Cloud Accounts
Cloud Accounts store your cloud credentials securely so your team can deploy without pasting keys every time. Credentials are encrypted with KMS in AskArchie's database.
Overview
Navigate to Settings → Cloud Accounts to manage your accounts. Each account shows:
- Account name and cloud provider badge (AWS / Azure / GCP)
- Account ID or Subscription ID
- Region
- Last used date
- Edit and Delete actions
Connecting AWS
Three connection methods are available:
Auto-Deploy Role (Recommended)
Archie creates a cross-account IAM role in your AWS account. This is the most secure option — no long-lived credentials are stored.
- Provide a friendly name (e.g., "Production AWS", "Dev Sandbox")
- Paste temporary AWS access keys that have the IAM permissions needed to create the role and policy
- Review the trust policy showing Archie's Account ID and your External ID
- Click "Deploy 2 resources". Archie creates two resources: aws:iam:Policy and aws:iam:Role
After creation, Archie stores only the Role ARN and External ID. Your temporary keys are discarded.
Security note: "No secrets stored" — Archie's worker STS-assumes into your role at deploy time using its own IAM identity.
Paste Existing ARN
If you've already created an IAM role manually:
- Copy the trust policy from Archie (includes Account ID + External ID)
- Create the role in your AWS console
- Paste the Role ARN back into Archie
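Both role-based flows above rely on the same trust policy shape: the role trusts Archie's AWS account, and only when the caller presents the External ID. The script below is an added example, not AskArchie's own code; it builds that trust policy and checks a hand-written one for the mistakes that weaken it (a wildcard principal, the wrong account, a missing or mismatched External ID). The account ID and External ID in it are constructed placeholders, not Archie's real values; substitute the ones the Archie UI shows you.

```python
"""Build and sanity-check an AWS IAM cross-account trust policy (added example).

Not AskArchie's code. ARCHIE_ACCOUNT_ID and EXTERNAL_ID are constructed
placeholders; read the real values from the trust policy Archie displays.
"""
import json

# Constructed placeholders, not real AskArchie identifiers.
ARCHIE_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "example-external-id-0000"


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy allowing only the trusted account to assume the role,
    and only when it supplies the External ID (confused-deputy protection)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def trust_policy_problems(policy: dict, trusted_account_id: str, external_id: str) -> list:
    """Review a trust policy before pasting its Role ARN into Archie.
    Returns human-readable findings; an empty list means the policy is as expected."""
    problems = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM allows a single statement object
        statements = [statements]
    assume_statements = 0
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        assume_statements += 1
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            problems.append(f"statement {i}: principal '*' lets any AWS account assume the role")
        elif isinstance(principal, dict):
            aws = principal.get("AWS", [])
            if isinstance(aws, str):
                aws = [aws]
            if not any(f":{trusted_account_id}:" in p for p in aws):
                problems.append(f"statement {i}: principal does not reference account {trusted_account_id}")
        else:
            problems.append(f"statement {i}: no AWS principal; Archie's worker could not assume the role")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            problems.append(f"statement {i}: missing sts:ExternalId condition (confused-deputy risk)")
        elif ext != external_id:
            problems.append(f"statement {i}: External ID {ext!r} does not match the one Archie showed")
    if assume_statements == 0:
        problems.append("no Allow statement grants sts:AssumeRole")
    return problems


def demo() -> tuple:
    """Run the checker over a correct policy and a deliberately weakened copy
    (wildcard principal, no condition), returning both finding lists."""
    good = build_trust_policy(ARCHIE_ACCOUNT_ID, EXTERNAL_ID)
    # Round-trip through JSON as the console would store it.
    weak = json.loads(json.dumps(good))
    weak["Statement"][0]["Principal"] = {"AWS": "*"}
    del weak["Statement"][0]["Condition"]
    return (
        trust_policy_problems(good, ARCHIE_ACCOUNT_ID, EXTERNAL_ID),
        trust_policy_problems(weak, ARCHIE_ACCOUNT_ID, EXTERNAL_ID),
    )


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(ARCHIE_ACCOUNT_ID, EXTERNAL_ID), indent=2))
    for finding in demo()[1]:
        print("weak policy:", finding)
```

To check a role you created by hand, load its trust document (for example the JSON shown in the console's "Trust relationships" tab) and pass it to trust_policy_problems with the account ID and External ID from Archie's trust policy; any finding means the role is either too open or will fail when Archie's worker tries to assume it.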
Access Keys
For quick testing, paste an Access Key ID and Secret Access Key directly. These are encrypted and stored in AskArchie's database.
Not recommended for production, since these are long-lived credentials. Use a role instead.
Connecting Azure
Azure uses Service Principal authentication:
| Field | Where to find it |
|---|---|
| Tenant ID | Azure AD → Properties → Tenant ID |
| Client ID | App registrations → your app → Application (client) ID |
| Client Secret | App registrations → Certificates & secrets |
| Subscription ID | Subscriptions → your subscription → Subscription ID |
Check the authorization box ("I authorize storing credentials in AskArchie's database") and click Save Account.
Credentials are encrypted with KMS. Revoke anytime by deleting the account.
Connecting GCP
GCP uses Service Account JSON authentication:
| Field | Where to find it |
|---|---|
| Project ID | GCP Console → Dashboard → Project ID |
| Service Account JSON | IAM & Admin → Service Accounts → Keys → Create JSON key |
Paste the full JSON key file contents into the text area.
Managing Multiple Accounts
You can connect as many accounts as you need across all three clouds. Common patterns:
- Per-environment: "AWS Production", "AWS Staging", "AWS Dev"
- Per-cloud: "CloudGuru AWS", "Azure Sandbox", "GCP Sandbox"
- Per-team: "Platform Team AWS", "App Team AWS"
All accounts appear in a dropdown when deploying. Team members see all saved accounts.
Deploy Region
Each Cloud Account has a default region. When deploying, the region is pre-filled from the account but can be overridden per deployment without editing the account.
"Pre-filled from the saved account. Override here without editing it."
What's Next
- Blueprints — browse and fork templates
- Deploying — use your Cloud Account to deploy