Cloud accounts in InfraAudit are called providers. Each provider stores your encrypted credentials, a display name, and sync metadata. You can connect multiple providers at the same time — for example, three AWS accounts, one GCP project, and two Kubernetes clusters all running concurrently.
Adding a provider
Open Cloud Providers
In the sidebar, click Cloud Providers.
Choose your cloud
Click Connect provider and select the provider type.
Fill in credentials
Complete the credential form. Details for each provider type are below.
Connect
Click Connect. InfraAudit validates the credentials and starts the initial resource sync. The provider card shows Syncing while this runs.
AWS
You need an IAM user or role with read access. The minimum required policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets",
        "rds:Describe*",
        "lambda:ListFunctions",
        "lambda:GetFunctionConfiguration",
        "cloudfront:ListDistributions",
        "ce:GetCostAndUsage",
        "ce:GetCostForecast",
        "ce:GetDimensionValues"
      ],
      "Resource": "*"
    }
  ]
}
```
Credential form fields:
| Field | Description |
|---|---|
| Access Key ID | From an IAM user or assumed role |
| Secret Access Key | The corresponding secret |
| Default region | e.g. us-east-1 |
| Display name | A label for this account in InfraAudit |
Credentials are encrypted at rest using AES-GCM with the server’s ENCRYPTION_KEY. InfraAudit never stores plaintext credentials.
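To confirm that the IAM user or role you connect carries nothing beyond the minimum policy above, this added example (not InfraAudit's own code) flags every allowed action that falls outside that list. The function names and the sample policy are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Allowed action patterns, copied from the minimum policy on this page.
ALLOWED = [
    "ec2:Describe*", "s3:GetBucketLocation", "s3:ListAllMyBuckets",
    "rds:Describe*", "lambda:ListFunctions", "lambda:GetFunctionConfiguration",
    "cloudfront:ListDistributions", "ce:GetCostAndUsage", "ce:GetCostForecast",
    "ce:GetDimensionValues",
]

def as_list(value):
    """IAM accepts a single string or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def covered(action):
    """True if every action matched by `action` is matched by an allowed pattern.

    The candidate is compared as a literal string, so "ec2:*" does not pass
    as a match for "ec2:Describe*". IAM action names are case-insensitive.
    """
    return any(fnmatchcase(action.lower(), p.lower()) for p in ALLOWED)

def excess_grants(policy_json):
    """Return findings for Allow statements that exceed the minimum policy."""
    findings = []
    for i, stmt in enumerate(as_list(json.loads(policy_json).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            findings.append(f"Statement[{i}]: NotAction allows everything not listed")
        for action in as_list(stmt.get("Action")):
            if not covered(action):
                findings.append(f"Statement[{i}]: {action}")
    return findings

# Constructed sample policy (not from the page) with grants wider than needed.
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "ec2:*", "s3:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
]})

if __name__ == "__main__":
    for finding in excess_grants(SAMPLE):
        print("exceeds minimum policy:", finding)
```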
GCP
You need a GCP service account with the following roles:
roles/viewer — basic read access across the project
roles/bigquery.dataViewer — needed for BigQuery billing export
Create a service account
In the GCP console, go to IAM & Admin → Service Accounts. Create a new service account and assign the two roles above.
Download the JSON key
On the service account, create a key in JSON format and download it.
Paste into InfraAudit
In the InfraAudit credential form, paste the full JSON key file contents into the Service Account JSON field.
Credential form fields:
| Field | Description |
|---|---|
| Service Account JSON | The full contents of the downloaded key file |
| Project ID | Your GCP project ID |
| Display name | A label for this project in InfraAudit |
Azure
You need a service principal with the Reader role on your subscription.
Create the service principal using the Azure CLI:
```bash
az ad sp create-for-rbac \
  --name infraudit-reader \
  --role Reader \
  --scopes /subscriptions/<subscription-id>
```
The command output includes clientId, clientSecret, tenantId, and subscriptionId. Copy all four.
Credential form fields:
| Field | Description |
|---|---|
| Client ID | clientId from the service principal output |
| Client Secret | clientSecret |
| Tenant ID | tenantId |
| Subscription ID | subscriptionId |
| Display name | A label for this subscription in InfraAudit |
Kubernetes
Connect a Kubernetes cluster by uploading a kubeconfig file or pasting its contents directly.
Minimum RBAC permissions:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: infraudit-reader
rules:
  - apiGroups: ["", "apps", "batch"]
    resources:
      - deployments
      - pods
      - services
      - namespaces
      - replicasets
      - daemonsets
      - statefulsets
      - jobs
      - cronjobs
    verbs: ["get", "list", "watch"]
```
The service account or user in the kubeconfig should be read-only.
Credential form fields:
| Field | Description |
|---|---|
| Kubeconfig | File upload or paste the kubeconfig contents |
| Cluster display name | A label for this cluster in InfraAudit |
InfraAudit reads the active context in the kubeconfig and connects to that cluster.
Sync status
After connecting, the provider card shows one of the following statuses:
| Status | Meaning |
|---|---|
| Syncing | Initial or recurring sync in progress |
| Synced | Last sync completed successfully |
| Error | Last sync failed — hover to see the error message |
| Disconnected | Provider is paused; credentials have been removed |
Resources sync every 6 hours by default; billing data syncs daily. To trigger an immediate sync:
```bash
infraudit provider sync <provider-id>
```
Or click Sync now on the provider card in the UI.
Disconnecting a provider
Click the provider card, then Disconnect. This removes the stored credentials but keeps all historical scan data — resources, drifts, costs, and compliance results. Historical data is only deleted if you explicitly delete the provider record.