Connect an AWS profile
If the AWS CLI works on your machine, CloudPouch already has what it needs: it reads the same ~/.aws/credentials and ~/.aws/config files, so there is no separate credential setup and no pasting keys into the app — credentials stay in your local ~/.aws files and are used to sign requests to AWS. You just pick which profile to analyze.
Supported profile types
Section titled “Supported profile types”CloudPouch works with the credential patterns you likely already use with the AWS CLI:
- Static IAM user credentials in
~/.aws/credentials. - AWS SSO profiles in
~/.aws/config(IAM Identity Center). - Shared
sso-sessionblocks referenced by multiple profiles — the AWS CLI’s newer SSO format. - Role-chaining profiles that assume a role via
source_profile.
If you have no default profile in ~/.aws/credentials, CloudPouch shows a welcome screen on startup until a usable profile is available.
AWS SSO configuration
Section titled “AWS SSO configuration”CloudPouch supports the AWS CLI’s SSO session sharing format: define one sso-session block and reference it from as many profiles as you need. When you select an SSO profile whose session has expired or was never started, CloudPouch launches the browser-based AWS SSO sign-in automatically — complete it in your browser and CloudPouch picks up the session.
Sample ~/.aws/config
Section titled “Sample ~/.aws/config”[profile my-dev-profile]sso_session = my-ssosso_account_id = 123456789011sso_role_name = readOnlyregion = us-west-2
[profile my-other-profile]sso_session = my-ssosso_account_id = 555555555555sso_role_name = readOnlyregion = us-west-2
[sso-session my-sso]sso_region = us-east-1sso_start_url = https://my-sso-portal.awsapps.com/startsso_registration_scopes = sso:account:accessFor full details, see the AWS CLI SSO guide or Simplified Configuration of SSO Profiles in AWS CLI Using SSO Sessions.
Selecting and switching profiles
Section titled “Selecting and switching profiles”- Open CloudPouch and choose the AWS profile to analyze.
- To switch accounts later, press
Cmd/Ctrl + Kto open the quick AWS profile switcher — type to search by profile name and navigate with the keyboard. - If you edited
~/.aws/configor~/.aws/credentialswhile CloudPouch was running, use the profile reload option to pick up the changes without restarting.
Multi-account work is the normal case, not the exception: FinOps reviews usually mean hopping between a payer account and several member accounts, and the Cmd/Ctrl + K switcher is built for exactly that.
What permissions the profile needs
Section titled “What permissions the profile needs”CloudPouch needs read access to billing data and resource metadata for the Cost Insights you run — it never creates, modifies, or deletes AWS resources. A profile you already use for read-only auditing usually works. For a precise policy, see AWS permissions or follow Create a CloudPouch IAM policy.
If a bulk Cost Insights run hits missing permissions, CloudPouch does not silently show empty results: it reports the affected AWS service, region, API operation, and error code (such as AccessDenied), so you can tell “nothing to optimize” apart from “could not check”.
If sign-in fails
Section titled “If sign-in fails”- Invalid or expired SSO session — CloudPouch shows an error message; re-run the browser authentication for that profile.
- SSO sign-in not completed — if you abandon the browser flow, CloudPouch will not show another profile’s data in its place; select the profile again and finish the sign-in.
- More cases in Troubleshooting.