Skip to content

Connecting Providers

Private Beta

Cloud Security is currently in Private Beta. Features, APIs, and configuration formats described here may change before general availability. Contact us if you would like access.

A provider connection is one cloudsec_provider Hive record: a provider_type, the scope to enumerate, and a read-only credential. All collection is agentless. The credential itself always lives in the secret Hive and is referenced by hive://secret/<name> from the credentials field — it is never stored inline on the provider record.

Connect a provider in the console at Cloud Security → Settings → Providers (the Add provider button), or as code with limacharlie hive set --hive-name cloudsec_provider (see Getting Started). Either way, run the credential test first — it probes every permission a sweep needs and reports exactly which are missing.

The thirteen connectors

provider_type Surface Scope field(s) Credential (JSON stored in the secret)
gcp Cloud infra gcp_scope (projects/{id}, folders/{id}, or organizations/{id}) Service-account key JSON
aws Cloud infra aws_role_arn (+ aws_external_id, aws_regions, aws_member_role_name) STS AssumeRole (secret optional)
azure Cloud infra azure_tenant_id + azure_subscription_id (+ azure_client_id) {"client_secret": "...", "client_id": "..."}
okta Identity okta_org_url {"api_token": "..."} (SSWS) or an API Services app
entra Identity entra_tenant_id (+ entra_client_id) {"client_secret": "..."} (service principal)
google_workspace Identity workspace_customer_id SA key with domain-wide delegation + admin_email
1password Identity onepassword_scim_url {"scim_url": "...", "scim_token": "..."}
auth0 Identity auth0_domain {"client_id": "...", "client_secret": "..."} (M2M)
cloudflare SaaS cloudflare_account_id {"api_token": "...", "user_api_token": "..."}
github SaaS github_org + github_app_id + github_installation_id {"private_key": "-----BEGIN..."} (GitHub App)
openai AI (optional openai_org_id) {"admin_api_key": "sk-admin-..."}
anthropic AI (optional anthropic_org_uuid) {"admin_api_key": "sk-ant-admin01-..."} (+ optional compliance key)
limacharlie LimaCharlie one of limacharlie_oid or limacharlie_uid {"api_key": "..."}

Every record also accepts the shared fields common to all providers — internal_domains, sync_now, refresh, and feed_subscription — documented in Configuration.

Cloud infrastructure

Google Cloud (gcp)

Set gcp_scope to a single project (projects/{id}), a folder (folders/{id}), or a whole organization (organizations/{id}); the collector enumerates every project in scope. The credential is a service-account key JSON with read-only roles across the resource surface (compute, storage, IAM, networking, KMS, BigQuery, Cloud SQL, Secret Manager, Pub/Sub, …). The test report names any missing role.

AWS (aws)

The collector assumes a read-only IAM role you designate in aws_role_arn, using an aws_external_id for the confused-deputy guard. For a single account that is all that's needed. For an AWS Organization, the collector chains from the management role into each member account, assuming the role named by aws_member_role_name in every member (defaults to the role name parsed from aws_role_arn — the common StackSet pattern, e.g. OrganizationAccountAccessRole). Restrict enumeration to specific regions with aws_regions. The secret may carry base credentials for the initial assume, or be omitted to use the collector's default chain.

Azure (azure)

Set azure_tenant_id and azure_subscription_id, and the app-registration (service-principal) client id in azure_client_id. The credential secret carries the client secret: {"client_secret": "..."}. For an Entra directory with no Azure infrastructure to enumerate, use the standalone entra provider instead.

Identity providers

Identity providers ingest a directory — users, groups, and app assignments — into the identity graph rather than cloud infrastructure. They unify with cloud IAM principals by email, which is what makes cross-surface CIEM ("this Workspace user has admin on that GCP bucket") possible.

Okta (okta)

Set okta_org_url to the org base URL (e.g. https://acme.okta.com). The credential is either a user-owned SSWS token ({"api_token": "..."}) or an API Services app using client credentials ({"client_id": "...", "private_key": "..."} or client_secret), which is the recommended, non-user-bound option.

Microsoft Entra ID (entra)

A standalone directory-only connection for organizations that have M365/Entra but no Azure subscription to enumerate. Set entra_tenant_id and the app-registration client id in entra_client_id; the client secret goes in the credential secret. It collects users, groups, service principals, and conditional-access posture. If you also run an azure connection for the same tenant, the Azure connection defers its directory collection to the standalone entra record so the directory is never collected twice.

Google Workspace (google_workspace)

Set workspace_customer_id to my_customer (the delegated super-admin's own account, the common case) or an explicit customer id. The credential is a GCP service-account key with domain-wide delegation, plus the super-admin subject to impersonate; store it as {"service_account_json": "...", "admin_email": "admin@acme.com"}. It ingests users, groups, membership, and managed devices, unifying by email with the GCP IAM principals it references.

1Password (1password)

Set onepassword_scim_url to the account's SCIM bridge URL; the credential is the SCIM bearer token: {"scim_url": "...", "scim_token": "..."}. It collects users and groups into the identity graph.

Auth0 (auth0)

Set auth0_domain to the tenant's canonical domain (e.g. acme.us.auth0.com or the legacy acme.auth0.com — not a custom domain). The credential is a Machine-to-Machine application authorized for the Management API with read-only scopes: {"client_id": "...", "client_secret": "..."}. It collects users, roles, applications, and connections.

SaaS

Cloudflare (cloudflare)

Set cloudflare_account_id to the 32-hex account id from the dashboard. The credential is a read-only account-scoped API token: {"api_token": "..."}. An optional user_api_token covers user-scoped endpoints (account members, API token enumeration); without it those surfaces degrade to unobserved. It collects zones, DNS posture, R2 buckets, members, API tokens, Access applications, and Security Center insights.

GitHub (github)

Auth is a GitHub App installed on the organization — an App, not a personal access token — so access is org-scoped, read-only, and uses short-lived installation tokens. Set github_org (the org login), github_app_id, and github_installation_id; the App private key goes in the credential secret: {"private_key": "-----BEGIN RSA PRIVATE KEY-----..."}. It collects org settings/members/teams (identities), repositories (data stores), installed Apps / webhooks / deploy keys / Actions secrets (non-human identities), and the Actions OIDC subject configuration.

AI security (AISPM)

AI providers bring your model-platform organizations into the estate as first-class subjects, with the same findings and the nist-ai-rmf and owasp-llm compliance frameworks.

OpenAI (openai)

The credential is an Admin API key created with the api.management.read scope at creation time (a freshly created key — scope-upgraded keys have had missing-scope issues): {"admin_api_key": "sk-admin-..."}. openai_org_id (org-...) is optional — the key already implies the org, but when set it is verified against the discovered org so a mismatch fails the connection early. It collects the organization, members, projects, and API keys.

Anthropic (anthropic)

Anthropic has two credential planes and either may stand alone:

  • Console — an Admin key in credentials: {"admin_api_key": "sk-ant-admin01-..."}. Anthropic Console Admin keys carry no scopes (every Admin key is full read/write); the collector uses it strictly read-only.
  • Compliance / Analytics — an optional second secret referenced by compliance_credentials: {"compliance_api_key": "sk-ant-api01-..."} with the read-only compliance/analytics scopes. This unlocks enforced-settings posture and the activity feed.

Set anthropic_org_uuid when connecting only the compliance plane (the Compliance API is addressed by org uuid); with a Console key present it is discovered automatically. The credential secret may also optionally carry an org_oauth_token to reach the Workload Identity Federation admin plane. Findings degrade gracefully to whatever plane is connected.

LimaCharlie (limacharlie)

Inventory your own LimaCharlie tenancy as an estate — useful both directly and as the CAASM source that unifies your sensors with the rest of your assets. Set exactly one of:

  • limacharlie_oid — an org API key, scoping collection to that one organization.
  • limacharlie_uid — a user API key, which enumerates every organization the user reaches (the MSSP fleet case — one connection covers the fleet).

The API key goes in the credential secret: {"api_key": "..."}.

Refresh and event-driven freshness

Every connection re-enumerates on the refresh cadence (a duration such as "6h"; empty uses the service default) and on demand whenever sync_now changes. For sub-sweep freshness on GCP, feed_subscription names a Pub/Sub subscription carrying a cloud change feed, so targeted re-sweeps reflect changes in seconds; the periodic sweep remains the safety net. See Configuration for these shared fields.