Connect Your Cloud
Before you can deploy infrastructure or scan for existing resources, you need to connect ops0 to your cloud provider. This guide covers AWS, GCP, Azure, and Oracle Cloud setup.
Choose Your Cloud Provider
AWS
ops0 connects to AWS using an IAM Role with cross-account trust. This is the most secure method - no long-lived credentials are stored.
AWS Prerequisites
- AWS account with IAM admin access
- ops0 account with Settings access
Step 1: Open AWS Integration Setup
Go to Settings > Integrations > Add Integration > AWS
Step 2: Create IAM Role
ops0 provides a CloudFormation template that creates the required IAM role. You have two options:
Step 3: Configure Permissions
The default IAM policy includes permissions for:
| Category | Permissions |
|---|---|
| Read (Discovery) | ec2:Describe*, s3:List*, rds:Describe*, etc. |
| Write (Deployments) | ec2:*, s3:*, rds:*, iam:*, etc. |
| State Management | s3:GetObject, s3:PutObject for state bucket |
To restrict permissions: Edit the IAM policy in CloudFormation before deploying. ops0 only needs permissions for resources you want to manage.
Step 4: Enter Role ARN
After CloudFormation completes, copy the Role ARN from the Outputs tab and paste it into ops0.
arn:aws:iam::123456789012:role/ops0-integration-role
Step 5: Verify AWS Connection
Click Test Connection. ops0 will attempt to assume the role and list resources. If successful, you'll see a green checkmark.
Troubleshooting AWS
| Error | Solution |
|---|---|
| "Access Denied" | Verify the trust policy includes ops0's AWS account ID |
| "Role does not exist" | Confirm CloudFormation completed successfully |
| "Invalid external ID" | Use the external ID shown in ops0, not a custom one |
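The two trust-policy errors in the table above and the advice in Step 3 to trim the default policy can both be checked before you click Test Connection. The following script is an added example, not ops0's own code: it takes the role's trust policy and permissions policy as JSON (the shape the CloudFormation template emits, or what `aws iam get-role` / `aws iam get-role-policy` return), confirms the trust policy names ops0's account and carries the `sts:ExternalId` condition, and flags service-wide wildcards such as `iam:*` on services you did not intend ops0 to manage. `OPS0_ACCOUNT_ID`, `OPS0_EXTERNAL_ID` and the sample policies are constructed placeholders; take the real values from the ops0 integration screen.

```python
"""Pre-flight check for the IAM role that ops0 assumes (added example, not ops0 code)."""
import json
from typing import Iterable, List

OPS0_ACCOUNT_ID = "111122223333"                # placeholder, not ops0's real account ID
OPS0_EXTERNAL_ID = "ops0-example-external-id"   # placeholder for the ID shown in ops0


def _as_list(value):
    """IAM accepts a bare string wherever a list is allowed; normalise both forms."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc: dict, account_id: str, external_id: str) -> List[str]:
    """Return findings for the trust policy; an empty list means it looks right."""
    findings, saw_assume_role = [], False
    for stmt in _as_list(doc.get("Statement", [])):
        actions = set(_as_list(stmt.get("Action", [])))
        if stmt.get("Effect") != "Allow" or not actions & {"sts:AssumeRole", "sts:*"}:
            continue
        saw_assume_role = True
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if "*" in aws_principals:
            findings.append("trust policy lets any AWS principal assume the role")
        elif not any(p.startswith(f"arn:aws:iam::{account_id}:") for p in aws_principals):
            findings.append(f"trust policy does not name ops0's account {account_id} "
                            "(causes 'Access Denied')")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if condition.get("sts:ExternalId") != external_id:
            findings.append("sts:ExternalId condition missing or not the ID ops0 shows "
                            "(causes 'Invalid external ID')")
    if not saw_assume_role:
        findings.append("no Allow statement grants sts:AssumeRole")
    return findings


def check_permissions_policy(doc: dict, managed_services: Iterable[str]) -> List[str]:
    """Flag service-wide wildcard grants on services outside the managed set."""
    managed, findings = set(managed_services), []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append("policy grants '*' on every service")
                continue
            service, _, verb = action.partition(":")
            if verb == "*" and service not in managed:
                findings.append(f"wildcard grant {action} outside managed services {sorted(managed)}")
    return findings


# Constructed sample documents; the account ID and external ID are placeholders.
SAMPLE_TRUST_OK = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                 "Action": "sts:AssumeRole",
                 "Condition": {"StringEquals": {"sts:ExternalId": "ops0-example-external-id"}}}]
}""")
SAMPLE_TRUST_BAD = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
                 "Action": "sts:AssumeRole"}]
}""")
SAMPLE_PERMISSIONS = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:List*", "rds:Describe*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*", "rds:*", "iam:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-state-bucket/*"}
  ]
}""")


def run_checks(trust_doc: dict, perms_doc: dict, managed_services=("ec2", "s3", "rds")) -> dict:
    """Run both checks and return findings keyed by policy type."""
    return {"trust": check_trust_policy(trust_doc, OPS0_ACCOUNT_ID, OPS0_EXTERNAL_ID),
            "permissions": check_permissions_policy(perms_doc, managed_services)}


if __name__ == "__main__":
    for policy, findings in run_checks(SAMPLE_TRUST_BAD, SAMPLE_PERMISSIONS).items():
        print(policy, "->", findings or "OK")
```

With the sample input the trust policy produces the two findings that map to the "Access Denied" and "Invalid external ID" rows, and the permissions policy flags only `iam:*`, because `ec2`, `s3` and `rds` are in the managed set. Add `iam` to the managed set if your deployments genuinely create roles or policies; otherwise edit the CloudFormation template as Step 3 suggests.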
GCP
ops0 connects to GCP using a Service Account with Workload Identity Federation. This avoids storing long-lived service account keys.
GCP Prerequisites
- GCP project with Owner or IAM Admin role
- ops0 account with Settings access
Step 1: Open GCP Integration Setup
Go to Settings > Integrations > Add Integration > GCP
Step 2: Create Service Account
Open Service Accounts
Go to IAM & Admin > Service Accounts in GCP Console.
Create Service Account
Click Create Service Account.
Name the Account
Use a clear name like ops0-integration.
Assign Roles
Grant Editor or a custom least-privilege role.
Step 3: Configure Workload Identity Federation
Open Workload Identity Federation
Go to IAM & Admin > Workload Identity Federation.
Create a Pool
Create a new pool named ops0-pool.
Add the OIDC Provider
Use the issuer URL shown in brew.ops0.ai.
Link the Service Account
Bind the service account to the identity pool so ops0 can authenticate without long-lived keys.
Step 4: Enter Project Details
In ops0, enter:
- Project ID: Your GCP project ID
- Service Account Email: ops0-integration@project-id.iam.gserviceaccount.com
- Workload Identity Pool: Full resource name of the pool
Step 5: Verify GCP Connection
Click Test Connection to verify ops0 can access your GCP project.
Azure
ops0 connects to Azure using a Service Principal with federated credentials (OIDC). No client secrets are stored.
Azure Prerequisites
- Azure subscription with Owner or User Access Administrator role
- ops0 account with Settings access
Step 1: Open Azure Integration Setup
Go to Settings > Integrations > Add Integration > Azure
Step 2: Register Application
Register a new application named ops0-integration and select Single tenant.
Step 3: Configure Federated Credentials
Step 4: Assign Roles
Step 5: Enter Credentials in ops0
Enter:
- Subscription ID: Your Azure subscription ID
- Tenant ID: Directory (tenant) ID from app registration
- Client ID: Application (client) ID from app registration
Step 6: Verify Connection
Click Test Connection to verify ops0 can access your Azure subscription.
Oracle Cloud
ops0 connects to Oracle Cloud Infrastructure (OCI) using API Key authentication. You provide your tenancy OCID, user OCID, API key fingerprint, and private key.
Oracle Cloud Prerequisites
- OCI tenancy with IAM administrative access
- API signing key pair generated in OCI
- ops0 account with Settings access
Step 1: Open Oracle Cloud Integration Setup
Go to Settings > Integrations > Add Integration > Oracle Cloud
Step 2: Generate API Key
Step 3: Enter Credentials in ops0
| Field | Required | Description |
|---|---|---|
| Name | Yes | Integration name |
| Tenancy OCID | Yes | Your OCI tenancy identifier |
| User OCID | Yes | The user performing API calls |
| Fingerprint | Yes | API key fingerprint |
| Private Key | Yes | PEM-encoded private key |
| Region | Yes | Home region (e.g., us-ashburn-1) |
Step 4: Configure Scope
Choose your scan scope:
| Scope | Description |
|---|---|
| Tenancy | Discover resources across all compartments |
| Compartment | Target a specific compartment and its children |
Step 5: Verify Oracle Cloud Connection
Click Test Connection. ops0 will authenticate using your API key and attempt to list compartments.
Step 6: Optional State Backend
For Terraform state storage in OCI Object Storage, you can provide S3-compatible credentials:
| Field | Description |
|---|---|
| S3 Endpoint | OCI S3 compatibility endpoint |
| Access Key | S3-compatible access key |
| Secret Key | S3-compatible secret key |
Troubleshooting OCI
| Error | Solution |
|---|---|
| "NotAuthenticated" | Verify tenancy OCID, user OCID, and fingerprint match |
| "API key not found" | Upload the public key to the OCI user's API Keys |
| "Authorization failed" | Add an IAM policy granting the user inspect/read permissions |
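Most "NotAuthenticated" and "API key not found" cases come from the form in Step 3 being filled in wrong rather than from OCI itself: tenancy and user OCIDs swapped, a fingerprint copied incompletely, or the public key pasted where the private key belongs. The validator below is an added example, not ops0's own code; it checks the entered values offline before you click Test Connection. It relies on the documented OCID layout (`ocid1.<type>.<realm>.<region>.<id>`), on the OCI fingerprint being the MD5 of the DER-encoded public key written as 16 colon-separated hex pairs, and on the home region identifier shape (e.g. us-ashburn-1). All sample values are constructed placeholders, not real credentials.

```python
"""Offline sanity check of the OCI integration form values (added example, not ops0 code)."""
import re
from typing import Dict, List, Optional

# OCI API key fingerprint: MD5 of the DER public key, 16 colon-separated hex byte pairs.
FINGERPRINT_RE = re.compile(r"^([0-9a-f]{2}:){15}[0-9a-f]{2}$")
# Home region identifier shape, e.g. us-ashburn-1, eu-frankfurt-1 (sanity check only).
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d+$")


def ocid_problem(value: str, expected_type: str) -> Optional[str]:
    """Check an OCID's layout and that its resource type matches the form field."""
    parts = value.strip().split(".")
    if len(parts) not in (5, 6) or parts[0] != "ocid1" or not parts[-1]:
        return f"{expected_type} OCID is malformed: {value!r}"
    if parts[1] != expected_type:
        return f"{expected_type} OCID field holds a '{parts[1]}' OCID (tenancy/user swapped?)"
    return None


def private_key_problem(pem: str) -> Optional[str]:
    """Make sure the pasted PEM is a private key, not the public half that goes into OCI."""
    pem = pem.strip()
    if pem.startswith("-----BEGIN PUBLIC KEY-----"):
        return "public key pasted; it belongs under the OCI user's API Keys, the private key goes here"
    if not pem.startswith(("-----BEGIN RSA PRIVATE KEY-----", "-----BEGIN PRIVATE KEY-----")):
        return "private key is not a PEM-encoded private key"
    if not pem.endswith("PRIVATE KEY-----"):
        return "private key PEM is truncated (END line missing)"
    return None


def check_oci_form(form: Dict[str, str]) -> List[str]:
    """Return findings for the Step 3 form values; an empty list means they look consistent."""
    findings = []
    for field, ocid_type in (("tenancy_ocid", "tenancy"), ("user_ocid", "user")):
        problem = ocid_problem(form.get(field, ""), ocid_type)
        if problem:
            findings.append(problem)
    if not FINGERPRINT_RE.match(form.get("fingerprint", "").strip().lower()):
        findings.append("fingerprint must be 16 colon-separated hex byte pairs (MD5 of the DER public key)")
    key_problem = private_key_problem(form.get("private_key", ""))
    if key_problem:
        findings.append(key_problem)
    if not REGION_RE.match(form.get("region", "").strip()):
        findings.append("region must be an OCI region identifier such as us-ashburn-1")
    return findings


# Constructed placeholders; none of these are real OCIDs, keys or fingerprints.
SAMPLE_PRIVATE_KEY = """-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAexampleplaceholderbodynotarealkey
-----END RSA PRIVATE KEY-----"""
SAMPLE_PUBLIC_KEY = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAexampleplaceholder
-----END PUBLIC KEY-----"""
SAMPLE_FORM_OK = {
    "tenancy_ocid": "ocid1.tenancy.oc1..aaaaaaaaexampletenancyid",
    "user_ocid": "ocid1.user.oc1..aaaaaaaaexampleuserid",
    "fingerprint": "20:3b:97:13:55:1c:5b:0d:d3:37:d8:50:4e:c5:3a:34",
    "private_key": SAMPLE_PRIVATE_KEY,
    "region": "us-ashburn-1",
}
# Same values with tenancy/user swapped and the public key pasted by mistake.
SAMPLE_FORM_SWAPPED = {
    **SAMPLE_FORM_OK,
    "tenancy_ocid": SAMPLE_FORM_OK["user_ocid"],
    "user_ocid": SAMPLE_FORM_OK["tenancy_ocid"],
    "private_key": SAMPLE_PUBLIC_KEY,
}

if __name__ == "__main__":
    for name, form in (("ok", SAMPLE_FORM_OK), ("swapped", SAMPLE_FORM_SWAPPED)):
        print(name, "->", check_oci_form(form) or "OK")
```

The swapped sample yields three findings (each OCID in the wrong field plus the public key), which is exactly the combination that otherwise surfaces only as "NotAuthenticated" after submission. The check does not verify that the fingerprint actually belongs to the pasted key; if both are well-formed and OCI still rejects them, recompute the fingerprint from the key you uploaded and compare.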
Multiple Accounts
You can connect multiple cloud accounts to a single ops0 organization. This is useful for:
- Multi-account AWS - Separate accounts for dev, staging, production
- Multi-cloud - AWS for compute, GCP for ML, Azure for enterprise apps
- Multiple regions - Different integrations per region for compliance
Each integration appears separately in ops0, and you choose which one to use when creating projects.