Cloud Credentials

Aithroyz deploys into your cloud account. Before any deployment you must provide credentials with sufficient permissions to create VMs, DNS records, and storage.

Aithroyz uses OpenTofu (open-source Terraform) to provision infrastructure. Your credentials are encrypted and stored in GCP Secret Manager — they are never logged or exposed after upload.

GCP (Google Cloud Platform)

GCP is the primary and best-tested provider. Use a dedicated GCP project for Aithroyz environments to keep billing and quotas separate.

Required IAM roles
Compute Admin: Create/manage VMs and firewall rules
DNS Administrator: Create Cloud DNS zones and records
Storage Admin: Create GCS buckets for Terraform state
Cloud Run Admin: Deploy provisioner service
Service Account Token Creator: Allow the provisioner to sign tokens

Alternatively, the Editor role covers all of the above, but it is a basic role that grants far broader access than these five roles.

Create a service account:

# In GCP Console: IAM & Admin → Service Accounts → Create
# Name: aithroyz-deployer (or any name)
# Grant roles listed above
# Create JSON key → download

# Then in Aithroyz:
# Settings → Cloud Keys → + Add → paste JSON content
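
Before pasting the key, it is worth confirming what the service account can actually do in the project. The following is an added example, not Aithroyz code: it audits an IAM policy export against the five roles listed above. The role IDs are the standard GCP identifiers for those roles; the project name, members and sample policy are constructed for illustration.

```python
# Role IDs for the five roles listed under "Required IAM roles".
REQUIRED = {
    "roles/compute.admin",                   # Compute Admin
    "roles/dns.admin",                       # DNS Administrator
    "roles/storage.admin",                   # Storage Admin
    "roles/run.admin",                       # Cloud Run Admin
    "roles/iam.serviceAccountTokenCreator",  # Service Account Token Creator
}
BASIC = {"roles/owner", "roles/editor", "roles/viewer"}  # broad basic roles


def audit_deployer(policy, sa_email):
    """Compare roles bound to the deployer with the documented set."""
    member = f"serviceAccount:{sa_email}"
    granted, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        # A conditional binding applies only while its condition holds, so it
        # is reported separately and not counted as granted.
        (conditional if "condition" in binding else granted).add(binding["role"])
    return {
        "missing": sorted(REQUIRED - granted),   # not granted individually
        "unexpected": sorted(granted - REQUIRED - BASIC),
        "basic": sorted(granted & BASIC),        # e.g. Editor
        "conditional": sorted(conditional),
    }


# Constructed sample (project and members are made up), in the shape of
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SA = "aithroyz-deployer@example-lab-project.iam.gserviceaccount.com"
M = f"serviceAccount:{SA}"
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/compute.admin", "members": [M]},
    {"role": "roles/dns.admin", "members": [M, "user:alice@example.com"]},
    {"role": "roles/storage.admin", "members": [M]},
    {"role": "roles/editor", "members": [M]},
    {"role": "roles/secretmanager.admin", "members": [M]},
    {"role": "roles/run.admin", "members": [M],
     "condition": {"title": "expires",
                   "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
]}

if __name__ == "__main__":
    for key, roles in audit_deployer(SAMPLE_POLICY, SA).items():
        print(f"{key:12} {roles}")
```

An empty result in every field means the account holds exactly the five listed roles and nothing else.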

AWS (beta)

AWS support is in beta. You'll need an IAM user or role with EC2, Route53, S3, and VPC permissions. In the Cloud Keys settings, select AWS and provide your Access Key ID and Secret Access Key.

⚠ AWS deployments use us-east-1 by default. Multi-region support is planned. Some tool modules may not be available on AWS — check the plan preview for compatibility warnings.

Security — how credentials are stored

✓ Encrypted at rest
Credentials are stored in GCP Secret Manager with CMEK encryption. The raw key is never written to disk or logged.
✓ Scoped access
Only the Aithroyz provisioner Cloud Run service has access to your secret. No other service or user can read it.
✓ No retention after delete
When you delete a Cloud Key in settings, the secret is immediately destroyed in Secret Manager. No backups are kept.
✓ Audit trail
Every read of your credential secret is logged in GCP audit logs and the Aithroyz audit log.

Tip: Create a dedicated GCP project for Aithroyz. This keeps quotas, billing, and IAM separate from your production workloads, and makes cleanup easy — just delete the project to remove everything.