Skip to main content

Credentials

Follow these guides to create secure, read-only access credentials for your CloudThinker connections. Using read-only credentials is a security best practice that allows CloudThinker to analyze your infrastructure without the ability to make changes.
Always use the principle of least privilege when setting up credentials. Grant only the minimum permissions necessary for CloudThinker to perform its analysis and monitoring functions.

Cloud Providers

AWS Credentials

Set up IAM role-based access (recommended) or IAM user credentials for AWS

Google Cloud Credentials

Set up service accounts with viewer roles for GCP resources

Azure Credentials

Configure service principals with read permissions for Azure resources

Databases & Services

PostgreSQL

Create read-only database users for PostgreSQL connections

MySQL

Set up read-only users for MySQL database monitoring

Kubernetes

Configure service accounts with view-only cluster access

Grafana

Create service account tokens for Grafana access

Elasticsearch

Generate API keys for Elasticsearch monitoring

AWS Credentials

CloudThinker supports two authentication methods for connecting to your AWS account. Role-Based authentication using IAM AssumeRole is strongly recommended as it follows AWS security best practices and doesn’t require sharing long-term credentials.
AWS connection dialog showing Role-Based and Access Keys authentication options

Google Cloud Credentials

Set up a service account with viewer permissions for CloudThinker to access your GCP resources.

Step 1: Create Service Account

1

Open GCP Console

Go to the Google Cloud Console and select your project.
2

Navigate to IAM

Go to IAM & AdminService accounts.
3

Create Service Account

Click Create Service Account and enter:
  • Name: cloudthinker-readonly
  • Description: Read-only access for CloudThinker monitoring
4

Assign Roles

Add these roles:
  • Viewer (basic read access)
  • Monitoring Viewer (for monitoring data)
  • Security Reviewer (for security analysis)

Step 2: Generate Key File

1

Select Service Account

Click on the created service account from the list.
2

Create Key

Go to Keys tab → Add keyCreate new key.
3

Choose JSON Format

Select JSON and click Create to download the key file.
4

Secure Storage

Store the JSON key file securely and note the file path for CloudThinker configuration.

Connection Details

You’ll need:
  • Project ID: Your GCP project identifier
  • Service Account Key: JSON key file downloaded from GCP
  • Key File Path: Location of the JSON key file
Service Account Key Format: 
{
  "type": "service_account",
  "project_id": "your-project-id",
  "private_key_id": "key-id",
  "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
  "client_email": "[email protected]",
  "client_id": "123456789012345678901",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token"
}

Azure Credentials

Configure a service principal with read permissions for Azure resources.

Step 1: Create Service Principal

1

Open Azure Portal

Navigate to the Azure Portal and sign in.
2

Azure Active Directory

Go to Azure Active DirectoryApp registrationsNew registration.
3

Register Application

Enter application name (e.g., CloudThinker-ReadOnly) and click Register.
4

Note Application Details

Copy and save:
  • Application (client) ID
  • Directory (tenant) ID

Step 2: Create Client Secret

1

Certificates & Secrets

In your app registration, go to Certificates & secrets.
2

New Client Secret

Click New client secret, add a description and set expiration.
3

Copy Secret Value

Important: Copy the secret value immediately (it won’t be shown again).

Step 3: Assign Permissions

1

Subscription Access

Go to Subscriptions → Select your subscription → Access control (IAM).
2

Add Role Assignment

Click AddAdd role assignment.
3

Assign Reader Role

Select Reader role and assign it to your service principal.

Connection Details

You’ll need these four values for CloudThinker:
  • Client ID (Application ID)
  • Client Secret (the secret value you copied)
  • Tenant ID (Directory ID)
  • Subscription ID (from your Azure subscription)

PostgreSQL Credentials

Create a read-only database user for PostgreSQL monitoring.

Step 1: Connect as Admin

1

Connect to Database

Connect to your PostgreSQL instance using an admin account (e.g., postgres):
psql -h your-host -U postgres -d your-database

Step 2: Create Read-Only User

1

Create User

Create a new user for CloudThinker:
CREATE USER cloudthinker_readonly WITH PASSWORD 'your-secure-password';
2

Grant Connection

Allow connection to the database:
GRANT CONNECT ON DATABASE your_database TO cloudthinker_readonly;
3

Grant Schema Usage

Grant usage on schemas:
GRANT USAGE ON SCHEMA public TO cloudthinker_readonly;
GRANT USAGE ON SCHEMA information_schema TO cloudthinker_readonly;
4

Grant Select Permissions

Grant SELECT on all tables and views:
GRANT SELECT ON ALL TABLES IN SCHEMA public TO cloudthinker_readonly;
GRANT SELECT ON ALL TABLES IN SCHEMA information_schema TO cloudthinker_readonly;

Connection Details

You’ll need:
  • Host: Your PostgreSQL server hostname
  • Port: Usually 5432
  • Database: Database name
  • Username: cloudthinker_readonly
  • Password: The password you set
Connection String Format: 
postgresql://cloudthinker_readonly:your-secure-password@your-host:5432/your-database
Example: 
postgresql://cloudthinker_readonly:[email protected]:5432/production

MySQL Credentials

Set up a read-only user for MySQL database monitoring.

Step 1: Create Read-Only User

1

Connect as Root

Connect to MySQL as root or admin user:
mysql -h your-host -u root -p
2

Create User

Create the CloudThinker user:
CREATE USER 'cloudthinker_readonly'@'%' IDENTIFIED BY 'your-secure-password';
3

Grant Read Permissions

Grant SELECT privileges on all databases:
GRANT SELECT ON *.* TO 'cloudthinker_readonly'@'%';
GRANT SHOW DATABASES ON *.* TO 'cloudthinker_readonly'@'%';
GRANT PROCESS ON *.* TO 'cloudthinker_readonly'@'%';
4

Apply Changes

Flush privileges to apply changes:
FLUSH PRIVILEGES;

Connection Details

You’ll need:
  • Host: Your MySQL server hostname
  • Port: Usually 3306
  • Username: cloudthinker_readonly
  • Password: The password you set
Connection String Format: 
mysql://cloudthinker_readonly:your-secure-password@your-host:3306/database-name
Example: 
mysql://cloudthinker_readonly:[email protected]:3306/production

Kubernetes Credentials

Configure a service account with view-only access to your Kubernetes cluster.

Step 1: Create Service Account

1

Create Namespace

Create a dedicated namespace (optional):
apiVersion: v1
kind: Namespace
metadata:
  name: cloudthinker
2

Create Service Account

Create the service account:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cloudthinker-readonly
  namespace: cloudthinker

Step 2: Create ClusterRole and Binding

1

Create ClusterRole

Define read-only permissions:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cloudthinker-readonly
rules:
- apiGroups: [""]
  resources: ["*"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps", "extensions"]
  resources: ["*"]
  verbs: ["get", "list", "watch"]
2

Create ClusterRoleBinding

Bind the role to the service account:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cloudthinker-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cloudthinker-readonly
subjects:
- kind: ServiceAccount
  name: cloudthinker-readonly
  namespace: cloudthinker

Step 3: Create Long-Lived Token

Starting from Kubernetes 1.24, tokens are no longer automatically created for service accounts. You need to create a Secret to generate a long-lived token.
1

Create Token Secret

Create a Secret that will hold the long-lived token:
apiVersion: v1
kind: Secret
metadata:
  name: cloudthinker-readonly-token
  namespace: cloudthinker
  annotations:
    kubernetes.io/service-account.name: cloudthinker-readonly
type: kubernetes.io/service-account-token
Apply with:
kubectl apply -f cloudthinker-token-secret.yaml
2

Retrieve the Token

Get the long-lived token from the Secret:
kubectl get secret cloudthinker-readonly-token -n cloudthinker -o jsonpath='{.data.token}' | base64 --decode
3

Get Cluster Info

Get your cluster endpoint:
kubectl cluster-info
4

Get CA Certificate

Extract the CA certificate for secure connections:
kubectl get secret cloudthinker-readonly-token -n cloudthinker -o jsonpath='{.data.ca\.crt}' | base64 --decode

Connection Details

You’ll need:
  • Cluster Endpoint: Your Kubernetes API server URL
  • Token: The service account token
  • Certificate: Cluster CA certificate (from kubeconfig)
Kubeconfig Format: 
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: <base64-encoded-ca-cert>
    server: https://your-cluster-endpoint:6443
  name: your-cluster
contexts:
- context:
    cluster: your-cluster
    user: cloudthinker-readonly
  name: cloudthinker-context
current-context: cloudthinker-context
users:
- name: cloudthinker-readonly
  user:
    token: <your-service-account-token>

Grafana Credentials

Create a service account token for CloudThinker to access your Grafana dashboards and metrics.

Step 1: Create Service Account

1

Open Grafana

Navigate to your Grafana instance and sign in with admin access.
2

Navigate to Service Accounts

Go to AdministrationUsers and accessService Accounts.
3

Create Service Account

Click Add service account and enter:
  • Name: cloudthinker-readonly
  • Role: Select Viewer
4

Save

Click Create to create the service account.

Step 2: Generate Token

1

Add Token

Click Add service account token on your new service account.
2

Configure Token

Enter a token name (e.g., cloudthinker-token) and optionally set an expiration date.
3

Generate and Copy

Click Generate token and immediately copy the token (it won’t be shown again).

Connection Details

You’ll need:
  • GRAFANA_URL: Your Grafana instance URL
  • GRAFANA_SERVICE_ACCOUNT_TOKEN: The generated token
URL Format: 
https://your-instance.grafana.net
Example: 
https://mycompany.grafana.net

Elasticsearch Credentials

Generate an API key for CloudThinker to access your Elasticsearch cluster for log analysis and monitoring.

Step 1: Create API Key

1

Open Kibana

Navigate to your Kibana instance and sign in.
2

Navigate to API Keys

Go to Stack ManagementSecurityAPI Keys.
3

Create API Key

Click Create API key and enter:
  • Name: cloudthinker-readonly
4

Set Permissions (Optional)

For read-only access, add role descriptors:
{
  "cluster": ["monitor"],
  "indices": [{"names": ["*"], "privileges": ["read", "view_index_metadata"]}]
}
5

Generate and Copy

Click Create API key and immediately copy the encoded key (it won’t be shown again).

Connection Details

You’ll need:
  • ES_URL: Your Elasticsearch cluster URL
  • ES_API_KEY: The generated API key (base64 encoded)
URL Format: 
https://your-cluster.es.region.cloud.es.io:9243
Example: 
https://mycompany.es.us-east-1.aws.found.io:9243

Security Best Practices

Credential Rotation

  • Rotate access keys and passwords regularly (every 90 days)
  • Use short-lived tokens when possible
  • Monitor credential usage and access logs

Network Security

  • Use TLS/SSL for all database connections
  • Implement IP whitelisting where possible
  • Use VPN or private networks for sensitive resources

Monitoring

  • Enable audit logging for all services
  • Monitor for unusual access patterns
  • Set up alerts for credential misuse

Storage

  • Store credentials in secure credential managers
  • Never commit credentials to version control
  • Use environment variables or secure configuration

Troubleshooting

Common Issues:
  • Expired or invalid credentials
  • Incorrect permissions or roles
  • Network connectivity problems
  • Service endpoint changes
Solutions:
  • Verify credentials are current and valid
  • Check that required permissions are granted
  • Test network connectivity to services
  • Confirm service endpoints haven’t changed
Common Causes:
  • Insufficient read permissions
  • Missing resource access
  • Policy restrictions
  • Service-specific permission requirements
Troubleshooting:
  • Review and expand read-only permissions
  • Check resource-specific access requirements
  • Verify policy configurations
  • Consult service documentation for required permissions

Next Steps

Connect Services

Use your credentials to set up connections in CloudThinker

Test Connections

Verify your connections are working properly