
Configure Connectors

Connect Aurora to your cloud providers using provider-specific authentication methods. Each provider has unique configuration requirements.

Google Cloud Platform (GCP)

POST /gcp/login

Initiate the GCP OAuth 2.0 authentication flow.

Request Body:
  • userId (string, required) - Aurora user identifier

Response:
  • login_url (string) - OAuth authorization URL to redirect the user to

Example request:
{
  "userId": "user_123"
}

Example response:
{
  "login_url": "https://accounts.google.com/o/oauth2/v2/auth?client_id=..."
}

OAuth Flow

  1. Frontend calls /gcp/login with userId
  2. Backend returns OAuth URL with encoded state
  3. User redirects to Google consent screen
  4. Google redirects to /gcp/callback with code
  5. Backend exchanges code for tokens
  6. Backend triggers post-auth setup (async)
  7. Frontend polls /gcp/setup/status/:task_id
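The polling step of the flow above, as an added example that is not Aurora's own code: a client-side poller for /gcp/setup/status/:task_id that stops on SUCCESS or FAILURE, bounds the number of attempts, and URL-encodes the task id. The fetch and sleep functions are injected so the block runs offline against a constructed response sequence; `makeFakeBackend` and the response bodies are constructed for the example.

```javascript
// Added example (not Aurora's code): poll GET /gcp/setup/status/:task_id until the
// task reaches a terminal state. `fetchJson` and `sleep` are injected dependencies.

// Classify a status body using the documented `state` values and `complete` flag.
function nextAction(body) {
  if (body.state === 'FAILURE') return 'failed';
  if (body.state === 'SUCCESS' || body.complete === true) return 'done';
  if (['PENDING', 'STARTED', 'PROGRESS'].includes(body.state)) return 'wait';
  return 'failed'; // unknown state: fail closed rather than poll forever
}

async function pollSetupStatus(taskId, { fetchJson, sleep, intervalMs = 1000, maxAttempts = 30 }) {
  // encodeURIComponent keeps an untrusted task id from altering the request path
  const url = `/gcp/setup/status/${encodeURIComponent(taskId)}`;
  for (let attempt = 0; attempt < maxAttempts; attempt++) {
    const body = await fetchJson(url);
    const action = nextAction(body);
    if (action === 'done') return body;
    if (action === 'failed') throw new Error(`GCP setup failed: ${body.status ?? body.state}`);
    await sleep(intervalMs); // fixed interval; total wait is bounded by maxAttempts
  }
  throw new Error(`GCP setup did not finish after ${maxAttempts} polls`);
}

// Constructed stand-in for the backend: returns the responses in order, then repeats the last.
function makeFakeBackend(responses) {
  let i = 0;
  return async () => responses[Math.min(i++, responses.length - 1)];
}

// Constructed response sequence mirroring the documented status shape.
const constructedResponses = [
  { state: 'PENDING', status: 'Queued', complete: false, progress: 0, step: 0, total_steps: 7 },
  { state: 'PROGRESS', status: 'Enabling required APIs', complete: false, progress: 42, step: 3, total_steps: 7 },
  { state: 'SUCCESS', status: 'Setup complete', complete: true, progress: 100, step: 7, total_steps: 7 },
];

// Stand-alone usage: resolves with the final SUCCESS body.
pollSetupStatus('task_abc', { fetchJson: makeFakeBackend(constructedResponses), sleep: () => Promise.resolve() })
  .then((final) => console.log('setup finished:', final.status));
```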

GET /gcp/setup/status/:task_id

Check post-authentication setup progress.

Response:
  • state (string) - Task state: PENDING, STARTED, PROGRESS, SUCCESS, FAILURE
  • status (string) - Human-readable status message
  • complete (boolean) - Whether setup is complete
  • progress (number) - Progress percentage (0-100)
  • step (number) - Current step number
  • total_steps (number) - Total number of setup steps

Example:
{
  "state": "PROGRESS",
  "status": "Enabling required APIs",
  "complete": false,
  "progress": 42,
  "step": 3,
  "total_steps": 7
}

POST /api/gcp/force-disconnect

Disconnect the GCP account and delete its credentials.

Authentication: Required (X-User-ID header)

Response:
{
  "success": true,
  "message": "GCP disconnected successfully"
}

Amazon Web Services (AWS)

POST /aws/auth

Connect an AWS account using IAM role assumption.

Authentication: Required (X-User-ID header)

Request Body:
  • userId (string, required) - Aurora user identifier
  • role_arn (string, required) - IAM role ARN to assume. Format: arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME
  • external_id (string, required) - External ID for secure role assumption (from the Aurora workspace)
  • read_only_role_arn (string, optional) - Read-only role ARN for Ask mode

Example Request:
{
  "userId": "user_123",
  "role_arn": "arn:aws:iam::123456789012:role/AuroraRole",
  "external_id": "aurora-ext-abc123"
}

Response:
  • status (string) - Status: success or error
  • message (string) - Result message
  • account_id (string) - AWS account ID
  • expires_at (string) - Credential expiration timestamp

Success Example:
{
  "status": "success",
  "message": "Assume-Role successful",
  "account_id": "123456789012",
  "expires_at": "2024-03-15T11:30:00Z"
}

IAM Role Setup

Create an IAM role in your AWS account with:
  1. A trust policy allowing Aurora to assume the role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AURORA_ACCOUNT_ID:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      }
    }
  ]
}
  2. Permissions for infrastructure management (EC2, EKS, VPC, IAM, etc.)
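A pre-flight check for the trust policy above, as an added example that is not Aurora's code: it lints a trust policy document before role_arn and external_id are submitted to POST /aws/auth, flagging a wildcard principal, a principal that is not the expected Aurora account root, and a missing or mismatched sts:ExternalId condition (the confused-deputy protection the external ID exists for). The account id and external id values are constructed placeholders; `checkTrustPolicy` is a hypothetical helper name.

```javascript
// Added example (not Aurora's code): lint an IAM trust policy against the documented
// shape. Returns a list of findings; an empty list means no problems were found.

// IAM allows single values or arrays for Statement, Action and Principal.AWS.
function asList(v) { return v === undefined ? [] : Array.isArray(v) ? v : [v]; }

function checkTrustPolicy(policy, expectedAccountId, expectedExternalId) {
  const findings = [];
  const expectedRoot = `arn:aws:iam::${expectedAccountId}:root`;
  const assumeStmts = asList(policy.Statement).filter((s) =>
    s.Effect === 'Allow' && asList(s.Action).includes('sts:AssumeRole'));
  if (assumeStmts.length === 0) return ['no Allow statement for sts:AssumeRole'];
  for (const s of assumeStmts) {
    const principals = asList(s.Principal && s.Principal.AWS);
    if (s.Principal === '*' || principals.includes('*')) {
      findings.push('wildcard principal: any AWS account could assume the role');
    }
    if (!principals.includes(expectedRoot)) {
      findings.push(`principal does not include ${expectedRoot}`);
    }
    const cond = s.Condition && s.Condition.StringEquals;
    const extId = cond && cond['sts:ExternalId'];
    if (extId === undefined) {
      findings.push('missing sts:ExternalId condition (confused-deputy protection)');
    } else if (extId !== expectedExternalId) {
      findings.push('sts:ExternalId does not match the value sent in external_id');
    }
  }
  return findings;
}

// Constructed sample: the documented trust policy with placeholder values filled in.
const constructedTrustPolicy = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Principal: { AWS: 'arn:aws:iam::111111111111:root' },
    Action: 'sts:AssumeRole',
    Condition: { StringEquals: { 'sts:ExternalId': 'aurora-ext-abc123' } },
  }],
};

console.log(checkTrustPolicy(constructedTrustPolicy, '111111111111', 'aurora-ext-abc123')); // []
```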

GET /aws/get-credentials

Retrieve stored AWS credentials.

Response:
{
  "status": "success",
  "message": "AWS role credentials found",
  "has_credentials": true,
  "role_arn": "arn:aws:iam::123456789012:role/AuroraRole",
  "account_id": "123456789012"
}

Microsoft Azure

POST /azure/login

Connect Azure using service principal credentials.

Request Body:
  • userId (string, required) - Aurora user identifier
  • tenantId (string, required) - Azure tenant ID (Directory ID)
  • clientId (string, required) - Service principal application (client) ID
  • clientSecret (string, required) - Service principal client secret
  • subscriptionId (string, optional) - Specific subscription ID (uses the first enabled subscription if not provided)
  • subscriptionName (string, optional) - Subscription display name
  • readOnlyCredentials (object, optional) - Read-only credentials for Ask mode, containing:
      • clientId (string) - Read-only service principal client ID
      • clientSecret (string) - Read-only service principal secret

Example Request:
{
  "userId": "user_123",
  "tenantId": "tenant-guid",
  "clientId": "app-guid",
  "clientSecret": "secret-value",
  "subscriptionId": "sub-guid"
}

Response:
{
  "message": "Successfully logged in to Azure",
  "subscription_id": "sub-guid",
  "subscription_name": "Azure Production"
}

Service Principal Setup

  1. Create app registration in Azure Active Directory
  2. Generate client secret
  3. Assign permissions to subscription (Contributor or custom role)
  4. Note tenant ID, client ID, and client secret

Scaleway

POST /scaleway_api/scaleway/connect

Connect a Scaleway account with API credentials.

Request Body:
  • accessKey (string, required) - Scaleway access key (starts with SCW)
  • secretKey (string, required) - Scaleway secret key (UUID format)
  • organizationId (string, optional) - Organization ID (auto-detected if not provided)
  • projectId (string, optional) - Default project ID (uses the first project if not provided)

Example Request:
{
  "accessKey": "SCWXXXXXXXXXXXXXXXXX",
  "secretKey": "12345678-1234-1234-1234-123456789012",
  "organizationId": "12345678-1234-1234-1234-123456789012"
}

Response:
{
  "success": true,
  "message": "Scaleway connected successfully",
  "organizationId": "12345678-1234-1234-1234-123456789012",
  "projectsCount": 3
}

GET /scaleway_api/scaleway/projects

Fetch available Scaleway projects.

Response:
{
  "projects": [
    {
      "projectId": "proj-123",
      "projectName": "Production",
      "organizationId": "org-123",
      "description": "Production environment",
      "enabled": true
    }
  ]
}

POST /scaleway_api/scaleway/disconnect

Disconnect the Scaleway account.

Response:
{
  "success": true,
  "message": "Scaleway disconnected successfully"
}

Tailscale

POST /tailscale_api/tailscale/connect

Connect a Tailscale account using OAuth client credentials.

Request Body:
  • clientId (string, required) - Tailscale OAuth client ID
  • clientSecret (string, required) - Tailscale OAuth client secret
  • tailnet (string, optional) - Specific tailnet name (uses the default tailnet if not provided)

Example Request:
{
  "clientId": "client-id-123",
  "clientSecret": "secret-value",
  "tailnet": "example.com"
}

Response:
{
  "success": true,
  "message": "Tailscale connected successfully",
  "tailnet": "example.com",
  "tailnetName": "Example Organization",
  "deviceCount": 12
}

OAuth Client Setup

  1. Go to Tailscale admin console
  2. Navigate to Settings → OAuth clients
  3. Create new OAuth client
  4. Set appropriate permissions (devices:read, devices:write, etc.)
  5. Copy client ID and secret

GET /tailscale_api/tailscale/ssh-setup

Get SSH setup instructions and the public key.

Response:
{
  "success": true,
  "sshPublicKey": "ssh-rsa AAAAB3NzaC1yc2...",
  "tailnet": "example.com",
  "instructions": [
    "1. Copy the SSH public key above",
    "2. On each device you want Aurora to access..."
  ],
  "command": "echo 'ssh-rsa AAAAB3...' >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
}

POST /tailscale_api/tailscale/disconnect

Disconnect the Tailscale account.

Response:
{
  "success": true,
  "message": "Tailscale disconnected successfully"
}

Security Considerations

Credential Storage

All credentials are stored securely:
  • HashiCorp Vault - Credentials encrypted at rest
  • Secret References - Only references stored in database
  • Redis Cache - Credentials cached with TTL
  • Automatic Cleanup - Credentials cleared on disconnect

Authentication Validation

Credentials are validated:
  • On Connect - API calls verify access
  • On Use - Credentials refreshed if expired
  • Status Checks - Regular validation for active connections
  • Error Handling - Invalid credentials trigger reconnection

Best Practices

  1. Least Privilege - Grant minimum required permissions
  2. Rotation - Rotate credentials regularly
  3. Monitoring - Monitor for unauthorized access
  4. Separation - Use separate credentials for read-only mode
  5. Expiration - Set credential expiration policies

Multi-Account Support

Connect multiple accounts for the same provider:

// GCP
await connect('gcp', { userId, projectId: 'prod' });
await connect('gcp', { userId, projectId: 'dev' });

// AWS
await connect('aws', { userId, roleArn: 'arn:...:role/ProdRole', externalId });
await connect('aws', { userId, roleArn: 'arn:...:role/DevRole', externalId });

Each connection is tracked separately in the user_connections table.
