Managing Cloud Credentials
Cloud credentials allow OpenPrime to interact with your cloud providers for deploying infrastructure.
Security Model
Credentials are:
- Encrypted at rest using AES-256-GCM
- User-scoped - each user sees and manages only the credentials they created
- Never logged in clear - secret values are masked in log output
Adding Credentials
AWS Credentials
- Navigate to Settings → Cloud Credentials
- Click Add Credential → AWS
- Enter:
- Name: Descriptive identifier, e.g. the account and purpose
- Access Key ID: The IAM user's access key ID (long-term user keys begin with AKIA)
- Secret Access Key: The secret half of the key pair; it is shown only once by AWS when the key is created
- Default Region: The region deployments target unless an environment overrides it
{
"provider": "aws",
"name": "production-aws",
"accessKeyId": "AKIA...",
"secretAccessKey": "...",
"defaultRegion": "us-east-1"
}
IAM Policy Requirements
The policy below is the broad starting point for EKS deployment. It is not least privilege: iam:* on Resource "*" lets the key create users and attach AdministratorAccess, so a key carrying this policy is effectively an account administrator, and a leak of it is an account compromise. Use it only to bootstrap a non-production account, then narrow it to the actions CloudTrail shows the deployment actually making, and restrict the IAM actions (role creation, PassRole) to the cluster and node roles by ARN:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"eks:*",
"ec2:*",
"iam:*",
"autoscaling:*",
"elasticloadbalancing:*"
],
"Resource": "*"
}
]
}
Azure Credentials
- Click Add Credential → Azure
- Enter:
- Name: Descriptive identifier
- Subscription ID: The Azure subscription to deploy into
- Tenant ID: The Microsoft Entra ID (formerly Azure AD) tenant that holds the service principal
- Client ID: The service principal's application (client) ID
- Client Secret: The service principal's client secret; treat it like a password and record its expiry date, since Entra client secrets expire and the credential stops working when they do
{
"provider": "azure",
"name": "production-azure",
"subscriptionId": "...",
"tenantId": "...",
"clientId": "...",
"clientSecret": "..."
}
GCP Credentials
- Click Add Credential → GCP
- Upload or paste the service account key JSON file downloaded when you create a key for the service account under IAM & Admin → Service Accounts; the project ID is also present inside the key file as project_id:
{
"provider": "gcp",
"name": "production-gcp",
"projectId": "my-project",
"serviceAccountKey": { ... }
}
Using Credentials
Assigning to Environments
When creating or editing an environment:
- Select the Cloud Credential dropdown
- Choose the appropriate credential
- The environment stores a reference to the credential, not a copy of the secret, so rotating the credential later updates every environment that uses it
Generated Code
Generated Terraform never embeds the secret. The AWS provider block is emitted without credentials and the provider reads them from its standard environment variables at run time:
# AWS provider
provider "aws" {
region = var.aws_region
# Credentials via environment variables
}
Set the variables in the shell that runs Terraform. Avoid typing the secret on an interactive command line, which records it in shell history: load it from a file readable only by you, or configure an AWS CLI named profile and set AWS_PROFILE instead, which the Terraform AWS provider also honours:
export AWS_ACCESS_KEY_ID="..."
export AWS_SECRET_ACCESS_KEY="..."
terraform apply
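The export lines above leave the secret in shell history and in the environment of every process started afterwards in that shell. The script below is an added example, not part of OpenPrime, showing one way to avoid that: the keys are read from a file that must be mode 0600, only a masked form of the access key ID is logged, the key pair is confirmed with aws sts get-caller-identity, and Terraform runs in a subshell so the secret does not outlive the run. The file name, its VAR=value layout and the GNU stat -c call are assumptions made here.

```shell
#!/bin/sh
# Added example (not OpenPrime's own tooling): run Terraform with AWS keys read
# from a permission-restricted file instead of `export`ing them interactively.
# Assumed file format (one VAR=value per line, mode 0600):
#   AWS_ACCESS_KEY_ID=AKIA...
#   AWS_SECRET_ACCESS_KEY=...
#   AWS_DEFAULT_REGION=us-east-1
# Assumes GNU coreutils for `stat -c %a`; on macOS use `stat -f %Lp` instead.
set -eu

# Mask a secret for log output, keeping only the last four characters.
mask() {
  s=$1
  n=${#s}
  if [ "$n" -le 4 ]; then
    echo '****'
    return 0
  fi
  stars=''
  i=$((n - 4))
  while [ "$i" -gt 0 ]; do
    stars="${stars}*"
    i=$((i - 1))
  done
  printf '%s%s\n' "$stars" "$(printf '%s' "$s" | tail -c 4)"
}

# Return 0 only if the file is readable by its owner alone and defines all
# three variables; anything else is refused before a secret is loaded.
check_cred_file() {
  file=$1
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  mode=$(stat -c '%a' "$file")
  case "$mode" in
    600|400) ;;
    *) echo "refusing $file: mode $mode, expected 600 or 400" >&2; return 1 ;;
  esac
  for key in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_DEFAULT_REGION; do
    grep -q "^${key}=." "$file" || { echo "$file does not set $key" >&2; return 1; }
  done
  return 0
}

# Run Terraform in a subshell: the keys exist only in that process tree and
# are gone when it exits. get-caller-identity runs first so a bad key pair
# fails fast and the log records which principal Terraform acts as.
run_terraform() {
  file=$1
  shift
  check_cred_file "$file" || return 1
  (
    set -a                      # export every variable the file assigns
    . "$file"
    set +a
    echo "using access key $(mask "$AWS_ACCESS_KEY_ID") in $AWS_DEFAULT_REGION" >&2
    aws sts get-caller-identity --query Arn --output text >&2
    terraform "$@"
  )
}

# Usage:  sh tf-with-creds.sh ~/.openprime/production-aws.env apply
if [ $# -ge 2 ]; then
  run_terraform "$@"
fi
```

The permission check matters because a credential file that is group or world readable is the same exposure as pasting the key into a shared log; the script refuses to proceed rather than warn.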
Credential Rotation
Updating Credentials
- Navigate to Settings → Cloud Credentials
- Click Edit on the credential
- Update the secret values
- Save changes
Because environments reference the credential rather than holding a copy, every environment that uses it picks up the new values on its next deployment. Keep the old key valid until that deployment has succeeded, then revoke it at the provider.
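The provider-side half of the procedure above, for AWS, as an added example that is not part of OpenPrime: IAM allows at most two access keys per user, so a gap-free rotation creates the second key, pastes it into OpenPrime, verifies it, deactivates the old key (which is reversible) and deletes it only once nothing breaks. The age check uses the 90-day window this page recommends. The IAM user name, the output file path and the use of GNU date -d are assumptions made here; the aws commands are the real AWS CLI calls.

```shell
#!/bin/sh
# Added example (not OpenPrime's own tooling): rotate an IAM user's access key
# with the AWS CLI, one step at a time. Assumes the CLI is configured with
# iam:ListAccessKeys, iam:CreateAccessKey, iam:UpdateAccessKey and
# iam:DeleteAccessKey on the target user, and GNU `date -d` for parsing.
set -eu

# Age in days of a key from its IAM CreateDate (e.g. 2024-01-15T10:30:00+00:00).
# The optional second argument replaces "now" so the check is deterministic.
key_age_days() {
  created=$(date -u -d "$1" +%s)
  now=$(date -u -d "${2:-now}" +%s)
  echo $(( (now - created) / 86400 ))
}

# Return 0 when the key is at or past the rotation window (default 90 days).
needs_rotation() {
  age=$(key_age_days "$1" "${3:-now}")
  [ "$age" -ge "${2:-90}" ]
}

# Step 1: list the user's keys with their age, flagging any due for rotation.
list_keys() {
  aws iam list-access-keys --user-name "$1" \
    --query 'AccessKeyMetadata[].[AccessKeyId,Status,CreateDate]' --output text |
  while read -r id status created; do
    flag=''
    if needs_rotation "$created"; then flag='  ROTATE'; fi
    printf '%s %s %s days%s\n' "$id" "$status" "$(key_age_days "$created")" "$flag"
  done
}

# Step 2: create the replacement. The API returns the secret exactly once, so
# it is written straight to a 0600 file (umask in a subshell) and never echoed.
create_key() {
  user=$1
  out=$2
  (
    umask 077
    aws iam create-access-key --user-name "$user" \
      --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text |
    {
      read -r id secret
      printf 'AWS_ACCESS_KEY_ID=%s\nAWS_SECRET_ACCESS_KEY=%s\n' "$id" "$secret" > "$out"
      echo "new key $id written to $out; paste both values into OpenPrime, then verify"
    }
  )
}

# Step 3: after updating the credential in OpenPrime, prove the new key works
# before touching the old one.
verify_key() {
  ( set -a; . "$1"; set +a; aws sts get-caller-identity --query Arn --output text )
}

# Step 4: deactivate first so a consumer you missed can be rescued by
# re-enabling; delete once the old key has sat inactive through a full
# deployment cycle without anything failing.
deactivate_key() {
  aws iam update-access-key --user-name "$1" --access-key-id "$2" --status Inactive
}
delete_key() {
  aws iam delete-access-key --user-name "$1" --access-key-id "$2"
}

# Usage (placeholders for the user name, file and old key ID):
#   sh rotate-aws-key.sh list openprime-deployer
#   sh rotate-aws-key.sh create openprime-deployer ~/.openprime/production-aws.env
#   sh rotate-aws-key.sh verify ~/.openprime/production-aws.env
#   sh rotate-aws-key.sh deactivate openprime-deployer <old-access-key-id>
#   sh rotate-aws-key.sh delete openprime-deployer <old-access-key-id>
case "${1:-}" in
  list)       list_keys "$2" ;;
  create)     create_key "$2" "$3" ;;
  verify)     verify_key "$2" ;;
  deactivate) deactivate_key "$2" "$3" ;;
  delete)     delete_key "$2" "$3" ;;
esac
```

Deactivating before deleting is the important design choice: an inactive key fails exactly like a deleted one, so any deployment or script still using it surfaces within one cycle, but a single update-access-key call puts it back if that happens.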
Best Practices
- Rotate regularly - every 90 days at most, and immediately after any suspected exposure
- Use least privilege - grant only the actions the deployment actually performs, scoped to the resources it manages
- Separate by environment - distinct credentials, and ideally distinct accounts, subscriptions or projects, for production and development, so a leaked development key cannot reach production
- Monitor usage - enable CloudTrail (AWS), the Azure Activity Log and Cloud Audit Logs (GCP), and alert on the credential being used from an unexpected source or outside deployment windows
Troubleshooting
"Invalid credentials" Error
- Verify the values were entered correctly; stray whitespace in a pasted secret is enough to fail
- Check that the key is still active and that its IAM policy grants the required actions
- Ensure the default region exists and the service is available there
- Test the same key pair with the AWS CLI. get-caller-identity succeeds for any valid key regardless of its permissions, so it separates a bad key from a missing permission:
aws sts get-caller-identity
Credentials Not Listed
- Refresh the page
- Check the browser console for errors
- Verify you are logged in as the user who created the credential; credentials are user-scoped, so another user's credentials are not shown