Cloud Credentials
Admin Only
This page is only visible to organization administrators.
EntryGuard requires cloud provider credentials to manage IP rules on your behalf. Credentials are encrypted at rest using AES-256-GCM and are never exposed in API responses.
Adding a Credential
- Navigate to Credentials under the Admin section in the sidebar.
- Click Add Credential.
- Fill in the form:
  - Name — A descriptive name (e.g., "AWS Production")
  - Provider — Select your cloud provider: AWS, GCP, AZURE, or APISIX
  - Type — The credential type (e.g., ACCESS_KEY for AWS)
- Enter the provider-specific fields:
  - AWS: Access Key ID and Secret Access Key
  - APISIX: Endpoint URL and Admin API Key
- Click Create.
The credential appears in the credentials table. Verification happens automatically in the background.
Credentials Table
| Column | Description |
|---|---|
| Name | Credential display name |
| Provider | AWS, GCP, AZURE, or APISIX |
| Type | Credential type (e.g., ACCESS_KEY) |
| Status | Verification status badge |
| Created | When the credential was added |
| Actions | Delete button |
Status Indicators
- Valid (green) — Credential verified and working
- Invalid (red) — Verification failed; check your credentials
- Unverified (gray) — Verification in progress or not yet checked
Automatic Verification
After creating a credential, EntryGuard automatically verifies it in the background:
- AWS: Calls `sts:GetCallerIdentity` to confirm the credentials are valid
- Verification usually completes within a few seconds
- Refresh the page to see the updated status
Deleting a Credential
Click the delete button (trash icon) on the credential row.
Warning: Deleting a credential also deletes all cloud resources associated with it. Make sure no active sessions depend on those resources.
Security
- All credential data is encrypted with AES-256-GCM before storage
- Secret keys are never returned in any response or shown in the UI after creation
- All API communication uses HTTPS/TLS
Best Practices
- Dedicated IAM users — Create a separate IAM user specifically for EntryGuard
- Minimum permissions — Apply only the required IAM policy
- Rotate credentials — Periodically rotate access keys and update in EntryGuard
- Separate environments — Use different credentials for production and staging
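To act on the dedicated-user and rotation practices above, the following added example (not EntryGuard's own code) audits the JSON printed by `aws iam list-access-keys --user-name <user>` for the dedicated IAM user. It flags inactive keys, keys past a rotation window, and rotations left unfinished. The 90-day window, the user name `entryguard-svc` and the key IDs in the sample are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # assumed rotation window; the page does not specify one

# Constructed sample in the shape printed by `aws iam list-access-keys`.
# The user name and key IDs are placeholders, not real identifiers.
SAMPLE = """
{"AccessKeyMetadata": [
  {"UserName": "entryguard-svc", "AccessKeyId": "AKIAEXAMPLEOLD000001",
   "Status": "Active", "CreateDate": "2024-01-10T09:00:00+00:00"},
  {"UserName": "entryguard-svc", "AccessKeyId": "AKIAEXAMPLENEW000002",
   "Status": "Active", "CreateDate": "2024-06-01T09:00:00+00:00"}
]}
"""


def audit_keys(listing_json, now=None, max_age_days=MAX_KEY_AGE_DAYS):
    """Return {access_key_id: [findings]} for every key with a finding."""
    now = now or datetime.now(timezone.utc)
    keys = json.loads(listing_json)["AccessKeyMetadata"]
    active = [k for k in keys if k["Status"] == "Active"]
    findings = {}
    for key in keys:
        notes = []
        # Accept both "+00:00" and "Z" UTC suffixes.
        created = datetime.fromisoformat(key["CreateDate"].replace("Z", "+00:00"))
        age = (now - created).days
        if key["Status"] != "Active":
            # An inactive key is rejected by STS, so verification cannot pass.
            notes.append("inactive: STS verification with this key will fail")
        elif age > max_age_days:
            notes.append(f"active for {age} days: rotate and update the credential")
        if key["Status"] == "Active" and len(active) > 1:
            # Two active keys usually means a rotation was started but not finished.
            notes.append("second active key on this user: finish rotation, remove the unused key")
        if notes:
            findings[key["AccessKeyId"]] = notes
    return findings


if __name__ == "__main__":
    for key_id, notes in audit_keys(SAMPLE).items():
        for note in notes:
            print(f"{key_id}: {note}")
```
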
Troubleshooting
Credential Shows "Invalid"
- Verify the Access Key ID and Secret Access Key are correct
- Check that the IAM user is active and not disabled in AWS
- Ensure the IAM user has at least the `sts:GetCallerIdentity` permission
- Confirm the AWS account is in good standing
Credential Shows "Unverified"
- Wait a few seconds and refresh the page — verification is asynchronous
- If it stays unverified, try deleting and re-creating the credential
Next Steps
API Reference: For programmatic access, see Create Credential.