Skip to content

Set up Cloud Discovery

Cloud Discovery reads approved provider metadata so your team can understand existing resources before deciding what belongs in a ScrinCloud design or management workflow.

Setup is complete only when the project provider, cloud account, allowed region, identity test, and workspace context agree.

Typical time
15–30 minutes
You need
Cloud connection approval
Next step
Run read-only discovery

Discovery:

  • reads supported resource metadata in the selected scope;
  • checks approved connectivity and permissions;
  • records safe operational evidence; and
  • can show supported resources and relationships for later review.

Discovery does not create, update, or delete cloud resources. It also does not automatically adopt every discovered resource into management.

Use an organization-owned cloud identity. Never paste long-lived access keys, user passwords, tokens, or credentials into a screenshot, documentation note, canvas property, or support message.

Confirm that you have:

  • the correct ScrinCloud project;
  • the project’s provider, such as AWS or Azure;
  • the intended environment and region;
  • permission to view or manage cloud account connections;
  • an approved provider identity with the required read access; and
  • a workspace when discovery results should stay attached to workspace context.

For a first run, choose one approved region and a narrow scope.

Step 1: Confirm the project discovery scope

Section titled “Step 1: Confirm the project discovery scope”
  1. Open the intended project.
  2. Confirm the cloud provider.
  3. Confirm the project environment and default region.
  4. Open or select the intended workspace.
  5. Decide whether the run should be workspace-scoped or project-level.
  6. Write down the approved account or subscription and region without placing any secret values in the project description.

Provider accounts shown later are filtered by the project provider. An AWS project cannot use an Azure connection, and an Azure project cannot use an AWS connection.

Setup 1 of 6 · Screenshot placeholder

Confirm project and workspace scope

Show the selected synthetic project, provider, environment, region, and optional workspace before opening cloud account settings.

Future capture briefUse documentation-only names and obscure cloud account, subscription, tenant, organization, and project identifiers.

If no suitable connection exists:

  1. Open Cloud Accounts from the dashboard.
  2. Choose the action to connect a cloud account.
  3. Select the same provider as the project.
  4. Enter a clear connection name that describes its approved purpose.
  5. Choose the minimum Permission level needed for the intended work.

Permission levels can include:

  • Read only: metadata reads for discovery and review.
  • Plan only: read and Terraform planning capability where approved.
  • Plan + apply: broader delivery capability that should only be selected when the organization has approved it.

For discovery alone, prefer the lowest level that satisfies the provider permission checks.

Setup 2 of 6 · Screenshot placeholder

Start a least-privilege cloud connection

Show the Cloud Accounts connection flow with provider, synthetic connection name, and Permission level set to Read only.

Future capture briefCapture before entering provider identity details. Do not show credentials, real role ARNs, tenant IDs, subscription IDs, External IDs, or secrets.

Step 3: Configure the provider identity safely

Section titled “Step 3: Configure the provider identity safely”

Follow the provider-specific setup shown in ScrinCloud.

Use the guided IAM role setup:

  1. Create or select an organization-owned IAM role.
  2. Use the unique External ID provided by the current setup session.
  3. Apply only the approved trust policy and read permissions.
  4. Return to ScrinCloud and provide the role information requested by the guided flow.
  5. Do not use AWS access keys for this connection.

Use an organization-owned Entra identity with scoped Azure RBAC:

  1. Choose the approved authentication method, such as Workload identity federation or Service principal.
  2. Confirm the intended tenant and subscription.
  3. Assign only the approved read roles and scopes.
  4. Complete the guided federation or service-principal fields.
  5. Never expose a client secret after it has been stored.

If your organization has a cloud platform or security team, have that team review the provider-side role before activation.

Setup 3 of 6 · Screenshot placeholder

Follow the provider identity guide

Show either the AWS role and External ID guidance or the Azure authentication method and scoped identity guidance.

Future capture briefUse a staged setup with every identifier masked. Never capture a client secret, access key, token, complete role ARN, tenant ID, subscription ID, or reusable External ID.

Step 4: Limit regions and review the connection

Section titled “Step 4: Limit regions and review the connection”
  1. Select only the Allowed regions required for the approved discovery scope.
  2. Review the provider and connection name.
  3. Review the Permission level.
  4. Review the authentication method.
  5. Review the allowed regions.
  6. Confirm that the connection purpose and scope match the project.
  7. Save or continue to verification.

Do not add every region merely to avoid choosing one. A narrower list reduces accidental scope and makes discovery results easier to understand.

Setup 4 of 6 · Screenshot placeholder

Review permission and region boundaries

Show the connection review with provider, Read only permission level, authentication method, and a narrow Allowed regions list.

Future capture briefUse one synthetic region and mask all identity values. Keep the permission level and region boundary clearly visible.
  1. Choose Test connection or continue to the verification step.
  2. Wait while ScrinCloud checks provider identity and permission probes.
  3. Review Last tested and Last healthy.
  4. Confirm the connection health is Healthy.
  5. Review every permission probe result.
  6. Resolve failed required probes before activation.
  7. Activate or complete the connection only after the identity and requested capability are verified.

Warnings and failed permission probes should be read individually. Do not broaden the role without confirming which exact read action is necessary and approved.

Setup 5 of 6 · Screenshot placeholder

Verify cloud identity and discovery access

Show a successful connection test with Healthy status, Last tested, Last healthy, and safe permission probe results.

Future capture briefUse a synthetic or redacted connection. Hide request IDs, role or subscription identifiers, raw provider errors, and any credential material.
  1. Return to the project and open Architecture Studio.
  2. Open the Discovery area or choose the discovery action.
  3. If helpful, choose Quick intro to open Start Cloud Discovery.
  4. Read the read-only explanation.
  5. In Run read-only discovery, choose the tested Account.
  6. Choose an allowed Region.
  7. Choose Check access.
  8. Wait for the success notice.
  9. Confirm Ready to start appears.

Stop before Start Discovery if the account, region, project, or workspace is not the one you intended.

Setup 6 of 6 · Screenshot placeholder

Confirm the account is ready to scan

Show Start Cloud Discovery with a synthetic account, allowed region, Check access, Read-only status, and Ready to start notice.

Future capture briefUse a documentation-only account label and region. Exclude account numbers, subscription identifiers, tenant data, and any real resource counts.

Cloud Discovery is ready when:

  • the project and connection use the same provider;
  • the intended region appears in Allowed regions;
  • the permission level is no broader than approved;
  • the connection identity and required permission probes are verified;
  • connection health is Healthy;
  • Check access succeeds in the discovery panel; and
  • the panel shows Ready to start for the intended account and region.

Connect a cloud account to start discovery

Section titled “Connect a cloud account to start discovery”

No provider connection exists for this project. Open Cloud Accounts, create the provider connection, test it, and return to the project.

The connection may be inactive, unhealthy, missing credentials required by its authentication method, or unavailable in the selected region. Open the account details and test it again.

The connection’s Allowed regions do not include the selected project region. Confirm approval before editing the connection scope.

Check the role trust policy, the current setup’s External ID, and approved role permissions. Do not reuse an expired setup value or add administrator access.

Confirm the authentication method, organization-owned identity, tenant, subscription, and scoped RBAC. For a service principal, confirm the stored secret is configured without exposing it.

You do not have permission to manage connections

Section titled “You do not have permission to manage connections”

Ask a project or organization administrator to create or verify the connection. Do not use a personal cloud identity as a workaround.

With Ready to start visible, begin the safe scan and learn how to read its status and results.

Continue with Run and review Cloud Discovery.