Cloud Accounts

Connect your AWS, GCP, or Azure accounts to enable resource discovery and scheduling.

Supported Providers

Amazon Web Services (AWS)

Auth Method           | ID                    | Description
Static Access Keys    | static_keys           | IAM access key ID and secret access key
Assume Role           | assume_role           | Cross-account IAM role assumption via STS
Temporary Credentials | temporary_credentials | Short-lived STS credentials

Google Cloud Platform (GCP)

Auth Method     | ID              | Description
Service Account | service_account | JSON key file for a GCP service account
OAuth 2.0       | oauth           | Three-step OAuth flow with encrypted token exchange

Microsoft Azure (Azure)

Auth Method                  | ID                           | Description
Service Principal            | service_principal            | App registration with client ID, secret, and tenant ID
Workload Identity Federation | workload_identity_federation | Federated OIDC identity; no secrets stored

Permission Levels

Level      | Discovery | Scheduling | Execution
read_only  | Yes       | Yes        | No
read_write | Yes       | Yes        | Yes

Execution Requires read_write

Cloud accounts with read_only permission can discover resources and have schedules attached, but the executor will skip actions for those resources. Set read_write to enable actual start/stop operations.

Create Cloud Account

POST /cloud-accounts

Connect a new cloud account.

AWS Example (Static Keys)

curl -X POST https://zopnight.com/api/cloud-accounts \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "aws",
    "cloudAccountID": "123456789012",
    "name": "Production AWS",
    "authMethod": "static_keys",
    "permissionLevel": "read_write",
    "credentials": {
      "accessKeyID": "AKIAIOSFODNN7EXAMPLE",
      "secretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLE"
    }
  }'

AWS Example (Assume Role)

curl -X POST https://zopnight.com/api/cloud-accounts \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "aws",
    "cloudAccountID": "123456789012",
    "name": "Production AWS",
    "authMethod": "assume_role",
    "permissionLevel": "read_write",
    "credentials": {
      "roleArn": "arn:aws:iam::123456789012:role/ZopNightRole",
      "externalId": "zopnight-external-id"
    }
  }'
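The assume_role method only works if the role in the target account trusts ZopNight's principal, and the externalId in the request is what stops an unrelated tenant of the same service from pointing ZopNight at your role (the confused-deputy problem). The following added example, not ZopNight's or AWS's code, builds the trust policy for the role ARN and external ID used in the request above and audits an existing trust policy for the weak form. ZOPNIGHT_PRINCIPAL is a placeholder; the real principal to trust is whatever ZopNight's setup instructions give you.

```python
"""Trust policy for the role in the assume_role example, plus an audit of it.

Added example; not ZopNight's or AWS's code. ZOPNIGHT_PRINCIPAL is a placeholder
for the AWS principal ZopNight assumes the role from. The role ARN and external ID
are the values from the assume_role request on this page.
"""
import json

ZOPNIGHT_PRINCIPAL = "arn:aws:iam::<ZOPNIGHT_ACCOUNT_ID>:root"  # placeholder, not a real ARN
ROLE_ARN = "arn:aws:iam::123456789012:role/ZopNightRole"
EXTERNAL_ID = "zopnight-external-id"


def trust_policy(principal_arn, external_id=None):
    """Trust policy that lets principal_arn call sts:AssumeRole on the role.

    With external_id=None this is the weak form: any caller that can act as the
    trusted principal can assume the role without proving it acts for this tenant.
    With an external ID, STS only honours calls that pass the matching ExternalId.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def audit_trust_policy(policy):
    """Return findings for Allow statements on sts:AssumeRole that are too broad."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: principal is '*' (any AWS account could assume)")
        external_id = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            findings.append(f"statement {i}: no sts:ExternalId condition (confused-deputy risk)")
    return findings


if __name__ == "__main__":
    hardened = trust_policy(ZOPNIGHT_PRINCIPAL, EXTERNAL_ID)
    print(f"Trust policy to attach to {ROLE_ARN}:")
    print(json.dumps(hardened, indent=2))
    print("Audit of the weak form:", audit_trust_policy(trust_policy(ZOPNIGHT_PRINCIPAL)))
```

Run the audit against the trust policy of any role you hand to a third party: the external ID must be a value the third party generated for you, which is why it is sent in the request rather than chosen on the AWS side.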

GCP Example (Service Account)

curl -X POST https://zopnight.com/api/cloud-accounts \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "gcp",
    "cloudAccountID": "my-gcp-project-id",
    "name": "Production GCP",
    "authMethod": "service_account",
    "permissionLevel": "read_write",
    "credentials": {
      "serviceAccountJSON": "{...service account key JSON...}"
    }
  }'

Azure Example (Service Principal)

curl -X POST https://zopnight.com/api/cloud-accounts \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "azure",
    "cloudAccountID": "subscription-id",
    "name": "Production Azure",
    "authMethod": "service_principal",
    "permissionLevel": "read_write",
    "credentials": {
      "clientID": "app-client-id",
      "clientSecret": "app-client-secret",
      "tenantID": "azure-tenant-id"
    }
  }'

Response
{
  "data": {
    "id": "ca_abc123",
    "provider": "aws",
    "cloudAccountID": "123456789012",
    "name": "Production AWS",
    "authMethod": "static_keys",
    "permissionLevel": "read_write",
    "status": "active",
    "createdAt": "2025-01-15T10:30:00Z",
    "updatedAt": "2025-01-15T10:30:00Z"
  }
}
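The four requests above share one body shape, and the credential keys differ only by authMethod. The following added example, not ZopNight's client code, validates a body against what this page documents before it is sent: the provider and authMethod IDs from the tables, the two permission levels, and the credential keys from the curl examples. Auth methods whose credential payload the page does not show (temporary_credentials, oauth, workload_identity_federation) are rejected rather than guessed. It also produces a redacted copy of the body for logging, since secretAccessKey, serviceAccountJSON and clientSecret are long-lived secrets that should never land in request logs.

```python
"""Client-side checks for the POST /cloud-accounts body.

Added example, not ZopNight's client code. Encodes only what this page shows:
provider/authMethod IDs, the two permission levels, and the credential field
names from the curl examples. Payloads the page does not show are rejected.
"""
import json

# provider -> auth method -> required keys under "credentials" (from the curl examples)
REQUIRED_CREDENTIALS = {
    "aws": {"static_keys": ("accessKeyID", "secretAccessKey"),
            "assume_role": ("roleArn", "externalId")},
    "gcp": {"service_account": ("serviceAccountJSON",)},
    "azure": {"service_principal": ("clientID", "clientSecret", "tenantID")},
}
# Listed in the tables, but the page shows no credentials example for them.
PAYLOAD_NOT_SHOWN = {"aws": ("temporary_credentials",), "gcp": ("oauth",),
                     "azure": ("workload_identity_federation",)}
PERMISSION_LEVELS = ("read_only", "read_write")
# Values that must never appear in logs or error messages.
SECRET_KEYS = frozenset({"secretAccessKey", "serviceAccountJSON", "clientSecret"})


def validate_create_request(provider, auth_method, permission_level, credentials):
    """Return a list of problems; an empty list means the body matches the docs."""
    if provider not in REQUIRED_CREDENTIALS:
        return [f"unsupported provider {provider!r}"]
    if auth_method in PAYLOAD_NOT_SHOWN[provider]:
        return [f"{auth_method!r}: credentials payload not documented on this page"]
    required = REQUIRED_CREDENTIALS[provider].get(auth_method)
    if required is None:
        return [f"{auth_method!r} is not an auth method for provider {provider!r}"]
    problems = []
    missing = [k for k in required if not credentials.get(k)]
    if missing:
        problems.append(f"credentials missing {missing}")
    unexpected = sorted(set(credentials) - set(required))
    if unexpected:
        problems.append(f"credentials has unexpected keys {unexpected}")
    if permission_level not in PERMISSION_LEVELS:
        problems.append(f"permissionLevel must be one of {PERMISSION_LEVELS}")
    # AWS access key IDs starting with ASIA are temporary STS keys: they expire,
    # so they belong with temporary_credentials, not static_keys.
    if auth_method == "static_keys" and str(credentials.get("accessKeyID", "")).startswith("ASIA"):
        problems.append("accessKeyID is a temporary (ASIA...) key; use temporary_credentials")
    # The GCP example passes the key file as a JSON string; check it parses and
    # has the fields a service account key file carries.
    if auth_method == "service_account" and credentials.get("serviceAccountJSON"):
        try:
            key = json.loads(credentials["serviceAccountJSON"])
            if not isinstance(key, dict) or key.get("type") != "service_account" or "private_key" not in key:
                problems.append("serviceAccountJSON is not a service account key file")
        except ValueError:
            problems.append("serviceAccountJSON is not valid JSON")
    return problems


def build_create_request(provider, cloud_account_id, name, auth_method,
                         permission_level, credentials):
    """Body for POST /cloud-accounts in the page's field order; raises on problems."""
    problems = validate_create_request(provider, auth_method, permission_level, credentials)
    if problems:
        raise ValueError("; ".join(problems))
    return {"provider": provider, "cloudAccountID": cloud_account_id, "name": name,
            "authMethod": auth_method, "permissionLevel": permission_level,
            "credentials": dict(credentials)}


def redacted(body):
    """Deep copy of a request body with secret credential values masked, for logging."""
    safe = json.loads(json.dumps(body))
    for key in safe.get("credentials", {}):
        if key in SECRET_KEYS:
            safe["credentials"][key] = "<redacted>"
    return safe


if __name__ == "__main__":
    # Same values as the page's static_keys example (AWS's documented sample key pair).
    body = build_create_request(
        "aws", "123456789012", "Production AWS", "static_keys", "read_write",
        {"accessKeyID": "AKIAIOSFODNN7EXAMPLE",
         "secretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLE"})
    print(json.dumps(redacted(body), indent=2))  # log this, send json.dumps(body)
```

Send json.dumps(body) with the Authorization and Content-Type headers shown in the curl examples; log only redacted(body).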

List Cloud Accounts

GET /cloud-accounts

List all connected cloud accounts.

Get Cloud Account

GET /cloud-accounts/{accountID}

Get a specific cloud account by ID.

Update Cloud Account

PUT /cloud-accounts/{accountID}

Update cloud account name, permission level, or credentials.

curl -X PUT https://zopnight.com/api/cloud-accounts/ca_abc123 \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Renamed AWS Account",
    "permissionLevel": "read_write"
  }'

Delete Cloud Account

DELETE /cloud-accounts/{accountID}

Disconnect a cloud account. Associated resources will be soft-deleted.

GCP OAuth Flow

For GCP accounts, ZopNight supports a three-step OAuth flow as an alternative to service account keys. Tokens are encrypted with AES-256-GCM and are never exposed in plaintext.

Step 1: Get OAuth URL

GET /connect/gcp/oauth-url

Returns a Google OAuth consent URL. Redirect the user to this URL.

Step 2: Exchange Code

POST /connect/gcp/oauth-exchange

Exchange the authorization code for an encrypted token reference.

Step 3: Finalize

POST /connect/gcp/oauth-finalize

Finalize the connection by selecting a GCP project and setting permissions.

Azure Workload Identity Federation

For secretless Azure authentication, ZopNight exposes OIDC discovery endpoints that Azure can use to validate tokens via Workload Identity Federation.

GET /.well-known/openid-configuration

OIDC discovery document for Azure WIF setup.

GET /.well-known/jwks.json

JSON Web Key Set containing the RSA public key for token validation.

No Secrets Required

With Workload Identity Federation, no client secrets are stored in ZopNight. Azure validates identity using the OIDC endpoint, eliminating secret rotation concerns.
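Before registering the federated credential in Azure, it is worth checking that the two documents above say what Azure needs: the issuer is an https URL that will match the iss claim of the tokens exactly, the jwks_uri sits on the issuer's host, and the JWKS carries an RSA signing key with a unique kid and an adequate modulus. The following added example, not ZopNight's code, runs those structural checks. SAMPLE_DISCOVERY and SAMPLE_JWKS are constructed to match the page's description (an issuer and a JWKS with one RSA key); their values, including the issuer URL and the dummy modulus, are placeholders rather than the live endpoints' output, and the checks do not verify a token signature.

```python
"""Structural checks on the OIDC discovery document and JWKS behind Azure WIF.

Added example, not ZopNight's code. SAMPLE_DISCOVERY and SAMPLE_JWKS are
constructed placeholders shaped like the documents the page describes; ISSUER
is an assumed value. Nothing here verifies a token signature.
"""
import base64
from urllib.parse import urlparse

ISSUER = "https://zopnight.com"  # assumed; take the real value from the live document

SAMPLE_DISCOVERY = {  # constructed sample of GET /.well-known/openid-configuration
    "issuer": ISSUER,
    "jwks_uri": ISSUER + "/.well-known/jwks.json",
    "response_types_supported": ["id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


SAMPLE_JWKS = {  # constructed sample of GET /.well-known/jwks.json; n is a dummy 2048-bit value
    "keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "example-key-1",
              "n": _b64url(b"\xc3" + b"\x5a" * 255), "e": "AQAB"}],
}


def check_discovery(doc):
    """Problems with a discovery document as an Azure federated credential reads it."""
    problems = []
    issuer = urlparse(doc.get("issuer", ""))
    # Azure matches the token's iss claim against the federated credential's
    # issuer string, so the value must be an https URL without query or fragment.
    if issuer.scheme != "https" or not issuer.netloc:
        problems.append("issuer must be an https URL")
    if issuer.query or issuer.fragment:
        problems.append("issuer must not contain a query or fragment")
    jwks = urlparse(doc.get("jwks_uri", ""))
    if jwks.scheme != "https" or jwks.netloc != issuer.netloc:
        problems.append("jwks_uri must be https on the issuer's host")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 must be advertised for the RSA key in the JWKS")
    return problems


def check_jwks(jwks, min_bits=2048):
    """Problems with a JWKS meant for RS256 token validation."""
    problems = []
    keys = jwks.get("keys", [])
    if not keys:
        return ["JWKS has no keys"]
    kids = [k.get("kid") for k in keys]
    if None in kids or len(set(kids)) != len(kids):
        problems.append("every key needs a unique kid so verifiers can select it")
    for k in keys:
        label = k.get("kid", "<no kid>")
        if k.get("kty") != "RSA" or not k.get("n") or not k.get("e"):
            problems.append(f"{label}: expected an RSA key with n and e")
            continue
        if k.get("use", "sig") != "sig":
            problems.append(f"{label}: use must be 'sig' for a token-signing key")
        if k.get("alg", "RS256") != "RS256":
            problems.append(f"{label}: alg should be RS256")
        modulus = _b64url_decode(k["n"]).lstrip(b"\x00")
        if len(modulus) * 8 < min_bits:
            problems.append(f"{label}: modulus is only {len(modulus) * 8} bits (< {min_bits})")
    return problems


def check_wif_issuer(discovery, jwks):
    """All problems from both documents; an empty list means they pass."""
    return check_discovery(discovery) + check_jwks(jwks)


if __name__ == "__main__":
    print(check_wif_issuer(SAMPLE_DISCOVERY, SAMPLE_JWKS) or "discovery and JWKS look consistent")
```

Feed the functions the parsed JSON from the two GET endpoints; a non-empty result is something to fix before the federated credential is created, because a mismatched issuer or an unselectable key shows up later only as a generic token-validation failure on the Azure side.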

See Cloud Support Matrix for the complete list of discoverable and executable resource types per provider.