Onboard a cloud account
The pattern is the same for every cloud:
- Create a read-only IAM principal in the cloud.
- Generate a credential for it.
- Paste the credential in Settings, Cloud Providers.
- Wait for the first scan.
The exact IAM principal and permissions differ per cloud; see the per-cloud tabs below.
1. Create the IAM application
In the Scaleway console:
- Open IAM, Applications, Create application.
- Name it ctadel-scanner.
2. Attach the policy
- Open IAM, Policies, Create policy.
- Principal: the application from step 1.
- Permission sets:
  - Project Read Access Manager (project scope).
  - Project Observer (project scope).
- Apply to the project(s) you want Ctadel to scan.
3. Generate an API key
- Open the application's page, API keys, Generate.
- Copy the Access Key and Secret Key. The Secret Key is shown once.
4. Connect in Ctadel
- Settings, Cloud Providers, Scaleway, Connect.
- Paste:
  - Access Key, Secret Key.
  - Project ID (from the Scaleway console URL).
  - Organization ID.
- Click Test credentials. Expect a green check.
- Click Save.
Coverage: Compute, Storage, IAM, KMS, VPC, LB, Kubernetes, Database, Functions, and more.
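Steps 1 to 3 above can be scripted instead of clicked through, which makes the least-privilege setup reproducible and keeps the one-time Secret Key off the terminal. The script below is an added example, not part of the Ctadel documentation or of Scaleway's tooling. It assumes the scw CLI (v2) is installed and already authenticated as an IAM administrator, and that the two permission-set identifiers in PERMISSION_SETS match the API names of "Project Read Access Manager" and "Project Observer"; the values used here are placeholders that must be replaced with the identifiers shown under IAM, Permission sets in your console. Step 4 (pasting the key into Ctadel) stays manual.

```shell
#!/bin/sh
# Added example: scripts steps 1-3 of the Scaleway onboarding (application, policy,
# API key) with the scw CLI. Not part of the Ctadel docs or Scaleway's tooling.
# Assumptions:
#   - scw (CLI v2) is installed and authenticated as an IAM administrator;
#   - PERMISSION_SETS holds the API identifiers of the permission sets the page names.
#     The values below are PLACEHOLDERS; copy the real identifiers from your console.
set -eu

APP_NAME="ctadel-scanner"
PERMISSION_SETS="ProjectReadAccessManager ProjectObserver"   # placeholders, see above

# Scaleway project, organization and application IDs are UUIDs. Rejecting anything
# else up front stops a pasted fragment from producing a policy on the wrong scope.
is_uuid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# Extract "id" from the JSON object that scw -o json prints (compact or pretty).
json_id() {
  sed -n 's/.*"id": *"\([^"]*\)".*/\1/p' | head -n 1
}

# Step 1: command that creates the IAM application.
application_create_cmd() {
  printf 'scw iam application create name=%s -o json\n' "$APP_NAME"
}

# Step 2: command that attaches one read-only rule to the application. Each
# permission set becomes rules.0.permission-set-names.N and each project becomes
# rules.0.project-ids.N. Project scope is deliberate: an organization-scoped rule
# is the "Wrong scope" pitfall described on this page.
policy_create_cmd() {
  app_id=$1; shift
  [ $# -gt 0 ] || { echo "at least one project id is required" >&2; return 1; }
  cmd="scw iam policy create name=${APP_NAME}-policy application-id=${app_id}"
  n=0
  for ps in $PERMISSION_SETS; do
    cmd="${cmd} rules.0.permission-set-names.${n}=${ps}"; n=$((n + 1))
  done
  n=0
  for pid in "$@"; do
    is_uuid "$pid" || { echo "not a project UUID: $pid" >&2; return 1; }
    cmd="${cmd} rules.0.project-ids.${n}=${pid}"; n=$((n + 1))
  done
  printf '%s\n' "$cmd"
}

# Step 3: command that generates the API key for the application.
api_key_create_cmd() {
  printf 'scw iam api-key create application-id=%s -o json\n' "$1"
}

# Run the three steps. The Secret Key is shown once, so the key JSON goes to a
# mode-0600 file instead of the terminal; paste from there into Settings, Cloud
# Providers, then delete the file. With DRY_RUN=1 only the commands are printed.
# eval is safe here: every interpolated value is a fixed constant or a validated UUID.
onboard() {
  out_file=$1; shift
  if [ "${DRY_RUN:-0}" = "1" ]; then
    application_create_cmd
    policy_create_cmd '<application-id>' "$@"
    api_key_create_cmd '<application-id>'
    return 0
  fi
  app_id=$(eval "$(application_create_cmd)" | json_id)
  is_uuid "$app_id" || { echo "could not read the application id from scw output" >&2; return 1; }
  eval "$(policy_create_cmd "$app_id" "$@")" >/dev/null
  umask 077
  eval "$(api_key_create_cmd "$app_id")" > "$out_file"
  echo "application $app_id created; API key written to $out_file (mode 0600)"
}

# Usage: ./onboard-scaleway.sh ./ctadel-key.json <project-uuid> [<project-uuid> ...]
if [ $# -gt 0 ]; then
  onboard "$@"
fi
```

Run it once with DRY_RUN=1 to review the exact policy before anything is created; the rule it emits grants only the two read-only permission sets and only on the projects you list, which is what the Test credentials button in step 4 should then confirm.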
After saving
The first inventory scan starts within seconds. You can watch the Inventory page populate. Posture rules start firing once the first scan completes.
Toxic combinations need enough of the resource graph to be populated before they can be computed (10 to 30 minutes after connection on a fresh tenant).
Common pitfalls
- Wrong scope. Granting permission at the wrong scope (organisation vs project, resource group vs subscription) causes the scan to look successful but discover nothing. Test credentials in the Ctadel wizard before saving.
- Missing audit log permissions. If you intend to enable CDR (runtime detection), the read-only credential needs additional permissions on the audit log stream. See the CDR concept.
- MFA on the root account. AWS root account, GCP organisation owner, and Azure global admin should never be used to provision Ctadel. Use a delegated admin.