Cloud connectors

Read-only, agentless. Cross-account IAM for AWS, Entra federated credentials for Azure, Workload Identity Federation for GCP.

AWS

| Account | Role | External ID | Last sync | Status |
|---|---|---|---|---|
| prod-us-east-1 (111122223333) | arn:aws:iam::111122223333:role/GrandLineReadOnly | eid-a1b2 | 2m ago | healthy |
| prod-eu-west-1 (222233334444) | .../GrandLineReadOnly | eid-a1b2 | 3m ago | healthy |
| staging (333344445555) | .../GrandLineReadOnly | eid-a1b2 | 5m ago | healthy |
| sandbox (444455556666) | .../GrandLineReadOnly | eid-a1b2 | 4m ago | healthy |
| network-hub (555566667777) | .../GrandLineReadOnly | eid-a1b2 | 4m ago | healthy |
| security (666677778888) | .../GrandLineReadOnly | eid-a1b2 | 3m ago | healthy |

AWS Organizations onboarding: member accounts are discovered automatically via organizations:ListAccounts. Roles can be deployed via a StackSet.

Azure

| Subscription | Entra App | Federated credential | Last sync | Status |
|---|---|---|---|---|
| acme-prod (00000000-0000-0000-0000-000000000001) | grandline-reader | fc-acme-prod | 4m ago | healthy |
| acme-nonprod | grandline-reader | fc-acme-nonprod | 5m ago | healthy |
| acme-data | grandline-reader | fc-acme-data | 2m ago | healthy |
| acme-legacy | grandline-reader | fc-acme-legacy | 6m ago | stale |

Management Group onboarding: assign Reader at the root MG and GrandLine will sync new subscriptions on a daily cadence.

GCP

| Project | SA | WIF pool | Last sync | Status |
|---|---|---|---|---|
| svc-prod | [email protected] | grandline-pool | 3m ago | healthy |
| data-prod | [email protected] | grandline-pool | 4m ago | healthy |
| net-hub | .../grandline-reader | grandline-pool | 3m ago | healthy |
| security | .../grandline-reader | grandline-pool | 2m ago | healthy |
| sandbox | .../grandline-reader | grandline-pool | 4m ago | healthy |

Org + Folder onboarding with roles/viewer and roles/iam.securityReviewer. Projects are discovered via Resource Manager.

Add a connector

AWS

We'll show you a CloudFormation StackSet template that creates GrandLineReadOnly with an external ID, trusted to our SaaS account.


Azure

We'll provide the Entra app ID and federated credential subject pattern. You grant Reader on the target Management Group.


GCP

We'll show you the WIF pool and principal subject. You create the service account and bind roles/viewer and roles/iam.securityReviewer at the org.

All credentials are short-lived and exchanged at request time. GrandLine never stores long-lived cloud keys.
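
For the AWS connector, the trust policy on the cross-account role is the control worth auditing after the StackSet is deployed: it should name only the vendor's account and pin `sts:ExternalId`. The check below is an added example, not GrandLine's own code; the account ID, external ID and sample policies are constructed placeholders.

```python
SAAS_ACCOUNT = "999999999999"   # hypothetical vendor account ID (placeholder)
EXTERNAL_ID = "eid-EXAMPLE"     # constructed external ID

def _as_list(value):
    # IAM accepts either a single string or a list for these fields.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, saas_account_id, external_id):
    """Return findings for a role trust policy; an empty list means it is scoped as expected."""
    findings = []
    allowed = {saas_account_id, f"arn:aws:iam::{saas_account_id}:root"}
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        actions = set(_as_list(stmt.get("Action")))
        if stmt.get("Effect") != "Allow" or not {"sts:AssumeRole", "sts:*", "*"} & actions:
            continue
        principal = stmt.get("Principal")
        # Principal is either the string "*" or a mapping such as {"AWS": ...}.
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [str(principal)]
        for p in principals or ["<no AWS principal>"]:
            if p not in allowed:
                findings.append(f"Statement {i}: unexpected principal {p}")
        # Only an exact StringEquals match counts; condition key names are case-insensitive.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        values = [v for k, v in equals.items() if k.lower() == "sts:externalid"]
        if values != [external_id] and values != [[external_id]]:
            findings.append(f"Statement {i}: sts:ExternalId is not pinned to the connector's external ID")
    return findings

def _policy(principal, condition=None):
    # Builds a constructed single-statement trust policy for the samples below.
    stmt = {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": principal}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

GOOD = _policy({"AWS": f"arn:aws:iam::{SAAS_ACCOUNT}:root"},
               {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}})
NO_EXTERNAL_ID = _policy({"AWS": f"arn:aws:iam::{SAAS_ACCOUNT}:root"})
WILDCARD = _policy({"AWS": "*"})

if __name__ == "__main__":
    for name, doc in [("GOOD", GOOD), ("NO_EXTERNAL_ID", NO_EXTERNAL_ID), ("WILDCARD", WILDCARD)]:
        print(name, audit_trust_policy(doc, SAAS_ACCOUNT, EXTERNAL_ID) or "ok")
```

Feed it the `AssumeRolePolicyDocument` of the deployed role in each member account; any finding means the role is assumable more broadly than the connector needs.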