Add a Cloud Profile (in-app)

How to connect AWS or Azure from inside the Escher app — without touching a CLI.


What's a profile?

A profile is one connection between Escher and a cloud account, subscription, or project. You can have many profiles — one per AWS account, one per Azure subscription — and Escher reasons across all of them at once.

Each profile carries:

  • A name (chosen by you, e.g. prod-aws, analytics-gcp)
  • A status (active / paused / failed-auth)
  • A scope (which regions / locations Escher reads from)
  • A last-refreshed timestamp

Add a profile

  1. Open Settings → Profiles in the app
  2. Trigger the add-profile action
  3. Pick a provider: AWS or Azure
  4. Follow the provider-specific flow below

INFO

The exact menu path to Settings → Profiles and the add-profile control may differ across builds. The functional flow described below — discover existing CLI profiles, enable, test access — is what's stable.


AWS

Escher reads from your existing AWS CLI configuration (~/.aws/credentials and ~/.aws/config). The in-app flow does not ask you to paste an access key — it lists profiles you've already configured locally and lets you enable them one by one.

  1. Click Discover Profiles — Escher scans your local ~/.aws/credentials
  2. Your existing profiles appear with status Discovered
  3. Click Enable on the profile you want
  4. Click Test Access — Escher attempts the read calls it needs
  5. If access is sufficient, status becomes ✓ Connected. If not, Escher tells you which permissions are missing.
  6. Click Done

TIP

If you don't see your AWS profiles listed, they may not exist locally yet. Run aws configure --profile your-profile-name from a terminal first, then click Discover Profiles again.

For the read-only IAM policy Escher needs, see Connect AWS. If you're new to AWS, see AWS setup for first-time founders.
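To see before clicking Discover Profiles which profiles exist locally and what kind of credential each one holds, the following added example (not Escher's code; how Escher itself parses these files is not described on this page) applies the AWS CLI file conventions: section names in ~/.aws/credentials are profile names, while ~/.aws/config uses [profile name] for everything except [default]. The sample file contents and the function names are constructed for illustration, and only key names are read, never secret values.

```python
import configparser
from pathlib import Path
# Constructed sample input (fake values), shaped like ~/.aws/credentials and ~/.aws/config.
SAMPLE_CREDENTIALS = """[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructed-not-a-real-secret
[prod-aws]
aws_access_key_id = ASIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructed-not-a-real-secret
aws_session_token = constructed-token
"""
SAMPLE_CONFIG = """[profile prod-aws]
region = eu-west-1
[profile audit-ro]
role_arn = arn:aws:iam::111122223333:role/ReadOnlyAudit
source_profile = default
[profile dev-sso]
sso_session = corp
[sso-session corp]
"""

def classify(keys):
    """Name the credential type from key names only; values are never inspected."""
    if "sso_session" in keys or "sso_start_url" in keys:
        return "sso"
    if "role_arn" in keys:
        return "assume-role"
    if "aws_access_key_id" in keys:
        return "temporary-keys" if "aws_session_token" in keys else "long-lived-keys"
    return "no-credentials"

def list_profiles(credentials_text, config_text):
    """Map each locally configured profile name to its credential type."""
    merged = {}
    for text, is_config in ((credentials_text, False), (config_text, True)):
        parser = configparser.RawConfigParser()
        parser.read_string(text)
        for section in parser.sections():
            name = section
            if is_config and section != "default":
                if not section.startswith("profile "):
                    continue  # e.g. [sso-session ...] is not a profile
                name = section[len("profile "):].strip()
            merged.setdefault(name, set()).update(parser[section].keys())
    return {name: classify(keys) for name, keys in sorted(merged.items())}

if __name__ == "__main__":  # run against the real files; prints names and types only
    files = [Path.home() / ".aws" / f for f in ("credentials", "config")]
    print(list_profiles(*(p.read_text() if p.exists() else "" for p in files)))
```

Profiles reported as long-lived-keys are the ones worth checking against the read-only policy before enabling them, since a static key carries whatever permissions its IAM user has.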


Azure

Escher reads from your active az CLI session.

  1. From a terminal, run az login (if you haven't already today)
  2. In Escher, click Add Profile → Azure
  3. Escher lists every subscription your CLI session can see
  4. Tick the subscriptions you want to enable
  5. Click Test Access — confirms the Reader role on each
  6. Click Done

If a subscription shows ⚠ "Insufficient role," ask whoever administers your tenant to assign the Reader role on that subscription. Security Reader unlocks deeper IAM and storage analysis.


GCP

GCP support is on the roadmap. There is no GCP scanner shipped today — see Connect GCP.


After the profile is connected

Run an estate scan from the app — Escher reads the resources from each connected profile and builds the map. First scan typically takes 3–8 minutes per account.


Escher — Agentic CloudOps by Tessell