Skip to content

Connect an AWS profile

If the AWS CLI works on your machine, CloudPouch already has what it needs: it reads the same ~/.aws/credentials and ~/.aws/config files, so there is no separate credential setup and no pasting keys into the app — credentials stay in your local ~/.aws files and are used to sign requests to AWS. You just pick which profile to analyze.

CloudPouch works with the credential patterns you likely already use with the AWS CLI:

  • Static IAM user credentials in ~/.aws/credentials.
  • AWS SSO profiles in ~/.aws/config (IAM Identity Center).
  • Shared sso-session blocks referenced by multiple profiles — the AWS CLI’s newer SSO format.
  • Role-chaining profiles that assume a role via source_profile.

If you have no default profile in ~/.aws/credentials, CloudPouch shows a welcome screen on startup until a usable profile is available.

CloudPouch supports the AWS CLI’s SSO session sharing format: define one sso-session block and reference it from as many profiles as you need. When you select an SSO profile whose session has expired or was never started, CloudPouch launches the browser-based AWS SSO sign-in automatically — complete it in your browser and CloudPouch picks up the session.

[profile my-dev-profile]
sso_session = my-sso
sso_account_id = 123456789011
sso_role_name = readOnly
region = us-west-2
[profile my-other-profile]
sso_session = my-sso
sso_account_id = 555555555555
sso_role_name = readOnly
region = us-west-2
[sso-session my-sso]
sso_region = us-east-1
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_registration_scopes = sso:account:access

For full details, see the AWS CLI SSO guide or Simplified Configuration of SSO Profiles in AWS CLI Using SSO Sessions.

  1. Open CloudPouch and choose the AWS profile to analyze.
  2. To switch accounts later, press Cmd/Ctrl + K to open the quick AWS profile switcher — type to search by profile name and navigate with the keyboard.
  3. If you edited ~/.aws/config or ~/.aws/credentials while CloudPouch was running, use the profile reload option to pick up the changes without restarting.

Multi-account work is the normal case, not the exception: FinOps reviews usually mean hopping between a payer account and several member accounts, and the Cmd/Ctrl + K switcher is built for exactly that.

CloudPouch needs read access to billing data and resource metadata for the Cost Insights you run — it never creates, modifies, or deletes AWS resources. A profile you already use for read-only auditing usually works. For a precise policy, see AWS permissions or follow Create a CloudPouch IAM policy.

If a bulk Cost Insights run hits missing permissions, CloudPouch does not silently show empty results: it reports the affected AWS service, region, API operation, and error code (such as AccessDenied), so you can tell “nothing to optimize” apart from “could not check”.

  • Invalid or expired SSO session — CloudPouch shows an error message; re-run the browser authentication for that profile.
  • SSO sign-in not completed — if you abandon the browser flow, CloudPouch will not show another profile’s data in its place; select the profile again and finish the sign-in.
  • More cases in Troubleshooting.