docs(cloud): document configuring the GCP and AWS cloud providers #54
Merged
sourcehawk merged 4 commits into May 30, 2026
New public docs page covering the read-only GCP/AWS cloud-context MCP: what it gives the agent, the pinned-identity model, per-provider setup (GCP serviceAccountTokenCreator impersonation, AWS assume-role profile), the full cloud: profile block, scope and command allowlists, and visible degrade. Registered the section in both docs/site/lib/sections.ts and frontend/components/DocsView.tsx, placed next to Connections.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add a "Cloud sources" section and the cloud: block to the profiles page (anatomy YAML plus a prose reference pointing at the cloud-providers page), and a "Cloud (read-only)" subsection to connections explaining that cloud identities are profile-configured, read-only, and validated by the identity probe.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Operators forking the default see the cloud: block shape (a gcp and an aws source) with every field explained. Kept commented so it does not activate a cloud source on the runnable default.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Enhance the read-only cloud section's note to say identities are pinned in the profile's cloud: block (not entered here), point at the Cloud providers docs for the impersonation / assume-role setup, and name the operator's own re-auth commands. No edit affordance added.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Description
Towards #44
Documents how to configure the read-only cloud-context MCP providers (GCP and AWS) for operators, with no Go logic changes. Adds a dedicated docs page covering the identity model (operator-ambient base auth plus harness-pinned impersonation/assume-role), the `cloud:` profile block, the scope and command allowlists, and the visible-degrade behaviour, then threads pointers to it from the connections and profiles docs, the default profile, and the connections panel.
Changes
- `docs/content/cloud-providers.md`: what the cloud MCP gives the agent (read-only reachability, IAM, GKE/EKS config, logs, audit), the pinned-identity model, per-provider setup (GCP `roles/iam.serviceAccountTokenCreator` impersonation via `CLOUDSDK_AUTH_IMPERSONATE_SERVICE_ACCOUNT`; AWS assume-role profile via `AWS_PROFILE`), the full commented `cloud:` block with every field, the scope allowlist, the command-allowlist override plus hardcoded deny floor, and visible degrade.
- `docs/site/lib/sections.ts` and `frontend/components/DocsView.tsx`, placed next to Connections.
- `docs/content/connections.md` with a "Cloud (read-only)" subsection and `docs/content/profiles.md` with a "Cloud sources" section plus the `cloud:` block in the anatomy YAML.
- `cloud:` example (a gcp and an aws source) to `internal/profile/profiles/default/profile.yaml` so forks see the shape without activating a source.
- `frontend/components/ConnectionsPanel.tsx`) to point operators at the profile `cloud:` block and the Cloud providers docs for the SA/assume-role config, with no edit affordance added.
Testing
- `cd frontend && npm run typecheck` clean; `npm test -- --run` green (29 files, 195 tests, including the existing ConnectionsPanel cloud-pill specs).
- `make build` succeeds: the docs sync (`frontend/scripts/sync-docs.mjs`, run via `prebuild`) mirrors `cloud-providers.md` into `frontend/public/docs/`, the docs site SSG generates the `cloud-providers/` route, and both Go binaries build with the embedded bundle.
- `make docs` builds the standalone GitHub Pages docs site clean.
🤖 Generated with Claude Code