Cloud Provider Setup | AWS, GCP, and Azure Configuration Guide
This guide provides detailed setup instructions for integrating AWS, Google Cloud Platform (GCP), and Microsoft Azure with Nife VM Management.
AWS Setup Guide
Prerequisites
- AWS account with billing enabled
- IAM user with appropriate permissions
- EC2 instances already created in your AWS account
Step 1: Create IAM User (Recommended)
Instead of using root credentials, create a dedicated IAM user for Nife.
1. Log in to AWS Console
   - Go to https://console.aws.amazon.com
   - Navigate to IAM → Users
2. Create New User
   - Click Create user
   - Enter username: nife-vm-management (or your preference)
   - Click Next
3. Set Permissions
   - Select Attach policies directly
   - Search for and attach: AmazonEC2FullAccess
   - Optionally: create a custom policy with minimal permissions (see below)
   - Click Next
4. Review and Create
   - Review user details
   - Click Create user
Step 2: Create Access Keys
1. Select the User
   - Click on the user you just created
   - Go to the Security credentials tab
2. Generate Access Key
   - Scroll to the Access keys section
   - Click Create access key
   - Select Command Line Interface (CLI)
   - Check the confirmation checkbox
   - Click Next
3. Save Credentials
   - Copy the Access Key ID (starts with AKIA)
   - Copy the Secret Access Key
   - Important: Save these securely; you won't see the secret key again
   - Download the CSV file as a backup
4. Complete
   - Click Done
Step 3: Find Your EC2 Instance Details
1. Navigate to EC2 Dashboard
   - Go to EC2 → Instances
2. Note Instance Information
   - Instance ID: shows as i-xxxxxxxxxxxx
   - Region: displayed at the top (e.g., us-east-1)
   - Availability Zone: shows as a zone within the region
3. Gather Information
   - Instance ID
   - Region (e.g., us-east-1, us-west-2)
   - Ensure the instance is in the Running state
AWS IAM Policy (Minimal Permissions)
For security, create a custom policy with only necessary permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:DescribeRegions",
        "ec2:DescribeSnapshots",
        "ec2:CreateSnapshot",
        "ec2:DescribeVolumes",
        "ec2:DescribeSecurityGroups"
      ],
      "Resource": "*"
    }
  ]
}
Troubleshooting AWS Setup
Invalid Access Key Error
- Verify the Access Key ID format (starts with AKIA)
- Check the Secret Key for typos
- Ensure user is not disabled
- Verify user has EC2 permissions
Instance Not Found
- Confirm instance exists in AWS console
- Verify instance is in the correct region
- Check the instance ID format (should be i-xxxx)
- Ensure the instance is not terminated
Permission Denied Error
- Verify IAM user has EC2 permissions
- Check if attached policy is active
- Verify access keys are from correct user
- Wait 1-2 minutes for IAM changes to propagate
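The checks above can be run before the first connection attempt. The following is an added example, not Nife's own code: it validates the three AWS values this guide asks you to collect (access key ID starting with AKIA, an i-... instance ID, a region such as us-east-1) and lints an IAM policy document against the minimal action set shown above, so that an over-broad attachment like AmazonEC2FullAccess or a wildcard action is flagged. The sample access key, instance ID and the over-broad policy are constructed values.

```python
"""Checks for the AWS inputs this guide asks you to collect, plus a lint for the
IAM policy document.  Added example, not Nife's code: the identifier shapes come
from the guide (AKIA prefix, i-... instance IDs, regions such as us-east-1) and
the allowed action list is the minimal policy above."""
import json
import re

# The ten actions in the guide's minimal policy.
MINIMAL_EC2_ACTIONS = frozenset({
    "ec2:DescribeInstances", "ec2:DescribeInstanceStatus",
    "ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances",
    "ec2:DescribeRegions", "ec2:DescribeSnapshots", "ec2:CreateSnapshot",
    "ec2:DescribeVolumes", "ec2:DescribeSecurityGroups",
})

# Long-term IAM user access key IDs are 20 upper-case alphanumerics beginning with AKIA.
ACCESS_KEY_RE = re.compile(r"^AKIA[A-Z0-9]{16}$")
# Instance IDs are "i-" followed by 8 (older) or 17 (current) hex digits.
INSTANCE_ID_RE = re.compile(r"^i-(?:[0-9a-f]{8}|[0-9a-f]{17})$")
# Regions look like us-east-1 or us-gov-west-1 (a trailing letter would make it a zone).
REGION_RE = re.compile(r"^[a-z]{2}(?:-[a-z]+)+-\d$")


def check_aws_inputs(access_key_id: str, instance_id: str, region: str) -> list[str]:
    """Return the problems found; an empty list means the values look right."""
    problems = []
    if not ACCESS_KEY_RE.match(access_key_id.strip()):
        problems.append("access key ID must be 20 characters and start with AKIA")
    if not INSTANCE_ID_RE.match(instance_id.strip()):
        problems.append("instance ID must look like i-xxxxxxxx or i-xxxxxxxxxxxxxxxxx")
    if not REGION_RE.match(region.strip()):
        problems.append("region must look like us-east-1 (a region, not a zone such as us-east-1a)")
    return problems


def lint_policy(policy_json: str) -> list[str]:
    """Return Allow actions that exceed the guide's minimal set.

    Wildcards ("*" or "ec2:*") and actions outside the set are both reported,
    since either grants more than the ten actions the integration needs."""
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):     # a lone statement may be written as an object
        statements = [statements]
    excess = set()
    for statement in statements:
        if statement.get("Effect") != "Allow":
            continue
        actions = statement.get("Action", [])
        if isinstance(actions, str):     # a single action may be written as a string
            actions = [actions]
        excess.update(a for a in actions if a not in MINIMAL_EC2_ACTIONS)
    return sorted(excess)


# The guide's minimal policy, rebuilt from the action set as test input.
MINIMAL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": sorted(MINIMAL_EC2_ACTIONS), "Resource": "*"}],
})

# Constructed over-broad policy, the kind a "full access" shortcut produces.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "ec2:TerminateInstances"], "Resource": "*"}],
})

if __name__ == "__main__":
    # Constructed values, not real credentials.
    print(check_aws_inputs("AKIAEXAMPLEEXAMPLE00", "i-0123456789abcdef0", "us-east-1"))
    print(lint_policy(BROAD_POLICY))
```

Run the lint against the policy document actually attached to the nife-vm-management user; anything it prints is a permission the integration does not need and a candidate for removal.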
GCP Setup Guide
Prerequisites
- Google Cloud Platform account
- Active project with billing enabled
- Compute Engine API enabled
- Existing VM instances in your project
Step 1: Enable Compute Engine API
1. Go to Google Cloud Console
2. Select Your Project
   - Click the project selector at the top
   - Choose or create a project
3. Enable API
   - Go to APIs & Services → Library
   - Search for "Compute Engine API"
   - Click on it
   - Click Enable
4. Wait for Activation
   - API activation takes a few moments
   - Proceed once enabled
Step 2: Create Service Account
1. Go to Service Accounts
   - Navigate to APIs & Services → Credentials
   - Click Create Credentials → Service Account
2. Fill Service Account Details
   - Service account name: nife-vm-management (or your choice)
   - Service account ID: auto-generated
   - Description: "Service account for Nife VM Management"
   - Click Create and Continue
3. Grant Permissions
   - Select role: Compute Instance Admin (v1)
   - This grants the permissions needed for VM management
   - Click Continue
4. Complete Creation
   - Click Done
   - The service account is now created
Step 3: Create and Download Service Account Key
1. Open Service Account
   - Go to APIs & Services → Credentials
   - Under "Service Accounts," click on your service account
2. Go to Keys
   - Click the Keys tab
   - Click Add Key → Create new key
3. Select JSON Format
   - Choose JSON format
   - Click Create
   - The file downloads automatically (keep it safe)
4. Secure the Key
   - Important: This file contains sensitive credentials
   - Store it securely
   - Never commit it to version control
   - Don't share it with others
Step 4: Find Your Instance Details
1. Go to Compute Engine
   - Navigate to Compute Engine → VM instances
2. Note Instance Information
   - Instance Name: click the instance to see details
   - Zone: shown in the instances list (e.g., us-central1-a)
   - Copy these details for later
3. Verify Permissions
   - The service account has permission to access instances
   - Usually automatic within the same project
GCP Security Best Practices
- Rotate Keys Regularly: Create new keys every 90 days
- Disable Unused Keys: Remove old service account keys
- Monitor Access: Check Cloud Audit Logs
- Use Resource Hierarchy: Organize projects and folders
- Minimal Permissions: Only grant necessary roles
Troubleshooting GCP Setup
Service Account Key Upload Fails
- Verify JSON file is valid
- Check file isn't corrupted
- Try downloading key again
- Ensure file size is reasonable (1-3 KB)
Instance Not Found
- Confirm instance exists in Compute Engine
- Verify instance is in the correct zone
- Check instance name spelling
- Ensure instance is not deleted
Permission Denied Error
- Verify service account has Compute Instance Admin role
- Check project has Compute Engine API enabled
- Confirm service account is in correct project
- Wait 1-2 minutes for IAM changes
API Not Enabled
- Go to APIs & Services → Library
- Search "Compute Engine"
- Click Enable if not already enabled
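The first troubleshooting item above ("verify JSON file is valid", size 1-3 KB) can be checked offline before uploading. The following is an added example, not Nife's code: it validates a downloaded service-account key file for well-formed JSON, the expected size, the fields Google writes into every JSON key, a PEM private-key block and a service-account e-mail, and separately distinguishes a zone such as us-central1-a from a bare region. The sample key is constructed with filler in place of real key material.

```python
"""Offline validation of a GCP service-account key file before it is uploaded.
Added example, not Nife's code.  The field names are the ones present in every
JSON key Google issues; the 1-3 KB size expectation and the zone format
(us-central1-a) come from this guide; the sample key below is constructed with
filler instead of a real private key."""
import json
import re

REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                   "client_email", "client_id", "token_uri")
ZONE_RE = re.compile(r"^[a-z]+-[a-z]+\d+-[a-z]$")   # region + "-" + zone letter


def validate_key_file(raw: bytes) -> list[str]:
    """Return a list of problems; empty means the file looks like a usable key."""
    problems = []
    if not 1024 <= len(raw) <= 3 * 1024:
        problems.append(f"unexpected size {len(raw)} bytes (a real key is about 1-3 KB)")
    try:
        key = json.loads(raw)
    except json.JSONDecodeError as exc:
        return problems + [f"not valid JSON: {exc.msg} at offset {exc.pos}"]
    if not isinstance(key, dict):
        return problems + ["top-level JSON value is not an object"]
    missing = [f for f in REQUIRED_FIELDS if f not in key]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        problems.append("'type' is not 'service_account' (an OAuth client file, not a service-account key?)")
    pem = key.get("private_key", "")
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----")
            and pem.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append("'private_key' is not a PEM private key block")
    if not key.get("client_email", "").endswith(".iam.gserviceaccount.com"):
        problems.append("'client_email' is not a service-account address")
    return problems


def is_zone(value: str) -> bool:
    """True for a zone such as us-central1-a; False for a bare region such as us-central1."""
    return bool(ZONE_RE.match(value.strip()))


# Constructed sample: same shape as a downloaded key, with filler in place of key material.
_FILLER = "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC" * 25  # not a real key
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\n" + _FILLER + "\n-----END PRIVATE KEY-----\n",
    "client_email": "nife-vm-management@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
}, indent=2).encode()

# Constructed OAuth client file: valid JSON, but not a service-account key.
OAUTH_CLIENT_FILE = json.dumps({"installed": {"client_id": "x", "client_secret": "y"}}).encode()

if __name__ == "__main__":
    print(validate_key_file(SAMPLE_KEY))          # [] for the constructed good key
    print(validate_key_file(OAUTH_CLIENT_FILE))   # explains why the upload would fail
    print(is_zone("us-central1-a"), is_zone("us-central1"))
```

The OAuth-client case is worth the explicit message: the Credentials page offers both "OAuth client ID" and "Service account" downloads, both are valid JSON, and only the second one works here.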
Azure Setup Guide
Prerequisites
- Microsoft Azure account with active subscription
- Administrator access to Azure AD
- Existing Virtual Machines in your subscription
- Azure CLI installed (optional but helpful)
Step 1: Get Subscription and Tenant Information
1. Navigate to Azure Portal
   - Go to https://portal.azure.com
2. Find Subscription ID
   - Click on Subscriptions (or search for it)
   - Copy your Subscription ID (GUID format)
3. Find Tenant ID
   - Click on Azure Active Directory
   - Click Properties
   - Copy the Tenant ID (also called Directory ID)
Step 2: Create Service Principal
1. Go to Azure Active Directory
   - Click Azure Active Directory in the portal
   - Click App registrations
   - Click New registration
2. Register Application
   - Name: nife-vm-management (or your choice)
   - Supported account types: "Accounts in this organizational directory"
   - Click Register
3. Copy Application Credentials
   - Copy the Application (client) ID
   - Copy the Directory (tenant) ID
   - Save these values
Step 3: Create Client Secret
1. Go to Certificates & secrets
   - In your app registration, click Certificates & secrets
   - Click New client secret
2. Create Secret
   - Description: nife-vm-management
   - Expires: select an appropriate duration (24 months recommended)
   - Click Add
3. Copy Secret
   - Immediately copy the secret Value (not the ID)
   - Important: You won't see this value again
   - Save it securely
Step 4: Assign Permissions
1. Go to Subscriptions
   - Click Subscriptions
   - Select your subscription
2. Access Control (IAM)
   - Click Access Control (IAM)
   - Click Add → Add role assignment
3. Assign Role
   - Role: search for and select "Virtual Machine Contributor"
   - Click Next
4. Assign to Service Principal
   - Click Members → Select members
   - Search for your service principal name (nife-vm-management)
   - Click to select it
   - Click Select
   - Click Review + assign
Step 5: Get Resource Group and VM Details
1. Navigate to Resource Groups
   - Click Resource Groups
   - Note your Resource Group Name
2. Get VM Details
   - Click into your resource group
   - Find your VM
   - Copy the VM name (if needed for reference)
3. Verify Permissions
   - The service principal now has VM management permissions
   - It can start, stop and restart VMs
Azure IAM Role Reference
For VM management, assign one of:
- Virtual Machine Contributor: Full VM management
- Virtual Machine Operator: Start/stop/restart only
- Virtual Machine User: Read-only access
Azure Security Best Practices
- Rotate Secrets: Create new secrets every 90 days
- Limit Scope: Assign permissions at resource group level
- Monitor Access: Use Azure Activity Log
- Use Managed Identities: When available instead of secrets
- Enable MFA: For Azure AD accounts
- Review Permissions: Regularly audit role assignments
Troubleshooting Azure Setup
Client Secret Error
- Verify secret value (not ID) is used
- Check secret hasn't expired
- Create new secret if needed
- Ensure secret is copied completely
Subscription Not Found
- Verify subscription ID is correct
- Confirm account has access to subscription
- Check subscription isn't disabled
- Try signing out and back in
Permissions Denied
- Verify service principal has Virtual Machine Contributor role
- Check role assignment scope
- Confirm subscription is selected correctly
- Wait 1-2 minutes for IAM changes to propagate
Resource Group Not Found
- Verify resource group name spelling
- Confirm resource group in correct subscription
- Check it's not deleted
- Ensure permissions to access it
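Most of the "Client Secret Error" and "Subscription Not Found" cases above can be caught before the first sign-in. The following is an added example, not Nife's code: it checks that the subscription, tenant and client IDs are GUIDs, flags a client secret that is itself a GUID (which almost always means the secret's ID was copied instead of its Value), and warns when the secret's expiry date from the Certificates & secrets blade has passed or is near. All sample values are constructed.

```python
"""Pre-flight checks for the Azure values collected in this guide.  Added
example, not Nife's code.  Subscription, tenant and client IDs are GUIDs (the
guide's "GUID format"); a client secret that is itself a GUID is almost
certainly the secret's ID copied instead of its Value, the first item under
"Client Secret Error"; the expiry date lets you catch an expired or
soon-to-expire secret before a failed login does."""
import re
from datetime import date, timedelta

GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE)


def is_guid(value: str) -> bool:
    return bool(GUID_RE.match(value.strip()))


def check_azure_config(cfg: dict, today: date, warn_days: int = 30) -> list[str]:
    """Return problems with the service-principal configuration (empty list = OK).

    cfg keys: subscription_id, tenant_id, client_id, client_secret and,
    optionally, secret_expires (a datetime.date copied from the portal)."""
    problems = []
    for name in ("subscription_id", "tenant_id", "client_id"):
        if not is_guid(cfg.get(name, "")):
            problems.append(f"{name} is not a GUID")
    secret = cfg.get("client_secret", "").strip()
    if not secret:
        problems.append("client_secret is empty")
    elif is_guid(secret):
        problems.append("client_secret is a GUID: the secret ID was probably copied instead of its Value")
    expires = cfg.get("secret_expires")
    if expires is not None:
        remaining = expires - today
        if remaining < timedelta(0):
            problems.append(f"client secret expired on {expires.isoformat()}; create a new one")
        elif remaining <= timedelta(days=warn_days):
            problems.append(f"client secret expires in {remaining.days} days; rotate it now")
    return problems


# Constructed sample values (all-zero GUIDs and a placeholder secret, nothing real).
GOOD_CONFIG = {
    "subscription_id": "00000000-0000-0000-0000-000000000001",
    "tenant_id": "00000000-0000-0000-0000-000000000002",
    "client_id": "00000000-0000-0000-0000-000000000003",
    "client_secret": "placeholder~secret~value~not~real",
    "secret_expires": date(2026, 1, 1),
}
# Same configuration, but with the secret's ID pasted where the Value belongs.
ID_INSTEAD_OF_VALUE = dict(GOOD_CONFIG, client_secret="00000000-0000-0000-0000-000000000004")

if __name__ == "__main__":
    print(check_azure_config(GOOD_CONFIG, date(2025, 1, 1)))          # []
    print(check_azure_config(ID_INSTEAD_OF_VALUE, date(2025, 1, 1)))  # GUID-as-secret warning
    print(check_azure_config(GOOD_CONFIG, date(2026, 2, 1)))          # expired
```

The expiry warning is the piece worth wiring into a scheduled job: a 24-month secret fails silently on its expiry date, and the portal does not notify anyone.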
General Cloud Provider Security Tips
For All Providers
1. Store Credentials Securely
   - Use password managers or vaults
   - Never store credentials in code or version control
   - Use environment variables for local development
   - Enable encryption at rest
2. Audit Access
   - Review credential usage logs
   - Monitor API calls
   - Check for unusual activity
   - Set up alerts for critical operations
3. Rotate Credentials
   - AWS: rotate access keys every 90 days
   - GCP: rotate service account keys every 90 days
   - Azure: rotate client secrets every 90 days
4. Principle of Least Privilege
   - Grant only necessary permissions
   - Use custom policies when possible
   - Regularly audit and remove unused permissions
   - Separate credentials by environment (dev/prod)
5. Enable Multi-Factor Authentication (MFA)
   - Protect cloud provider console access
   - Use authenticator apps (not SMS when possible)
   - Require MFA for sensitive operations
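"Never store in code or version control" appears both in the GCP key-handling step and in the list above; a pre-commit scan is the simplest way to enforce it. The following is an added example, not Nife's code: it scans text for the credential shapes this guide produces (AWS access key IDs and secret keys, GCP service-account key files and any PEM private-key block, Azure client secrets assigned in configuration) while ignoring values that are only variable references or placeholders. The patterns are heuristics, and the sample .env file is constructed using AWS's publicly documented example key pair.

```python
"""Scan text that is about to be committed for the credential shapes produced
by this guide.  Added example, not Nife's code; the patterns are heuristics
and the sample .env content is constructed."""
import re
import sys
from pathlib import Path

# One pattern per credential shape.  Values that are shell variable references
# ($VAR, ${VAR}) or template placeholders (<...>, {{...}}) are not reported.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[A-Z0-9]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    "gcp_service_account_key": re.compile(r'"type"\s*:\s*"service_account"'),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "azure_client_secret": re.compile(
        r"(?i)(?:azure_)?client[_-]?secret\s*[=:]\s*['\"]?(?![$<{])[^\s'\"]{8,}"),
}


def scan_text(text: str, path: str = "<input>") -> list[tuple[str, int, str]]:
    """Return (path, line number, finding kind) for every line matching a pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, kind))
    return findings


def scan_files(paths) -> list[tuple[str, int, str]]:
    """Scan each file and collect findings; unreadable or non-text files are skipped."""
    findings = []
    for p in map(Path, paths):
        try:
            findings.extend(scan_text(p.read_text(encoding="utf-8"), str(p)))
        except (OSError, UnicodeDecodeError):
            continue
    return findings


# Constructed sample of a config file someone is about to commit.  The AWS pair is
# the example key AWS uses in its own documentation; the GCP line is a truncated mock.
SAMPLE_ENV = """# constructed sample, not real credentials
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET}
AZURE_TENANT_ID=00000000-0000-0000-0000-000000000000
{"type": "service_account", "private_key": "-----BEGIN PRIVATE KEY-----\\nMIIE...\\n-----END PRIVATE KEY-----\\n"}
"""

if __name__ == "__main__":
    # Usage (hypothetical file name): python scan_secrets.py path/to/file ...
    # With no arguments the constructed sample is scanned instead.
    targets = sys.argv[1:]
    results = scan_files(targets) if targets else scan_text(SAMPLE_ENV, "sample.env")
    for path, lineno, kind in results:
        print(f"{path}:{lineno}: possible {kind}")
    sys.exit(1 if results else 0)   # non-zero exit lets a pre-commit hook block the commit
```

Line 4 of the sample is the pattern to aim for: the variable reference is committed, the value lives in the environment or a vault, and the scanner stays quiet.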
Next Steps
- Creating VM Instances - Create instances with your configured providers
- Managing VM Instances - Manage your created instances
- Monitoring VM Performance - Monitor instance metrics