Aurora supports all major cloud providers, allowing you to manage resources across multiple clouds from a single interface.

Available Cloud Providers

Google Cloud Platform

OAuth 2.0 authentication

Amazon Web Services

IAM Role with External ID

Microsoft Azure

Service Principal authentication

OVH Cloud

OAuth 2.0 (multi-region support)

Google Cloud Platform

Authentication Method

OAuth 2.0

Setup Overview

  1. Create OAuth Credentials in GCP Console > Credentials
    • Configure OAuth consent screen (External, add test users)
    • Create OAuth client ID (Web application)
    • Set redirect URI: http://localhost:5000/callback
  2. Configure Environment Variables
    CLIENT_ID=your-client-id.apps.googleusercontent.com
    CLIENT_SECRET=your-client-secret
    
  3. Restart Aurora
    make down
    make dev
    
  4. Connect via UI by completing the OAuth flow

Troubleshooting

“Redirect URI mismatch” — Ensure NEXT_PUBLIC_BACKEND_URL matches exactly what’s configured in GCP Console.
For detailed setup instructions, see the GCP Connector README.

Amazon Web Services

Authentication Method

IAM Role with External ID for cross-account access

Setup Overview

  1. Create IAM User for Aurora
    • Create user with sts:AssumeRole permission
    • Generate access keys (programmatic access only)
  2. Configure Aurora Environment
    AWS_ACCESS_KEY_ID=your-access-key-id
    AWS_SECRET_ACCESS_KEY=your-secret-access-key
    AWS_DEFAULT_REGION=us-east-1
    
  3. Rebuild and Restart Aurora
    make down
    make dev-build
    make dev
    
  4. Create IAM Role in Your Account
    • Trusted entity: Another AWS account
    • Require external ID (displayed in Aurora UI)
    • Attach permissions (PowerUserAccess or ReadOnlyAccess)
    • Copy the Role ARN
  5. Complete Onboarding in Aurora UI
    • Enter your Role ARN
    • Aurora will assume the role using STS

How It Works

Aurora uses its own AWS credentials to call sts:AssumeRole with your Role ARN and External ID. AWS returns temporary credentials that Aurora uses to access your resources.

Security Best Practices

  • External ID: Prevents the “confused deputy” problem, where a third party who knows your Role ARN could get Aurora to assume your role on their behalf
  • Least Privilege: Attach only required permissions to the role
  • Role Permissions: Aurora inherits permissions from the assumed role

Troubleshooting

“Aurora cannot assume this role”
  • Wait 5 minutes after creating/updating IAM role (AWS propagation delay)
  • Verify trust policy has correct Account ID and External ID
  • Check External ID matches exactly (case-sensitive)
“Unable to determine Aurora’s AWS account ID”
  • Ensure credentials are set in .env
  • Verify credentials with: aws sts get-caller-identity
  • Rebuild and restart Aurora
IAM changes can take up to 5 minutes to propagate across AWS services. If role assumption fails immediately after creating the role, wait a few minutes and try again.
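
The trust-policy checks from the troubleshooting list above, as an added example (not Aurora's own code): it inspects a role trust policy document for the trusted account and an exact, case-sensitive sts:ExternalId match. The account ID, External ID and sample policy are constructed placeholders; substitute the account ID that aws sts get-caller-identity reports for Aurora's credentials and the External ID shown in the Aurora UI.

```python
# Constructed sample values; replace with Aurora's account ID and your External ID.
AURORA_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "aurora-Example-0001"
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "aurora-Example-0001"}},
    }],
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def principal_accounts(principal):
    """Account IDs trusted by a Principal element ("*" means anyone)."""
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    # Each entry is "*", a bare account ID, or arn:aws:iam::<account>:...
    return {p.split(":")[4] if p.count(":") >= 5 else p for p in as_list(aws)}

def check_trust_policy(policy, account_id, external_id):
    """Return findings for a role trust policy; an empty list means no issues found."""
    findings, trusted = [], False
    for st in as_list(policy.get("Statement", [])):
        actions = [a.lower() for a in as_list(st.get("Action", []))]
        if st.get("Effect") != "Allow" or "sts:assumerole" not in actions:
            continue
        accounts = principal_accounts(st.get("Principal", {}))
        if "*" in accounts:
            findings.append("wildcard principal may assume the role")
        if account_id not in accounts:
            continue
        trusted = True
        # Condition key names are case-insensitive; StringEquals values are not.
        equals = st.get("Condition", {}).get("StringEquals", {})
        ids = [v for k, vs in equals.items() if k.lower() == "sts:externalid"
               for v in as_list(vs)]
        if not ids:
            findings.append("no sts:ExternalId condition (confused deputy risk)")
        elif external_id not in ids:
            near = any(v.lower() == external_id.lower() for v in ids)
            findings.append("External ID differs only in case" if near
                            else "External ID does not match")
    if not trusted:
        findings.append("Aurora account is not a trusted principal")
    return findings
```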

Microsoft Azure

Authentication Method

Service Principal (App Registration)

Setup Overview

  1. Create App Registration
    • Go to Azure Portal > App registrations
    • Create new registration with redirect URI: http://localhost:5000/azure/callback
    • Copy Application (client) ID and Directory (tenant) ID
    • Create client secret and copy the value
  2. Grant Permissions
    • Add API permission: Azure Service Management > user_impersonation
    • Grant admin consent
  3. Assign Role to Subscription
    • Go to Subscriptions > Access control (IAM)
    • Add role assignment: Contributor (or Reader)
    • Assign to your Aurora app
  4. Connect via Aurora UI using the credentials

Troubleshooting

“No enabled subscription found” — Assign Contributor/Reader role to the app in your subscription’s IAM.
For production deployments, use a dedicated subscription or resource group with minimal permissions.

OVH Cloud

Authentication Method

OAuth 2.0 (multi-region support: EU, CA, US)

Setup Overview

  1. Create OAuth App in OVH
  2. Configure Environment Variables (for each region)
    NEXT_PUBLIC_ENABLE_OVH=true
    
    # Europe region
    OVH_EU_CLIENT_ID=your-eu-client-id
    OVH_EU_CLIENT_SECRET=your-eu-client-secret
    OVH_EU_REDIRECT_URI=https://your-domain.com/ovh_api/ovh/oauth2/callback
    
    # Canada region (optional)
    OVH_CA_CLIENT_ID=your-ca-client-id
    OVH_CA_CLIENT_SECRET=your-ca-client-secret
    OVH_CA_REDIRECT_URI=https://your-domain.com/ovh_api/ovh/oauth2/callback
    
    # US region (optional)
    OVH_US_CLIENT_ID=your-us-client-id
    OVH_US_CLIENT_SECRET=your-us-client-secret
    OVH_US_REDIRECT_URI=https://your-domain.com/ovh_api/ovh/oauth2/callback
    
  3. Restart Aurora
    make down
    make dev
    
  4. Connect via UI by selecting your region and completing OAuth flow

Local Development

OVH OAuth2 only accepts HTTPS callback URLs. For local development, use a tunnel service like ngrok or cloudflared.
To run locally with OVH OAuth:
  1. Start ngrok tunnel:
    ngrok http 5080
    
  2. Copy the HTTPS URL (e.g., https://your-ngrok-url.ngrok-free.dev)
  3. Update .env redirect URIs with the tunnel URL
  4. Update OVH OAuth app callback URL via API console

Troubleshooting

“OAuth2 credentials not configured for [region]” — Set OVH_[REGION]_CLIENT_ID and OVH_[REGION]_CLIENT_SECRET.
“OVH connector not enabled” — Ensure NEXT_PUBLIC_ENABLE_OVH=true and restart Aurora.
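
A pre-flight check for the OVH variables described above, as an added example (not Aurora's own code): it parses .env text and reports, per region, missing client credentials and callback URLs that are not HTTPS, the conditions behind the troubleshooting messages. The sample .env content and its placeholder values are constructed, and the function names are hypothetical.

```python
from urllib.parse import urlparse

REGIONS = ("EU", "CA", "US")
FIELDS = ("CLIENT_ID", "CLIENT_SECRET", "REDIRECT_URI")

# Constructed sample: EU is complete; CA lacks a secret and uses a plain-HTTP callback.
SAMPLE_ENV = """\
NEXT_PUBLIC_ENABLE_OVH=true
# Europe region
OVH_EU_CLIENT_ID=eu-id-placeholder
OVH_EU_CLIENT_SECRET=eu-secret-placeholder
OVH_EU_REDIRECT_URI=https://your-domain.com/ovh_api/ovh/oauth2/callback
# Canada region
OVH_CA_CLIENT_ID=ca-id-placeholder
OVH_CA_REDIRECT_URI=http://localhost:5080/ovh_api/ovh/oauth2/callback
"""

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip()
    return env

def check_ovh_env(text):
    """Return a list of problems found in the OVH settings; empty means none."""
    env, problems, configured = parse_env(text), [], 0
    if env.get("NEXT_PUBLIC_ENABLE_OVH") != "true":
        problems.append("NEXT_PUBLIC_ENABLE_OVH is not true")
    for region in REGIONS:
        values = {f: env.get(f"OVH_{region}_{f}", "") for f in FIELDS}
        if not any(values.values()):
            continue  # region not configured at all
        configured += 1
        for field in ("CLIENT_ID", "CLIENT_SECRET"):
            if not values[field]:
                problems.append(f"OVH_{region}_{field} is not set")
        uri = urlparse(values["REDIRECT_URI"])
        if uri.scheme != "https" or not uri.netloc:
            problems.append(f"OVH_{region}_REDIRECT_URI must be an HTTPS URL")
    if configured == 0:
        problems.append("no OVH region configured")
    return problems
```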

Next Steps

Set up Observability

Connect monitoring and alerting tools to track your cloud resources
