Cloud Accounts
Connect your AWS, GCP, or Azure accounts to enable resource discovery and scheduling.
Supported Providers
Amazon Web Services (AWS)
| Auth Method | ID | Description |
|---|---|---|
| Static Access Keys | static_keys | IAM access key ID and secret access key |
| Assume Role | assume_role | Cross-account IAM role assumption via STS |
| Temporary Credentials | temporary_credentials | Short-lived STS credentials |
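The assume_role method hands ZopNight a roleArn plus an externalId (see the Assume Role request example further down). That externalId only defends against the confused-deputy problem if the role's trust policy actually requires it, and the trust policy also has to pin the principal rather than allow any AWS account. The following Go program is an added example, not ZopNight code: it checks a trust-policy document for exactly those two properties before you paste it into the IAM console. The principal ARN arn:aws:iam::111122223333:role/ZopNightExecutor and both sample policies are constructed placeholders; the real principal to trust is whatever ZopNight shows you during setup.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed sample: scopes sts:AssumeRole to one principal and demands the
// external ID. The principal ARN is a placeholder, not a ZopNight-documented value.
const GoodTrustPolicy = `{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/ZopNightExecutor"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "zopnight-external-id"}}
  }]
}`

// Constructed sample: same principal but no external ID condition, so anyone who
// can make that principal assume roles on their behalf can reach this role too.
const NoExternalIDPolicy = `{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/ZopNightExecutor"},
    "Action": ["sts:AssumeRole", "sts:TagSession"]
  }]
}`

// asStrings normalises IAM's string-or-array form (Action, Principal.AWS,
// condition values) to a slice; nil when raw is absent or neither form.
func asStrings(raw json.RawMessage) []string {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return []string{one}
	}
	var many []string
	if json.Unmarshal(raw, &many) == nil {
		return many
	}
	return nil
}

func contains(list []string, want string) bool {
	for _, s := range list {
		if s == want {
			return true
		}
	}
	return false
}

type statement struct {
	Effect    string                                `json:"Effect"`
	Principal json.RawMessage                       `json:"Principal"`
	Action    json.RawMessage                       `json:"Action"`
	Condition map[string]map[string]json.RawMessage `json:"Condition"`
}

// CheckTrustPolicy returns nil only if every Allow statement granting
// sts:AssumeRole names exactly principalARN and requires sts:ExternalId == externalID.
func CheckTrustPolicy(doc []byte, principalARN, externalID string) error {
	var policy struct {
		Statement []statement `json:"Statement"`
	}
	if err := json.Unmarshal(doc, &policy); err != nil {
		return fmt.Errorf("parse trust policy: %w", err)
	}
	found := false
	for i, st := range policy.Statement {
		if st.Effect != "Allow" || !contains(asStrings(st.Action), "sts:AssumeRole") {
			continue
		}
		// Principal is either the string "*" or an object such as {"AWS": "..."};
		// the bare wildcard fails to unmarshal into the struct and is rejected here.
		var principal struct{ AWS json.RawMessage }
		if json.Unmarshal(st.Principal, &principal) != nil {
			return fmt.Errorf("statement %d: principal must name an AWS account or role", i)
		}
		aws := asStrings(principal.AWS)
		if len(aws) != 1 || aws[0] != principalARN {
			return fmt.Errorf("statement %d: principal %v is not exactly %s", i, aws, principalARN)
		}
		// Indexing a nil map is safe in Go, so a missing Condition simply yields nil.
		if !contains(asStrings(st.Condition["StringEquals"]["sts:ExternalId"]), externalID) {
			return fmt.Errorf("statement %d: no StringEquals sts:ExternalId == %q condition", i, externalID)
		}
		found = true
	}
	if !found {
		return errors.New("no Allow statement grants sts:AssumeRole")
	}
	return nil
}

func main() {
	principal := "arn:aws:iam::111122223333:role/ZopNightExecutor"
	fmt.Println("good:", CheckTrustPolicy([]byte(GoodTrustPolicy), principal, "zopnight-external-id"))
	fmt.Println("bad: ", CheckTrustPolicy([]byte(NoExternalIDPolicy), principal, "zopnight-external-id"))
}
```

Run it against the trust policy you are about to attach; a nil result means the role can only be assumed by the named principal and only with the externalId you will submit in the credentials block. Pick an externalId with real entropy rather than a guessable string such as the one in the request example.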
Google Cloud Platform (GCP)
| Auth Method | ID | Description |
|---|---|---|
| Service Account | service_account | JSON key file for a GCP service account |
| OAuth 2.0 | oauth | Three-step OAuth flow with encrypted token exchange |
Microsoft Azure (Azure)
| Auth Method | ID | Description |
|---|---|---|
| Service Principal | service_principal | App registration with client ID, secret, and tenant ID |
| Workload Identity Federation | workload_identity_federation | Federated OIDC identity — no secrets stored |
Permission Levels
| Level | Discovery | Scheduling | Execution |
|---|---|---|---|
| read_only | Yes | Yes | No |
| read_write | Yes | Yes | Yes |
Execution Requires read_write
An account connected with read_only permission is discovered and can have schedules attached, but the executor skips the scheduled actions for its resources. Set read_write to enable actual start/stop operations.
Connected & last-synced visibility
Each cloud account card shows the date it was first connected and the most recent successful sync — broken down per provider service. Useful for spotting accounts where a credential rotation or a permissions drop has silently halted discovery.
Billing upgrade flow
If you connected an account in read_only mode without billing access, you can upgrade in three clicks without re-running setup. ZopNight detects the gap and surfaces a banner on the Dashboard with a per-account Fix button.
- Provider-specific guide — the upgrade drawer renders the exact IAM/role JSON for AWS or Azure based on your existing auth method.
- AWS one-click CloudFormation — for accounts using assume_role, ZopNight generates a CloudFormation template that adds ce:GetCostAndUsage and ce:GetCostAndUsageWithResources to your existing role. No manual policy editing.
- Async verify — the verify step polls the backend until a terminal state is reached, with a real-time spinner during the check.
- GCP excluded — billing is configured at the billing-account level, not the project, so the upgrade flow doesn't apply.
/cloud-accounts/{accountID}/billing/verify
Trigger a verify-only billing sync. Returns 202 with a verifyID; poll /verify/{verifyID} until a terminal state is reached.
/cloud-accounts/{accountID}/billing/verify/{verifyID}
Poll the status of a verify operation. Terminal states: success, failed (with reason).
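A client-side polling loop for the two verify endpoints, as an added Go example rather than ZopNight's own client. It stops on success, surfaces the reason on failed, treats any other status as still running, and gives up after a fixed number of polls so a verify that never terminates cannot hang the caller. The {"data": {"status": ..., "reason": ...}} response shape, the GET method for the poll, and the scripted statuses in main are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"time"
)

// VerifyStatus is one poll result. The page documents two terminal states,
// "success" and "failed" (with a reason); anything else is treated as still running.
type VerifyStatus struct {
	Status string `json:"status"`
	Reason string `json:"reason,omitempty"`
}

// StatusSource abstracts the poll call so the loop can be exercised offline.
type StatusSource interface {
	Status(verifyID string) (VerifyStatus, error)
}

// HTTPSource polls /cloud-accounts/{accountID}/billing/verify/{verifyID} with a
// bearer token. The {"data": {...}} envelope mirrors the responses shown on this
// page; the exact field names of the verify response are an assumption.
type HTTPSource struct {
	BaseURL, AccountID, Token string
	Client                    *http.Client
}

func (h HTTPSource) Status(verifyID string) (VerifyStatus, error) {
	url := fmt.Sprintf("%s/cloud-accounts/%s/billing/verify/%s", h.BaseURL, h.AccountID, verifyID)
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return VerifyStatus{}, err
	}
	req.Header.Set("Authorization", "Bearer "+h.Token)
	resp, err := h.Client.Do(req)
	if err != nil {
		return VerifyStatus{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return VerifyStatus{}, fmt.Errorf("poll returned HTTP %d", resp.StatusCode)
	}
	var body struct {
		Data VerifyStatus `json:"data"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return VerifyStatus{}, err
	}
	return body.Data, nil
}

// ErrVerifyFailed carries the backend's reason so the caller can surface it.
type ErrVerifyFailed struct{ Reason string }

func (e ErrVerifyFailed) Error() string { return "billing verify failed: " + e.Reason }

// WaitForVerify polls until success, a failure with its reason, a transport error,
// or maxPolls attempts. sleep is injectable so the loop can be tested without waiting.
func WaitForVerify(src StatusSource, verifyID string, maxPolls int, interval time.Duration, sleep func(time.Duration)) error {
	for i := 0; i < maxPolls; i++ {
		st, err := src.Status(verifyID)
		if err != nil {
			return err
		}
		switch st.Status {
		case "success":
			return nil
		case "failed":
			return ErrVerifyFailed{Reason: st.Reason}
		}
		sleep(interval) // non-terminal: wait and poll again
	}
	return fmt.Errorf("verify %s did not reach a terminal state after %d polls", verifyID, maxPolls)
}

// FakeSource replays a scripted sequence of poll results for offline use.
type FakeSource struct {
	Seq []VerifyStatus
	i   int
}

func (f *FakeSource) Status(string) (VerifyStatus, error) {
	if f.i >= len(f.Seq) {
		return VerifyStatus{}, errors.New("fake source exhausted")
	}
	st := f.Seq[f.i]
	f.i++
	return st, nil
}

func main() {
	// Constructed sequence: one in-progress poll, then a failure naming the missing permission.
	src := &FakeSource{Seq: []VerifyStatus{{Status: "pending"}, {Status: "failed", Reason: "ce:GetCostAndUsage denied"}}}
	err := WaitForVerify(src, "vf_example", 10, 2*time.Second, func(time.Duration) {})
	fmt.Println("result:", err)
}
```

Against the live API, construct HTTPSource with your base URL, the account ID from the create response and a bearer token, and pass time.Sleep as the sleep function; the verifyID comes from the 202 body of the trigger call.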
Status badges
Requires the cloudaccount:update permission; a request for an account that belongs to another org returns 404.
Create Cloud Account
POST /cloud-accounts
Connect a new cloud account.
AWS Example (Static Keys)
```bash
curl -X POST https://zopnight.com/api/cloud-accounts \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "aws",
    "cloudAccountID": "123456789012",
    "name": "Production AWS",
    "authMethod": "static_keys",
    "permissionLevel": "read_write",
    "credentials": {
      "accessKeyID": "AKIAIOSFODNN7EXAMPLE",
      "secretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLE"
    }
  }'
```
AWS Example (Assume Role)
```bash
curl -X POST https://zopnight.com/api/cloud-accounts \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "aws",
    "cloudAccountID": "123456789012",
    "name": "Production AWS",
    "authMethod": "assume_role",
    "permissionLevel": "read_write",
    "credentials": {
      "roleArn": "arn:aws:iam::123456789012:role/ZopNightRole",
      "externalId": "zopnight-external-id"
    }
  }'
```
GCP Example (Service Account)
```bash
curl -X POST https://zopnight.com/api/cloud-accounts \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "gcp",
    "cloudAccountID": "my-gcp-project-id",
    "name": "Production GCP",
    "authMethod": "service_account",
    "permissionLevel": "read_write",
    "credentials": {
      "serviceAccountJSON": "{...service account key JSON...}"
    }
  }'
```
Azure Example (Service Principal)
```bash
curl -X POST https://zopnight.com/api/cloud-accounts \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "azure",
    "cloudAccountID": "subscription-id",
    "name": "Production Azure",
    "authMethod": "service_principal",
    "permissionLevel": "read_write",
    "credentials": {
      "clientID": "app-client-id",
      "clientSecret": "app-client-secret",
      "tenantID": "azure-tenant-id"
    }
  }'
```
Response (for the AWS static keys request above; note that the submitted credentials are not echoed back):
```json
{
  "data": {
    "id": "ca_abc123",
    "provider": "aws",
    "cloudAccountID": "123456789012",
    "name": "Production AWS",
    "authMethod": "static_keys",
    "permissionLevel": "read_write",
    "status": "active",
    "createdAt": "2025-01-15T10:30:00Z",
    "updatedAt": "2025-01-15T10:30:00Z"
  }
}
```
List Cloud Accounts
/cloud-accounts
List all connected cloud accounts.
Get Cloud Account
/cloud-accounts/{accountID}
Get a specific cloud account by ID.
Update Cloud Account
PUT /cloud-accounts/{accountID}
Update cloud account name, permission level, or credentials.
```bash
curl -X PUT https://zopnight.com/api/cloud-accounts/ca_abc123 \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Renamed AWS Account",
    "permissionLevel": "read_write"
  }'
```
Delete Cloud Account
/cloud-accounts/{accountID}
Disconnect a cloud account. Associated resources will be soft-deleted.
GCP OAuth Flow
For GCP accounts, ZopNight supports a three-step OAuth flow as an alternative to service account keys. Tokens are encrypted with AES-256-GCM and are never exposed in plaintext.
Get OAuth URL
/connect/gcp/oauth-url
Returns a Google OAuth consent URL. Redirect the user to this URL.
Exchange Code
/connect/gcp/oauth-exchange
Exchange the authorization code for an encrypted token reference.
Finalize
/connect/gcp/oauth-finalize
Finalize the connection by selecting a GCP project and setting permissions.
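To make concrete what an "encrypted token reference" in the exchange step can mean, the code below is an added Go example, not ZopNight's implementation. It seals a token with AES-256-GCM, uses the cloud account ID as GCM additional authenticated data so a reference sealed for one account cannot be opened under another, and returns an opaque reference in place of the token. The tok_ prefix, the in-memory store and the token string are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// TokenVault seals OAuth tokens with AES-256-GCM under a 32-byte key and hands
// callers an opaque reference; plaintext exists only inside Seal and Open.
type TokenVault struct {
	aead  cipher.AEAD
	store map[string][]byte // reference -> nonce || ciphertext || tag
}

func NewTokenVault(key []byte) (*TokenVault, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256-GCM needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &TokenVault{aead: aead, store: map[string][]byte{}}, nil
}

// Seal encrypts token under a fresh random nonce, binds it to accountID through
// the GCM additional data, and returns a random "tok_..." reference (constructed
// format) that can be stored or returned to the client instead of the token.
func (v *TokenVault) Seal(accountID, token string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Seal appends to its first argument, so the stored blob is nonce || ciphertext || tag.
	blob := v.aead.Seal(nonce, nonce, []byte(token), []byte(accountID))
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return "", err
	}
	ref := "tok_" + base64.RawURLEncoding.EncodeToString(id)
	v.store[ref] = blob
	return ref, nil
}

// Open returns the token for ref only when accountID matches the one it was
// sealed under; any other account ID fails the GCM tag check and yields nothing.
func (v *TokenVault) Open(accountID, ref string) (string, error) {
	blob, ok := v.store[ref]
	if !ok {
		return "", errors.New("unknown token reference")
	}
	ns := v.aead.NonceSize()
	if len(blob) < ns+v.aead.Overhead() {
		return "", errors.New("stored blob too short")
	}
	pt, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(accountID))
	if err != nil {
		return "", fmt.Errorf("open token for %s: %w", accountID, err)
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // demo only; a real service loads this from a KMS or secret store
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, _ := NewTokenVault(key)
	ref, _ := v.Seal("my-gcp-project-id", "constructed-refresh-token")
	fmt.Println("reference handed back:", ref)
	_, err := v.Open("another-project", ref)
	fmt.Println("open under another project:", err)
}
```

The account ID as additional data is the part worth copying: it costs nothing, and it turns a stolen reference plus a mix-up in the finalize step into a decryption failure instead of a token for the wrong project.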
Cluster Access for Deployment Spaces
Once a cloud account is connected, you can register specific Kubernetes clusters (EKS, GKE, AKS) so ZopNight can mint short-lived kubeconfigs for them. Registering a cluster is the prerequisite for promoting it to a Deployment Space — the unit ZopNight provisions and deploys against.
/cloud-accounts/{accountID}/clusters
List clusters discovered in this cloud account, with their registration status.
```json
{
  "data": [
    {
      "name": "prod-eks",
      "region": "us-east-1",
      "type": "aws-eks",
      "registered": true,
      "registeredAt": "2026-04-15T08:00:00Z"
    },
    {
      "name": "staging-eks",
      "region": "us-east-1",
      "type": "aws-eks",
      "registered": false
    }
  ]
}
```
PUT /cloud-accounts/{accountID}/clusters/{region}/{clusterName}/access
Register a cluster for kubeconfig access.
```bash
curl -X PUT "https://zopnight.com/api/cloud-accounts/ca_abc123/clusters/us-east-1/prod-eks/access" \
  -H "Authorization: Bearer <token>"
```
/cloud-accounts/{accountID}/clusters/{region}/{clusterName}/access
Deregister a cluster (the removal operation on the same path). Existing deployment spaces that target it will fail to deploy until it is re-registered.
What registration does
Azure Workload Identity Federation
For secretless Azure authentication, ZopNight exposes OIDC discovery endpoints that Azure can use to validate tokens via Workload Identity Federation.
/.well-known/openid-configuration
OIDC discovery document for Azure WIF setup.
/.well-known/jwks.json
JSON Web Key Set containing the RSA public key for token validation.
No Secrets Required
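An added Go example, not ZopNight's code, of the trust these two endpoints establish: the issuer publishes only the RSA public key in the JWKS, signs an RS256 assertion with the private key it never shares, and the relying party (Azure's role here) fetches the JWKS, picks the key by kid and verifies the signature and the iss, aud and exp claims. The issuer URL https://zopnight.com, the kid k1, the subject string and the 5-minute lifetime are assumptions; api://AzureADTokenExchange is the audience Azure recommends for federated credentials.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// JWK is one public key as served at /.well-known/jwks.json; JWKS is the whole document.
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}
type JWKS struct{ Keys []JWK `json:"keys"` }

// NewSigningKey generates the RSA key pair; only its public half is ever published.
func NewSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// PublishJWKS builds the JWKS document for one public key (n and e are
// base64url-encoded big-endian integers, so e = 65537 becomes "AQAB").
func PublishJWKS(kid string, pub *rsa.PublicKey) JWKS {
	return JWKS{Keys: []JWK{{Kty: "RSA", Kid: kid,
		N: b64.EncodeToString(pub.N.Bytes()),
		E: b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}}}
}

// SignAssertion mints the RS256 JWT the workload presents to Azure: iss must match the
// discovery document's issuer, sub and aud must match the federated credential in Azure.
func SignAssertion(kid string, priv *rsa.PrivateKey, iss, sub, aud string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	claims, _ := json.Marshal(map[string]any{"iss": iss, "sub": sub, "aud": aud, "iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix()})
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyAssertion plays the relying party: select the key by kid from the JWKS,
// verify the RS256 signature over header.payload, then check iss, aud and exp.
func VerifyAssertion(token string, jwks JWKS, iss, aud string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	raw := make([][]byte, 3) // decoded header, payload, signature
	for i, p := range parts {
		b, err := b64.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("JWT part %d: %w", i, err)
		}
		raw[i] = b
	}
	var header struct{ Alg, Kid string }
	if err := json.Unmarshal(raw[0], &header); err != nil {
		return nil, err
	}
	if header.Alg != "RS256" { // the token never gets to choose the algorithm
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	var key *rsa.PublicKey
	for _, k := range jwks.Keys {
		nb, errN := b64.DecodeString(k.N)
		eb, errE := b64.DecodeString(k.E)
		if k.Kid == header.Kid && k.Kty == "RSA" && errN == nil && errE == nil {
			key = &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}
		}
	}
	if key == nil {
		return nil, fmt.Errorf("no usable RSA key with kid %q in JWKS", header.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], raw[2]) != nil {
		return nil, errors.New("signature invalid")
	}
	var claims map[string]any
	if err := json.Unmarshal(raw[1], &claims); err != nil {
		return nil, err
	}
	if claims["iss"] != iss || claims["aud"] != aud {
		return nil, errors.New("iss or aud mismatch")
	}
	if exp, _ := claims["exp"].(float64); now.Unix() >= int64(exp) {
		return nil, errors.New("assertion expired")
	}
	return claims, nil
}
```

The "no secrets stored" property follows from the split above: the only long-lived secret is the issuer's private key, and the relying party holds nothing but a URL from which it fetches public keys, so rotating the key is a JWKS update rather than a credential rotation on the Azure side. Check that the issuer in your discovery document is exactly the iss value the federated credential in Azure was configured with, since the comparison is a string match.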
See Cloud Support Matrix for the complete list of discoverable and executable resource types per provider.