Setting Up Read-Only Credentials

Follow these guides to create secure, read-only access credentials for your CloudThinker connections. Using read-only credentials is a security best practice that allows CloudThinker to analyze your infrastructure without the ability to make changes.
Always use the principle of least privilege when setting up credentials. Grant only the minimum permissions necessary for CloudThinker to perform its analysis and monitoring functions.

Cloud Providers

AWS Credentials

Create IAM users with read-only permissions for AWS services

Google Cloud Credentials

Set up service accounts with viewer roles for GCP resources

Azure Credentials

Configure service principals with read permissions for Azure resources

Databases & Services

PostgreSQL

Create read-only database users for PostgreSQL connections

MySQL

Set up read-only users for MySQL database monitoring

Kubernetes

Configure service accounts with view-only cluster access

AWS Credentials

Create an IAM user with read-only permissions for CloudThinker to access your AWS resources.

Step 1: Create IAM User

1

Open AWS Console

Navigate to the AWS IAM Console and sign in to your account.
2

Create New User

Click UsersCreate user and enter a username (e.g., cloudthinker-readonly).
3

Set Permissions

Choose Attach policies directly and search for the following read-only policies:
  • ReadOnlyAccess (comprehensive read-only access)
  • Or specific policies like AmazonEC2ReadOnlyAccess, AmazonS3ReadOnlyAccess, etc.
4

Review and Create

Review the configuration and click Create user.

Step 2: Generate Access Keys

1

Select User

Click on the newly created user from the Users list.
2

Create Access Key

Go to Security credentials tab → Create access key.
3

Choose Use Case

Select Third-party service and acknowledge the recommendation.
4

Save Credentials

Important: Copy and securely store both the Access Key ID and Secret Access Key.

Connection Details

You’ll need:
  • Access Key ID: The access key for your IAM user
  • Secret Access Key: The secret key for your IAM user
  • Region: Your preferred AWS region (e.g., us-east-1)

Google Cloud Credentials

Set up a service account with viewer permissions for CloudThinker to access your GCP resources.

Step 1: Create Service Account

1

Open GCP Console

Go to the Google Cloud Console and select your project.
2

Navigate to IAM

Go to IAM & AdminService accounts.
3

Create Service Account

Click Create Service Account and enter:
  • Name: cloudthinker-readonly
  • Description: Read-only access for CloudThinker monitoring
4

Assign Roles

Add these roles:
  • Viewer (basic read access)
  • Monitoring Viewer (for monitoring data)
  • Security Reviewer (for security analysis)

Step 2: Generate Key File

1

Select Service Account

Click on the created service account from the list.
2

Create Key

Go to Keys tab → Add keyCreate new key.
3

Choose JSON Format

Select JSON and click Create to download the key file.
4

Secure Storage

Store the JSON key file securely and note the file path for CloudThinker configuration.

Connection Details

You’ll need:
  • Project ID: Your GCP project identifier
  • Service Account Key: JSON key file downloaded from GCP
  • Key File Path: Location of the JSON key file
Service Account Key Format: 
{
  "type": "service_account",
  "project_id": "your-project-id",
  "private_key_id": "key-id",
  "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
  "client_email": "cloudthinker-readonly@your-project.iam.gserviceaccount.com",
  "client_id": "123456789012345678901",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token"
}

Azure Credentials

Configure a service principal with read permissions for Azure resources.

Step 1: Create Service Principal

1

Open Azure Portal

Navigate to the Azure Portal and sign in.
2

Azure Active Directory

Go to Azure Active DirectoryApp registrationsNew registration.
3

Register Application

Enter application name (e.g., CloudThinker-ReadOnly) and click Register.
4

Note Application Details

Copy and save:
  • Application (client) ID
  • Directory (tenant) ID

Step 2: Create Client Secret

1

Certificates & Secrets

In your app registration, go to Certificates & secrets.
2

New Client Secret

Click New client secret, add a description and set expiration.
3

Copy Secret Value

Important: Copy the secret value immediately (it won’t be shown again).

Step 3: Assign Permissions

1

Subscription Access

Go to Subscriptions → Select your subscription → Access control (IAM).
2

Add Role Assignment

Click AddAdd role assignment.
3

Assign Reader Role

Select Reader role and assign it to your service principal.

Connection Details

You’ll need these four values for CloudThinker:
  • Client ID (Application ID)
  • Client Secret (the secret value you copied)
  • Tenant ID (Directory ID)
  • Subscription ID (from your Azure subscription)

PostgreSQL Credentials

Create a read-only database user for PostgreSQL monitoring.

Step 1: Connect as Admin

1

Connect to Database

Connect to your PostgreSQL instance using an admin account (e.g., postgres):
psql -h your-host -U postgres -d your-database

Step 2: Create Read-Only User

1

Create User

Create a new user for CloudThinker:
CREATE USER cloudthinker_readonly WITH PASSWORD 'your-secure-password';
2

Grant Connection

Allow connection to the database:
GRANT CONNECT ON DATABASE your_database TO cloudthinker_readonly;
3

Grant Schema Usage

Grant usage on schemas:
GRANT USAGE ON SCHEMA public TO cloudthinker_readonly;
GRANT USAGE ON SCHEMA information_schema TO cloudthinker_readonly;
4

Grant Select Permissions

Grant SELECT on all tables and views:
GRANT SELECT ON ALL TABLES IN SCHEMA public TO cloudthinker_readonly;
GRANT SELECT ON ALL TABLES IN SCHEMA information_schema TO cloudthinker_readonly;

Connection Details

You’ll need:
  • Host: Your PostgreSQL server hostname
  • Port: Usually 5432
  • Database: Database name
  • Username: cloudthinker_readonly
  • Password: The password you set
Connection String Format: 
postgresql://cloudthinker_readonly:your-secure-password@your-host:5432/your-database
Example: 
postgresql://cloudthinker_readonly:mypassword123@db.example.com:5432/production

MySQL Credentials

Set up a read-only user for MySQL database monitoring.

Step 1: Create Read-Only User

1

Connect as Root

Connect to MySQL as root or admin user:
mysql -h your-host -u root -p
2

Create User

Create the CloudThinker user:
CREATE USER 'cloudthinker_readonly'@'%' IDENTIFIED BY 'your-secure-password';
3

Grant Read Permissions

Grant SELECT privileges on all databases:
GRANT SELECT ON *.* TO 'cloudthinker_readonly'@'%';
GRANT SHOW DATABASES ON *.* TO 'cloudthinker_readonly'@'%';
GRANT PROCESS ON *.* TO 'cloudthinker_readonly'@'%';
4

Apply Changes

Flush privileges to apply changes:
FLUSH PRIVILEGES;

Connection Details

You’ll need:
  • Host: Your MySQL server hostname
  • Port: Usually 3306
  • Username: cloudthinker_readonly
  • Password: The password you set
Connection String Format: 
mysql://cloudthinker_readonly:your-secure-password@your-host:3306/database-name
Example: 
mysql://cloudthinker_readonly:mypassword123@mysql.example.com:3306/production

Kubernetes Credentials

Configure a service account with view-only access to your Kubernetes cluster.

Step 1: Create Service Account

1

Create Namespace

Create a dedicated namespace (optional):
apiVersion: v1
kind: Namespace
metadata:
  name: cloudthinker
2

Create Service Account

Create the service account:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cloudthinker-readonly
  namespace: cloudthinker

Step 2: Create ClusterRole and Binding

1

Create ClusterRole

Define read-only permissions:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cloudthinker-readonly
rules:
- apiGroups: [""]
  resources: ["*"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps", "extensions"]
  resources: ["*"]
  verbs: ["get", "list", "watch"]
2

Create ClusterRoleBinding

Bind the role to the service account:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cloudthinker-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cloudthinker-readonly
subjects:
- kind: ServiceAccount
  name: cloudthinker-readonly
  namespace: cloudthinker

Step 3: Get Access Token

1

Create Token

Generate a token for the service account:
kubectl create token cloudthinker-readonly -n cloudthinker
2

Get Cluster Info

Get your cluster endpoint:
kubectl cluster-info

Connection Details

You’ll need:
  • Cluster Endpoint: Your Kubernetes API server URL
  • Token: The service account token
  • Certificate: Cluster CA certificate (from kubeconfig)
Kubeconfig Format: 
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: <base64-encoded-ca-cert>
    server: https://your-cluster-endpoint:6443
  name: your-cluster
contexts:
- context:
    cluster: your-cluster
    user: cloudthinker-readonly
  name: cloudthinker-context
current-context: cloudthinker-context
users:
- name: cloudthinker-readonly
  user:
    token: <your-service-account-token>

Security Best Practices

Credential Rotation

  • Rotate access keys and passwords regularly (every 90 days)
  • Use short-lived tokens when possible
  • Monitor credential usage and access logs

Network Security

  • Use TLS/SSL for all database connections
  • Implement IP whitelisting where possible
  • Use VPN or private networks for sensitive resources

Monitoring

  • Enable audit logging for all services
  • Monitor for unusual access patterns
  • Set up alerts for credential misuse

Storage

  • Store credentials in secure credential managers
  • Never commit credentials to version control
  • Use environment variables or secure configuration

Troubleshooting

Next Steps

Connect Services

Use your credentials to set up connections in CloudThinker

Test Connections

Verify your connections are working properly