Cloud Connectors
QueryWise connects to your cloud and database vendors through read-only APIs and (where applicable) read-only database accounts. We never modify customer data: the recommendation system surfaces fixes, and your team applies them.
This page is the credential and permission reference.
Capability matrix
| Vendor | Billing | Query Metrics | Schema Metadata | Explain Plans | Tags |
|---|---|---|---|---|---|
| AWS (RDS PG / MySQL / SQL Server) | ✓ | ✓ (Performance Insights) | ✓ | ✓ | ✓ |
| GCP (Cloud SQL PG / MySQL, BigQuery) | ✓ | ✓ | ✓ | ✓ | ✓ |
| Azure (PG / MySQL Flex, SQL DB) | ✓ | ✓ | ✓ | ✓ | ✓ |
| Snowflake | ✓ | ✓ | ✓ | ✓ | ✓ |
| Databricks | ✓ | ✓ | ✓ | ✓ | ✓ |
| MongoDB Atlas | ✓ | ✓ | ✓ | ✓ | ✓ |
| Redshift | ✓ | ✓ | ✓ | ✓ | ✓ |
| Azure Synapse | ✓ | ✓ | ✓ | ✓ | ✓ |
| Azure Cosmos DB | ✓ | ✓ | ✓ | ✓ | ✓ |
| Oracle (OCI) | ✓ | ✓ | ✓ | ✓ | ✓ |
Every connector supports tag/label extraction, schema metadata sync (for index/partition awareness), and explain plan capture for the queries that matter most.
AWS
Auth: Cross-account IAM role (recommended) or static access keys. CloudFormation Quick Create deploys the role in one click.
APIs accessed:
- Cost Explorer — ce:GetCostAndUsage, ce:GetCostForecast, ce:ListCostAllocationTags
- CloudWatch — cloudwatch:GetMetricData, cloudwatch:ListMetrics
- RDS — rds:DescribeDBInstances, rds:DescribeDBClusters, rds:ListTagsForResource
- Performance Insights — pi:GetResourceMetrics, pi:DescribeDimensionKeys, pi:GetDimensionKeyDetails
- Redshift — redshift:DescribeClusters
- EC2 — ec2:DescribeReservedInstances (for discount discovery)
- Tagging — tag:GetResources
For database-level query stats, QueryWise also accepts a read-only RDS user (pg_read_all_stats for Postgres; PROCESS and REPLICATION CLIENT for MySQL). Without it, query metrics come from Performance Insights only.
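Before attaching a policy to the cross-account role, it is worth checking that it grants the actions listed above and nothing else. The following is an added example, not QueryWise code: the function name `audit_policy` and the sample policy are assumptions made for illustration, and only the action names come from this page.

```python
import fnmatch
import json

# Actions listed in the AWS section of this page (IAM action names are case-insensitive).
DOCUMENTED = {a.lower() for a in (
    "ce:GetCostAndUsage ce:GetCostForecast ce:ListCostAllocationTags "
    "cloudwatch:GetMetricData cloudwatch:ListMetrics "
    "rds:DescribeDBInstances rds:DescribeDBClusters rds:ListTagsForResource "
    "pi:GetResourceMetrics pi:DescribeDimensionKeys pi:GetDimensionKeyDetails "
    "redshift:DescribeClusters ec2:DescribeReservedInstances tag:GetResources"
).split()}

def _as_list(value):
    """IAM accepts either a single value or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json):
    """Return (excess, missing) for the Allow statements of an IAM policy.

    excess:  Allow patterns that are wildcards or name an undocumented action.
    missing: documented actions (lower-cased) that no Allow pattern covers.
    Deny statements and Resource/Condition scoping are not evaluated.
    """
    excess, granted = set(), set()
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # allows everything except a list: never least privilege
            excess.add("NotAction")
        for pattern in _as_list(stmt.get("Action")):
            p = pattern.lower()
            granted |= {a for a in DOCUMENTED if fnmatch.fnmatchcase(a, p)}
            if "*" in p or "?" in p or p not in DOCUMENTED:
                excess.add(pattern)
    return sorted(excess), sorted(DOCUMENTED - granted)

# Constructed sample policy (not a QueryWise artifact): one wildcard, one write action.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ce:GetCostAndUsage", "ce:GetCostForecast", "rds:Describe*"]},
        {"Effect": "Allow", "Resource": "*", "Action": "rds:ModifyDBInstance"},
    ],
})

if __name__ == "__main__":
    excess, missing = audit_policy(SAMPLE_POLICY)
    print("beyond documented set:", excess)
    print("documented but not granted:", missing)
```

A wildcard such as `rds:Describe*` is reported even though it covers documented actions, because it also admits actions that are not on the list.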
GCP
Auth: Service account (workload identity federation supported) or OAuth-based onboarding via cloud shell.
APIs accessed:
- Cloud Billing — billing export reads
- BigQuery — INFORMATION_SCHEMA reads for query stats and slot usage
- Cloud Resource Manager — project metadata, labels
- Cloud Monitoring — metric reads
Roles required:
- roles/billing.viewer (on the billing account)
- roles/bigquery.metadataViewer and roles/bigquery.jobUser (project)
- roles/monitoring.viewer (project)
Azure
Auth: Managed Identity (recommended), OAuth, or service principal.
APIs accessed:
- Cost Management — Microsoft.CostManagement/query/action
- Azure Monitor — Microsoft.Insights/metrics/read
- Resource Manager — Microsoft.Resources/subscriptions/resourceGroups/read
- SQL DB / Synapse — DMV reads via SQL auth
Built-in roles:
- Cost Management Reader (subscription)
- Monitoring Reader (subscription)
Snowflake
Auth: Username + password, RSA key-pair (recommended), or OAuth.
Required grants:
```sql
CREATE ROLE QUERYWISE_READ;
GRANT USAGE ON WAREHOUSE <wh> TO ROLE QUERYWISE_READ;
GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE QUERYWISE_READ;
GRANT MONITOR USAGE ON ACCOUNT TO ROLE QUERYWISE_READ;
GRANT IMPORTED PRIVILEGES ON SHARE SNOWFLAKE TO ROLE QUERYWISE_READ;
GRANT ROLE QUERYWISE_READ TO USER <querywise_user>;
```
QueryWise reads from SNOWFLAKE.ACCOUNT_USAGE (warehouse metering, query history, login history), INFORMATION_SCHEMA for schema metadata, and TAG_REFERENCES for tag inventory.
Databricks
Auth: Personal Access Token (PAT) or service principal token.
APIs / tables accessed:
- system.billing.usage — billing system table
- system.query.history — query stats
- Workspace API for cluster / job inventory
- DBFS / Unity Catalog metadata
The PAT needs workspace admin or sufficient scope to read system tables. Unity Catalog access is required for the schema metadata collector.
MongoDB Atlas
Auth: Programmatic API key (Project / Org level).
APIs accessed:
- /api/atlas/v2/orgs/{orgId}/invoices — billing
- /api/atlas/v2/groups/{groupId}/processes/{hostname}/measurements — metrics
- /api/atlas/v2/groups/{groupId}/clusters — cluster inventory
- /api/atlas/v2/groups/{groupId}/processes/{hostname}/databases/{dbName}/collections/{coll}/measurements — collection metrics
Permissions: Project Read Only, plus Project Data Access Read Only for the query profiler.
Redshift
Auth: IAM role (cross-account) for cluster discovery; database user (read-only) for system table queries.
System tables read:
- STL_QUERY, STL_SCAN, STL_DDLTEXT, STL_QUERYTEXT, STL_WLM_QUERY
- SVV_TABLE_INFO, SVV_DISKUSAGE
- pg_catalog.* views
The DB user needs SELECT on the system tables above.
Azure Synapse
Auth: Service principal with Synapse role assignment + SQL auth for dedicated SQL pool DMVs.
Resources accessed:
- DMVs: sys.dm_pdw_* (workload, queue, request stats), sys.dm_exec_* (query plan stats)
- Cost Management API for billing
Azure Cosmos DB
Auth: Service principal with Cosmos DB Account Reader (resource APIs) + read-only key for data plane metrics.
Accessed:
- Cosmos DB resource APIs (account, throughput, partition stats)
- Cost Management
- Diagnostic logs (if enabled, for query stats)
Oracle (OCI)
Auth: API key signing for OCI APIs + Oracle DB user for V$SQL access.
Resources accessed:
- OCI Cost & Usage Reports
- OCI Monitoring
- V$SQL, V$SQLAREA, DBA_HIST_* views (Oracle DB)
The Oracle DB user needs SELECT_CATALOG_ROLE.
Azure SQL
Auth: Service principal + SQL user.
Accessed:
- Cost Management
- Azure Monitor for resource metrics
- DMVs: sys.dm_db_resource_stats, sys.query_store_*
Credential storage
Credentials are stored in QueryWise's credential vault (CredentialStore abstraction with Fernet or AWS Secrets Manager backends). They are never logged, never returned in API responses, and never persisted in plaintext.
Connector-side, credentials are fetched at task time via the credential vault and passed only to the connector that needs them.
Where to next
- Getting Started — the high-level onboarding path.
- Tags & Allocation — what to do once tags start flowing.