Cloud provider accounts
How linked cloud accounts relate to Organisations, AWS today, and least-privilege habits for infrastructure integrations.
Written By Zoro
Last updated 3 days ago
Cloud provider accounts are credentials dFlow stores so the control plane can call provider APIs on your behalf. Today AWS is the primary documented provider for infrastructure flows in the product; other providers may appear in the UI as Coming soon or behind feature flags.
Task steps for AWS live in AWS integration. This page explains how those accounts fit Organisations, Environments, and security expectations.
What a linked account is used for
Linked accounts typically enable:
- Creating or managing compute (for example EC2 instances used as Worker Nodes).
- Reading regions, VPCs, subnets, or Security groups when the dashboard needs them for provisioning.
They do not replace Git or Docker registry credentials. Those are separate integrations under Integrations overview.
Organisation scope
Connections are stored at the Organisation (tenant) level. Whether a member can open Integrations and view the stored secrets depends on Roles and permissions and on the Tenant access model, both under Security and Team Management in the sidebar.
Use separate AWS accounts or separate IAM principals per Environment (production vs staging) when your compliance policy requires hard separation. Name connections clearly in dFlow so operators pick the right one.
Least privilege and rotation
- Create a dedicated IAM user or role per integration; avoid reusing personal admin keys.
- Attach the minimum IAM policy that still allows the EC2 (and related) actions the UI performs. Start from product docs or support guidance, then tighten with your cloud team.
- Rotate access keys on a schedule and immediately if a key leaks. Update dFlow before deleting the old key in AWS.
See Security best practices under Security and Team Management in the sidebar and Integration permissions and prerequisites.
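The rotation order above (new key first, dFlow updated, then the old key deactivated and deleted, with the old key kept if the dFlow update fails) as an added example, not code from the dFlow project. The IAM client methods are boto3's real names so a real client can be passed in, but the FakeIAM stand-in, the key ids and the update_dflow callback are constructed for this page; dFlow's own API for updating a connection is not documented here.

```python
from typing import Callable, Dict


def rotate_access_key(iam, user_name: str, old_key_id: str,
                      update_dflow: Callable[[str, str], bool]) -> str:
    """Rotate one IAM access key; returns the new AccessKeyId.

    ``iam`` exposes boto3 IAM client methods create_access_key,
    update_access_key and delete_access_key. ``update_dflow`` (assumed
    callback) stores the new pair in dFlow and returns True on success.
    """
    new = iam.create_access_key(UserName=user_name)["AccessKey"]
    new_id, new_secret = new["AccessKeyId"], new["SecretAccessKey"]
    # Update dFlow while the old key is still valid; never delete it first.
    if not update_dflow(new_id, new_secret):
        # Roll back so no unused credential is left behind.
        iam.delete_access_key(UserName=user_name, AccessKeyId=new_id)
        raise RuntimeError("dFlow update failed; old key left active")
    # Deactivate before deleting: an Inactive key can be re-enabled if
    # something still depended on it, a deleted one cannot.
    iam.update_access_key(UserName=user_name, AccessKeyId=old_key_id,
                          Status="Inactive")
    iam.delete_access_key(UserName=user_name, AccessKeyId=old_key_id)
    return new_id


class FakeIAM:
    """Constructed in-memory stand-in for boto3.client('iam') (offline demo)."""

    def __init__(self, keys: Dict[str, str]):
        self.keys = dict(keys)  # AccessKeyId -> "Active" / "Inactive"
        self.counter = 0

    def create_access_key(self, UserName):
        self.counter += 1
        key_id = f"AKIAFAKE{self.counter:012d}"  # placeholder id format
        self.keys[key_id] = "Active"
        return {"AccessKey": {"AccessKeyId": key_id, "UserName": UserName,
                              "SecretAccessKey": "secret-" + key_id}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]


def demo(dflow_accepts: bool = True) -> Dict[str, str]:
    """Run one rotation against the fake client; returns the keys left in IAM."""
    iam = FakeIAM({"AKIAFAKEOLD000000000": "Active"})  # constructed old key
    try:
        rotate_access_key(iam, "dflow-integration", "AKIAFAKEOLD000000000",
                          lambda key_id, secret: dflow_accepts)
    except RuntimeError:
        pass  # old key intentionally survives a failed dFlow update
    return iam.keys
```

Calling demo(True) leaves only the new key; demo(False) leaves only the original key, still Active.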
Network and access layers
Cloud API credentials are not the same as:
- SSH keys for Worker Nodes (SSH keys under Security and Team Management in the sidebar).
- Security groups and firewall rules for instances (Security groups under Security and Team Management in the sidebar).
You need both a healthy cloud account link and correct network paths for provisioned servers to register and run Services.