36. Cloud providers (AWS, GCP, Azure)
The reference for every cloud integration: credential model, what Daalu sees, and how to add write access safely.
Chapter 7 walked through the first-time AWS setup with full hand-holding. This chapter is the reference: every cloud provider, every credential option, and what each one unlocks.
The shape is the same across all three clouds. You grant Daalu a read-only identity first, get comfortable with what it sees, and add a separate write-capable identity later if you want the Assistant to be able to act. Daalu never asks for a long-lived access key — every cloud here uses a federated or assumable identity you can revoke in one click on your side.
At a glance
| | |
|---|---|
| What it connects | AWS, GCP, or Azure accounts — inventory, cost, and (optionally) write actions |
| Auth model | Federated / assumable identity: cross-account IAM role (AWS), workload identity federation (GCP), federated app registration (Azure). No static keys. |
| Where to set it up | Managed Infra → Cloud Accounts → Add |
AWS
Setup
Pattern: a cross-account IAM role with an External ID. Chapter 7 has the step-by-step; the External ID is what stops a confused-deputy attack, so don’t skip it.
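A quick way to verify a pasted trust policy actually carries the confused-deputy guard before you hand it to the wizard. This is an added example, not Daalu's code; the account ID and External ID are constructed placeholders standing in for the values the wizard shows you.

```python
"""Check a cross-account trust policy for the confused-deputy guard.

Added example, not Daalu's code. The account ID and External ID are
constructed placeholders standing in for the values the wizard shows.
"""
import json

DAALU_ACCOUNT_ID = "111111111111"              # constructed placeholder
EXPECTED_EXTERNAL_ID = "daalu-example-ext-id"  # constructed placeholder

# Constructed trust policy, shaped like one pasted from the IAM console.
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{DAALU_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXPECTED_EXTERNAL_ID}},
    }],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy_json, daalu_account_id, expected_external_id):
    """Return problems found in every Allow statement for sts:AssumeRole;
    an empty list means the trust policy is safe to use."""
    policy = json.loads(policy_json)
    problems, saw_assume = [], False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        saw_assume = True
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws_principals:
            problems.append("wildcard principal: any AWS account could assume this role")
        if not any(daalu_account_id in p for p in aws_principals):
            problems.append(f"principal does not name account {daalu_account_id} (typo?)")
        ext_ids = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId", []))
        if not ext_ids:
            problems.append("no sts:ExternalId condition: confused-deputy guard missing")
        elif expected_external_id not in ext_ids:
            problems.append("sts:ExternalId does not match the value the wizard showed")
    if not saw_assume:
        problems.append("no Allow statement for sts:AssumeRole: AssumeRole will fail")
    return problems

if __name__ == "__main__":
    print(check_trust_policy(TRUST_POLICY, DAALU_ACCOUNT_ID, EXPECTED_EXTERNAL_ID))
```

The first two findings map directly onto the "AccessDenied on AssumeRole" troubleshooting entry below: a missing External ID or a mistyped account ID.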
Capabilities
- Inventory: EC2, RDS, S3, Lambda, ECS/EKS clusters, CloudFront, Route53, ELB/ALB/NLB, Auto Scaling Groups, IAM users and roles (read-only).
- Cost: pulled from the Cost Explorer API; daily granularity, with per-service / per-region / per-tag breakdowns.
- Investigation tools (Assistant): describe-instance, list-functions, get-log-events (CloudWatch), get-metrics.
- Action tools (write only): restart-ecs-service, scale-asg, terminate-instance, update-launch-template, restart-rds-instance. Each one is gated on a change proposal.
Permissions
- Minimum read-only: the AWS-managed `ReadOnlyAccess` policy.
- Recommended read-only: the custom policy published at https://docs.daalu.io/aws-minimum-policy.json — smaller surface area, same coverage.
- Read-write add-on: a separate role granting only the actions you want the Assistant to perform.
Regions
The wizard asks for the regions to scope to and defaults to all enabled regions. Add or remove them later from the integration detail page.
Troubleshooting
- AccessDenied on AssumeRole — the External ID is missing from the trust policy, or the Daalu account ID is typoed.
- AccessDenied on individual APIs — the role policy doesn’t grant the action. Widen the policy or fall back to `ReadOnlyAccess`.
- Throttled — Daalu retries with backoff. If it persists, you’re hitting AWS’s per-account rate limits.
GCP
Setup
Pattern: workload identity federation with a Google service account. No service-account key file ever leaves Google.
- Create a service account in your GCP project.
- Grant it `roles/viewer` for read-only access; add other roles for write capabilities.
- Add Daalu’s service account as a member with `roles/iam.workloadIdentityUser`.
- Paste the service-account email and project ID into Daalu.
Capabilities
- Inventory: Compute Engine, Cloud SQL, GCS, GKE clusters, Cloud Functions, Cloud Run services, Load Balancers, DNS zones.
- Cost: pulled from the Cloud Billing API.
- Tools: equivalent to AWS — describe, list, scale, restart.
Per-project vs organization-wide
For multi-project orgs, two options:
- Add each project separately. Tidy but tedious.
- Add one “platform” service account with org-wide viewer. Less granular, easier to operate.
Troubleshooting
- “Project not found” — the service account can’t see the project. Check the IAM bindings.
- “Permission denied” — same, but for a specific resource type. Add the role it names.
Azure
Setup
Pattern: an app registration with a federated workload identity credential.
- Register an app in Azure AD (Entra ID).
- Add a federated credential whose issuer is Daalu’s IdP and whose subject is your tenant string (the wizard shows both).
- Assign the Reader role at the subscription level.
- Paste the app ID, tenant ID, and subscription ID into Daalu.
Capabilities
- Inventory: Compute, Storage, SQL DB, Azure Functions, AKS, App Service, Front Door.
- Cost: pulled from the Cost Management API.
- Tools: equivalent surface area to AWS.
Scope: subscription vs management group
If you have many subscriptions, grant Reader at the management-group level for unified visibility. Per-subscription is fine when you want each one scoped separately.
Troubleshooting
- “InvalidAuthenticationToken” — the federated credential is misconfigured. Compare the issuer and subject to what the wizard showed.
- “AuthorizationFailed” — the identity doesn’t have Reader.
Adding write access
Tip: Treat read and write as two separate integrations. The blast radius of a misconfigured write role stays contained, and you can revoke write without losing visibility.
The recommended pattern for all three clouds:
- Start read-only.
- Get comfortable with what Daalu sees and how the Assistant uses it.
- Add a separate write-capable role / service account / service principal as a second integration.
- The Assistant detects both and uses each appropriately — reads through the read identity, proposes writes through the write one.
Remember that every write still goes through a human-approved change proposal. The write identity is what executes an approved proposal, not a standing grant for the Assistant to act on its own.
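To keep the write identity's blast radius small, audit its policy against the handful of actions the Assistant's action tools need before attaching it. This is an added example for the AWS case, not Daalu's code; the mapping from the action tools listed above to IAM actions is an assumption made here for illustration, so confirm the exact actions in the wizard.

```python
"""Scope check for a separate write role: allowlisted API actions only.

Added example, not Daalu's code. The tool-to-IAM-action mapping below is
an assumption for illustration; confirm the real actions in the wizard.
"""
import json
from fnmatch import fnmatchcase

# Assumed mapping of the page's action tools to the IAM actions they need.
ALLOWED_WRITE_ACTIONS = {
    "ecs:UpdateService",                # restart-ecs-service
    "autoscaling:SetDesiredCapacity",   # scale-asg
    "ec2:TerminateInstances",           # terminate-instance
    "ec2:CreateLaunchTemplateVersion",  # update-launch-template
    "rds:RebootDBInstance",             # restart-rds-instance
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_write_policy(policy_json, allowed=ALLOWED_WRITE_ACTIONS):
    """Return findings for every Allow statement: wildcard actions and
    actions outside the allowlist. An empty list means the policy is tight."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                covered = sorted(a for a in allowed if fnmatchcase(a, action))
                findings.append(f"wildcard {action!r} grants far more than the needed {covered}")
            elif action not in allowed:
                findings.append(f"action {action!r} is not one the Assistant's action tools need")
    return findings

# Constructed policies: an overly broad one and a properly scoped one.
BROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "iam:PassRole"], "Resource": "*"}]})
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(ALLOWED_WRITE_ACTIONS), "Resource": "*"}]})

if __name__ == "__main__":
    print(audit_write_policy(BROAD_POLICY))   # two findings
    print(audit_write_policy(SCOPED_POLICY))  # []
```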
Disconnection
Two-step revocation, in this order:
- Managed Infra → Cloud Accounts → row → Disconnect. Daalu stops calling immediately.
- In your cloud, delete the role / service account / service principal. Belt and braces.
Existing inventory and cost data ages out after 30 days.