Skip to main content
Aurora needs access to your cloud infrastructure to investigate incidents. This guide covers connecting AWS, GCP, and Azure accounts.

Why Connect Cloud Accounts?

Cloud provider access enables Aurora to:
  • Query logs from CloudWatch, Cloud Logging, or Azure Monitor
  • Fetch metrics and traces
  • Inspect resource configurations (EC2 instances, K8s clusters, databases)
  • Execute diagnostic commands (kubectl, aws cli, gcloud)
  • Apply automated fixes to infrastructure

Authentication Architecture

Aurora stores credentials securely:
  • Vault: User tokens stored in HashiCorp Vault (KV v2 engine)
  • Database references: PostgreSQL stores Vault paths like vault:kv/data/aurora/users/{secret_name}
  • Runtime resolution: Credentials fetched from Vault when needed

Connecting AWS

1

Create an IAM role for Aurora

Aurora needs read access to CloudWatch, EC2, ECS, EKS, and RDS:
2

Configure credentials

Set environment variables in .env:
Or use IAM role assumption for cross-account access.
3

Test the connection

Aurora will verify credentials on first use. Check logs:
Successful connection shows:

Connecting GCP

Aurora supports GCP via OAuth2 or service accounts.
1

Configure OAuth credentials

Set in .env:
2

Authorize via UI

Navigate to Settings → Integrations → GCP and click “Connect”.Aurora requests these scopes:
3

Select projects

Choose which GCP projects Aurora can access for investigations.
1

Create a service account

2

Grant permissions

3

Download the key

Place the JSON file in server/connectors/gcp_connector/.

Connecting Azure

1

Register an app in Azure AD

  1. Go to Azure Portal → Azure Active Directory → App registrations
  2. Click “New registration”
  3. Set redirect URI to https://your-aurora-url/api/azure/callback
2

Create a client secret

Under “Certificates & secrets”, create a new client secret and save it.
3

Grant API permissions

Required permissions:
  • Azure Service Managementuser_impersonation
  • Microsoft GraphUser.Read
4

Configure Aurora

Add to .env:
5

Authorize subscriptions

Grant the app “Reader” role on subscriptions you want Aurora to access:

Credential Storage

All credentials are stored in Vault, not the database:
Database stores only references:
Vault init happens automatically:

Multi-Account and Cross-Account Access

AWS Role Assumption

For multiple AWS accounts:

GCP Service Account Impersonation

Azure Lighthouse

Use Azure Lighthouse for managing multiple tenants from a single Aurora instance.

Verifying Connections

Test AWS CLI access:
Should return your account ID and ARN.

Credential Caching

Aurora caches credentials for performance:
Cache keys stored in Redis:

Troubleshooting

Check:
  1. Environment variables are set correctly
  2. IAM role has required permissions
  3. Region is correct for your resources
View detailed errors:
Verify:
  • CLIENT_ID and CLIENT_SECRET are correct
  • Redirect URI matches OAuth config
  • Required scopes are enabled in GCP Console
Check Aurora server logs for OAuth errors:
Ensure Vault is initialized:
Check Vault token:
Aurora logs will show which API calls are failing. Example:
Add the missing permission to your IAM policy/role.

Security Best Practices

Never commit credentials to version control. Use environment variables and Vault.
  1. Use least-privilege permissions - Grant only what Aurora needs
  2. Rotate credentials regularly - Set up automatic rotation for long-lived keys
  3. Enable MFA for privileged actions - Require MFA for destructive operations
  4. Audit access logs - Monitor CloudTrail, Cloud Audit Logs, and Azure Activity Logs
  5. Use temporary credentials - Prefer STS/OAuth tokens over long-lived keys

Next Steps

Set Up Monitoring

Connect Datadog, Grafana, or PagerDuty

First Investigation

Run your first incident investigation