Link Your Cloud Account

LightPane discovers your cloud resources using read-only access. It never modifies, creates, or deletes anything in your environment.

You link a cloud account once. After that, every access key and pane you create can discover resources in that account.

What you need:

• A LightPane account (create one free)
• Admin access to the AWS account, GCP project, or Azure subscription you want to link

AWSGCPAzure

Deploy the CloudFormation template

LightPane connects to your AWS account using a cross-account IAM role. You deploy a CloudFormation template that creates this role with read-only permissions.

What the template creates

• An IAM role named LightPaneReader
• The AWS managed SecurityAudit policy attached to the role (read-only access to configuration and metadata across AWS services)
• A trust policy that allows the LightPane AWS account to assume the role
• An External ID condition that prevents confused deputy attacks

The SecurityAudit policy is maintained by AWS. It grants read-only access to service configurations — it cannot start, stop, create, or delete any resources.

Steps

1. Log in to app.lightpane.cloud
2. Go to Cloud Accounts
3. Click Link AWS Account
4. LightPane generates a unique External ID for your account — this is displayed on screen
5. Click Launch CloudFormation — this opens the AWS Console with the template pre-loaded
6. Review the template in the AWS Console and click Create stack
7. Wait for the stack to reach CREATE_COMPLETE (about 30 seconds)
8. Copy the Role ARN from the CloudFormation Outputs tab
9. Paste the Role ARN back into LightPane and click Verify

LightPane calls sts:AssumeRole to verify the connection. If it succeeds, the account is linked.

What is the External ID?

The External ID prevents a class of attack called the "confused deputy problem." It ensures that only your LightPane account can assume the role — even though the Role ARN is not secret.

LightPane generates the External ID for you. You do not need to create one. The CloudFormation template includes it automatically.

Trust policy (for reference)

The CloudFormation template creates this trust policy on the IAM role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::LIGHTPANE_ACCOUNT_ID:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "YOUR_EXTERNAL_ID"
                }
            }
        }
    ]
}

Revoking access

Delete the CloudFormation stack in your AWS account. This removes the IAM role and immediately revokes all access. LightPane cannot reconnect until you deploy a new stack.

Configure Workload Identity Federation

LightPane connects to your GCP project using Workload Identity Federation (WIF). This is the Google-recommended approach for cross-project access. No service account keys are downloaded or stored.

What WIF creates

• A Workload Identity Pool that trusts the LightPane identity provider
• A Workload Identity Pool Provider configured for the LightPane AWS account
• A service account with read-only IAM roles, bound to the pool
• A credential configuration file that LightPane uses to authenticate

IAM roles granted

LightPane requests these predefined roles on the service account:

Role	Purpose
roles/compute.viewer	Read Compute Engine instances, disks, networks
roles/storage.objectViewer	List Cloud Storage buckets and objects
roles/cloudfunctions.viewer	Read Cloud Functions
roles/cloudsql.viewer	Read Cloud SQL instances
roles/container.viewer	Read GKE clusters
roles/iam.securityReviewer	Read IAM policies and service accounts

These are all read-only. The service account cannot modify, create, or delete any resources.

Steps

1. Log in to app.lightpane.cloud
2. Go to Cloud Accounts
3. Click Link GCP Project
4. Enter your GCP project ID
5. Follow the on-screen instructions to run the provided gcloud commands in your terminal (or Cloud Shell)
6. Upload or paste the generated credential configuration JSON
7. Click Verify

LightPane uses the credential configuration to authenticate and list resources in your project. If it succeeds, the account is linked.

Revoking access

Delete the Workload Identity Pool in your GCP project, or remove the IAM role bindings from the service account. Either action immediately revokes access.

Create a Service Principal

LightPane connects to your Azure subscription using a Service Principal with the built-in Reader role.

What the Service Principal provides

• Read-only access to all resources in the subscription
• No ability to modify, create, or delete resources
• An application registration in Azure AD that you control

Steps

1. Log in to app.lightpane.cloud
2. Go to Cloud Accounts
3. Click Link Azure Subscription
4. Follow the on-screen instructions to create the Service Principal using the Azure CLI or Azure Portal
5. Enter the Tenant ID, Client ID, and Client Secret
6. Click Verify

LightPane authenticates using the Service Principal credentials and lists resources in your subscription. If it succeeds, the account is linked.

Revoking access

Delete the application registration in Azure AD, or remove the Reader role assignment from the Service Principal. Either action immediately revokes access.

---

Multiple accounts

You can link multiple cloud accounts across any combination of providers. Each account appears separately in your Cloud Accounts list and can be selected independently when creating access keys.

What happens after linking

Once linked, the account is available for discovery. Create an access key to start querying resources or embedding panes.