Before you can deploy infrastructure or scan for existing resources, you need to connect ops0 to your cloud provider. This guide covers AWS, GCP, Azure, and Oracle Cloud setup.
ops0 connects to AWS using an IAM Role with cross-account trust. This is the most secure method - no long-lived credentials are stored.
Go to Settings > Integrations > Add Integration > AWS
ops0 provides a CloudFormation template that creates the required IAM role. You have two options:
The default IAM policy includes permissions for:
| Category | Permissions |
|---|---|
| Read (Discovery) | ec2:Describe*, s3:List*, rds:Describe*, etc. |
| Write (Deployments) | ec2:*, s3:*, rds:*, iam:*, etc. |
| State Management | s3:GetObject, s3:PutObject for state bucket |
To restrict permissions: Edit the IAM policy in CloudFormation before deploying. ops0 only needs permissions for resources you want to manage.
After CloudFormation completes, copy the Role ARN from the Outputs tab and paste it into ops0.
arn:aws:iam::123456789012:role/ops0-integration-role
Click Test Connection. ops0 will attempt to assume the role and list resources. If successful, you'll see a green checkmark.
| Error | Solution |
|---|---|
| "Access Denied" | Verify the trust policy includes ops0's AWS account ID |
| "Role does not exist" | Confirm CloudFormation completed successfully |
| "Invalid external ID" | Use the external ID shown in ops0, not a custom one |
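As an added example (not the CloudFormation template ops0 provides), this minimal template shows the cross-account trust the troubleshooting table refers to, with the external ID enforced as a condition, and a discovery policy narrowed from the default grants as suggested above. ops0's AWS account ID, the external ID and the state bucket name are assumed parameters you fill in from the ops0 integration screen.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  Ops0AccountId:
    Type: String
    Description: ops0's AWS account ID as shown in ops0 (placeholder, not a real value)
  Ops0ExternalId:
    Type: String
    NoEcho: true
    Description: External ID shown in ops0; use it verbatim, not a custom one
  StateBucketName:
    Type: String
    Description: Bucket holding Terraform state

Resources:
  Ops0IntegrationRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: ops0-integration-role
      # Trust policy: only the ops0 account may assume the role, and only when
      # it presents the expected external ID (confused-deputy protection).
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${Ops0AccountId}:root"
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref Ops0ExternalId
      Policies:
        - PolicyName: ops0-discovery-and-state
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Read-only discovery instead of the default ec2:*/s3:*/rds:* grants
              - Effect: Allow
                Action: [ "ec2:Describe*", "rds:Describe*", "s3:List*" ]
                Resource: "*"
              # State access limited to the one state bucket
              - Effect: Allow
                Action: [ "s3:GetObject", "s3:PutObject" ]
                Resource: !Sub "arn:aws:s3:::${StateBucketName}/*"

Outputs:
  RoleArn:
    Description: Paste this value into ops0
    Value: !GetAtt Ops0IntegrationRole.Arn
```

Deploying this instead of the default template means write (deployment) actions are denied until you add them explicitly; Test Connection still succeeds because it only assumes the role and lists resources.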
ops0 connects to GCP using a Service Account with Workload Identity Federation. This avoids storing long-lived service account keys.
Go to Settings > Integrations > Add Integration > GCP
Go to IAM & Admin > Service Accounts in GCP Console.
Click Create Service Account.
Use a clear name like ops0-integration.
Grant Editor or a custom least-privilege role.
Go to IAM & Admin > Workload Identity Federation.
Create a new pool named ops0-pool.
Use the issuer URL shown in brew.ops0.ai.
Bind the service account to the identity pool so ops0 can authenticate without long-lived keys.
In ops0, enter:
ops0-integration@project-id.iam.gserviceaccount.com
Click Test Connection to verify ops0 can access your GCP project.
ops0 connects to Azure using a Service Principal with federated credentials (OIDC). No client secrets are stored.
Go to Settings > Integrations > Add Integration > Azure
Name it ops0-integration and select Single tenant.
Enter:
Click Test Connection to verify ops0 can access your Azure subscription.
ops0 connects to Oracle Cloud Infrastructure (OCI) using API Key authentication. You provide your tenancy OCID, user OCID, API key fingerprint, and private key.
Go to Settings > Integrations > Add Integration > Oracle Cloud
| Field | Required | Description |
|---|---|---|
| Name | Yes | Integration name |
| Tenancy OCID | Yes | Your OCI tenancy identifier |
| User OCID | Yes | The user performing API calls |
| Fingerprint | Yes | API key fingerprint |
| Private Key | Yes | PEM-encoded private key |
| Region | Yes | Home region (e.g., us-ashburn-1) |
Choose your scan scope:
| Scope | Description |
|---|---|
| Tenancy | Discover resources across all compartments |
| Compartment | Target a specific compartment and its children |
Click Test Connection. ops0 will authenticate using your API key and attempt to list compartments.
For Terraform state storage in OCI Object Storage, you can provide S3-compatible credentials:
| Field | Description |
|---|---|
| S3 Endpoint | OCI S3 compatibility endpoint |
| Access Key | S3-compatible access key |
| Secret Key | S3-compatible secret key |
| Error | Solution |
|---|---|
| "NotAuthenticated" | Verify tenancy OCID, user OCID, and fingerprint match |
| "API key not found" | Upload the public key to the OCI user's API Keys |
| "Authorization failed" | Add an IAM policy granting the user inspect/read permissions |
You can connect multiple cloud accounts to a single ops0 organization. This is useful for:
Each integration appears separately in ops0, and you choose which one to use when creating projects.