v2026.1

Cloud Accounts

Connecting Cloud Accounts

StackFlow Cloud Management supports multi-cloud visibility and management across AWS, Microsoft Azure, and Google Cloud Platform. Each cloud account is connected with read-only credentials for discovery and monitoring, plus optional write permissions for auto-remediation actions. Credentials are stored in AWS Secrets Manager, encrypted with a customer-managed KMS key (CMK).

⚙️ Minimum Requirements
  • IAM Role: StackFlowDiscoveryRole in each connected AWS account with read-only cross-account trust to account 373544523367
  • DynamoDB: StackFlow_CloudAccount table with account credentials/role ARNs (encrypted)
  • Secrets Manager: Cloud provider credentials at stackflow/cloud-accounts/{accountId}
  • Feature Flag: cloud_management enabled in StackFlow_FeatureFlag for the tenant

AWS Account Setup

Connect AWS accounts using cross-account IAM roles. Create a role in the target account that trusts the StackFlow account (373544523367) and attach the StackFlowDiscoveryPolicy managed policy.

aws iam create-role \
  --role-name StackFlowDiscoveryRole \
  --assume-role-policy-document '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::373544523367:role/StackFlowAPIRole"},
      "Action": "sts:AssumeRole",
      "Condition": {"StringEquals": {"sts:ExternalId": "stackflow-{your-tenant-id}"}}
    }]
  }'

aws iam attach-role-policy \
  --role-name StackFlowDiscoveryRole \
  --policy-arn arn:aws:iam::373544523367:policy/StackFlowDiscoveryPolicy

External ID: The external ID condition on the trust policy prevents the "confused deputy" attack. Always use the tenant-specific external ID provided in the StackFlow console when setting up cross-account roles.
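A check for the trust policy above, added here as an example (not StackFlow's own tooling): it parses the role's trust policy JSON and reports any AssumeRole statement that trusts something other than the StackFlowAPIRole principal from the page, or that lacks the tenant-specific sts:ExternalId condition. The tenant id "acme" and the weakened policy are constructed samples.

```python
import json

STACKFLOW_ACCOUNT = "373544523367"  # StackFlow service account from the setup page
EXPECTED_PRINCIPAL = f"arn:aws:iam::{STACKFLOW_ACCOUNT}:role/StackFlowAPIRole"


def check_trust_policy(policy_json: str, tenant_id: str) -> list[str]:
    """Return findings for every Allow/AssumeRole statement; [] means the policy is as expected."""
    expected_ext_id = f"stackflow-{tenant_id}"
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for idx, stmt in enumerate(statements):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        # Principal may be a bare string ("*") or {"AWS": str | [str, ...]}
        principal = stmt.get("Principal")
        aws_principal = principal.get("AWS") if isinstance(principal, dict) else principal
        principals = [aws_principal] if isinstance(aws_principal, str) else (aws_principal or [])
        for p in principals:
            if p != EXPECTED_PRINCIPAL:  # rejects "*", account root, and any foreign ARN
                findings.append(f"statement {idx}: unexpected principal {p!r}")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext_id is None:
            findings.append(f"statement {idx}: missing sts:ExternalId condition (confused-deputy risk)")
        elif ext_id != expected_ext_id:
            findings.append(f"statement {idx}: sts:ExternalId {ext_id!r} != {expected_ext_id!r}")
    return findings


# Constructed sample: the page's trust policy filled in for a hypothetical tenant "acme"
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": EXPECTED_PRINCIPAL}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "stackflow-acme"}}}]})

# Constructed weak variant: external-ID condition dropped and the whole StackFlow account root trusted
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{STACKFLOW_ACCOUNT}:root"},
    "Action": "sts:AssumeRole"}]})

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("weak", WEAK_POLICY)):
        print(name, check_trust_policy(policy, "acme") or "OK")
```

The same function can be run over the live policy returned by `aws iam get-role` (the `AssumeRolePolicyDocument` field) as a periodic drift check.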

Azure Subscription Setup

Connect Azure subscriptions using a service principal with the Reader role. Navigate to Cloud Management → Accounts → Add Azure Account and follow the guided setup. The setup wizard generates the Azure CLI commands needed to create the service principal and assign the role.

az ad sp create-for-rbac \
  --name "StackFlow-CloudMgmt" \
  --role Reader \
  --scopes /subscriptions/{subscription-id} \
  --sdk-auth | \
aws secretsmanager create-secret \
  --name "stackflow/cloud/azure/{account-name}" \
  --secret-string file:///dev/stdin \
  --kms-key-id mrk-bd842691514c4d74a02992b8dc11fe16 \
  --region us-east-1

GCP Project Setup

Connect GCP projects using service account keys. Create a service account with the roles/cloudasset.viewer and roles/monitoring.viewer IAM roles. Download the JSON key and either upload it via the StackFlow console or store it directly in Secrets Manager.

Account Health

Connected accounts display a health status in Cloud Management → Accounts. Health is determined by: the last successful API call (freshness), credential validity (no expired keys), discovery coverage (percentage of expected resource types discovered), and active alerts. Accounts with degraded health automatically generate a StackFlow incident if that is configured.