Cloud Provider Setup | AWS, GCP, and Azure Configuration Guide
This guide provides detailed setup instructions for integrating AWS, Google Cloud Platform (GCP), and Microsoft Azure with Nife VM Management.
AWS Setup Guide
Prerequisites
- AWS account with billing enabled
- IAM user with appropriate permissions
- EC2 instances already created in your AWS account
Step 1: Create IAM User (Recommended)
Instead of using root credentials, create a dedicated IAM user for Nife.
Log in to AWS Console
- Go to https://console.aws.amazon.com
- Navigate to IAM → Users
Create New User
- Click Create user
- Enter username: `nife-vm-management` (or your preference)
- Click Next
Set Permissions
- Select Attach policies directly
- Search for and attach: `AmazonEC2FullAccess`
- Optionally: create a custom policy with minimal permissions (see below)
- Click Next
Review and Create
- Review user details
- Click Create user
Step 2: Create Access Keys
Select the User
- Click on the user you just created
- Go to Security credentials tab
Generate Access Key
- Scroll to Access keys section
- Click Create access key
- Select Command Line Interface (CLI)
- Check the confirmation checkbox
- Click Next
Save Credentials
- Copy Access Key ID (starts with `AKIA`)
- Copy Secret Access Key
- Important: Save these securely; you won't see the secret key again
- Download CSV file as backup
Complete
- Click Done
Step 3: Find Your EC2 Instance Details
Navigate to EC2 Dashboard
- Go to EC2 → Instances
Note Instance Information
- Instance ID: Shows as `i-xxxxxxxxxxxx`
- Region: Displayed at top (e.g., `us-east-1`)
- Availability Zone: Shows as zone within region
Gather Information
- Instance ID
- Region (e.g., `us-east-1`, `us-west-2`)
- Ensure instance is in Running state
AWS IAM Policy (Minimal Permissions)
For security, create a custom policy with only necessary permissions:
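As an added example of such a policy (not Nife's published policy), the Python below builds the policy document and lints it for wildcards. It assumes Nife only needs to list, start, stop and reboot instances, which are the operations this guide describes; the account ID, region and instance ID are constructed placeholders. The Describe* calls need `Resource: "*"` because EC2 does not support resource-level permissions for them, while the state-changing calls are pinned to one instance ARN.

```python
"""Least-privilege IAM policy for VM start/stop/reboot, plus a wildcard lint.

Added example, not Nife's published policy. Assumes Nife only needs to list
instances and start, stop and reboot them; if it needs more, the
AmazonEC2FullAccess managed policy from Step 1 remains the fallback.
"""
import json


def minimal_vm_policy(account_id: str, region: str, instance_id: str) -> dict:
    """Return a policy that can read any instance but control only one."""
    instance_arn = f"arn:aws:ec2:{region}:{account_id}:instance/{instance_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # ec2:Describe* does not support resource-level permissions,
                # so this statement has to use Resource "*".
                "Sid": "ReadInstanceState",
                "Effect": "Allow",
                "Action": ["ec2:DescribeInstances", "ec2:DescribeInstanceStatus"],
                "Resource": "*",
            },
            {
                # State changes are restricted to the single instance ARN.
                "Sid": "ControlOneInstance",
                "Effect": "Allow",
                "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
                "Resource": instance_arn,
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def wildcard_findings(policy: dict) -> list[str]:
    """Flag Allow statements with wildcard actions, or with Resource "*" on
    actions that can change state (anything other than Describe/List/Get)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action!r}")
        read_only = all(
            a.split(":", 1)[-1].startswith(("Describe", "List", "Get")) for a in actions
        )
        if "*" in resources and not read_only:
            findings.append(f"{sid}: state-changing actions allowed on Resource '*'")
    return findings


if __name__ == "__main__":
    # Constructed placeholder account, region and instance ID.
    policy = minimal_vm_policy("123456789012", "us-east-1", "i-0123456789abcdef0")
    print(json.dumps(policy, indent=2))
    print("findings:", wildcard_findings(policy))
```

Paste the printed JSON into IAM → Policies → Create policy (JSON editor) and attach it to the `nife-vm-management` user in place of `AmazonEC2FullAccess`. Running `wildcard_findings` against a policy equivalent to `AmazonEC2FullAccess` (`ec2:*` on `*`) reports two findings, which is the gap this custom policy closes.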
Troubleshooting AWS Setup
Invalid Access Key Error
- Verify Access Key ID format (starts with `AKIA`)
- Check Secret Key for typos
- Ensure user is not disabled
- Verify user has EC2 permissions
Instance Not Found
- Confirm instance exists in AWS console
- Verify instance is in the correct region
- Check instance ID format (should be `i-xxxx`)
- Ensure instance is not terminated
Permission Denied Error
- Verify IAM user has EC2 permissions
- Check if attached policy is active
- Verify access keys are from correct user
- Wait 1-2 minutes for IAM changes to propagate
GCP Setup Guide
Prerequisites
- Google Cloud Platform account
- Active project with billing enabled
- Compute Engine API enabled
- Existing VM instances in your project
Step 1: Enable Compute Engine API
Go to Google Cloud Console
Select Your Project
- Click project selector at top
- Choose or create a project
Enable API
- Go to APIs & Services → Library
- Search for "Compute Engine API"
- Click on it
- Click Enable
Wait for Activation
- API activation takes a few moments
- Proceed once enabled
Step 2: Create Service Account
Go to Service Accounts
- Navigate to APIs & Services → Credentials
- Click Create Credentials → Service Account
Fill Service Account Details
- Service account name: `nife-vm-management` (or your choice)
- Service account ID: Auto-generated
- Description: "Service account for Nife VM Management"
- Click Create and Continue
Grant Permissions
- Select role: Compute Instance Admin (v1)
- This grants necessary permissions for VM management
- Click Continue
Complete Creation
- Click Done
- Service account is now created
Step 3: Create and Download Service Account Key
Open Service Account
- Go to APIs & Services → Credentials
- Under "Service Accounts," click on your service account
Go to Keys
- Click Keys tab
- Click Add Key → Create new key
Select JSON Format
- Choose JSON format
- Click Create
- File automatically downloads (keep it safe)
Secure the Key
- Important: This file contains sensitive credentials
- Store it securely
- Never commit to version control
- Don't share with others
Step 4: Find Your Instance Details
Go to Compute Engine
- Navigate to Compute Engine → VM instances
Note Instance Information
- Instance Name: Click instance to see details
- Zone: Shows in the instances list (e.g., `us-central1-a`)
- Copy these details for later
Verify Permissions
- Service account has permission to access instances
- Usually automatic within same project
GCP Security Best Practices
- Rotate Keys Regularly: Create new keys every 90 days
- Disable Unused Keys: Remove old service account keys
- Monitor Access: Check Cloud Audit Logs
- Use Resource Hierarchy: Organize projects and folders
- Minimal Permissions: Only grant necessary roles
Troubleshooting GCP Setup
Service Account Key Upload Fails
- Verify JSON file is valid
- Check file isn't corrupted
- Try downloading key again
- Ensure file size is reasonable (1-3 KB)
Instance Not Found
- Confirm instance exists in Compute Engine
- Verify instance is in the correct zone
- Check instance name spelling
- Ensure instance is not deleted
Permission Denied Error
- Verify service account has Compute Instance Admin role
- Check project has Compute Engine API enabled
- Confirm service account is in correct project
- Wait 1-2 minutes for IAM changes
API Not Enabled
- Go to APIs & Services → Library
- Search "Compute Engine"
- Click Enable if not already enabled
Azure Setup Guide
Prerequisites
- Microsoft Azure account with active subscription
- Administrator access to Azure AD
- Existing Virtual Machines in your subscription
- Azure CLI installed (optional but helpful)
Step 1: Get Subscription and Tenant Information
Navigate to Azure Portal
- Go to https://portal.azure.com
Find Subscription ID
- Click on Subscriptions (or search for it)
- Copy your Subscription ID (GUID format)
Find Tenant ID
- Click on Azure Active Directory
- Click Properties
- Copy Tenant ID (also called Directory ID)
Step 2: Create Service Principal
Go to Azure Active Directory
- Click Azure Active Directory in portal
- Click App registrations
- Click New registration
Register Application
- Name: `nife-vm-management` (or your choice)
- Supported account types: "Accounts in this organizational directory"
- Click Register
Copy Application Credentials
- Copy Application (client) ID
- Copy Directory (tenant) ID
- Save these values
Step 3: Create Client Secret
Go to Certificates & secrets
- In your app registration, click Certificates & secrets
- Click New client secret
Create Secret
- Description: `nife-vm-management`
- Expires: Select appropriate duration (24 months recommended)
- Click Add
Copy Secret
- Immediately copy the secret Value (not ID)
- Important: You won't see this value again
- Save it securely
Step 4: Assign Permissions
Go to Subscriptions
- Click Subscriptions
- Select your subscription
Access Control (IAM)
- Click Access Control (IAM)
- Click Add → Add role assignment
Assign Role
- Role: Search and select "Virtual Machine Contributor"
- Click Next
Assign to Service Principal
- Click Members → Select members
- Search for your service principal name (`nife-vm-management`)
- Click to select it
- Click Select
- Click Review + assign
Step 5: Get Resource Group and VM Details
Navigate to Resource Groups
- Click Resource Groups
- Note your Resource Group Name
Get VM Details
- Click into your resource group
- Find your VM
- Copy the VM name (if needed for reference)
Verify Permissions
- Service principal now has VM management permissions
- Can start, stop, restart VMs
Azure IAM Role Reference
For VM Management, assign:
- Virtual Machine Contributor: Full VM management
- Virtual Machine Operator: Start/stop/restart only
- Virtual Machine User: Read-only access
Azure Security Best Practices
- Rotate Secrets: Create new secrets every 90 days
- Limit Scope: Assign permissions at resource group level
- Monitor Access: Use Azure Activity Log
- Use Managed Identities: When available instead of secrets
- Enable MFA: For Azure AD accounts
- Review Permissions: Regularly audit role assignments
Troubleshooting Azure Setup
Client Secret Error
- Verify secret value (not ID) is used
- Check secret hasn't expired
- Create new secret if needed
- Ensure secret is copied completely
Subscription Not Found
- Verify subscription ID is correct
- Confirm account has access to subscription
- Check subscription isn't disabled
- Try signing out and back in
Permissions Denied
- Verify service principal has Virtual Machine Contributor role
- Check role assignment scope
- Confirm subscription is selected correctly
- Wait 1-2 minutes for IAM changes to propagate
Resource Group Not Found
- Verify resource group name spelling
- Confirm resource group in correct subscription
- Check it's not deleted
- Ensure permissions to access it
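Most of the errors in the three troubleshooting sections above (AWS, GCP and Azure) come from a value that was copied in the wrong shape: a zone pasted where a region belongs, the client secret's ID pasted instead of its Value, a key file that is not a service account key, or a secret that has already expired. The pre-flight checker below is an added example, not part of Nife; it makes no API calls and only checks the shape of each value locally. The length and format rules (20-character `AKIA` key IDs, 40-character secret keys, 17-hex-digit instance IDs, GUIDs for Azure IDs) are assumptions based on the formats the providers issue today, and every sample value in it is a constructed placeholder.

```python
"""Shape checks for the identifiers and credentials this guide has you collect.

Added example, not part of Nife. No provider API is called; each function
returns a list of human-readable problems, empty when the values look right.
Format rules are assumptions based on the providers' current formats.
"""
import json
import re
import uuid
from datetime import date

AWS_ACCESS_KEY_RE = re.compile(r"^AKIA[0-9A-Z]{16}$")
EC2_INSTANCE_RE = re.compile(r"^i-[0-9a-f]{8}(?:[0-9a-f]{9})?$")
AWS_REGION_RE = re.compile(r"^[a-z]{2}(?:-[a-z]+)+-\d$")   # us-east-1, not us-east-1a
GCP_ZONE_RE = re.compile(r"^[a-z]+-[a-z]+\d-[a-z]$")       # us-central1-a, not us-central1
GCP_KEY_FIELDS = ("type", "project_id", "private_key", "client_email")

# Constructed sample with the layout of a downloaded GCP key file (fake values).
GOOD_GCP_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
    "client_email": "nife-vm-management@example-project.iam.gserviceaccount.com",
})


def check_aws(access_key_id: str, secret_access_key: str, instance_id: str, region: str) -> list[str]:
    problems = []
    if not AWS_ACCESS_KEY_RE.match(access_key_id):
        problems.append("access key ID should be 20 uppercase characters starting with AKIA")
    if len(secret_access_key) != 40:
        problems.append("secret access key should be 40 characters; check for a truncated copy")
    if not EC2_INSTANCE_RE.match(instance_id):
        problems.append("instance ID should look like i-0123456789abcdef0")
    if not AWS_REGION_RE.match(region):
        problems.append("region should look like us-east-1 (a region, not an availability zone)")
    return problems


def check_gcp(key_json: str, zone: str) -> list[str]:
    problems = []
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError as exc:
        return [f"service account key is not valid JSON: {exc.msg}"]
    missing = [f for f in GCP_KEY_FIELDS if f not in key]
    if missing:
        problems.append("key file is missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        problems.append("key file type should be service_account (an OAuth client file is not a key)")
    if not str(key.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key holds no PEM block; download the key again")
    if not GCP_ZONE_RE.match(zone):
        problems.append("zone should look like us-central1-a (a zone, not a region)")
    return problems


def _is_guid(value: str) -> bool:
    """True only for a canonical hyphenated GUID."""
    try:
        return str(uuid.UUID(str(value))) == str(value).lower()
    except ValueError:
        return False


def check_azure(subscription_id: str, tenant_id: str, client_id: str,
                secret_value: str, secret_expires: str, today: str) -> list[str]:
    problems = []
    for name, value in (("subscription ID", subscription_id),
                        ("tenant ID", tenant_id), ("client ID", client_id)):
        if not _is_guid(value):
            problems.append(f"{name} should be a GUID")
    # The portal shows both a secret ID (a GUID) and a Value; only the Value works.
    if _is_guid(secret_value):
        problems.append("client secret is a GUID: that is the secret ID, not its Value")
    elif not secret_value:
        problems.append("client secret is empty")
    if date.fromisoformat(secret_expires) <= date.fromisoformat(today):
        problems.append(f"client secret expired on {secret_expires}; create a new one")
    return problems


if __name__ == "__main__":
    # All values are constructed placeholders, not real credentials.
    print(check_aws("AKIAIOSFODNN7EXAMPLE", "w" * 40, "i-0123456789abcdef0", "us-east-1"))
    print(check_aws("AKIA-short", "typo", "i-zz", "us-east-1a"))
    print(check_gcp(GOOD_GCP_KEY, "us-central1-a"))
    guid = "11111111-2222-3333-4444-555555555555"
    print(check_azure(guid, guid, guid, guid, "2024-01-01", "2025-06-01"))
```

Run it with the values you are about to enter into Nife; an empty list means the shape is right and any remaining error is a permission, region or propagation problem rather than a copy mistake.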
General Cloud Provider Security Tips
For All Providers
Store Credentials Securely
- Use password managers or vaults
- Never store in code or version control
- Use environment variables for local development
- Enable encryption at rest
Audit Access
- Review credential usage logs
- Monitor API calls
- Check for unusual activity
- Set up alerts for critical operations
Rotate Credentials
- AWS: Rotate access keys every 90 days
- GCP: Rotate service account keys every 90 days
- Azure: Rotate client secrets every 90 days
Principle of Least Privilege
- Grant only necessary permissions
- Use custom policies when possible
- Regularly audit and remove unused permissions
- Separate credentials by environment (dev/prod)
Enable Multi-Factor Authentication (MFA)
- Protect cloud provider console access
- Use authenticator apps (not SMS when possible)
- Require MFA for sensitive operations
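To make the "store credentials securely", "audit access" and "rotate credentials" advice above concrete, the Python below is an added example (not Nife's code) of a small configuration loader: it reads each provider's settings from environment variables and fails closed naming what is missing, redacts secrets before they reach a log line, and classifies a credential's age against the 90-day rotation window. The environment variable names are conventional SDK names chosen for this example and are an assumption; Nife's own configuration may use different ones.

```python
"""Environment-based credential loading, log redaction and rotation-age checks.

Added example, not Nife's code. Variable names are assumed (conventional SDK
names); adjust REQUIRED_VARS to match the configuration Nife actually reads.
"""
import os
from datetime import date
from typing import Mapping

ROTATION_DAYS = 90   # rotation interval this guide recommends for all providers
WARN_WINDOW = 14     # days before the deadline at which to start warning

# Assumed variable names per provider; secrets are listed separately for redaction.
REQUIRED_VARS = {
    "aws": ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_REGION"),
    "gcp": ("GOOGLE_APPLICATION_CREDENTIALS", "GCP_ZONE"),
    "azure": ("AZURE_SUBSCRIPTION_ID", "AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET"),
}
SECRET_VARS = {"AWS_SECRET_ACCESS_KEY", "AZURE_CLIENT_SECRET"}


def missing_variables(provider: str, env: Mapping[str, str] = os.environ) -> list[str]:
    """Names of required variables that are unset or empty for this provider."""
    return [name for name in REQUIRED_VARS[provider] if not env.get(name)]


def load_credentials(provider: str, env: Mapping[str, str] = os.environ) -> dict[str, str]:
    """Return the provider's settings from the environment; fail closed if any is missing.

    Nothing is hard-coded and nothing is read from a file in the repository,
    so a checked-in config cannot leak a key."""
    missing = missing_variables(provider, env)
    if missing:
        raise KeyError(f"{provider}: missing environment variables: {', '.join(missing)}")
    return {name: env[name] for name in REQUIRED_VARS[provider]}


def redact(name: str, value: str) -> str:
    """Keep only the last 4 characters of a secret so logs stay correlatable but safe."""
    if name in SECRET_VARS:
        return "*" * max(len(value) - 4, 0) + value[-4:]
    return value


def rotation_status(created_on: str, today: str, max_age_days: int = ROTATION_DAYS) -> tuple[str, int]:
    """Classify a credential by age (ISO dates): 'ok', 'due-soon' or 'overdue'."""
    age = (date.fromisoformat(today) - date.fromisoformat(created_on)).days
    if age > max_age_days:
        return "overdue", age
    if age > max_age_days - WARN_WINDOW:
        return "due-soon", age
    return "ok", age


if __name__ == "__main__":
    # Constructed environment; the values are placeholders, not real credentials.
    env = {
        "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
        "AWS_SECRET_ACCESS_KEY": "constructed-secret-1234",
        "AWS_REGION": "us-east-1",
    }
    creds = load_credentials("aws", env)
    for name, value in creds.items():
        print(f"{name}={redact(name, value)}")          # secret prints as ****...1234
    print("azure missing:", missing_variables("azure", env))
    print("key age:", rotation_status("2025-01-01", "2025-04-15"))   # overdue after 104 days
```

Record each credential's creation date (the IAM console, the GCP key list and the Azure secret list all show it) and feed it to `rotation_status` from a scheduled job; a "due-soon" result is the prompt to create the replacement key before the old one is disabled, which avoids an outage at the 90-day mark.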
Next Steps
- Creating VM Instances - Create instances with your configured providers
- Managing VM Instances - Manage your created instances
- Monitoring VM Performance - Monitor instance metrics