Cloud Providers

Connect SeaGit to your cloud accounts, GitHub repositories, container registries, and other services with secure credential management.

What are Providers?

Providers connect SeaGit to your cloud accounts, GitHub repositories, container registries, and other services. They store credentials securely and grant SeaGit least-privilege access to provision infrastructure and deploy applications on your behalf.

Think of providers as secure bridges between SeaGit and external services. You configure them once, and SeaGit uses them automatically when creating resources.

Supported Provider Types

Cloud Providers

🟠 AWS (Amazon Web Services)

Use Case: Deploy Kubernetes clusters (EKS), networks (VPC), load balancers, and applications

Required Credentials:

Access Key ID
Secret Access Key
Region (default: us-east-1)

Permissions Needed:

ec2:* - VPC, Subnets, Security Groups, ENI, Launch Templates
eks:* - EKS Cluster Management, Access Entries, Addons
iam:* - Service Roles, Instance Profiles, Policies
autoscaling:* - Auto Scaling Groups, Launch Configurations
kms:* - Encryption Keys for EKS Secrets
ssm:* - Parameter Store for Node Group Configuration
sqs:* - Queue Management for Node Termination Handler
events:* - EventBridge Rules for Spot Interruptions
logs:* - CloudWatch Logs for EKS Control Plane
ecr:* - Container Image Registry (Pull/Push Images)
elasticloadbalancing:* - ALB/NLB for Ingress
route53:* - DNS Management
acm:* - TLS Certificates

Permission Breakdown:

Cluster Creation: eks:*, iam:*, kms:*, logs:*
Node Groups: ec2:*, autoscaling:*, ssm:*, iam:CreateInstanceProfile
VPC CNI Plugin: ec2:DescribeNetworkInterfaces, ec2:CreateNetworkInterface, ec2:AttachNetworkInterface
Spot Instances: events:*, sqs:*, autoscaling:*
Container Images: ecr:GetAuthorizationToken, ecr:BatchGetImage, ecr:GetDownloadUrlForLayer
Load Balancers: elasticloadbalancing:*, ec2:DescribeSecurityGroups

Best Practice: Create an IAM user specifically for SeaGit with only required permissions, not root account credentials. Consider using AWS EKS IAM best practices.

🔵 Google Cloud Platform

Use Case: Deploy GKE clusters (coming soon)

Required Credentials:

Service Account JSON
Project ID

Permissions Needed:

Compute Admin
Kubernetes Engine Admin

🔷 Microsoft Azure

Use Case: Deploy AKS clusters (coming soon)

Required Credentials:

Tenant ID
Client ID
Client Secret

Permissions Needed: Contributor role

🟦 Digital Ocean

Use Case: Deploy DOKS clusters (coming soon)

Required Credentials:

API Token

Source Control Providers

⚫ GitHub

Use Case:

Fetch source code for builds
List repositories
Create webhooks
Deploy from GitHub

Authentication Methods:

Personal Access Token - Simple, user-specific
GitHub App (recommended) - Organization-wide, better security

Required Scopes:

repo - Full repository access
read:user - Read user profile
webhook - Create webhooks

Container Registries

🐳 Docker Registry

Use Case: Push built images, pull private images

Supported Types:

Docker Hub
AWS ECR
Google Container Registry (GCR)
Azure Container Registry (ACR)
GitHub Container Registry (GHCR)
Harbor
JFrog Artifactory

Required Credentials:

Registry URL (e.g., docker.io, ghcr.io)
Username
Password/Token

Helm Repositories

⎈ Helm Charts

Use Case: Deploy applications from Helm charts

Supported Types:

HTTPS Repositories (https://charts.example.com)
OCI Registries (oci://public.ecr.aws/xxx)
GitHub/GitLab (raw chart files)

Authentication: Username + Password (optional for private repos)

DNS Providers

🟠 Cloudflare

Use Case: Automatic DNS record management

Required Credentials:

Email
API Token (not Global API Key)

Permissions: Zone.DNS (Edit)

🔷 PowerDNS

Use Case: Self-hosted DNS management

Required Credentials:

Server URL
Server ID
API Key

Communication Providers

💬 Slack

Use Case: Deployment notifications, alerts

Authentication: OAuth (one-click)

Required Scopes: chat:write, channels:read

Adding a Provider

Step 1: Navigate to Providers

Go to Account Settings → Providers
Or use the quick link: `/account/providers`

Step 2: Select Provider Type

Click + Add Provider and choose:

Cloud provider (AWS, GCP, Azure)
GitHub
Docker Registry
Helm Repository
DNS Provider
Slack

Step 3: Enter Credentials

Example: Adding AWS Provider

{
  "name": "My AWS Account - Production",
  "type": "aws",
  "credentials": {
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "secretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "region": "us-east-1"
  }
}

Step 4: Test Connection

SeaGit will validate credentials by:

Making a test API call
Checking permissions
Verifying access

Step 5: Use Provider

Once added, the provider appears in:

Network creation → Select AWS provider
Cluster creation → Select network (which uses AWS provider)
Domain management → Select Route53 provider

AWS IAM Policy Example

Create an IAM policy with these permissions for SeaGit to manage EKS clusters, node groups, and container images:

Click to open policy in a modal for easy copying

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EKSClusterManagement",
      "Effect": "Allow",
      "Action": [
        "eks:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "EC2NetworkingAndCompute",
      "Effect": "Allow",
      "Action": [
        "ec2:AllocateAddress",
        "ec2:AssociateRouteTable",
        "ec2:AttachInternetGateway",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateInternetGateway",
        "ec2:CreateNatGateway",
        "ec2:CreateRoute",
        "ec2:CreateRouteTable",
        "ec2:CreateSecurityGroup",
        "ec2:CreateSubnet",
        "ec2:CreateTags",
        "ec2:CreateVpc",
        "ec2:CreateLaunchTemplate",
        "ec2:CreateNetworkInterface",
        "ec2:AttachNetworkInterface",
        "ec2:DeleteInternetGateway",
        "ec2:DeleteNatGateway",
        "ec2:DeleteNetworkInterface",
        "ec2:DeleteRoute",
        "ec2:DeleteRouteTable",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteSubnet",
        "ec2:DeleteTags",
        "ec2:DeleteVpc",
        "ec2:DeleteLaunchTemplate",
        "ec2:Describe*",
        "ec2:DetachInternetGateway",
        "ec2:DisassociateAddress",
        "ec2:DisassociateRouteTable",
        "ec2:ModifySubnetAttribute",
        "ec2:ModifyVpcAttribute",
        "ec2:ReleaseAddress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RunInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "*"
    },
    {
      "Sid": "IAMRoleManagement",
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:GetRole",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy",
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:CreateInstanceProfile",
        "iam:DeleteInstanceProfile",
        "iam:GetInstanceProfile",
        "iam:AddRoleToInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:PassRole",
        "iam:TagRole",
        "iam:UntagRole",
        "iam:CreateOpenIDConnectProvider",
        "iam:DeleteOpenIDConnectProvider",
        "iam:GetOpenIDConnectProvider",
        "iam:TagOpenIDConnectProvider"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AutoScalingManagement",
      "Effect": "Allow",
      "Action": [
        "autoscaling:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "KMSKeyManagement",
      "Effect": "Allow",
      "Action": [
        "kms:CreateKey",
        "kms:CreateAlias",
        "kms:DeleteAlias",
        "kms:DescribeKey",
        "kms:GetKeyPolicy",
        "kms:GetKeyRotationStatus",
        "kms:ListAliases",
        "kms:ListResourceTags",
        "kms:PutKeyPolicy",
        "kms:ScheduleKeyDeletion",
        "kms:TagResource",
        "kms:UntagResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SSMParameterStore",
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:PutParameter",
        "ssm:DeleteParameter",
        "ssm:AddTagsToResource",
        "ssm:RemoveTagsFromResource",
        "ssm:DescribeParameters",
        "ssm:GetParametersByPath"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SQSQueueManagement",
      "Effect": "Allow",
      "Action": [
        "sqs:CreateQueue",
        "sqs:DeleteQueue",
        "sqs:GetQueueAttributes",
        "sqs:SetQueueAttributes",
        "sqs:TagQueue",
        "sqs:UntagQueue",
        "sqs:ListQueues"
      ],
      "Resource": "*"
    },
    {
      "Sid": "EventBridgeRules",
      "Effect": "Allow",
      "Action": [
        "events:PutRule",
        "events:DeleteRule",
        "events:DescribeRule",
        "events:PutTargets",
        "events:RemoveTargets",
        "events:TagResource",
        "events:UntagResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CloudWatchLogs",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:DeleteLogGroup",
        "logs:DescribeLogGroups",
        "logs:PutRetentionPolicy",
        "logs:TagResource",
        "logs:UntagResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ECRContainerRegistry",
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:PutImage",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:CreateRepository",
        "ecr:DeleteRepository",
        "ecr:DescribeRepositories",
        "ecr:ListImages"
      ],
      "Resource": "*"
    },
    {
      "Sid": "LoadBalancerManagement",
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Route53DNSManagement",
      "Effect": "Allow",
      "Action": [
        "route53:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ACMCertificateManagement",
      "Effect": "Allow",
      "Action": [
        "acm:*"
      ],
      "Resource": "*"
    }
  ]
}

⚠️ Production Recommendation:

For production environments, consider tightening resource constraints using specific ARNs and condition keys. The above policy uses Resource: "*" for simplicity.

Minimum required IAM managed policies alternative: AmazonEKSClusterPolicy, AmazonEKSVPCResourceController, AmazonEC2ContainerRegistryReadOnly

Creating the IAM User

# 1. Create IAM policy
aws iam create-policy \
  --policy-name SeaGitEKSFullAccess \
  --policy-document file://seagit-eks-policy.json

# 2. Create IAM user
aws iam create-user --user-name seagit-eks

# 3. Attach policy to user
aws iam attach-user-policy \
  --user-name seagit-eks \
  --policy-arn arn:aws:iam::ACCOUNT_ID:policy/SeaGitEKSFullAccess

# 4. Create access key
aws iam create-access-key --user-name seagit-eks

Best Practices

Security

✅ DO:

Use IAM roles with least privilege
Rotate credentials regularly (90 days)
Use separate providers for dev/prod
Enable MFA on cloud accounts
Use read-only providers for monitoring

❌ DON'T:

Share credentials across teams
Use root account credentials
Grant *:* permissions
Store credentials in application code

Organization

Naming Convention: {Provider}-{Environment}-{Purpose}
- Example: AWS-Production-EKS
- Example: GitHub-Staging-Source
One Provider Per Account: Don't mix dev and prod in same provider
Use Multiple Regions: Create region-specific providers if needed

Cost Management

Tag providers with cost centers
Review unused providers monthly
Delete old providers after migration

Troubleshooting

"Invalid Credentials" Error

Symptoms: Provider fails validation with 401/403 error

Causes:

Incorrect Access Key or Secret Key
Credentials expired or rotated
Insufficient IAM permissions
Wrong region specified

Solution:

# Test AWS credentials locally
aws sts get-caller-identity --profile your-profile

# Verify permissions
aws iam simulate-principal-policy \
  --policy-source-arn arn:aws:iam::123456789012:user/seagit \
  --action-names ec2:DescribeVpcs eks:DescribeCluster

# Check expiration
aws iam get-access-key-last-used --access-key-id AKIAIOSFODNN7EXAMPLE

"Insufficient Permissions" Error

Symptoms: Provider validates but operations fail

Cause: Missing IAM policies

Solution: Attach required policies to IAM user

GitHub "Repository Not Found" Error

Symptoms: Cannot see repositories in application setup

Causes:

Token missing repo scope
Private repository without access
Token expired

Solution:

Go to GitHub → Settings → Developer Settings → Personal Access Tokens
Regenerate token with repo and read:user scopes
Update provider in SeaGit

API Reference

List Providers

GET /providers?accid={accountId}&type={type}&output={output}

Query Parameters:

type: Filter by type (aws, gcp, github, docker, etc.)
output: Response format (list for simplified, full for detailed)

Create Provider

POST /providers?accid={accountId}&orgid={orgId}
Content-Type: application/json

{
  "name": "My AWS Provider",
  "type": "aws",
  "credentials": {
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "secretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "region": "us-east-1"
  }
}

Delete Provider

DELETE /providers/{providerId}?accid={accountId}

Note: Cannot delete providers still in use by networks or clusters.

Previous: Overview Next: Networks