> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cloudthinker.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Approval

> Configure agent approval settings and tool permissions

Control when agents require your approval before executing operations. Configure tool-level permissions to balance automation with safety.

***

## Why Approval Matters for Autonomous AI

AI agents that can only read and analyze are safe but limited. Agents that can also *act* — resize instances, modify security groups, apply configurations — are dramatically more powerful, but require trust boundaries.

The approval system is how you build that trust incrementally:

* Start with read-only access (no approval needed, zero risk)
* Enable approval-required write operations (agents ask before acting)
* Gradually move specific routine operations to auto-approved as you verify agent behavior
* Keep high-risk operations (IAM changes, database schema) permanently approval-required for compliance

**This is not a limitation** — it's how responsible automation works. Every approval creates an audit trail, answers "who approved what change and why", and satisfies change management requirements without the overhead of a full ITSM workflow.

***

## Tool Settings

Configure which tools agents can use and whether they require approval.

<Steps>
  <Step title="Open Connections">
    Navigate to [Connections](https://app.cloudthinker.io/connectors?tab=builtin-connections) and select the **Built-in Connections** tab
  </Step>

  <Step title="Select Connection">
    Find the connection you want to configure (e.g., Amazon Web Services)
  </Step>

  <Step title="Open Tool Settings">
    Click **Tool Settings** to open the configuration modal
  </Step>

  <Step title="Configure Each Tool">
    For each tool, set:

    * **Enabled**: Allow or disallow agents from using this tool
    * **Requires User Approval**: Require manual approval before execution
  </Step>
</Steps>

<Frame>
  <img src="https://mintcdn.com/cloudthinker/U5K1Omsn5IZLCI4L/images/agents/tool-settings.png?fit=max&auto=format&n=U5K1Omsn5IZLCI4L&q=85&s=e709dfa9b233d3ad11c6a60c35b7a51e" alt="Tool Settings Configuration" width="1680" height="748" data-path="images/agents/tool-settings.png" />
</Frame>

***

## Approval Modes

| Mode                  | Description                             | Use Case                                 |
| --------------------- | --------------------------------------- | ---------------------------------------- |
| **Auto-Approved**     | Agent executes without asking           | Read-only analysis, safe operations      |
| **Requires Approval** | Agent pauses and waits for confirmation | Write operations, infrastructure changes |
| **Disabled**          | Agent cannot use this tool              | Restrict sensitive capabilities          |

***

## Recommended Configuration

<CardGroup cols={2}>
  <Card title="Read-Only Tools" icon="eye">
    **Enable without approval**

    Safe for autonomous analysis:

    * `aws_use_cli_read_only`
    * `gcp_use_cli_read_only`
    * `azure_use_cli_read_only`
  </Card>

  <Card title="Write Tools" icon="pen">
    **Enable with approval required**

    Require confirmation for changes:

    * `aws_use_cli_write_only`
    * `gcp_use_cli_write_only`
    * `azure_use_cli_write_only`
  </Card>
</CardGroup>

***

## Agent Interruption

When an agent attempts an operation requiring approval, it pauses and presents an approval prompt.

<Frame>
  <img src="https://mintcdn.com/cloudthinker/U5K1Omsn5IZLCI4L/images/agents/approval-prompt.png?fit=max&auto=format&n=U5K1Omsn5IZLCI4L&q=85&s=dcb70550af9e35ed37b9f44efb935041" alt="Agent Approval Prompt" width="1242" height="1042" data-path="images/agents/approval-prompt.png" />
</Frame>

### What You'll See

| Element       | Description                                               |
| ------------- | --------------------------------------------------------- |
| **Operation** | What the agent wants to do (e.g., "Restart EC2 instance") |
| **Reasoning** | Why the agent is taking this action                       |
| **Details**   | The exact command or script to be executed                |
| **Cancel**    | Stop the operation                                        |
| **Proceed**   | Approve and execute                                       |

### Approval Actions

* **Proceed**: Approve the operation and let the agent continue
* **Cancel**: Stop the operation and notify the agent
* **Review Details**: Expand to see the exact command before deciding

***

## When Approvals Are Triggered

Agents request approval for potentially impactful operations:

| Category                   | Examples                                                   |
| -------------------------- | ---------------------------------------------------------- |
| **Infrastructure Changes** | Restart instances, resize resources, modify configurations |
| **Write Operations**       | Create, update, or delete cloud resources                  |
| **Security Actions**       | IAM changes, security group modifications                  |
| **Database Operations**    | Schema changes, data modifications                         |
| **Kubernetes Changes**     | Scale deployments, modify configurations                   |

***

## Safety Controls

| Control                   | Description                                       |
| ------------------------- | ------------------------------------------------- |
| **Per-Tool Approval**     | Configure approval requirements at the tool level |
| **Review Before Execute** | See exact commands before they run                |
| **Cancel Anytime**        | Stop operations that don't look right             |
| **Audit Trail**           | All approvals and actions logged for compliance   |

***

## Best Practices

<AccordionGroup>
  <Accordion title="Start with approval required">
    When first connecting a new service, enable approval for all write operations. As you build confidence in agent behavior, selectively enable auto-approval for routine operations.
  </Accordion>

  <Accordion title="Separate read and write permissions">
    Use different tools for read vs write operations. Enable read tools without approval for faster analysis, but require approval for any changes.
  </Accordion>

  <Accordion title="Review the details">
    Always expand the Details section before approving. Verify the exact command matches your expectations.
  </Accordion>

  <Accordion title="Use for compliance">
    Requiring approval creates an audit trail showing who approved what changes, useful for compliance requirements.
  </Accordion>
</AccordionGroup>

***

## Related

<CardGroup cols={2}>
  <Card title="Auto Mode" icon="bolt" href="/guide/auto-mode">
    Let AI auto-approve safe agent actions so chats flow without stopping
  </Card>

  <Card title="Agents" icon="robot" href="/guide/agents">
    Learn how agents work and collaborate
  </Card>

  <Card title="Connections" icon="plug" href="/guide/connections/overview">
    Set up cloud and service connections
  </Card>
</CardGroup>