Connections
Flows can be executed without direct access to cloud resources, but some flows may create, modify, or delete cloud resources. A flow's access to cloud resources is controlled using connections. Connections contain the necessary roles and permissions that allow the flow to perform its actions on the cloud.
Furthermore, depending on your permissions, you can control who can create connections and flows. This separation allows you to:
- Enforce the principle of least privilege, giving a user permission to build and create connections and flows without granting them access to your cloud resources.
- Separate the role of flow developer from cloud resource manager. A flow developer can focus on the business logic of the flow, while a DevOps or FinOps team can manage and audit the connections and permissions that the flow uses.
- Streamline the process of updating permissions. If a flow needs a new permission, the security team can update the connection that the flow uses without affecting the user who created it. This also makes it easier to reuse connections and permissions across multiple flows. Instead of managing permissions for each individual flow, you can manage permissions for a single connection and then use that connection in multiple flows.
For example, your FinOps Head is responsible for setting up the necessary connections. The FinOps Head then delegates control by granting the Technical Leads access to the connections. The Technical Leads use the connections when they are building their flows for their teams. The Technical Leads invite other users to use the flows, without having to give them access to the underlying connections.
Access levels
There are three connection access levels: Owner, Editor, and User. You assign access levels when you create your connections. The following table describes the connection permissions associated with each access level.
| Permissions | Owner | Editor | User |
|---|---|---|---|
| Create | ✓ | ✓ | |
| Access | ✓ | ✓ | ✓ |
| Edit | ✓ | ✓ | |
| Delete | ✓ | | |
Furthermore, depending on your access level to connections, you can transfer ownership or share connections with others in your tenant.
Permissions hierarchy
The CloudFlow and connections permissions model has two parts: the cloud provider permissions that a connection carries, and the access levels that control who can use or manage the connection.
A flow may or may not include a connection. All connections must be configured with cloud provider roles and permissions, which are used to authorize actions on your behalf with your cloud provider.
The following diagram describes the relationship between CloudFlow and connection permissions and access levels.
Configure connections
There are two stages to configuring connections.
- Create a connection. You can either:
  - Create from existing permissions: Reuse the existing permissions for AWS accounts or GCP resources already connected to DoiT Cloud Intelligence. Select the connected AWS or GCP resources to import. You are the connection Owner. You can assign access to other DoiT users in Manage permissions.
  - Create a new connection: Create an AWS or GCP connection, depending on the cloud resources your flow is accessing. Select this if you want to define scope, policies, and deploy IAM roles or service accounts for the connection. You can assign access to other DoiT users in User access.

  Select Create connection from existing permissions when accounts or resources are already connected to DoiT Cloud Intelligence and you only need a connection for flows. Select Create connection when you need a dedicated CloudFlow IAM role or service account, custom scope (for example AWS organizational units), or separate policies.
- Add a connection. Finally, when configuring your flows, add the connections as necessary. Connections can be used at both flow and node level.