
Connections

A CloudFlow can run without direct access to cloud resources, but some flows need to create, modify, or delete cloud resources. A flow's access to those resources is controlled through connections. A connection holds the cloud provider roles and permissions that allow the flow to perform its actions on your cloud accounts.

Furthermore, depending on your permissions, you can control who can create connections and flows. This separation allows you to:

  • Enforce the principle of least privilege: a user can be given permission to build flows and create connections without being granted direct access to your cloud resources.

  • Separate the role of CloudFlow developer from cloud resource manager. A CloudFlow developer can focus on the business logic of the flow, while a DevOps or FinOps team can manage and audit the connections and permissions that the flow uses.

  • Streamline the process of updating permissions. If a flow needs a new permission, the security team can update the connection that the flow uses without affecting the user who created the flow. This also makes it easier to reuse connections and permissions across multiple flows: instead of managing permissions for each individual flow, you manage the permissions of a single connection and then use that connection in multiple CloudFlows.

For example, your FinOps Head is responsible for setting up the necessary connections. The FinOps Head then delegates control by granting the Technical Leads access to the connections. The Technical Leads use the connections when they are building their CloudFlows for their teams. The Technical Leads invite other users to use the CloudFlows, without having to give them access to the underlying connections.

Access levels

There are three connection access levels: Owner, Editor, and User. You assign access levels when you create your connections. The following table lists the connection permissions associated with each access level.

Permission    Owner    Editor    User
Create
Access
Edit
Delete

Furthermore, depending on your access level to connections, you can transfer ownership or share connections with others in your tenant.

Permissions hierarchy

The CloudFlow and connections permissions model is based on permissions and access levels.

A flow may or may not include a connection. Every connection must be configured with cloud provider roles and permissions, which are what authorize the flow's actions on your behalf with your cloud provider.

The following diagram describes the relationship between CloudFlow and connection permissions and access levels.

[Diagram: CloudFlow connection permissions]

Configure connections

There are two stages to configuring connections.

  1. Create a connection. You must:

    • Create a connection specific to AWS or GCP, depending on the cloud resources your CloudFlow is accessing.

    • Grant the connection the permissions it needs to create, access, update, or delete cloud resources, as required by the flow.

    • Assign one or more DoiT accounts to use the connection. This includes both DoiT accounts that you have created in the DoiT console and cloud billing accounts that are connected to the DoiT platform.

  2. Add a connection. When configuring your CloudFlows, add the connections as necessary. Connections can be attached at both the CloudFlow level and the node level.