
Connecting to a Cloud

Map a live cloud account onto the canvas. Strata discovers running resources and renders them as a typed diagram — the same nodes and containment you’d get from an import, but sourced from what’s actually deployed. Three providers are supported:

Provider   Discovery source        Join key (resource type)
AWS        Cloud Control API       CloudFormation type (AWS::S3::Bucket)
GCP        Cloud Asset Inventory   CAI asset type (storage.googleapis.com/Bucket)
Azure      Azure Resource Graph    ARM type (Microsoft.Storage/storageAccounts)

Opening the dialog

Open Connect to cloud any of these ways:

  • Start hub — click + New in the top bar, then the Connect to cloud card.
  • Data menu — click Data ▾ in the top bar, then Connect to cloud….
  • Command palette — press ⌘K (macOS) or Ctrl K, type connect.

A modal titled Connect to cloud opens. Close it any time with the close button in its top-right corner or the Esc key.

Choosing a provider

The first row of the dialog is a provider selector:

[ AWS ] [ GCP ] [ Azure ]

Pick the cloud you want to scan. Switching providers resets the resource-type selection to that provider’s common defaults and returns you to the setup step (so a review from one cloud can’t be imported under another). A single Strata diagram can hold resources from all three providers — connect to each in turn and Merge the results.

The two tabs

Below the provider selector is a two-button tab strip:

[ Live scan ] [ Paste export ]
  • Live scan — Strata calls the cloud for you (server-side) and returns the resources.
  • Paste export — you run the provider’s CLI yourself and paste the JSON; nothing is sent anywhere.

Live scan tab

Every Live-scan tab opens with a privacy note (🔒) and then a provider-specific scope, the resource-type selector, and the Discover button.

Scope and credentials per provider

  • AWS — Access key ID, Secret access key, Session token (recommended), and Region (defaults to us-east-1). On a local install the keys are optional (the server’s ambient chain is used); on a hosted install they’re required. See When are credentials required?.
  • GCP — a single Scope field: projects/my-project, folders/123, or organizations/456. No credentials are entered — the scan uses the server’s Application Default Credentials.
  • Azure — a Subscription id(s) field (one or more GUIDs, comma-separated). No credentials are entered — the scan uses the server’s DefaultAzureCredential.

GCP and Azure live scans run with the server machine’s ambient credentials, so they’re only available on a local install. On a hosted install they’re disabled — use Paste export instead.

Choosing resource types

Below the scope is the resource-type picker (identical across providers):

  • A header reading Resource types (N selected) with a live count. A common starter set for the chosen provider is pre-selected.
  • A Select all / Clear button that acts on the currently visible (filtered) list.
  • A Filter… box — type part of a service name or the native type.
  • A scrollable checkbox list. Each row shows the friendly label and, dimmed beside it, the provider-native type (e.g. AWS::S3::Bucket, storage.googleapis.com/Bucket, Microsoft.Storage/storageAccounts).

Running the scan

Click Discover. While it runs the button reads Scanning… and is disabled. It’s also disabled when no types are selected, the required scope is empty, or (on a hosted install) live scanning isn’t available for the provider.

Paste export tab

No credentials on the machine running Strata, or you’d rather not use the live path? Run the scan yourself and paste the result:

  • AWS — aws cloudcontrol list-resources --type-name AWS::S3::Bucket (accepts the raw response or a plain JSON array).
  • GCP — gcloud asset list --format=json (accepts the array or { assets: […] }).
  • Azure — az graph query -q "Resources" -o json (accepts the array or the { data: […] } envelope).

Paste into the box and click Parse. Parsing happens entirely in your browser — nothing is sent anywhere.
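Below is an added example, not Strata's own code, of the client-side normalisation that a Paste export parser has to do: accept each CLI's bare array or envelope, map the provider-specific record fields onto one shape, and split the result into "ready" and "unmapped" the way the review panel counts them. The record field names (ResourceDescriptions / Identifier / Properties, assets / assetType, data / type) follow the providers' public CLI output formats and are this example's assumptions; the known-type set is just the three join keys from the table at the top of the page.

```javascript
// Added example, not Strata's own code: normalise the three "Paste export"
// shapes (AWS Cloud Control, gcloud asset list, az graph query) into one
// resource list and split it the way the review panel does: ready vs unmapped.
// Field names follow the providers' public CLI output formats and are this
// example's assumptions.

// Join keys taken from the provider table at the top of the page. Strata's
// real model maps many more types; this set is deliberately tiny.
const KNOWN_TYPES = new Set([
  "aws::s3::bucket",
  "storage.googleapis.com/bucket",
  "microsoft.storage/storageaccounts",
]);

// Accept either a bare JSON array or an envelope object holding the array.
function asArray(parsed, envelopeKey) {
  if (Array.isArray(parsed)) return parsed;
  if (parsed && typeof parsed === "object" && Array.isArray(parsed[envelopeKey])) {
    return parsed[envelopeKey];
  }
  throw new Error(`expected a JSON array or an object with a "${envelopeKey}" array`);
}

// Map each provider's record shape onto { nativeType, id, properties }.
function normalise(provider, parsed) {
  switch (provider) {
    case "aws": {
      // Raw response: { TypeName, ResourceDescriptions: [{ Identifier, Properties }] },
      // where Properties is a JSON-encoded string. A plain array of descriptions
      // carries no TypeName, so nativeType may be null for it.
      const items = asArray(parsed, "ResourceDescriptions");
      const typeName = Array.isArray(parsed) ? null : (parsed.TypeName ?? null);
      return items.map((rd) => ({
        nativeType: rd.TypeName ?? typeName,
        id: rd.Identifier,
        properties:
          typeof rd.Properties === "string" ? JSON.parse(rd.Properties) : (rd.Properties ?? {}),
      }));
    }
    case "gcp":
      // Cloud Asset Inventory: array of { name, assetType, resource?: { data } }.
      return asArray(parsed, "assets").map((a) => ({
        nativeType: a.assetType ?? null,
        id: a.name,
        properties: a.resource?.data ?? {},
      }));
    case "azure":
      // Resource Graph: { data: [{ id, name, type, ... }] }; type is lower-cased.
      return asArray(parsed, "data").map((r) => ({
        nativeType: r.type ?? null,
        id: r.id,
        properties: r,
      }));
    default:
      throw new Error(`unknown provider: ${provider}`);
  }
}

// Parse pasted text and partition by whether the join key is one the model knows.
function parseExport(provider, text) {
  let parsed;
  try {
    parsed = JSON.parse(text);
  } catch (e) {
    throw new Error(`not valid JSON: ${e.message}`);
  }
  const ready = [];
  const unmapped = {};
  for (const r of normalise(provider, parsed)) {
    const key = (r.nativeType ?? "").toLowerCase();
    if (KNOWN_TYPES.has(key)) {
      ready.push(r);
    } else {
      const label = r.nativeType ?? "(missing type)";
      unmapped[label] = (unmapped[label] ?? 0) + 1;
    }
  }
  return { ready, unmapped };
}

// Constructed sample pastes, one per CLI shape.
const AWS_SAMPLE = JSON.stringify({
  TypeName: "AWS::S3::Bucket",
  ResourceDescriptions: [
    { Identifier: "logs-bucket", Properties: JSON.stringify({ BucketName: "logs-bucket" }) },
  ],
});
const GCP_SAMPLE = JSON.stringify({
  assets: [
    { name: "//storage.googleapis.com/logs-bucket", assetType: "storage.googleapis.com/Bucket" },
    { name: "//compute.googleapis.com/projects/p/zones/z/instances/vm1", assetType: "compute.googleapis.com/Instance" },
  ],
});
const AZURE_SAMPLE = JSON.stringify([
  { id: "/subscriptions/<sub-id>/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/sa1", name: "sa1", type: "microsoft.storage/storageaccounts" },
]);
```

Everything here runs on the pasted string alone, which is the property the tab advertises: no network call, and a malformed paste or an envelope without the expected array fails loudly instead of producing an empty diagram.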

When are credentials required?

Live scans run on the server at /api/discover (AWS), /api/discover/gcp, or /api/discover/azure. Where the server gets credentials depends on the provider and deployment:

  • AWS, local install (default). Credential fields are optional — the server’s ambient chain (SSO / ~/.aws profile / env / instance role) is used. Fill them in to scan a different account.
  • AWS, hosted install (NEXT_PUBLIC_STRATA_HOSTED=1). You must bring your own keys; the ambient chain is disabled and a scan without credentials is rejected with a 422.
  • GCP / Azure. No credentials are ever entered in Strata. The server uses its ambient ADC (gcloud auth application-default login) or DefaultAzureCredential (az login). On a hosted install these live scans are disabled entirely.

Supplied AWS credentials are sent over HTTPS, used in-memory for the single scan, then discarded — never written to disk, logged, returned to the browser, or saved into the diagram.

IAM permissions

  • AWS — cloudcontrol:ListResources + cloudcontrol:GetResource, plus read access to the services you scan. The managed ReadOnlyAccess policy is the simplest safe choice. Prefer temporary, read-only credentials (aws sts get-session-token or a read-only role).
  • GCP — the ADC identity needs cloudasset.assets.listResource (e.g. the Cloud Asset Viewer role) on the project/folder/org.
  • Azure — the signed-in identity needs at least Reader on the target subscriptions (Resource Graph honours RBAC).

Discovery is list/describe only — Strata never mutates your account.

Reviewing and importing

After a successful Discover (or Parse), a review panel appears before anything touches your canvas:

  • N resource(s) ready to import — how many map to a known service.
  • · N unmapped type(s) (if any) — types Strata doesn’t model yet (skipped; listed below).
  • · scanned … — the scope that was covered.
  • For GCP/Azure, a note that resources import as typed nodes with sparse properties (the provider’s field names differ from Strata’s config model), and that relationships aren’t inferred — wire them up on the canvas.
  • Any per-scan warnings.

Then choose Merge into canvas or Replace canvas (swap in the discovered set, with an unsaved-changes guard).

Merge previews before it applies. Choosing Merge into canvas opens a Review merge dialog before anything changes: it summarises what the merge will do — counts of +N new, ~N updated, N unchanged, and N kept (resources already on your canvas that the scan didn’t cover) — and lists the new and changed resources (with which configuration fields differ). Confirm with Apply merge, or back out with Cancel. (Replace canvas applies immediately, subject to the unsaved-work guard.)

Merge reconciles — it doesn’t duplicate. A merged resource that already exists in your diagram (matched by its ARN, or otherwise by service type + name) is updated in place: its configuration is refreshed from the scan while its canvas position and any rename you’ve made are preserved. Genuinely new resources are added; nothing you didn’t scan is removed. So re-scanning the same account to pick up changes keeps a single, tidy diagram instead of piling up duplicate nodes.
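The following is an added example, not Strata's own code, of a merge planner that follows the reconciliation rules above: match by ARN first, otherwise by service type + name; refresh a matched node's configuration while keeping its position and label; append genuinely new resources; keep canvas nodes the scan did not cover; and report the +new / ~updated / unchanged / kept counts and the changed fields that the Review merge dialog lists. The node shape ({ id, arn, service, name, label, position, config }) and the sample canvas and scan are this example's assumptions.

```javascript
// Added example, not Strata's own code: a merge planner that follows the
// reconciliation rules described in the text. The node shape
// { id, arn, service, name, label, position, config } is this example's assumption.

// Fields whose values differ between two configs, for the "Review merge" list.
function changedFields(oldCfg, newCfg) {
  const keys = new Set([...Object.keys(oldCfg), ...Object.keys(newCfg)]);
  return [...keys]
    .filter((k) => JSON.stringify(oldCfg[k]) !== JSON.stringify(newCfg[k]))
    .sort();
}

// Plan a merge of `scanned` resources into `canvas` nodes without applying it.
// Match by ARN first, otherwise by service type + name. Matched nodes get a
// refreshed config but keep position and label; new ones are appended;
// canvas nodes the scan did not cover are kept untouched. Nothing is removed.
function planMerge(canvas, scanned) {
  const byArn = new Map();
  const byTypeName = new Map();
  for (const n of canvas) {
    if (n.arn) byArn.set(n.arn, n);
    byTypeName.set(`${n.service}/${n.name}`, n);
  }
  const touched = new Set();
  const plan = { added: [], updated: [], unchanged: [], kept: [], nodes: [] };

  for (const s of scanned) {
    const existing =
      (s.arn && byArn.get(s.arn)) || byTypeName.get(`${s.service}/${s.name}`);
    if (!existing) {
      const id = s.arn ?? `${s.service}/${s.name}`;
      plan.added.push(id);
      plan.nodes.push({ ...s, id, label: s.name, position: null });
      continue;
    }
    if (touched.has(existing.id)) continue; // duplicate in the scan; first wins
    touched.add(existing.id);
    const fields = changedFields(existing.config, s.config);
    // Position and label (any rename) come from the canvas node; config from the scan.
    plan.nodes.push({ ...existing, arn: existing.arn ?? s.arn, config: s.config });
    if (fields.length) plan.updated.push({ id: existing.id, fields });
    else plan.unchanged.push(existing.id);
  }
  for (const n of canvas) {
    if (!touched.has(n.id)) {
      plan.kept.push(n.id);
      plan.nodes.push(n);
    }
  }
  return plan;
}

// The one-line summary shown in the Review merge dialog.
function mergeSummary(plan) {
  return `+${plan.added.length} new, ~${plan.updated.length} updated, ` +
    `${plan.unchanged.length} unchanged, ${plan.kept.length} kept`;
}

// Constructed sample: a canvas with a renamed, repositioned bucket and a
// function the scan does not cover, plus a scan that changes the bucket and
// adds a second one. <account-id> is a placeholder.
const CANVAS = [
  { id: "n1", arn: "arn:aws:s3:::logs-bucket", service: "AWS::S3::Bucket", name: "logs-bucket",
    label: "Audit logs", position: { x: 120, y: 40 }, config: { Versioning: "Enabled" } },
  { id: "n2", arn: "arn:aws:lambda:us-east-1:<account-id>:function:ingest", service: "AWS::Lambda::Function",
    name: "ingest", label: "ingest", position: { x: 300, y: 40 }, config: { Runtime: "nodejs20.x" } },
];
const SCAN = [
  { arn: "arn:aws:s3:::logs-bucket", service: "AWS::S3::Bucket", name: "logs-bucket",
    config: { Versioning: "Suspended", Encryption: "AES256" } },
  { arn: "arn:aws:s3:::assets-bucket", service: "AWS::S3::Bucket", name: "assets-bucket",
    config: { Versioning: "Enabled" } },
];
```

Running planMerge(CANVAS, SCAN) yields one new, one updated (Encryption and Versioning differ), none unchanged and one kept node, and running the same scan again over the planned nodes reports no new or updated resources, which is the "re-scan without piling up duplicates" property the text describes.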

What discovery does and doesn’t do

  • Read-only modeling. Discovery only lists and describes resources.
  • Credentials never leave the server or reach the diagram, for any provider — the discovery layer only receives already-fetched descriptions, and the model keeps only the configuration fields Strata recognizes, so stray properties (let alone secrets) can’t end up in a node.
  • Relationships aren’t inferred from a live scan — discovered resources land as nodes. (A CloudFormation / Terraform / ARM import is richer if you have the source.)
  • Nothing is scanned outside the types and scope you chose — the review makes the scope explicit.