Why Connect Cloud Accounts?
Cloud provider access enables Aurora to:- Query logs from CloudWatch, Cloud Logging, or Azure Monitor
- Fetch metrics and traces
- Inspect resource configurations (EC2 instances, K8s clusters, databases)
- Execute diagnostic commands (kubectl, aws cli, gcloud)
- Apply automated fixes to infrastructure
Authentication Architecture
Aurora stores credentials securely:- Vault: User tokens stored in HashiCorp Vault (KV v2 engine)
- Database references: PostgreSQL stores Vault paths like
vault:kv/data/aurora/users/{secret_name} - Runtime resolution: Credentials fetched from Vault when needed
Connecting AWS
1
Create an IAM role for Aurora
Aurora needs read access to CloudWatch, EC2, ECS, EKS, and RDS:
2
Configure credentials
Set environment variables in Or use IAM role assumption for cross-account access.
.env:3
Test the connection
Aurora will verify credentials on first use. Check logs:Successful connection shows:
Connecting GCP
Aurora supports GCP via OAuth2 or service accounts.Option 1: OAuth2 (Recommended for Development)
1
Configure OAuth credentials
Set in
.env:2
Authorize via UI
Navigate to Settings → Integrations → GCP and click “Connect”.Aurora requests these scopes:
3
Select projects
Choose which GCP projects Aurora can access for investigations.
Option 2: Service Account (Recommended for Production)
1
Create a service account
2
Grant permissions
3
Download the key
server/connectors/gcp_connector/.Connecting Azure
1
Register an app in Azure AD
- Go to Azure Portal → Azure Active Directory → App registrations
- Click “New registration”
- Set redirect URI to
https://your-aurora-url/api/azure/callback
2
Create a client secret
Under “Certificates & secrets”, create a new client secret and save it.
3
Grant API permissions
Required permissions:
Azure Service Management→user_impersonationMicrosoft Graph→User.Read
4
Configure Aurora
Add to
.env:5
Authorize subscriptions
Grant the app “Reader” role on subscriptions you want Aurora to access:
Credential Storage
All credentials are stored in Vault, not the database:Multi-Account and Cross-Account Access
AWS Role Assumption
For multiple AWS accounts:GCP Service Account Impersonation
Azure Lighthouse
Use Azure Lighthouse for managing multiple tenants from a single Aurora instance.Verifying Connections
- AWS
- GCP
- Azure
Test AWS CLI access:Should return your account ID and ARN.
Credential Caching
Aurora caches credentials for performance:Troubleshooting
AWS credentials not working
AWS credentials not working
Check:
- Environment variables are set correctly
- IAM role has required permissions
- Region is correct for your resources
GCP OAuth fails
GCP OAuth fails
Verify:
- CLIENT_ID and CLIENT_SECRET are correct
- Redirect URI matches OAuth config
- Required scopes are enabled in GCP Console
Vault connection issues
Vault connection issues
Ensure Vault is initialized:Check Vault token:
Permission denied errors
Permission denied errors
Aurora logs will show which API calls are failing. Example:Add the missing permission to your IAM policy/role.
Security Best Practices
- Use least-privilege permissions - Grant only what Aurora needs
- Rotate credentials regularly - Set up automatic rotation for long-lived keys
- Enable MFA for privileged actions - Require MFA for destructive operations
- Audit access logs - Monitor CloudTrail, Cloud Audit Logs, and Azure Activity Logs
- Use temporary credentials - Prefer STS/OAuth tokens over long-lived keys
Next Steps
Set Up Monitoring
Connect Datadog, Grafana, or PagerDuty
First Investigation
Run your first incident investigation