Start here

What nable is, in one minute

nable answers questions about your cloud and AI bill right inside Claude or Cursor. Ask why a bill went up, it finds the cause, drafts the fix, and proves the savings. No SQL, no dashboards.

What you connect
  • Read-only access to one cloud account (AWS, Azure, or GCP) to start. nable only ever reads your bill.
  • Your credentials stay in your OS keyring, on your machine. Nothing reaches our servers.
  • It proposes, you approve. nable never changes anything in your cloud on its own.
1
Install

One command, uvx nable, on your machine.

2
Connect, read-only

Point it at AWS, Azure, or GCP. The setup wizard walks you through it.

3
Ask

In Claude or Cursor, ask why the bill went up. Get the cause, the cost, and the fix.

An engineer installs nable and connects the read-only access once. The IAM, CloudFormation, and SSO pages below are for them. After that, anyone on the team just asks questions, no setup, no terminal.

Quickstart

Quickstart

Install nable, point it at your AI editor, then ask about your cloud spend. You only need one provider to start. Everything stays on your machine.

What you need
  • Python 3.11+ with pip. Check with python3 --version.
  • Claude Desktop or Cursor (or any MCP-compatible editor)
  • Read-only credentials for at least one cloud account (AWS, Azure, or GCP)
1
Install and connect, one command
terminal
uvx nable

uv fetches a matching Python and runs the setup wizard. No PATH setup, no separate install step. Want a look first? uvx nable welcome --demo runs it on sample data. Already on Python 3.11+? pip install -U finops-mcp && finops welcome. No uv? brew install uv.

2
Prefer a permanent install? (optional)
terminal
uv tool install finops-mcp && uv tool update-shell

Installs the finops commands on your PATH so you can run finops welcome, finops doctor, and the rest directly. Open a new terminal after update-shell, then fully quit and reopen your editor.

Prefer manual MCP setup? Add this to your editor's config:

mcp.json
// Claude Desktop: ~/Library/Application Support/Claude/claude_desktop_config.json
// Cursor: ~/.cursor/mcp.json
{
  "mcpServers": {
    "finops": { "command": "finops-mcp" }
  }
}

Tip: replace finops-mcp with the full path from which finops-mcp. macOS GUI apps inherit a minimal PATH and may not find the command otherwise.

3
Ask your first question
In Claude Desktop or Cursor, type

"What are my top 5 AWS cost drivers this month, and did anything spike unexpectedly?"

nable breaks down your spend by service, flags anomalies, and explains what changed. No SQL, no dashboards.

Security note: Credentials are stored in your OS keyring (macOS Keychain, Windows Credential Manager, or libsecret on Linux). They never leave your machine. Full detail in Security & permissions.

Detailed installation

The long version of the quickstart, with verification and the manual MCP path spelled out. Takes about five minutes including IAM setup.

1
Install and run the welcome wizard
terminal
uvx nable

The welcome command walks you through connecting Claude and your first cloud account, then shows your first cost number right in the terminal. uv fetches a matching Python automatically. Already on Python 3.11+? pip install -U finops-mcp && finops welcome works too.

2
Or connect everything at once
terminal
# Scans this machine for credentials (env vars, gcloud, gh, ~/.modal.toml…)
# and connects everything it finds in one keystroke:
finops connect
# Or pick providers individually:
finops setup aws
finops setup gcp
finops setup azure

AWS and GCP are detect-and-confirm: nable finds working credentials (profiles, SSO, gcloud ADC), auto-discovers the billing accounts, and connects on one keystroke. Every paste-a-key wizard links the exact page where the key lives. Credentials go to your OS keyring; nothing leaves the machine. You don't need all 30 connectors, one is enough to start.

3
Add nable to your editor's MCP config
claude_desktop_config.json
{
  "mcpServers": {
    "finops": { "command": "finops-mcp" }
  }
}

Run finops setup to have this written automatically, or paste it manually. Then fully quit and reopen your editor , most clients only read config at startup.

4
Verify everything is connected
terminal
finops doctor
✓ aws      configured
✓ datadog  configured
– azure    not configured

If a provider shows red, re-run finops setup <provider> or check the troubleshooting section.

Security note: Credentials are encrypted with Fernet and stored in your OS keyring (macOS Keychain, Windows Credential Manager, or libsecret on Linux). They never leave your machine.

Activate your Team license

After purchase, your license key is emailed to you. Keys start with FINOPS-2-. Run one command and it handles everything.

1
Run the license command with your key
terminal
finops setup license FINOPS-2-your-key-here

This validates the key, stores it in your OS keyring, and writes it directly into your Claude Desktop config. No manual JSON editing.

2
Restart your editor

Team features turn on immediately on restart.

Check your status anytime with finops setup license-status.

AI client setup

Add the MCP server to your AI client's config. You only need to do this once. If you ran finops setup, it was configured automatically with the correct path.

Claude Desktop

Edit ~/Library/Application Support/Claude/claude_desktop_config.json

claude_desktop_config.json
{
  "mcpServers": {
    "finops": { "command": "finops-mcp" }
  }
}

Cursor

Settings → MCP → Add server, or edit ~/.cursor/mcp.json

mcp.json
{ "mcpServers": { "finops": { "command": "finops-mcp" } } }

Windsurf

Edit ~/.codeium/windsurf/mcp_config.json

mcp_config.json
{ "mcpServers": { "finops": { "command": "finops-mcp" } } }

OpenAI Codex / other MCP clients

Run the server manually and point your client at the stdio transport.

terminal
finops-mcp  # listens on stdio
If your editor can't find the server, replace finops-mcp with the full path from which finops-mcp. macOS GUI apps inherit a minimal PATH.
Cloud providers

AWS

Connects to Cost Explorer for spend data and CloudWatch for rightsizing metrics. Supports IAM keys, IAM Identity Center SSO, and cross-account role assumption.

Cost Explorer must be enabled before the API will work. Go to Billing → Cost Explorer → Enable. It can take up to 24 hours to activate on a new account.

Permission tiers

nable works with whatever you're comfortable giving it. Start with Cost Explorer read-only for cost queries, anomaly detection, and budgets. Add the audit permissions when you're ready for the deep waste scanner.

Bare bones
Full audit
What you get
  • Cost queries across all services
  • Anomaly detection
  • Budget alerts and soft checks
  • Savings Plan coverage
  • Forecasting
Everything above, plus
  • Deep waste audit (16 scanners)
  • CloudWatch rightsizing per instance
  • Idle NAT / EIP / EBS detection
  • Lambda memory analysis
  • S3 storage class optimization
iam · read-only
ce:GetCostAndUsage
ce:GetSavingsPlans*
ce:GetReservation*
sts:GetCallerIdentity
iam · audit
# everything on the left, plus:
cloudwatch:GetMetricData
ec2:Describe{Instances,Volumes,
  Snapshots,Addresses,NatGateways}
rds:Describe{DBInstances,DBSnapshots}
lambda:ListFunctions
logs:DescribeLogGroups
s3:ListAllMyBuckets
compute-optimizer:Get*
Permissions are read-only except one: logs:PutRetentionPolicy, for optional auto-remediation of infinite-retention log groups. Destructive cleanup requires explicitly setting FINOPS_CLEANUP_ENABLED=true. Run finops setup aws --iam-template to generate a least-privilege CloudFormation policy. Full policy in Least-privilege IAM.

Setup

1

Create an IAM user with the permissions above, or use an existing SSO role.

2
terminal
finops setup aws
3

Enter your Access Key ID and Secret Access Key when prompted. For SSO, enter your profile name.

Manual env vars

.env
AWS_ACCESS_KEY_ID=AKIA...
AWS_SECRET_ACCESS_KEY=your-secret
AWS_DEFAULT_REGION=us-east-1  # CE requires us-east-1

Azure

Connects to the Azure Cost Management API. Supports a Service Principal (recommended for automation) and device-code flow (interactive login).

Required Azure role
  • Cost Management Reader , scoped to your Subscription or Management Group

Setup

1

Create a Service Principal:

terminal
az ad sp create-for-rbac --name finops-mcp \
  --role "Cost Management Reader" \
  --scopes /subscriptions/YOUR_SUB_ID
2
terminal
finops setup azure
3

Enter Tenant ID, Client ID, Client Secret, and Subscription ID when prompted.

Manual env vars

.env
AZURE_TENANT_ID=your-tenant-id
AZURE_CLIENT_ID=your-client-id
AZURE_CLIENT_SECRET=your-client-secret
AZURE_SUBSCRIPTION_ID=your-subscription-id

GCP

Primary path: BigQuery billing export (recommended, richer data). Fallback: Cloud Billing API. Both use a service-account JSON key stored encrypted in your vault.

Required IAM roles
  • roles/billing.viewer , Billing API access
  • roles/bigquery.dataViewer , only if using BigQuery export
  • roles/bigquery.jobUser , only if using BigQuery export

Setup

1

Create a service account in GCP Console → IAM → Service Accounts. Assign the roles above, then download the JSON key file.

2

(Recommended) Enable billing export to BigQuery: Billing → Billing export → BigQuery export.

3
terminal
finops setup gcp
4

Paste the path to your JSON key file and your GCP Project ID when prompted.

Manual env vars

.env
GOOGLE_APPLICATION_CREDENTIALS=/path/to/key.json
GCP_PROJECT_ID=my-project-123
GCP_BIGQUERY_DATASET=billing_export  # if using BQ export
GCP_PROJECT_IDS=my-prod,my-staging  # enables the GCP waste audit
SaaS tools
Alerts & automation
What nable does
Agent guardrail

Cost guardrail for agents

One command wires nable into an AI coding agent so it checks every infrastructure-mutating command against your policy before it runs. No prompt engineering. It is advisory and propose-only: nable pauses or blocks an action and shows why, but it never executes anything itself. Read the agent cost controls overview for the why.

Install

In your project (or add --global for every repo), run:

terminal
finops guard install

This writes a Claude Code PreToolUse hook to .claude/settings.json. Restart Claude Code so it picks up the hook. Uses uvx nable? The hook is finops guard hook either way. Check status with finops guard status, remove with finops guard uninstall.

What it does

Before your agent runs an infrastructure command, nable classifies it and applies your policy:

Command
Verdict
One-way door: terraform destroy, kubectl delete, aws ec2 terminate-instances, a commitment purchase
ask — pauses for a human, with the reason. Irreversible or financial moves always escalate.
Reversible but not in your allowlist
deny — the agent is told why and proposes something else
Reversible and in policy: terraform apply, helm upgrade, stopping an instance
silent — runs as normal, zero friction

Try any command against your policy without an agent:

terminal
finops guard check --command "terraform destroy"

Policy knobs

  • ·FINOPS_POLICY_MAX_AUTO_USD — a monthly-dollar threshold; a cost increase above it escalates. Default 500.
  • ·FINOPS_POLICY_ALLOWED_ACTIONS — comma-separated action types a human can apply (e.g. rightsizing,tag_fix,stop_idle). Anything else is denied.
  • ·FINOPS_GUARD_STRICT=1 — also pause on reversible mutations (terraform apply, helm upgrade) with a nudge to cost the change first.

Safety

The guard never executes a command; it only returns ask, deny, or nothing. It fails open, any internal error exits cleanly so a guard bug can never break your agent, and it adds about 80ms per command. Propose-only stays fully intact: nable does not auto-execute infrastructure. Outside Claude Code (Cursor, Windsurf, your own loop), point the agent at the same gate with a one-line system-prompt instruction, see the adoption paths.

Security

Security & permissions

nable is not SaaS. It runs on your machine, holds credentials in your OS keyring, queries your cloud providers directly, and has no backend that receives your data. It reads your cloud bill. It cannot change your cloud. Full detail on the security page and the access scope page.

What nable can and cannot do

nable can
nable cannot
Read cost, usage and billing data (Cost Explorer, Cost Management, BigQuery billing export)
Create, modify, delete or terminate any resource (EC2, RDS, S3, Lambda, anything)
Read resource metadata and CloudWatch metrics for rightsizing (describe calls, GetMetricData)
Read your application data, S3 object contents, database rows, log content, or customer data
Read rightsizing and commitment recommendations (Compute Optimizer, Advisor)
Move, spend, or commit money: no purchase, no Savings Plan or RI buy, no budget changes

There is exactly one optional write permission in the whole footprint: logs:PutRetentionPolicy, used only if you explicitly ask nable to fix a CloudWatch Log Group that has no retention policy. You can omit it and lose nothing but that one auto-fix. Destructive cleanup is off entirely unless you set FINOPS_CLEANUP_ENABLED=true yourself.

Where things live

  • ·Credentials: your OS keyring (macOS Keychain, Windows Credential Manager, libsecret on Linux), encrypted at rest with Fernet. Never written to config files in plaintext, never transmitted to nable.
  • ·Cost data: cached in a local SQLite database on your machine (Postgres in team mode, hosted by you). nable has no data lake; there is nothing of yours on our side to breach.
  • ·License verification: offline. Keys are Ed25519-signed and verified against a public key bundled in the package. No license server, no phone-home check.
  • ·The website and billing are the only nable-operated systems. They never see cloud credentials or cost data.

Verify before you trust

You do not have to take this on faith. nable ships the tools to generate a scoped credential and prove it is read-only:

  • ·finops setup aws --iam-template prints the exact CloudFormation policy
  • ·finops setup aws --iam-terraform prints it as a Terraform snippet
  • ·finops setup aws --check-scope inspects a credential and confirms it has no write permissions

Because nable runs entirely on your machine with no backend, you can watch the wire yourself: run it behind a packet capture (tcpdump, Little Snitch, your egress firewall) and confirm the only outbound destinations are your own cloud provider APIs. Two exceptions, both yours to disable: anonymous opt-out usage telemetry (no cost figures, account IDs, or credentials; off with NABLE_NO_TELEMETRY=1); and, only if you opt into peer benchmarking which is off by default, anonymized differentially-private cost ratios. FINOPS_AIRGAP=1 forbids all non-provider traffic including both.

AI exposure, stated plainly

When you ask a question in Claude, Cursor or another MCP editor, the cost figures nable returns are sent to that editor's AI model to compose the answer, the same as anything else in the chat. nable itself sends nothing to any model. For zero model exposure, use the local dashboard or CLI, which never touch one. Enterprises routing AI through private endpoints (Bedrock, Azure OpenAI) keep that boundary too.

Team mode

  • ·RBAC: viewer, analyst and admin roles with team scoping; API keys stored as SHA-256 hashes.
  • ·SSO: OIDC with strict validation (algorithm allowlist, issuer, audience, expiry and CSRF state all enforced).
  • ·Audit log: every tool call recorded with duration and outcome.
  • ·Remediation approvals: drafted actions require a second-person approval by default (analyst or above, 24-hour expiry, replay-proof).

Least-privilege IAM

The exact, least-privilege read-only permissions nable needs on each provider. Hand the policy below to your platform team, or run finops setup aws --iam-template to generate it. Every action is a Get, List, Describe, or read.

AWS least-privilege read-only policy

iam-policy.json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "NableReadOnlyFinOps",
    "Effect": "Allow",
    "Action": [
      "ce:GetCostAndUsage", "ce:GetCostForecast",
      "ce:GetReservationUtilization", "ce:GetReservationCoverage",
      "ce:GetSavingsPlansPurchaseRecommendation",
      "ce:GetSavingsPlansUtilization", "ce:GetSavingsPlansCoverage",
      "ce:GetRightsizingRecommendation", "ce:ListCostAllocationTags",
      "compute-optimizer:GetEC2InstanceRecommendations",
      "compute-optimizer:GetLambdaFunctionRecommendations",
      "compute-optimizer:GetRDSDatabaseRecommendations",
      "compute-optimizer:GetECSServiceRecommendations",
      "compute-optimizer:GetEnrollmentStatus",
      "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics",
      "cloudwatch:ListMetrics",
      "ec2:DescribeInstances", "ec2:DescribeRegions", "ec2:DescribeVolumes",
      "ec2:DescribeSnapshots", "ec2:DescribeAddresses",
      "ec2:DescribeNatGateways", "ec2:DescribeImages",
      "elasticloadbalancing:DescribeLoadBalancers",
      "rds:DescribeDBInstances", "rds:DescribeDBSnapshots",
      "lambda:ListFunctions", "lambda:GetFunctionConfiguration",
      "ecr:DescribeRepositories", "ecr:DescribeImages",
      "ecs:ListClusters", "ecs:ListServices",
      "ecs:DescribeServices", "ecs:DescribeTaskDefinition",
      "logs:DescribeLogGroups", "logs:DescribeLogStreams",
      "logs:PutRetentionPolicy",  // the one optional write, omit to be pure read-only
      "cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus",
      "cloudtrail:GetEventSelectors",
      "s3:ListAllMyBuckets", "s3:GetBucketLocation",
      "s3:GetBucketIntelligentTieringConfiguration",
      "s3:ListBucketMultipartUploads",
      "organizations:ListAccounts", "organizations:DescribeAccount",
      "organizations:DescribeOrganization",
      "sts:GetCallerIdentity", "sts:AssumeRole"
    ],
    "Resource": "*"
  }]
}

Every action is a Get, List, Describe, or read. There is no Create, Delete, Modify, Run, Terminate, or Put anywhere except the single annotated log-retention line.

One optional, separate backend: if you turn on the detailed CUR-via-Athena cost path (off by default, not part of this policy), it also needs read access to Athena and Glue plus a scoped s3:PutObject to its own Athena query-results bucket. That is the only write outside log retention, it is opt-in, and it is scoped to a bucket you designate.

Google Cloud roles to grant the service account

  • ·roles/billing.viewer on the billing account, to read cost
  • ·roles/bigquery.dataViewer on the billing-export dataset
  • ·roles/bigquery.jobUser on the project, to run the export queries
  • ·roles/compute.viewer on each audited project (optional, for the GCP waste audit)
  • ·roles/monitoring.viewer on each audited project (optional, for the GCP waste audit)
  • ·roles/recommender.viewer on each project (optional, to pull Google's native Recommender API: rightsizing, committed-use, Cloud SQL, idle resources)

All are read and query roles. nable reads your Cloud Billing export in BigQuery and, for the optional waste audit, lists Compute resources and reads Monitoring metrics. It writes to nothing. Set GCP_PROJECT_IDS to turn the resource audit on.

Azure RBAC roles per subscription

  • ·Cost Management Reader, for cost and usage queries
  • ·Reader, for Advisor cost recommendations and the VM list
  • ·Monitoring Reader, for VM CPU metrics used in rightsizing

All three are Reader-tier roles. nable performs no write operation on Azure.

Want a dedicated credential rather than your own keys? Hand your platform team the policy above (or finops setup aws --iam-template), they create a scoped read-only credential in minutes, and nable runs on your machine with that. Read the full write-up on the access scope page.

Enterprise SSO (OIDC)Enterprise

Lets your whole team sign in with their company credentials via Okta, Azure AD, Google Workspace, Auth0, or any OIDC-compatible IdP. IdP groups automatically map to nable RBAC roles, with no manual API key distribution.

How it works: user clicks "Sign in with SSO" → browser redirects to your IdP → IdP authenticates and returns an ID token → nable validates the token, reads the groups claim, and maps groups to admin / analyst / viewer → user receives a Team license key automatically.

Setup

1

Create an OAuth2 app in your IdP. Set the redirect URI to https://getnable.com/api/sso/oidc-callback. Request scopes openid email profile groups.

2

Enable the groups claim in the ID token. Steps vary by IdP: Okta (Authorization Server → Claims), Azure AD / Entra ID (Token configuration → groups claim, set OIDC_GROUPS_CLAIM=roles), Google Workspace (custom claim via Admin SDK), Auth0 (Action or Rule).

3

Run the wizard to configure and store credentials:

terminal
finops setup sso
4

Add the env vars to your deployment (or wherever nable runs). Test by visiting /api/sso/oidc-start.

Role mapping example

.env
OIDC_ISSUER=https://yourcompany.okta.com
OIDC_CLIENT_ID=0oa1abc...
OIDC_CLIENT_SECRET=your-client-secret
OIDC_GROUPS_CLAIM=groups
OIDC_ROLE_MAP={"finops-admins":"admin","engineering":"analyst","finance":"viewer"}
OIDC_DEFAULT_ROLE=viewer  # fallback for users not in any mapped group

RBAC roles

RoleCan do
adminAll queries, set budgets, manage API keys, create tickets, view all teams
analystAll queries and recommendations, cannot manage keys or budgets
viewerRead-only: cost summaries, anomalies, rightsizing. Cannot set budgets or create tickets
Reference

All environment variables

Every variable nable reads. The setup wizard writes these for you; this table is for manual config, CI, and containerized runs.

Click any row to copy the variable name. Or skip the table entirely: finops connect detects credentials already on your machine and connects everything it finds.

Variable
Provider
Required
AWS_ACCESS_KEY_ID
AWS
Required
AWS_SECRET_ACCESS_KEY
AWS
Required
AWS_DEFAULT_REGION
AWS
Optional
AZURE_TENANT_ID
Azure
Required
AZURE_CLIENT_ID
Azure
Required
AZURE_CLIENT_SECRET
Azure
Required
AZURE_SUBSCRIPTION_ID
Azure
Required
GOOGLE_APPLICATION_CREDENTIALS
GCP
Required
GCP_PROJECT_ID
GCP
Required
GCP_PROJECT_IDS
GCP
Optional
GCP_BIGQUERY_DATASET
GCP
Optional
DATADOG_API_KEY
Datadog
Required
DATADOG_APP_KEY
Datadog
Required
DATADOG_SITE
Datadog
Optional
SNOWFLAKE_ACCOUNT
Snowflake
Required
SNOWFLAKE_USER
Snowflake
Required
SNOWFLAKE_PASSWORD
Snowflake
Required
SNOWFLAKE_WAREHOUSE
Snowflake
Required
SNOWFLAKE_CREDIT_PRICE
Snowflake
Optional
SNOWFLAKE_ROLE
Snowflake
Optional
STRIPE_SECRET_KEY
Stripe
Required
TWILIO_ACCOUNT_SID
Twilio
Required
TWILIO_AUTH_TOKEN
Twilio
Required
MONGODB_ATLAS_PUBLIC_KEY
MongoDB
Required
MONGODB_ATLAS_PRIVATE_KEY
MongoDB
Required
MONGODB_ATLAS_ORG_IDS
MongoDB
Optional
CLOUDFLARE_API_TOKEN
Cloudflare
Required
CLOUDFLARE_ACCOUNT_ID
Cloudflare
Optional
VERCEL_TOKEN
Vercel
Required
VERCEL_TEAM_ID
Vercel
Optional
NEW_RELIC_API_KEY
New Relic
Required
NEW_RELIC_ACCOUNT_ID
New Relic
Required
NEW_RELIC_INGEST_PRICE_PER_GB
New Relic
Optional
LANGFUSE_PUBLIC_KEY
Langfuse
Required
LANGFUSE_SECRET_KEY
Langfuse
Required
LANGFUSE_HOST
Langfuse
Optional
DATABRICKS_HOST
Databricks
Required
DATABRICKS_TOKEN
Databricks
Required
DATABRICKS_ACCOUNT_ID
Databricks
Optional
DATABRICKS_DBU_PRICE
Databricks
Optional
FINOPS_IMAP_HOST
Invoices
Optional
FINOPS_IMAP_USER
Invoices
Optional
FINOPS_IMAP_PASSWORD
Invoices
Optional
Alerts & automation
SLACK_WEBHOOK_URL
Slack
Optional
TEAMS_WEBHOOK_URL
Teams
Optional
FINOPS_SMTP_HOST
Email
Optional
FINOPS_DIGEST_TO
Email
Optional
JIRA_URL
Jira
Optional
JIRA_API_TOKEN
Jira
Optional
LINEAR_API_KEY
Linear
Optional
GITHUB_ISSUES_REPO
GitHub Issues
Optional
Slack bot
SLACK_BOT_TOKEN
Slack bot
Required
SLACK_APP_TOKEN
Slack bot
Required
ANTHROPIC_API_KEY
Slack bot
Required
SLACK_DAILY_CHANNEL
Slack bot
Optional
PR cost comments
GITHUB_WEBHOOK_SECRET
PR comments
Optional
PR_COST_THRESHOLD_USD
PR comments
Optional
PR_WEBHOOK_PORT
PR comments
Optional
Idle resource cleanup
FINOPS_CLEANUP_ENABLED
Cleanup
Optional
FINOPS_PROTECTED_TAGS
Cleanup
Optional
Rate detection (CUR / Athena)
CUR_ATHENA_DATABASE
Rate detection
Optional
CUR_ATHENA_TABLE
Rate detection
Optional
Enterprise SSO (OIDC)
OIDC_ISSUER
SSO
Required
OIDC_CLIENT_ID
SSO
Required
OIDC_CLIENT_SECRET
SSO
Required
OIDC_ROLE_MAP
SSO
Optional
License
FINOPS_LICENSE_KEY
Team
Team
Every SaaS connector follows the same pattern: a provider key plus any IDs the provider needs. Run finops setup <provider> and the wizard writes them for you.

Troubleshooting

The usual suspects, and how to clear them fast.

Editor can't find finops-mcp

macOS GUI apps inherit a minimal PATH. Use the absolute path from which finops-mcp in your MCP config, or install with uv tool install finops-mcp && uv tool update-shell.

AWS returns empty cost data

Cost Explorer isn't enabled yet, or it's still warming up (up to 24h on new accounts). Confirm under Billing → Cost Explorer, make sure your region is us-east-1, and check the IAM user has ce:GetCostAndUsage. Run aws sts get-caller-identity to confirm which account you're reading.

Tools don't appear after config

Most MCP clients only read config at startup. Fully quit and reopen the editor , not just close the window. Then run finops doctor to confirm each provider.

Credentials not persisting after restart

Install the keyring extra: pip install finops-mcp[keyring]. Without it, credentials fall back to a local encrypted file. Re-run finops setup after installing.

Snowflake: "Object does not exist"

The user needs IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE granted to its role. Run as ACCOUNTADMIN: GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE your_role;

command not found: finops after pip install

pip installed the package but the executable isn't on your PATH, common on macOS with system or Homebrew Python. Find and add the pip bin directory, or use pipx install finops-mcp which handles PATH automatically.

terminal
# Find where pip puts executables
python3 -m site --user-base
# Add /bin to that path, e.g.:
export PATH="$HOME/Library/Python/3.11/bin:$PATH"

Still stuck?

Email us with your finops doctor output and we'll debug with you: hello@getnable.com.

Next steps

Was this page helpful?