Cloud Integrations

Cloud integrations are project-scoped. The platform does not use one shared customer credential for every tenant.

Shared Rules

  • connect integrations at the project level

  • keep storage and deployment auth aligned with the same target project

  • prefer workload identity or OIDC over long-lived keys

  • use the provider-specific bucket check and bucket config endpoints to verify artifact storage access

Azure

Current Azure onboarding is based on Workload Identity plus template-assisted resource setup.

Key endpoints:

  • POST /api/v1/projects/{projectId}/integrations/azure/wif/register

  • POST /api/v1/projects/{projectId}/integrations/azure/wif/verify

  • POST /api/v1/projects/{projectId}/integrations/azure/resources/template

  • POST /api/v1/projects/{projectId}/integrations/azure/resources/verify

Azure storage uploads require the connected identity to have data-plane access to the blob data itself, not only control-plane access to the storage account. For Blob uploads that means Storage Blob Data Contributor on the target storage account or container.

AWS

Current AWS onboarding is based on OIDC plus project-scoped role verification.

Key endpoints:

  • POST /api/v1/projects/{projectId}/integrations/aws/oidc/setup-commands

  • POST /api/v1/projects/{projectId}/integrations/aws/oidc/verify

  • POST /api/v1/projects/{projectId}/integrations/aws/bucket/check

  • POST /api/v1/projects/{projectId}/integrations/aws/bucket/config

Deployment requests then pass the AWS target plus the role information needed by the runner.
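The following is an added example, not code from the platform or output of the setup-commands endpoint. It shows what "project-scoped role verification" means on the AWS side: a trust policy for the runner's role that only accepts web-identity tokens from one OIDC issuer, for one audience, and for one project subject, plus a checker that flags policies which are not pinned that way. The issuer host `oidc.dcf.example`, the audience value and the `project:<id>` subject layout are assumptions; the real token's `sub` and `aud` claims are whatever the platform issues.

```python
import json

ASSUME_ACTION = "sts:AssumeRoleWithWebIdentity"


def build_project_trust_policy(account_id: str, issuer_host: str,
                               audience: str, project_id: str) -> dict:
    """Trust policy allowing only the platform's OIDC tokens for ONE project
    to assume the role. "project:<id>" is a constructed subject convention
    (assumption); substitute the sub layout the real issuer uses."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{issuer_host}"
            },
            "Action": ASSUME_ACTION,
            "Condition": {
                "StringEquals": {
                    f"{issuer_host}:aud": audience,
                    f"{issuer_host}:sub": f"project:{project_id}",
                }
            },
        }],
    }


def _as_list(value):
    # IAM allows a scalar or a list in most positions; normalize to a list.
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy: dict, issuer_host: str,
                          expected_subject: str) -> list:
    """Return the reasons a trust policy is NOT scoped to one issuer, one
    audience and one project subject. An empty list means every
    AssumeRoleWithWebIdentity statement is acceptably pinned."""
    findings = []
    sub_key, aud_key = f"{issuer_host}:sub", f"{issuer_host}:aud"
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or ASSUME_ACTION not in _as_list(st.get("Action", [])):
            continue  # only web-identity grants matter here
        where = f"Statement[{i}]"
        principal = st.get("Principal", {})
        fed = principal.get("Federated") if isinstance(principal, dict) else principal
        if not (isinstance(fed, str) and fed.endswith(f":oidc-provider/{issuer_host}")):
            findings.append(f"{where}: Federated principal is not the {issuer_host} OIDC provider")
        cond = st.get("Condition", {})
        equals = cond.get("StringEquals", {})
        like = cond.get("StringLike", {})
        if aud_key not in equals:
            findings.append(f"{where}: no StringEquals condition on {aud_key}")
        subjects = _as_list(equals.get(sub_key, like.get(sub_key, [])))
        if not subjects:
            findings.append(f"{where}: no condition on {sub_key}; any subject from the issuer may assume the role")
        elif any("*" in s or "?" in s for s in subjects):
            findings.append(f"{where}: wildcard subject {subjects!r} is not project-scoped")
        elif expected_subject not in subjects:
            findings.append(f"{where}: subject {subjects!r} does not match {expected_subject!r}")
    return findings


if __name__ == "__main__":
    # Constructed values: AWS docs-style account id, hypothetical issuer host.
    policy = build_project_trust_policy("111122223333", "oidc.dcf.example", "dcf-runner", "proj-42")
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy, "oidc.dcf.example", "project:proj-42"))
```

The checker deliberately treats a missing `aud` condition, a missing `sub` condition and a wildcard `sub` as separate findings, because each one on its own widens the role from "this project on this platform" to something broader (any audience the issuer signs for, or any project).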

GCP

GCP now uses one strict public request shape for Workload Identity Federation.

Canonical fields:

  • gcpProjectId

  • serviceAccountEmail

  • workloadIdentityProjectNumber

  • workloadIdentityPool

  • workloadIdentityProvider

Public endpoints:

  • POST /api/v1/projects/{projectId}/integrations/gcp/wif/connect

  • POST /api/v1/projects/{projectId}/integrations/gcp/wif/verify

  • POST /api/v1/projects/{projectId}/integrations/gcp/bucket/check

  • POST /api/v1/projects/{projectId}/integrations/gcp/bucket/config

Example request:

{
  "gcpProjectId": "customer-app-prod",
  "serviceAccountEmail": "dcf-deployer@customer-app-prod.iam.gserviceaccount.com",
  "workloadIdentityProjectNumber": "123456789012",
  "workloadIdentityPool": "dcf-pool",
  "workloadIdentityProvider": "dcf-provider"
}

Important distinction:

  • gcpProjectId is the customer project where DCF deploys or validates resources

  • workloadIdentityProjectNumber is the numeric host project for the workload identity pool and provider

The backend normalizes the provider resource and STS audience internally after validation. That normalization is for runtime use only. The public API no longer accepts shortcut forms such as workloadIdentityAudience.
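The following is an added example, not the platform's own backend code. It validates a request body against the canonical field list above, rejects the retired `workloadIdentityAudience` shortcut, enforces the distinction between `gcpProjectId` (a project ID string, which must start with a letter) and `workloadIdentityProjectNumber` (digits only), and then derives the runtime values the page says the backend normalizes internally. The derived forms follow GCP's own naming: the provider resource `projects/<number>/locations/global/workloadIdentityPools/<pool>/providers/<provider>` and the STS audience `//iam.googleapis.com/` followed by that resource. The exact syntax rules used here are assumptions about what the backend enforces.

```python
import re
from dataclasses import dataclass

# The strict public request shape (from the page) and the retired shortcut
# that must be rejected rather than silently translated.
CANONICAL_FIELDS = {
    "gcpProjectId",
    "serviceAccountEmail",
    "workloadIdentityProjectNumber",
    "workloadIdentityPool",
    "workloadIdentityProvider",
}
RETIRED_SHORTCUTS = {"workloadIdentityAudience"}

# Value syntax (GCP naming rules; assumed to match the backend's checks).
# Project IDs start with a letter and project numbers are all digits, so a
# value placed in the wrong field fails validation instead of being accepted.
PROJECT_ID_RE = re.compile(r"[a-z][a-z0-9-]{4,28}[a-z0-9]")
PROJECT_NUMBER_RE = re.compile(r"[0-9]{1,20}")
POOL_OR_PROVIDER_RE = re.compile(r"[a-z][a-z0-9-]{2,30}[a-z0-9]")
SA_EMAIL_RE = re.compile(
    r"[a-z][a-z0-9-]{5,29}@[a-z][a-z0-9-]{4,28}[a-z0-9]\.iam\.gserviceaccount\.com"
)


@dataclass(frozen=True)
class GcpWifBinding:
    gcp_project_id: str
    service_account_email: str
    provider_resource: str  # projects/NUM/locations/global/workloadIdentityPools/POOL/providers/PROV
    sts_audience: str       # //iam.googleapis.com/<provider_resource>


def normalize_gcp_wif_request(body: dict) -> GcpWifBinding:
    """Validate a gcp/wif/connect body and derive the runtime-only values.

    Raises ValueError on any deviation from the canonical shape."""
    keys = set(body)
    shortcuts = keys & RETIRED_SHORTCUTS
    if shortcuts:
        raise ValueError(f"shortcut fields are no longer accepted: {sorted(shortcuts)}")
    unknown = keys - CANONICAL_FIELDS
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")
    missing = CANONICAL_FIELDS - keys
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    for field in CANONICAL_FIELDS:
        if not isinstance(body[field], str) or not body[field]:
            raise ValueError(f"{field} must be a non-empty string")

    syntax = {
        "gcpProjectId": PROJECT_ID_RE,
        "serviceAccountEmail": SA_EMAIL_RE,
        "workloadIdentityProjectNumber": PROJECT_NUMBER_RE,
        "workloadIdentityPool": POOL_OR_PROVIDER_RE,
        "workloadIdentityProvider": POOL_OR_PROVIDER_RE,
    }
    for field, pattern in syntax.items():
        if not pattern.fullmatch(body[field]):
            raise ValueError(f"{field} has invalid syntax: {body[field]!r}")

    # Normalization happens only after every field has been accepted.
    provider_resource = (
        f"projects/{body['workloadIdentityProjectNumber']}/locations/global/"
        f"workloadIdentityPools/{body['workloadIdentityPool']}/"
        f"providers/{body['workloadIdentityProvider']}"
    )
    return GcpWifBinding(
        gcp_project_id=body["gcpProjectId"],
        service_account_email=body["serviceAccountEmail"],
        provider_resource=provider_resource,
        sts_audience=f"//iam.googleapis.com/{provider_resource}",
    )


if __name__ == "__main__":
    # The example request from the page.
    example = {
        "gcpProjectId": "customer-app-prod",
        "serviceAccountEmail": "dcf-deployer@customer-app-prod.iam.gserviceaccount.com",
        "workloadIdentityProjectNumber": "123456789012",
        "workloadIdentityPool": "dcf-pool",
        "workloadIdentityProvider": "dcf-provider",
    }
    print(normalize_gcp_wif_request(example))
```

Rejecting the shortcut outright, rather than mapping it onto the canonical fields, is what keeps the normalization "for runtime use only": a caller can never get the backend to accept an audience string it did not derive itself from the validated pool and provider.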