Skip to content

Cloud account connections

Cloud account connections give approved ScrinCloud workflows access to a specific AWS account or Azure subscription. The connection belongs to the organization, can be linked to eligible workspaces, and stays bounded by its permission level, regions, and services.

Typical time
15–30 minutes
You need
Organization admin access
Next step
Test and activate
Provider Identity used by ScrinCloud Start here
AWS An organization-owned IAM role assumed with a generated External ID Connect AWS
Azure Workload identity federation or an approved service principal Connect Azure

Only organization owners and admins can add, update, test, activate, suspend, revoke, rotate, or remove cloud accounts. A connection should never use a person’s access key, password, or everyday administrator identity.

Open Cloud Accounts, choose Connect AWS or Connect Azure, then set:

  • Connection name: a recognizable organization label;
  • Environment: the approved environment boundary; and
  • Permission level: Read only, Plan only, or Plan + apply.

Choose the lowest permission level that supports the intended work. Selecting Plan + apply does not bypass workspace approvals or governance.

Cloud 1 of 4 · Screenshot placeholder

Set the account details

Show the Cloud Accounts drawer on Account details with a synthetic connection name, environment, and least-privilege Permission level.

Future capture briefUse documentation-only labels. Do not show a real organization, project, account, subscription, or person.

Provide the organization-owned identity requested for the selected provider:

  • AWS asks for the AWS IAM role ARN and shows a Generated External ID.
  • Azure asks for an Azure identity method, application identity, tenant, subscription, and resource scope.

Use the setup guide in the drawer to configure provider-side trust. Never place a client secret, access key, token, OAuth code, or reusable identity value in a support message or screenshot.

Cloud 2 of 4 · Screenshot placeholder

Configure provider access

Show the provider-access step and its setup-guide trigger without exposing complete identity values.

Future capture briefMask role ARNs, External IDs, client IDs, tenant IDs, subscription IDs, resource scopes, and every credential.

Choose at least one approved region. Then either allow all supported services within the approved identity boundary or select the exact services this connection should use.

The ScrinCloud scope does not grant provider permissions by itself. It narrows which approved regions and services product workflows may request.

Cloud 3 of 4 · Screenshot placeholder

Limit regions and services

Show Account scope with one synthetic region and a small approved service list.

Future capture briefUse generic regions and service names. Do not expose provider account identifiers or customer resources.

Review the provider, environment, permission level, identity method, regions, and service scope. Saving creates a connection record, but a saved connection is not automatically active.

Next:

  1. choose Test connection;
  2. review Verified identity review and permission probes;
  3. acknowledge the returned provider identity; and
  4. choose Activate connection only when the identity and requested access are correct.

Terraform plan and apply capability can remain unverified until a reviewed workspace plan exercises those permissions.

Cloud 4 of 4 · Screenshot placeholder

Verify identity before activation

Show a synthetic Verified identity review, capability probes, acknowledgement, Test connection, and Activate connection controls.

Future capture briefShow only safe status labels. Redact identity values, request IDs, raw provider errors, and account metadata.
  • Pending verification / pending activation: saved but not ready for use.
  • Active: verified, acknowledged, and available to eligible workspaces.
  • Action required / degraded: a test, permission, or credential needs review.
  • Suspended: temporarily unavailable until an administrator reactivates it.
  • Revoked: access was intentionally revoked and must not be used.

See Test and manage cloud accounts for lifecycle actions, workspace links, credential rotation, and removal.

A cloud account is ready when the intended provider identity is verified, the required probes pass, the connection is Active, and its region and service scope match the workspace that will use it.

Ask an organization owner or admin to manage the connection. Project access alone does not grant organization-level connection administration.

Review the exact failed probe, provider trust, identity, and scoped permission. Do not solve a narrow failure by granting administrator access.

Open View details or Review and activate, run Test connection, review the returned identity, acknowledge it, and activate it.

The product source, backend routes, Terraform route wiring, and Lambda deployment matrices include Cloud Accounts. That is deployment wiring, not proof that a specific environment has valid provider credentials or a healthy live connection. Confirm availability with an approved runtime test.