Profiles
Profiles are ObserverContexts — the identity, scope, and permission set under which Escher observes your cloud estate.
What a profile is
A profile is not a credential. It is Escher's representation of a cloud CLI configuration entry:
Profile: prod-admin
Provider: AWS
Account: 123456789012
Region: us-east-1 (default)
Source: ~/.aws/credentials [prod-admin]
Permissions: ec2:Describe*, s3:List*, iam:Get*, ...
Status: Active

Escher discovers profiles from:
- `~/.aws/credentials` and `~/.aws/config` (AWS)
- `az account list` output (Azure)
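The AWS side of this discovery, sketched as an added example (not Escher's own code): it collects profile names, regions and source files from the two shared files and never copies key material into the result. The function name `discover_profiles` and the sample file contents are constructed for illustration.

```python
import configparser

# Constructed sample file contents; the key values are placeholders, not real.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = CONSTRUCTED_KEY_ID_0
aws_secret_access_key = constructed-secret-not-real

[prod-admin]
aws_access_key_id = CONSTRUCTED_KEY_ID_1
aws_secret_access_key = constructed-secret-not-real
"""

SAMPLE_CONFIG = """\
[default]
region = us-west-2

[profile prod-admin]
region = us-east-1

[profile audit-readonly]
role_arn = arn:aws:iam::123456789012:role/audit
source_profile = prod-admin

[sso-session corp]
sso_region = us-east-1
"""

def _sections(text):
    parser = configparser.RawConfigParser()  # Raw: no '%' interpolation
    parser.read_string(text)
    return {name: dict(parser.items(name)) for name in parser.sections()}

def discover_profiles(credentials_text, config_text):
    """Return {name: {"region", "sources"}} without copying any secret value."""
    profiles = {}
    for name in _sections(credentials_text):  # only section names are used
        profiles[name] = {"region": None, "sources": ["~/.aws/credentials"]}
    for section, values in _sections(config_text).items():
        # config uses [default] and [profile NAME]; credentials uses bare [NAME]
        if section != "default" and not section.startswith("profile "):
            continue  # sso-session, services, ... are not profiles
        name = section[len("profile "):].strip() if section != "default" else section
        entry = profiles.setdefault(name, {"region": None, "sources": []})
        entry["region"] = values.get("region")
        entry["sources"].append("~/.aws/config")
    return profiles
```
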
Profile lifecycle
Discovered → Enabled → Active (scanning) → Disabled
↓
Error (auth failure, insufficient permissions)

| Action | Description |
|---|---|
| Discover | Scan local CLI config for new profiles |
| Enable | Allow the profile to participate in estate scans |
| Test Access | Validate credentials and check permissions |
| Disable | Exclude from scans without deleting |
| Annotate | Attach a local note (e.g. "prod read-only", "audit account") |
| View Diagnostics | See specific API errors preventing full scan coverage |
Multiple profiles, same account
You can enable multiple profiles for the same cloud account. This is useful for:
- Validating least-privilege access (compare what `audit-readonly` sees vs `prod-admin`)
- Covering different permission scopes (e.g. one profile for EC2/S3, another for IAM)
The EstateView merges observations across profiles and annotates which profile provided each resource.
Profile status meanings
| Status | Description |
|---|---|
| OK | Full scan completed, all domains accessible |
| PARTIAL | Some service domains failed (insufficient permissions for those APIs) |
| ERROR | Authentication failed — credentials expired or invalid |
| DISCONNECTED | Profile was previously active but credentials can no longer be validated |
Next steps
- AWS Connection — Set up an AWS profile
- Azure Connection — Set up an Azure profile
- Multi-Cloud — Use AWS and Azure profiles together