIs
- Credentials not expired