How Can We Help?

Connecting Your Accounts

Now that you are logged in to Cloudockit (click here if you are not logged in yet), you can connect your subscriptions, accounts, or projects.

Azure Subscription

From the list of platforms, select Azure.

You will be prompted with multiple options to connect to your Azure subscription. Please note that the list of options depends on the identity provider you have chosen when you logged into Cloudockit.

Continue with the same account:

  • Choose this option if you want to continue with your Azure Active Directory account
  • Do not choose this option for Azure Government, China or Germany
  • This option will display only if you are already connected using Azure Active Directory

Use another account:

  • Choose this option if you want to use another Azure Active Directory account
  • Typically, if you are a consultant you may want to use an account provided by your client
  • Do not choose this option for Azure Government, China or Germany
  • This option will display only if you are already connected to Azure Active Directory

AAD Application:

  • Choose this option if you want to connect to your Azure Subscription using an AAD Application (also called Service Principal) instead of your own identity
  • Choose this option for Azure Government, China, Germany or Public
  • Please refer to this procedure on how to create the AAD Application required by Cloudockit.

Log in with Azure Active Directory

  • This option will display only if you are not already connected using the Azure Active Directory
  • Enter the tenant’s name of the Azure Active Directory. Remember that the tenant’s name and the account you are using needs to be linked to at least one Azure Subscription. Click here for more information on how to find your tenant’s name.

Once connected, you should now see the list of Subscriptions you have access to. If you do not see any subscriptions, please click here for help.


Reader permissions is enough to scan your environment and generate complete documentation and diagrams. You can even use an account that has Reader permissions only on a subset of the Subscription like a Resource Group.

Please note that for additional details (App Services Dependencies or AKS inside scan), if you have the Contributor Role, you will see more information.

To see more information about the roles in Azure here visit Azure built-in roles

AWS Account

From the list of platforms, select AWS.

You will be prompted with two options to connect to your AWS Account:

  • Use Access Keys
  • Use another account (AWS Role)

Use Access Keys

With this method, you are using AWS Access Keys to connect your AWS Account. Here are the steps to create the required keys and log in with them.


  • Choose the name of the desired user, the one you want to use in Cloudockit. If you want to create a new user dedicated for Cloudockit, please refer to Create a user in AWS for Cloudockit, and then choose the Security Credentials and click on Create Access Keys
  • Then, under Secret Access Keys, click on show. Copy the Access Key ID and the Secret Access Key to use to connect to your AWS Account in Cloudockit

You need to keep that popup open as you will need this information to create the role in the AWS Console in the step 2 and 3.


  • When AWS authentication pops up, select Use Access Keys:
  • Enter the information you copied in step 1:

Use another account (AWS Role)

By using this method, you will create an AWS role that will allow your Google or Amazon account to have specific privileges in your AWS Account and then connect to Cloudockit using this account.


  • Since Amazon and Google are the ID Providers supported by Cloudockit, you need to be logged in with Amazon or Google. If you are currently connected to Cloudockit using an AAD authentication, you will be prompted to log in using Amazon or Google (if you are already connected using Amazon and Google you will not see the next pop-up):
  • Once connected using Amazon or Google, you will see the following po-pup. Click on Keep Going with this account:
  • Then, you will see the detailed procedure on how to create the specific Role in AWS that will match your account with the specific provider (AWS or Google) for the Application Cloudockit:
  • Keep the pop-up open as you will need the information to create the role in the AWS Console in the next step:


Sign in the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/

  • In the navigation pane of the console, choose Roles and then choose Create role
  • Choose the Web identity role type
  • For the Identity Provider, select Login with Amazon and copy and paste the Application ID supplied below:
    • Application ID: amzn1.application.689808735…. (the one from step 1 – in the pop-up)
  • Click Add condition and complete required fields with the information below:
    • Condition: select StringEquals from the list
    • Value: amzn1.account.YourAccountID (the one from the step 1 above – in the pop-up)
  • Click the Permissions button to continue
    • To attach permissions policies, search for ReadOnlyAccess policy and select it
    • Also, add the following policy to allow billing information to be retrieved: AWS Troubleshooting
    • Also, if you want to drop the document in a S3 Bucket, you need to ensure that you have the Write privileges to this bucket: AWS Troubleshooting
  • Click the Review to continue
  • On the Review page, enter Role name and click Create role

First, you need to get the Role ARN that you just creates:


  • In the navigation pane of the console, choose Roles and click on the role name you gave access to Cloudockit (see Creating an IAM Role (Console) to create a Web identity role)
  • In the Summary page of the selected role, copy the value in Role ARN field and paste it into Role to assume in login pop-up

In the pop-up you left open, enter the role to assume:

Click on Login.

You should now see the list of AWS Account(s).

Google Cloud Platform Projects

From the list of platforms, select Google Cloud Platform.

You will be prompted with the two following options to connect your GCP Environment:

  • Service Account (Recommended)
  • Google Sign-In

Service Account (Recommended)


  • Sign into the GCP Console and click on IAM & Admin/Service Accounts
  • Select the project where you want to create the Service Account (you will then be able to give the appropriate permissions to the other projects with the same service account)
  • Click on Create Service Account and enter the Service Account Name. (e.g., use Cloudockit). Then click on create
  • Select the role Project/Viewer. Then click on Continue
  • Click on Create Key and select JSON and click Create. Save the file locally
  • To save the service account, click Done


Since Cloudockit is using the Cloud Resource Manager API to list all the projects, you need to Enable this API in order for Cloudockit to view your resources. You also need to activate other APIs (see complete list below) depending on the workload you want to document.

Please note that these APIs need to be activated in the Project where you created your service account to scan (created in step 1)

To do so, click on API & Services and then click on Enable APIs and Services.

In the search box, enter Resource Manager

  • Click on Cloud Resource Manager API and click ENABLE.

Once you have activated this API, you should also activate the APIs that are used by Cloudockit to automatically create the documents and diagrams:

  • Compute Engine API
  • Kubernetes Engine API
  • Cloud Resource Manager
  • App Engine Admin
  • Cloud Pub/Sub
  • Cloud Spanner API
  • Dataflow API
  • Cloud Bigtable Admin
  • Cloud SQL Admin API
  • Cloud IoT API
  • Google Cloud Memorystore for Redis API
  • Cloud Functions API


  • When you are prompted for an GCP authentication, select Service Account
  • Then, click on Browse and select the JSON file that you have just downloaded in the previous step
  • Click on Login. You should now see your AWS Account


Note: Google Cloud does not allow OAuth 2 User Authentication to the scope cloud-platform.readonly. You should use Service Account to ensure to get all the information (reason why Method 1 is recommended).

To use your Google Account, you simply need to login using your Google Account that has the required privileges to your Google Cloud Project:

Table of Contents