Multi-Cloud Manager provides secure authentication mechanisms for connecting to Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Each provider uses industry-standard OAuth 2.0 flows or IAM role assumption to grant the application access to your cloud resources.

Supported Providers

  • Azure: OAuth 2.0 with the MSAL library
  • GCP: OAuth 2.0 with Google Identity
  • AWS: IAM role assumption with STS

Authentication Architecture

The authentication system is built on Flask blueprints with session-based state management:
# Located in backend/auth/routes.py
from flask import Blueprint

from .azure_auth import azure_auth
from .gcp_auth import gcp_auth
from .aws_auth import aws_auth

# Parent blueprint; each provider module exposes its own blueprint with its login/callback routes
auth_bp = Blueprint("auth_bp", __name__)
auth_bp.register_blueprint(azure_auth)
auth_bp.register_blueprint(gcp_auth)
auth_bp.register_blueprint(aws_auth)

Session Management

All authentication providers store account information in Flask sessions:

Session Structure

session = {
    "user": {
        # User identity information (varies by provider)
    },
    "access_token": "<provider_access_token>",
    "accounts": [
        {
            "provider": "azure",
            "tenantId": "...",
            "displayName": "...",
            "subscriptions": ["sub-id-1", "sub-id-2"]
        },
        {
            "provider": "gcp",
            "email": "[email protected]",
            "displayName": "...",
            "access_token": "...",
            "refresh_token": "..."
        },
        {
            "provider": "aws",
            "accountId": "123456789012",
            "displayName": "AWS Account (123456789012)",
            "roleArn": "arn:aws:iam::...",
            "externalId": "..."
        }
    ]
}

Multi-Account Support

The system supports connecting multiple accounts from the same or different providers. Accounts are stored in the session["accounts"] array and are deduplicated based on provider-specific identifiers:
  • Azure: By tenantId
  • GCP: By email
  • AWS: By roleArn
When a user reconnects an existing account, the session automatically updates the account details rather than creating duplicates.
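The upsert-with-deduplication behaviour described above, as an added example that is not the project's own code. It keys on the provider-specific identifiers listed (tenantId, email, roleArn); `session` is any mutable mapping, so with Flask you would pass `flask.session`.

```python
# Added example (not the project's code): insert or refresh a connected account in
# session["accounts"], deduplicating on the provider-specific identifier.
from typing import MutableMapping

# Provider -> field that uniquely identifies an account for that provider.
DEDUP_KEYS = {"azure": "tenantId", "gcp": "email", "aws": "roleArn"}


def upsert_account(session: MutableMapping, account: dict) -> list:
    """Add `account` to session["accounts"], or update the entry that already has
    the same provider and identifier. Returns the accounts list."""
    provider = account.get("provider")
    key = DEDUP_KEYS.get(provider)
    if key is None or not account.get(key):
        raise ValueError(f"account lacks a supported provider or identifier: {account!r}")

    accounts = session.setdefault("accounts", [])
    for existing in accounts:
        if existing.get("provider") == provider and existing.get(key) == account[key]:
            # Reconnect of a known account: refresh details (tokens, display name)
            # in place instead of appending a duplicate.
            existing.update(account)
            break
    else:
        accounts.append(dict(account))

    # Flask only persists a session it saw change; mutating a nested list does not
    # count, so flag it explicitly when the mapping supports it.
    if hasattr(session, "modified"):
        session.modified = True
    return accounts


if __name__ == "__main__":
    # Constructed sample values; no real tenant, role or token.
    s = {}
    upsert_account(s, {"provider": "gcp", "email": "dev@example.com", "access_token": "t1"})
    upsert_account(s, {"provider": "aws", "roleArn": "arn:aws:iam::123456789012:role/Demo",
                       "accountId": "123456789012"})
    # Reconnecting the same GCP account updates the token rather than adding a row.
    upsert_account(s, {"provider": "gcp", "email": "dev@example.com", "access_token": "t2"})
    print(len(s["accounts"]), s["accounts"][0]["access_token"])  # 2 t2
```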

Environment Configuration

Each authentication module requires specific environment variables. See the individual provider documentation for details.

Security Considerations

Ensure all environment variables containing secrets (client secrets, access keys) are properly secured and never committed to version control.

Best Practices

  1. Use HTTPS: Always run the application behind HTTPS in production
  2. Secure Sessions: Configure Flask session encryption with a strong SECRET_KEY
  3. Token Storage: Access tokens are stored in server-side sessions, not exposed to the client
  4. Credential Rotation: Regularly rotate OAuth client secrets and AWS access keys
  5. External ID: AWS uses a unique External ID for additional security when assuming roles

Redirect Flow

After successful authentication, all providers redirect to the dashboard:
return redirect("http://localhost:3000/dashboard")
Update this hardcoded URL to use an environment variable (e.g., FRONTEND_URL) for production deployments.

Next Steps

  1. Choose a Provider: Select the cloud provider you want to authenticate with
  2. Configure Environment: Set up the required environment variables for your chosen provider
  3. Create OAuth Application: Register an OAuth application or IAM role with your cloud provider
  4. Test Authentication: Navigate to /api/login/{provider} to test the authentication flow
