---
title: "Getting Started with Cloud Connection"
slug: "fortanix-key-insight-getting-started-with-cloud-connection"
updated: 2026-05-26T10:26:53Z
published: 2026-05-26T10:43:02Z
---


# Getting Started with Cloud Connection

## 1.0 Introduction

This article helps you get started with the Fortanix Key Insight cloud connection.

It also describes:

- How to sign up and log in to Fortanix Armor.
- How to access the Fortanix Key Insight solution.
- How to configure the Amazon Web Services (AWS) connection.
- How to configure the Azure cloud connection.
- How to configure the Google Cloud Platform (GCP) connection.

## 2.0 Terminology Reference

- *For AWS connection concepts and supported features, refer to [AWS Connection Concepts](https://support.fortanix.com/docs/fortanix-key-insight-aws-connection-concepts).*
- *For Azure connection concepts and supported features, refer to [Azure Connection Concepts](https://support.fortanix.com/docs/fortanix-key-insight-azure-connection-concepts).*
- *For GCP connection concepts and supported features, refer to [GCP Connection Concepts](https://support.fortanix.com/docs/gcp-connection-concepts).*

## 3.0 Log In and Create an Account

Fortanix Key Insight is a solution on the Fortanix Armor platform. Therefore, you need to create an account on the Fortanix Armor platform if you do not already have one.

### 3.1 Sign Up and Log In to Fortanix Armor Platform - New Users

If you are accessing Fortanix Key Insight for the first time, you need to sign up for Fortanix Armor to access Key Insight. For subsequent access, you can log in to Fortanix Armor directly.

*For more information on how to sign up, log in, and create an account for Fortanix Key Insight, refer to [Getting Started with Fortanix Armor](/v1/docs/fortanix-armor-getting-started).*

### 3.2 Log In to Fortanix Armor Platform - Existing Users

You can directly log in to the Fortanix Armor platform to access Key Insight if you have already signed up and have an account.

*For more information on how to log in and create an account on Fortanix Armor, refer to [Getting Started with Fortanix Armor](/v1/docs/fortanix-armor-getting-started).*

## 4.0 Access Fortanix Key Insight

After creating and selecting your Fortanix Armor account, you are redirected to the **Available Solutions** page in Fortanix Armor. From this page, you can access Fortanix Key Insight.

Perform the following steps:

1. Ensure the appropriate region (**European Union** or **North America**) is selected from the **Region** drop down. The selected region determines where your data is processed and stored. It also ensures that connections, scans, and UI elements are displayed based on the selected region.

   *For more information on configuring regions, refer to [Fortanix Armor Solutions](https://support.fortanix.com/docs/fortanix-armor-solutions#22-key-insight).*
2. Click **GO TO KEY INSIGHT** to access Fortanix Key Insight and begin onboarding cloud connections.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_Region Selector.png)

**Figure 1: Access Fortanix Key Insight solution**

## 5.0 Configure an AWS Connection

After accessing the Fortanix Key Insight solution from Fortanix Armor, you can configure and onboard an AWS connection to scan your cryptographic materials (Keys, Services, and Certificates).

### 5.1 Prerequisites

The following are the prerequisites before configuring an AWS connection on Fortanix Key Insight:

#### 5.1.1 Set Up an AWS Role in an AWS Organization

Before onboarding an AWS connection, perform the steps described in [*AWS Connection Scanning Configuration*](/v1/docs/fortanix-key-insight-aws-configuration-for-scanning) to set up your AWS Role in the AWS organization.

#### 5.1.2 IP Whitelisting Requirements in AWS

To enable secure and reliable communication between Fortanix Key Insight and your AWS cloud environment, certain network connections may need to be allowed.

If your AWS accounts enforce inbound restrictions, the following Internet Protocol (IP) addresses must be whitelisted in your firewall to allow Fortanix Key Insight to initiate scanning connections into your AWS resources:

- `149.14.69.36/32`
- `149.14.123.28/32`
- `184.104.204.100/32`

IP whitelisting is not mandatory. It is required only if there are network restrictions on your AWS accounts for inbound traffic.

### 5.2 AWS Authentication Methods

AWS supports the following authentication mechanisms to control how users and applications obtain credentials for accessing AWS services:

- **Secret-based authentication**: An authentication method in which an application stores long-lived AWS access keys (Access Key ID and Secret Access Key) and uses them directly to sign AWS API requests.
- **Federated authentication**: An authentication method where users or applications access AWS resources using existing credentials from an external identity provider (IdP), such as PingOne or Microsoft Entra ID. This eliminates the need to store long-lived secrets.

AWS commonly uses the following OAuth flows in federated authentication scenarios:

- **Authorization code flow**: Used when a user is involved. The user authenticates with the IdP, the application receives an authorization code, and the code is exchanged for tokens (ID, access, and/or refresh tokens).
- **Client credentials flow**: Used for machine-to-machine communication. The application authenticates directly with the IdP using its client ID and secret to obtain tokens, with no user interaction required.
  - **API gateway** (optional): In AWS, an API gateway (such as Kong Gateway) validates tokens, signs AWS requests when required, and proxies them to AWS services, providing centralized authentication and authorization.

### 5.3 Select Cloud Provider

Perform the following steps to select the AWS cloud provider:

1. On the **Select Cloud Provider** step, select **Cloud Connections** type and the **Amazon Web Services** cloud provider.
2. Click **NEXT**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1774874574478.png)

**Figure 2: Select the AWS cloud provider**

> [!NOTE]
> NOTE
> 
> You can also add an AWS connection by clicking **ADD CLOUD CONNECTION** in the top-right corner of the **CLOUD** tab on the **Connections** page.

### 5.4 Set Up Authentication

AWS supports the secret-based and federated authentication methods to control how users and applications obtain credentials to access AWS services.

*For more information on the definitions of the AWS authentication methods, refer to [Section 5.2: AWS Authentication Methods](/v1/docs/fortanix-key-insight-getting-started-with-cloud-connection#52-aws-authentication-methods).*

#### 5.4.1 Secret-based Authentication

Perform the following steps to add a secret-based AWS authentication:

1. On the **Set Up Authentication** step, select the **Secret based** authentication.
2. **AWS access key:** Enter an AWS access key.
3. **AWS secret access key:** Enter an AWS secret access key.

   *For more information on how to fetch the secret-based authentication credentials, refer to [AWS Connection Scanning Configuration](https://support.fortanix.com/hc/en-us/articles/25759186591252-Fortanix-Key-Insight-AWS-Configuration-for-Scanning).*
4. Click **NEXT**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_AWS Step 2.1.png)

**Figure 3: Select AWS secret-based authentication**

#### 5.4.2 Federated Authentication - Authorization Code Flow

Fortanix Key Insight supports configuring AWS connections using the **Authorization code flow** with **PingOne** and **Microsoft Entra ID** as the identity providers.

*For more information on how to configure the IdPs and obtain the credentials (**Client ID, Well-known URL,** and **Scopes**), refer to the following:*

- [*AWS Configuration For PingOne as OpenID Connect Identity Provider*](/v1/docs/fortanix-key-insight-aws-configuration-for-pingone-as-open-id-connect-identity-provider)
- [*AWS Configuration For Microsoft Entra ID as OpenID Connect Identity Provider*](/v1/docs/fortanix-key-insight-aws-configuration-for-microsoft-entra-id-as-open-id-connect-identity-provider)

> [!NOTE]
> NOTE
> 
> - Fortanix Key Insight recommends creating a dedicated user account in the respective IdP for AWS federated authentication. This account is used to authenticate with the IdP or authorization server and to grant the necessary authorization consent during the connection setup.
> - The dedicated user account must remain active, and any modifications to the account will require re-authorization to update and refresh the authentication configuration.

Perform the following steps to add an IdP configuration using the Authorization code flow:

1. On the **Set Up Authentication** step, select **Federated authentication**.
2. In the **Select Configuration** section, click **ADD CONFIGURATION** to add a new Identity Provider (IdP) configuration.
3. In the **Add New Configuration** dialog box, the **Authorization code flow** option is selected by default.
   1. **Name of configuration**: Enter a name for the configuration.
   2. **Well-known URL**: Enter the Well-known URL of your IdP.
   3. **Client ID**: Enter the Client ID of your IdP.
   4. **Scope**: Add the required scope(s). The default scopes are available to select. You can also add custom scopes if they are already configured.

      > [!NOTE]
      > NOTE
      >
      > Ensure to include the `offline_access` scope when configuring a Microsoft Entra ID IdP.
   5. Click **AUTHORIZE**.

   A new browser window opens for authorization, depending on the IdP. After you complete the required steps, the new IdP is added to the **Select configuration** list.

   ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1774874613387.png)

   **Figure 4: Add a configuration using Authorization Code flow**
4. After adding and selecting the IdP, enter the Amazon Resource Name (ARN) in the **Role ARN** field.

   *For more information on how to fetch the ARN, refer to [AWS Connection Scanning Configuration](https://support.fortanix.com/hc/en-us/articles/25759186591252-Fortanix-Key-Insight-AWS-Configuration-for-Scanning).*

   > [!NOTE]
   > NOTE
   >
   > The **Role ARN** field is visible only if you have added and selected an IdP configured with the **Authorization code flow**.
5. Click **NEXT**.

> [!NOTE]
> NOTE
> 
> You can also add an IdP using the **Authorization code flow** by clicking **ADD CONFIGURATION** in the top-right corner of the **Authentication** page.
> 
> *For more information on managing the Federated Authentication IdP configurations, refer to [Federated Authentication Identity Provider Configurations](https://support.fortanix.com/docs/federated-authentication-identity-provider-configurations).*

#### 5.4.3 Federated Authentication - Client Credentials Flow

Fortanix Key Insight supports configuring AWS connections using the **Client Credentials flow** with **Kong** as the API Gateway and **Okta** and **Auth0** as supported IdPs.

*For more information on configuring the IdPs and obtaining the required credentials, refer to the following:*

- [*Set Up Kong API Gateway for AWS*](https://support.fortanix.com/docs/set-up-kong-api-gateway) (**API Gateway URL**)
- [*Okta Configuration for Client Credentials Authentication*](https://support.fortanix.com/docs/okta-configuration-for-client-credentials-authentication) (**Client ID, Client Secret, Well-known URL**, and **Scopes**)
- [*Auth0 Configuration for Client Credentials Authentication*](https://support.fortanix.com/docs/auth0-configuration-for-client-credentials-authentication) (**Client ID, Client Secret, Well-known URL**, and **Scopes**)

> [!NOTE]
> NOTE
> 
> - A dedicated application registration in each identity provider is required to securely validate tokens.
> - If the IdP configuration is updated (for example, Client ID, Client Secret, Issuer URL, or scopes), re-authorization is required to maintain a valid onboarding configuration.

Perform the following steps to add an IdP configuration using the **Client credentials flow**:

1. On the **Set Up Authentication** step, select **Federated authentication**.
2. In the **Select Configuration** section, click **ADD CONFIGURATION** to add a new IdP configuration.
3. In the **Add New Configuration** dialog box:

   ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1774874642625.png)

   **Figure 5: Add a configuration using Client Credentials flow**
   1. **Client credentials flow**: Select this option to authenticate using client credentials.
   2. **Name**: Enter a name for the configuration.
   3. **Client ID**: Enter the Client ID of your IdP.
   4. **Client Secret**: Enter the Client Secret of your IdP.
   5. **Well-known URL**: Enter the Well-known URL of your IdP.
   6. **Scope(s)** (optional): Add custom scopes if required.
   7. **Add API Gateway URL (Required for AWS connections):** Select this check box to enter the API gateway URL. This is the public URL of the API Gateway deployed in your environment (for example, Kong Gateway). You can obtain this URL from your API Gateway deployment or from the administrator managing the gateway.

      Example: `https://kong.westus2.cloudapp.azure.com:8443/auth0`
   8. Click **AUTHORIZE** to complete the authorization.
4. After adding and selecting an IdP, click **NEXT**.

> [!NOTE]
> NOTE
> 
> - When adding or editing the configuration, an **Authorization Failed** error message may appear if authorization cannot be completed due to incorrect credentials, invalid scope, or other configuration issues.
> - You can also add an IdP using the **Client credentials flow** by clicking **ADD CONFIGURATION** in the top-right corner of the **Authentication** page. *For more information on managing the Federated Authentication IdP configurations, refer to [Federated Authentication Identity Provider Configurations](https://support.fortanix.com/docs/federated-authentication-identity-provider-configurations).*
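The two OpenID Connect exchanges behind the fields above (Well-known URL, Client ID, Client Secret, Scope), for both the Authorization code flow of Section 5.4.2 and the Client credentials flow of this section, as an added Python example that is not Fortanix code: it resolves a constructed discovery document offline, builds the authorize URL (enforcing the `offline_access` note for Entra ID), and runs the client-credentials token request against a constructed stand-in IdP so that the `invalid_client` and `invalid_scope` errors behind an **Authorization Failed** message can be seen. All hostnames, client IDs, secrets and scope names are placeholders.

```python
import json
import secrets
from urllib.parse import urlencode, urlparse

# Constructed sample of what a GET on an IdP's Well-known URL returns (trimmed).
# idp.example is a placeholder host, not a real identity provider.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example/",
    "authorization_endpoint": "https://idp.example/authorize",
    "token_endpoint": "https://idp.example/token",
})


def discover(well_known_url, http_get):
    """Resolve the Well-known URL to the IdP's endpoints.

    http_get(url) -> str is injected so this runs offline; a real client would
    do an HTTPS GET. Only https endpoints are accepted, because the token
    endpoint learned here is where the client secret will be sent.
    """
    if urlparse(well_known_url).scheme != "https":
        raise ValueError("Well-known URL must use https")
    doc = json.loads(http_get(well_known_url))
    for key in ("issuer", "authorization_endpoint", "token_endpoint"):
        if urlparse(doc.get(key, "")).scheme != "https":
            raise ValueError(f"discovery document lacks an https {key}")
    return doc


def build_authorize_url(disc, client_id, scopes, redirect_uri, entra=False):
    """Authorization code flow, step 1: the URL the browser window opens.

    Enforces the page's note for Microsoft Entra ID: without offline_access no
    refresh token is issued, so the stored configuration would stop working
    as soon as the first access token expires.
    """
    if entra and "offline_access" not in scopes:
        raise ValueError("Entra ID configurations require the offline_access scope")
    state = secrets.token_urlsafe(16)  # ties the callback to this session (anti-CSRF)
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "scope": " ".join(scopes),
                       "state": state})
    return f"{disc['authorization_endpoint']}?{query}", state


def client_credentials_token(disc, client_id, client_secret, scopes, http_post):
    """Client credentials flow: machine-to-machine, no browser involved.

    http_post(url, form) -> (status, body) is injected. Raises with the IdP's
    error code, which is what the UI reports as "Authorization Failed":
    invalid_client for a wrong secret, invalid_scope for an ungranted scope.
    """
    form = {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}
    if scopes:
        form["scope"] = " ".join(scopes)
    status, body = http_post(disc["token_endpoint"], form)
    resp = json.loads(body)
    if status != 200 or "access_token" not in resp:
        raise RuntimeError(f"authorization failed: {resp.get('error', status)}")
    return resp


# Constructed offline stand-in for the IdP: one registered client and one
# grantable scope, so both the success and the failure paths can be exercised.
FAKE_CLIENT = ("scanner-app", "placeholder-secret")
FAKE_ALLOWED_SCOPE = "keyinsight.read"


def fake_get(url):
    return SAMPLE_DISCOVERY


def fake_post(url, form):
    if (form.get("client_id"), form.get("client_secret")) != FAKE_CLIENT:
        return 401, json.dumps({"error": "invalid_client"})
    if set(form.get("scope", "").split()) - {FAKE_ALLOWED_SCOPE}:
        return 400, json.dumps({"error": "invalid_scope"})
    return 200, json.dumps({"access_token": "constructed.access.token",
                            "token_type": "Bearer", "expires_in": 3600})


if __name__ == "__main__":
    disc = discover("https://idp.example/.well-known/openid-configuration", fake_get)
    print(build_authorize_url(disc, "scanner-app", ["openid", "offline_access"],
                              "https://app.example/callback", entra=True)[0])
    print(client_credentials_token(disc, *FAKE_CLIENT, [FAKE_ALLOWED_SCOPE], fake_post))
```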

### 5.5 Set Up Cloud Connections

Perform the following steps on the **Set Up Cloud Connections** step:

1. **AWS cloud connection name:** Enter a name for your AWS connection. For example, **AWS connection1**.
2. On the **Select scope** section:
   - **Organization:** Select this option if you want to onboard an AWS organization. This allows you to onboard all the AWS accounts in the AWS organization.
   - **Account:** Select this option if you want to onboard a single AWS account.
3. Click **NEXT**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI AWS Step 3.png)

**Figure 6: Configure AWS cloud account in Fortanix Key Insight**

### 5.6 Select AWS Accounts

Perform the following steps to select AWS accounts:

1. On the **Select AWS Accounts** step:
   - If you selected **Organization** scope in the previous step, choose **Select All** to onboard all AWS accounts in the AWS organization, or manually select the accounts you want to onboard.
   - If you selected **Account** scope, select the single AWS account to scan and onboard that account.
2. Click **NEXT**.

> [!NOTE]
> NOTE
> 
> Fortanix Key Insight scans only the AWS metadata and does not access any AWS key material.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI AWS Step 4(1).png)

**Figure 7: Select AWS accounts**

### 5.7 Select Key Insight Policy

The **System Defined Policy** is selected by default on the **Key Insight Policy** step. This policy is designed to facilitate the scanning of keys and services based on predefined key sizes and permitted operations, ensuring compliance with standard security configurations.

Click **NEXT** to proceed.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI AWS Step 5.png)

**Figure 8: Select Key Insight policy**

Additionally,

- Click **ADD POLICY** to add a new user-defined policy to the policy center.
- Click ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image(135).png) to copy and modify a system-defined policy, converting it into a user-defined policy.

*For more information on Fortanix Key Insight policies and features, refer to [Cryptographic Policy Management](https://support.fortanix.com/docs/cryptographic-policy-management).*

> [!NOTE]
> NOTE
> 
> If you change or update the policy instead of the **System Defined Policy**, you must **Rescan** the AWS connection to apply the new policy.

### 5.8 Select External Key Source

On the **Select External Key Source** step, you can integrate Fortanix Key Insight with an external key source such as Fortanix DSM to enable key correlation and improve key management.

Perform the following steps:

1. Select any of the following options:
   - **Yes, connect now**: This option allows you to add an external key source for your AWS cloud connection and correlate keys using the **ADD EXTERNAL KEY SOURCE** feature. *For more information, refer to [Getting Started with External Key Source Connection](/docs/fortanix-key-insight-getting-started-with-external-key-source-connection).* After adding the Fortanix DSM connection, select it from the list.

     ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI AWS Step 6.1.png)

     **Figure 9: Add external key source**
   - **No, I’ll connect later**: This option allows you to onboard the AWS connection without adding an external key source. You can add it later if needed.

     ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI AWS Step 6.2.png)

     **Figure 10: Onboard AWS connection without an external key source**
2. Click **FINISH** to complete the AWS connection onboarding.

> [!NOTE]
> NOTE
> 
> After onboarding the AWS connection:
> 
> - View the AWS connection user interface (UI) (**Overview, Assessment, Keys**, and so on). You can also **switch the region** at any time using the region switcher drop down located on the top navigation bar. When the region is changed, the UI updates automatically to show the data, connections, and scan results for that region.
>
>   *For more information about the AWS connection UI, refer to [AWS Connection - User Interface Components](/v1/docs/fortanix-key-insight-user-interface-components-aws).*
> - Users with the **Account Administrator** and **Group Administrator** roles can manage (edit, delete, rescan) the connection from the **Connections** page on the **CLOUD** tab.
>   - Deleting the AWS connection cannot be undone.
> - A group with the same name will be created on the Fortanix IAM **Groups** page. *For more information on Groups, refer to [Fortanix Armor Identity and Access Management (IAM)](/v1/docs/fortanix-fortanix-armor-identity-and-access-management-iam).*

## 6.0 Configure an Azure Connection

After accessing the Fortanix Key Insight solution from Fortanix Armor, if you want to onboard Azure subscriptions, then you need to configure the Azure cloud connection to scan your keys and services.

### 6.1 Prerequisites

The following are the prerequisites before configuring an Azure cloud connection on Fortanix Key Insight:

#### 6.1.1 Set Up Azure Permissions

Before onboarding the Azure cloud,

- *Follow the steps described in [Azure Connection Scanning Configuration Using Custom Roles](/v1/docs/fortanix-key-insight-azure-configuration-for-scanning-using-custom-roles) to set up your Azure permissions using custom roles.*
- *Follow the steps described in [Azure Connection Scanning Configuration Using Built-In Roles](/v1/docs/fortanix-key-insight-azure-configuration-for-scanning-using-built-in-roles) to set up your Azure permissions using built-in roles.*

#### 6.1.2 IP Whitelisting Requirements in Azure

To enable secure and reliable communication between Fortanix Key Insight and your Azure cloud environment, certain network connections may need to be allowed.

If your Azure subscriptions enforce inbound restrictions, the following Internet Protocol (IP) addresses must be whitelisted in your firewall to allow Fortanix Key Insight to initiate scanning connections into your Azure resources:

- `149.14.69.36/32`
- `149.14.123.28/32`
- `184.104.204.100/32`

IP whitelisting is not mandatory. It is required only if there are network restrictions on your Azure accounts for inbound traffic.

### 6.2 Azure Authentication Methods

Azure supports the following authentication mechanisms to control how users and applications obtain credentials for accessing Azure services:

- **Secret-based authentication**: An authentication method in which an application stores long-lived Azure credentials (Client ID, Client Secret, and Tenant ID) and uses them directly to sign Azure API requests.
- **Federated authentication**: An authentication method where users or applications access Azure resources using existing credentials from an external identity provider (IdP), such as PingOne or Microsoft Entra ID. This eliminates the need to store long-lived secrets.

Azure commonly uses the following OAuth flow in federated authentication scenarios:

- **Authorization code flow**: Used when a user is involved. The user authenticates with the IdP, the application receives an authorization code, and the code is exchanged for tokens (ID, access, and/or refresh tokens).

### 6.3 Select Cloud Provider

Perform the following steps to select the Azure cloud provider:

1. On the **Select Cloud Provider** step, select **Cloud Connections** type and the **Azure** cloud provider.
2. Click **NEXT**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI Azure Step 1.png)

**Figure 11: Select Azure cloud provider**

> [!NOTE]
> NOTE
> 
> You can also add an Azure connection by clicking **ADD CLOUD CONNECTION** in the top-right corner of the **CLOUD** tab on the **Connections** page.

### 6.4 Set Up Authentication

Azure supports the secret-based and federated authentication methods to control how users and applications obtain credentials to access Azure services. *For more information on the definitions of the Azure authentication methods, refer to [Section 6.2: Azure Authentication Methods](/v1/docs/fortanix-key-insight-getting-started-with-cloud-connection#62-azure-authentication-methods).*

#### 6.4.1 Secret-based Authentication

Perform the following steps to add a secret-based Azure authentication:

1. On the **Set Up Authentication** step, select the **Secret based** authentication.
   1. **Client ID**: Enter the Client ID of your IdP.
   2. **Client secret**: Enter the Client secret of your IdP.
   3. **Tenant ID**: Enter the Tenant ID of your IdP.

   *For detailed steps on obtaining the secret-based authentication credentials, refer to [Azure Connection Scanning Configuration Using Custom Roles](https://support.fortanix.com/docs/fortanix-key-insight-azure-configuration-for-scanning-using-custom-roles).*
2. Click **NEXT**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1776687804227.png)

**Figure 12: Select Azure secret-based authentication**

#### 6.4.2 Federated Authentication - Authorization Code Flow

Fortanix Key Insight supports configuring Azure connections using the **Authorization code flow** with **PingOne** and **Microsoft Entra ID** as the identity providers (IdPs).

*For more information on how to configure the IdPs and obtain the credentials (**Client ID, Well-known URL,** and **Scopes**), refer to the following:*

- [*Azure Configuration For Microsoft Entra ID as OpenID Connect Identity Provider*](/v1/docs/fortanix-key-insight-azure-configuration-for-microsoft-entra-id-as-open-id-connect-identity-provider)
- [*Azure Configuration For PingOne as OpenID Connect Identity Provider*](/v1/docs/fortanix-key-insight-azure-configuration-for-pingone-as-open-id-connect-identity-provider)

> [!NOTE]
> NOTE
> 
> - Fortanix Key Insight recommends creating a dedicated user account in the respective IdP for Azure federated authentication. This account is used to authenticate with the IdP or authorization server and to grant the necessary authorization consent during the connection setup.
> - The dedicated user account must remain active, and any modifications to the account will require re-authorization to update and refresh the authentication configuration.

Perform the following steps to add an IdP configuration using the Authorization code flow:

1. On the **Set Up Authentication** step, select **Federated authentication**.
2. **Azure application client ID:** Enter the Azure application ID.
3. **Tenant ID**: Enter the Azure Tenant ID.
4. In the **Select configuration** section, click **ADD CONFIGURATION** to add a new IdP configuration.
5. In the **Add New Configuration** dialog box, the **Authorization code flow** option is selected by default.
   1. **Name of configuration**: Enter a name for the configuration.
   2. **Client ID**: Enter the Client ID of your IdP.
   3. **Well-known URL**: Enter the Well-known URL of your IdP.
   4. **Scope**: Add the required scope(s). The default scopes are available to select. You can also add custom scopes if they are already configured.

      > [!NOTE]
      > NOTE
      >
      > Ensure to include the `offline_access` scope when configuring a Microsoft Entra ID IdP.
   5. Click **AUTHORIZE** to add a new IdP. A new browser window opens for authorization, depending on the IdP. After you complete the required steps, the new IdP is added to the **Select configuration** list.

      ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI Azure Step 2.1.png)

      **Figure 13: Add an Azure IdP**
6. After adding and selecting the IdP configuration, click **NEXT**.

> [!NOTE]
> NOTE
> 
> - You can also add an IdP using the **Authorization code flow** by clicking **ADD CONFIGURATION** in the top-right corner of the **Authentication** page. *For more information on managing the Federated Authentication IdP configurations, refer to [Federated Authentication Identity Provider Configurations](https://support.fortanix.com/docs/federated-authentication-identity-provider-configurations).*
> - Currently, Azure **does not support** configuring Federated authentication using the **Client credentials flow**.

### 6.5 Set Up Cloud Connections

Perform the following steps on the **Set Up Cloud Connections** step:

1. **Azure cloud connection name:** Enter the name of your Azure connection. For example, **Azure Cloud**.
2. On the **Select scope** section:
   - **Management Groups:** Select this option to onboard all the Azure subscriptions.
   - **Subscription:** Select this option if you want to onboard a single subscription.
3. Based on the selected scope, enter one of the following:
   - **Management group ID:** Enter the Management group ID.
   - **Subscription ID:** Enter the subscription ID.

   *For detailed steps on obtaining these IDs, refer to [Azure Connection Scanning Configuration Using Custom Roles](https://support.fortanix.com/docs/fortanix-key-insight-azure-configuration-for-scanning-using-custom-roles).*
4. Click **NEXT**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI Azure Step 3.png)

**Figure 14: Configure Azure cloud subscription in Fortanix Key Insight**

### 6.6 Select Azure Subscriptions

Perform the following steps to select the Azure subscriptions:

1. On the **Select Azure Subscriptions** step:
   - If you selected the **Management Groups** scope in the previous step, choose **Select All Subscriptions** to onboard all subscriptions in the management group, or manually select the subscriptions you want to onboard.
   - If you selected **Subscription** scope, select the single Azure subscription to scan and onboard that subscription.
2. Click **NEXT.**

> [!NOTE]
> NOTE
> 
> Fortanix Key Insight scans only the Azure metadata and does not access any Azure key material.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI Azure Step 4.png)

**Figure 15: Select Azure subscriptions**

### 6.7 Select Key Insight Policy

The **System Defined Policy** is selected by default on the **Key Insight Policy** step. This policy is designed to facilitate the scanning of keys and services based on predefined key sizes and permitted operations, ensuring compliance with standard security configurations.

Click **NEXT** to proceed.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI Azure Step 5.png)

**Figure 16: Azure Key Insight policy**

Additionally,

- Click **ADD POLICY** to add a new user-defined policy to the policy center.
- Click ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image(135).png) to copy and modify a system-defined policy, converting it into a user-defined policy.

*For more information on Fortanix Key Insight policies and features, refer to [Cryptographic Policy Management](https://support.fortanix.com/docs/cryptographic-policy-management).*

> [!NOTE]
> NOTE
> 
> If you change or update the policy instead of the **System Defined Policy**, you must **Rescan** the Azure connection to apply the new policy.

### 6.8 Select External Key Source

On the **Select External Key Source** step, you can integrate Fortanix Key Insight with an external key source such as Fortanix DSM to enable key correlation and improve key management.

1. Select any of the following options:
   - **Yes, connect now**: This option allows you to add the external key source for your Azure cloud connection to correlate keys using the **ADD EXTERNAL KEY SOURCE** feature. *For more information, refer to [Getting Started with External Key Source Connection](/docs/fortanix-key-insight-getting-started-with-external-key-source-connection).* After adding the Fortanix DSM connection, select it from the list.

     ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI Azure Step 6.1.png)

     **Figure 17: Add external key source**
   - **No, I’ll connect later**: This option allows you to onboard the Azure connection without adding an external key source. You can add it later if needed.

     ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI Azure Step 6.2.png)

     **Figure 18: Onboard Azure connection without an external key source**
2. Click **FINISH** to complete the Azure connection onboarding.

> [!NOTE]
> NOTE
> 
> After onboarding the Azure connection:
> 
> - View the Azure connection UI (**Overview**, **Assessment**, **Keys**, and so on). You can also **switch the region** using the region switcher drop down located on the top navigation bar. When the region is changed, the UI updates automatically to show the data, connections, and scan results for that region.
>
>   *For more information about the Azure connection UI, refer to [Azure Connection - User Interface Components](/v1/docs/fortanix-key-insight-user-interface-components-azure).*
> - Users with the **Account Administrator** and **Group Administrator** roles can manage (edit, delete, rescan) the connection from the **Connections** page on the **CLOUD** tab.
>   - Deleting the Azure connection cannot be undone.
> - A group with the same name will be created on the Fortanix IAM **Groups** page. *For more information, refer to [Fortanix Armor Identity and Access Management (IAM)](/v1/docs/fortanix-fortanix-armor-identity-and-access-management-iam).*

## 7.0 Configure a GCP Connection

After accessing the Fortanix Key Insight solution from Fortanix Armor, you can configure and onboard a GCP connection to scan your cryptographic elements (keys and services).

### 7.1 Prerequisites

The following are the prerequisites before configuring a GCP connection on Fortanix Key Insight:

#### 7.1.1 Set Up a GCP Role in the GCP Organization

Before onboarding a GCP connection, perform the steps described in [*GCP Connection Scanning Configuration*](https://support.fortanix.com/docs/gcp-connection-scanning-configuration) to set up the required GCP role in your GCP organization.

#### 7.1.2 IP Whitelisting Requirements in GCP

To enable secure and reliable communication between Fortanix Key Insight and your GCP cloud environment, certain network connections may need to be allowed.

If your GCP projects enforce inbound restrictions, the following Internet Protocol (IP) addresses must be whitelisted in your firewall to allow Fortanix Key Insight to initiate scanning connections into your GCP resources:

- `149.14.69.36/32`
- `149.14.123.28/32`
- `184.104.204.100/32`

IP whitelisting is not mandatory. It is required only if there are network restrictions on your GCP projects for inbound traffic.
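As an added example (not Fortanix code), the following Python checks whether an existing ingress allowlist already covers the three Key Insight source addresses listed above, and flags accepted connections from any other source in a firewall log. The log lines and the allowlist entries are constructed for the example; only the three Key Insight addresses come from this page.

```python
import ipaddress

# Key Insight scanner source addresses as documented in Section 7.1.2.
KEY_INSIGHT_SOURCES = ("149.14.69.36/32", "149.14.123.28/32", "184.104.204.100/32")

# Constructed firewall log lines for the example: "<timestamp> <action> <src_ip> <dst>".
SAMPLE_LOG = [
    "2026-05-26T10:00:01Z ALLOW 149.14.69.36 10.20.0.5:443",
    "2026-05-26T10:00:02Z ALLOW 203.0.113.9 10.20.0.5:443",
    "2026-05-26T10:00:03Z DENY 198.51.100.7 10.20.0.5:443",
    "2026-05-26T10:00:04Z ALLOW 184.104.204.100 10.20.0.5:443",
]


def uncovered_sources(current_allowlist, required=KEY_INSIGHT_SOURCES):
    """Return the required Key Insight ranges that no entry in the current
    allowlist covers. Non-IPv4 entries are ignored because the documented
    addresses are all IPv4."""
    current = [ipaddress.ip_network(c, strict=True) for c in current_allowlist]
    current = [n for n in current if n.version == 4]
    missing = []
    for cidr in required:
        net = ipaddress.ip_network(cidr, strict=True)
        if not any(net.subnet_of(cur) for cur in current):
            missing.append(cidr)
    return missing


def unexpected_allowed_sources(log_lines, allowed=KEY_INSIGHT_SOURCES):
    """Return source IPs the firewall accepted that are not among the documented
    Key Insight addresses. Each one is worth reviewing: an ALLOW rule wider than
    the /32 entries above admits more than the scanner."""
    allowed_nets = [ipaddress.ip_network(c) for c in allowed]
    flagged = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4 or fields[1] != "ALLOW":
            continue
        src = ipaddress.ip_address(fields[2])
        if not any(src in net for net in allowed_nets):
            flagged.append(str(src))
    return flagged


if __name__ == "__main__":
    print("missing:", uncovered_sources(["149.14.69.36/32", "184.104.0.0/16"]))
    print("unexpected:", unexpected_allowed_sources(SAMPLE_LOG))
```

`uncovered_sources` accepts a wider range such as `184.104.0.0/16` as covering `184.104.204.100/32`, which is why the second function exists: a wide rule satisfies the requirement but also lets in sources that are not the scanner, so both checks belong together.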

### 7.2 GCP Authentication Methods

GCP supports the following authentication mechanisms to control how users and applications obtain credentials for accessing GCP services:

- **Secret-based authentication**: This method uses a Google Cloud service account to securely authenticate Fortanix Key Insight with your GCP environment. You must provide the service account email and a private key to securely access GCP resources for scanning.
- **Federated authentication**: An authentication method where users or workloads access GCP resources using existing credentials from an external identity provider (IdP), such as Ping Identity and PingFederate. This eliminates the need to store long-lived service account keys by using Workload Identity Federation and short-lived credentials.

GCP commonly uses the following OAuth flow in federated authentication scenarios:

- **Client credentials flow**: Used for machine-to-machine communication. The application authenticates directly with the IdP using its client ID and secret to obtain tokens, with no user interaction required.

### 7.3 Select Cloud Provider

Perform the following steps to select the GCP cloud provider:

1. On the **Select Cloud Provider** step, select the **Cloud Connections** type and the **Google Cloud Platform** cloud provider.
2. Click **NEXT**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI GCP.png)

**Figure 19: Select the GCP cloud provider**

> [!NOTE]
> NOTE
> 
> You can also add a GCP connection by clicking **ADD CLOUD CONNECTION** in the top-right corner of the **CLOUD** tab on the **Connections** page.

### 7.4 Set Up Authentication

GCP supports the secret-based and federated authentication methods to control how users and applications obtain credentials to access GCP services. *For more information on the definitions of the GCP authentication methods, refer to [Section 7.2: GCP Authentication Methods](/v1/docs/fortanix-key-insight-getting-started-with-cloud-connection#72-gcp-authentication-methods).*

#### 7.4.1 Secret-Based Authentication

Perform the following steps to add a secret-based GCP authentication:

1. On the **Set Up Authentication** step, the **Secret based** authentication option is selected by default. Enter the following:
  1. **Service Account Email:** Enter your service account email address.
  2. **Private Key:** Enter the private key associated with the service account.

*For more information on how to fetch these credentials, refer to [GCP Connection Scanning Configuration](https://support.fortanix.com/docs/gcp-connection-scanning-configuration#33-create-and-save-a-private-key-for-the-service-account).*
2. Click **NEXT**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1776687868367.png)

**Figure 20: Configure authentication in GCP**

#### 7.4.2 Federated Authentication - Client Credentials Flow

Fortanix Key Insight supports configuring GCP connections using the **Client credentials flow** with **Kong** as the API Gateway and **Ping Identity** and **PingFederate** as supported IdPs.

*For information on configuring the IdP and obtaining the required credentials, refer to the following:*

- [*Set Up Kong API Gateway for GCP*](https://support.fortanix.com/docs/set-up-kong-api-gateway-for-gcp) (**API Gateway URL**)
- [*GCP Configuration Using Ping Identity as an OpenID Connect Identity Provider*](https://support.fortanix.com/docs/fortanix-key-insight-gcp-configuration-using-ping-identity-as-an-openid-connect-idp) (**Client ID**, **Client Secret**, **Well-known URL**, and **GCP Audience**)
- [*GCP Configuration Using PingFederate as an OpenID Connect Identity Provider*](https://support.fortanix.com/docs/fortanix-key-insight-gcp-configuration-using-pingfederate-as-an-openid-connect-idp) (**Client ID**, **Client Secret**, **Well-known URL**, and **GCP Audience**)

Perform the following steps to add an IdP configuration using the Client credentials flow:

1. On the **Set Up Authentication** step, select **Federated authentication**.
2. **Service account email:** Enter the service account email address. *For more information on how to obtain this value, refer to [GCP Connection Scanning Configuration](https://support.fortanix.com/docs/gcp-connection-scanning-configuration#33-create-and-save-a-private-key-for-the-service-account).*
3. **GCP Audience:**Enter the GCP Audience value. This value must match the **Default Audience** configured in your GCP environment.
4. In the **Select Configuration** section, click **ADD CONFIGURATION** to add a new IdP configuration.
5. In the **Add New Authentication Configuration** dialog box:

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI GCP Step 2.2.png)

**Figure 21: Add a configuration using Client Credentials flow**
  1. **Client credentials flow**: Select this option to authenticate to GCP services using client credentials.
  2. **Name**: Enter a name for the configuration.
  3. **Client ID**: Enter the Client ID of your IdP.
  4. **Client Secret**: Enter the Client Secret of your IdP.
  5. **Well-known URL**: Enter the Well-known URL of your IdP.
  6. **Scope** (optional): Add custom scopes if required.
  7. **Add API Gateway URL (Required for AWS connections)** (optional): Select this check box to enter the API gateway URL. This is the public URL of the API Gateway (for example, Kong Gateway) deployed in your environment. You can obtain this value from your API Gateway deployment or from the administrator managing the gateway. For example: `https://ki-kong.westus2.cloudapp.azure.com:8443/ping`
  8. Click **AUTHORIZE** to complete the authorization.
6. After adding and selecting the IdP configuration, click **NEXT**.

> [!NOTE]
> NOTE
> 
> - When adding or editing the configuration, an **Authorization Failed** error message may appear if authorization cannot be completed due to incorrect credentials, invalid scope, or other configuration issues.
> - You can also add an IdP using the **Client credentials flow** by clicking **ADD CONFIGURATION** in the top-right corner of the **Authentication** page. *For more information on managing the Federated Authentication IdP configurations, refer to [Federated Authentication Identity Provider Configurations](https://support.fortanix.com/docs/federated-authentication-identity-provider-configurations).*
> - Currently, GCP **does not support** configuring Federated authentication using the **Authorization code flow**.
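To make the fields named in Section 7.2 and in the steps above concrete, here is an added Python example. It is not Fortanix code and does not describe what Key Insight does internally; it builds the three messages of the standard Google Workload Identity Federation exchange that the client credentials flow feeds: the token request to the IdP whose token endpoint is discovered through the **Well-known URL**, the token exchange at the GCP Security Token Service using the **GCP Audience** (the provider resource name that GCP presents as the provider's default audience), and the impersonation call for the **Service account email**. All URLs, IDs and secrets are constructed placeholders, the discovery document is constructed, the Kong API Gateway in front of the IdP is not modelled, and the functions only build requests, so nothing is sent.

```python
import json
import re
from urllib.parse import urlencode

# Constructed placeholder values (not real credentials or resource names).
WELL_KNOWN_URL = "https://idp.example.com/.well-known/openid-configuration"
CLIENT_ID = "ki-client-id-EXAMPLE"
CLIENT_SECRET = "ki-client-secret-EXAMPLE"
SERVICE_ACCOUNT_EMAIL = "key-insight-scanner@example-project.iam.gserviceaccount.com"
GCP_AUDIENCE = ("//iam.googleapis.com/projects/123456789012/locations/global/"
                "workloadIdentityPools/ki-pool/providers/ping-oidc")

# Constructed OpenID discovery document, as fetched from the well-known URL.
SAMPLE_DISCOVERY_DOC = json.dumps({
    "issuer": "https://idp.example.com",
    "token_endpoint": "https://idp.example.com/as/token.oauth2",
    "jwks_uri": "https://idp.example.com/pf/JWKS",
})

# Shape of a workload identity pool provider resource name.
AUDIENCE_RE = re.compile(
    r"^//iam\.googleapis\.com/projects/\d+/locations/global/"
    r"workloadIdentityPools/[a-z0-9-]+/providers/[a-z0-9-]+$")


def validate_gcp_audience(audience):
    """True if the value looks like a provider resource name; a mismatch with the
    provider configured in GCP is rejected by the STS, so catch typos early."""
    return bool(AUDIENCE_RE.match(audience))


def token_endpoint_from_discovery(discovery_json):
    """Resolve the IdP token endpoint from the well-known document; insist on
    HTTPS because the client secret travels in the request body."""
    endpoint = json.loads(discovery_json)["token_endpoint"]
    if not endpoint.startswith("https://"):
        raise ValueError("token endpoint must be HTTPS")
    return endpoint


def client_credentials_request(client_id, client_secret, scopes=None):
    """Step 1: form body POSTed to the IdP token endpoint (RFC 6749 section 4.4).
    No user interaction; the client authenticates with its own credentials."""
    body = {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}
    if scopes:
        body["scope"] = " ".join(scopes)
    return urlencode(body)


def sts_exchange_request(gcp_audience, idp_token):
    """Step 2: JSON body POSTed to https://sts.googleapis.com/v1/token, trading
    the IdP-issued JWT for a short-lived federated access token."""
    if not validate_gcp_audience(gcp_audience):
        raise ValueError("GCP Audience is not a provider resource name")
    return {
        "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
        "audience": gcp_audience,
        "scope": "https://www.googleapis.com/auth/cloud-platform",
        "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
        "subjectTokenType": "urn:ietf:params:oauth:token-type:jwt",
        "subjectToken": idp_token,
    }


def impersonation_url(service_account_email):
    """Step 3: IAM Credentials endpoint that mints a short-lived access token for
    the scanning service account; the federated token is the bearer credential,
    so no long-lived service account key is ever stored."""
    return ("https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
            f"{service_account_email}:generateAccessToken")


if __name__ == "__main__":
    print(token_endpoint_from_discovery(SAMPLE_DISCOVERY_DOC))
    print(client_credentials_request(CLIENT_ID, CLIENT_SECRET, ["openid"]))
    print(json.dumps(sts_exchange_request(GCP_AUDIENCE, "eyJ.constructed.jwt")))
    print(impersonation_url(SERVICE_ACCOUNT_EMAIL))
```

The contrast with the secret-based method in Section 7.4.1 is in step 3: there the private key pasted into the form signs the assertion itself, whereas here the key never leaves GCP and only a short-lived token is issued, which is what the note about "Authorization Failed" is exercising when the audience, scope or client credentials do not line up.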

### 7.5 Set Up Cloud Connections

Perform the following steps on the **Set Up Cloud Connections** step:

1. Enter a GCP connection name. For example, **GCP connection**.
2. In the **Select scope** section:
  - **Organization:** Select this option if you want to onboard all GCP projects.
    1. **Organization ID:** Enter your Organization ID. *For more information on how to obtain the Organization ID, refer to [GCP Connection Scanning Configuration](https://support.fortanix.com/docs/gcp-connection-scanning-configuration#44-obtain-the-gcp-organization-id).*

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI GCP Step 3.png)

**Figure 22: Set up GCP connection**
  - **Project:** Select this option if you want to onboard a single GCP project.
3. Click **NEXT**.

### 7.6 Select GCP Projects

Perform the following steps to select your GCP project(s):

1. On the **Select GCP Project** step:
  - If you selected **Organization** scope in the previous step, choose **Select All Projects in Your Organization** to onboard all projects in the organization, or manually select the projects you want to onboard.
  - If you selected **Project** scope, enter the **Project ID**. *For more information on how to fetch the Project ID, refer to [GCP Connection Scanning Configuration](https://support.fortanix.com/docs/gcp-connection-scanning-configuration#33-create-and-save-a-private-key-for-the-service-account).*
2. Click **NEXT**.

> [!NOTE]
> NOTE
> 
> Fortanix Key Insight scans only the GCP metadata and does not access any GCP key material.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI GCP Step 4.png)

**Figure 23: Select GCP projects**

### 7.7 Select Key Insight Policy

The **System Defined Policy** is selected by default on the **Key Insight Policy** step. This policy is designed to facilitate the scanning of keys and services based on predefined key sizes and permitted operations, ensuring compliance with standard security configurations.

Click **NEXT** to proceed.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI GCP Step 5.png)

**Figure 24: GCP Key Insight policy**

Additionally,

- Click **ADD POLICY** to add a new user-defined policy to the policy center.
- Click ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image(135).png) to copy and modify a system-defined policy, converting it into a user-defined policy.

*For more information on Fortanix Key Insight policies and features, refer to*[*Cryptographic Policy Management*](https://support.fortanix.com/docs/cryptographic-policy-management)*.*

> [!NOTE]
> NOTE
> 
> If you change or update the policy instead of the **System Defined Policy**, you must **Rescan** the GCP connection to apply the new policy.

### 7.8 Select External Key Source

On the **Select External Key Source** step, you can integrate Fortanix Key Insight with an external key source such as Fortanix DSM to enable key correlation and improve key management.

1. Select any of the following options:
  - **Yes, connect now**: This option allows you to add the external key source for your GCP cloud connection to correlate keys using the **ADD EXTERNAL KEY SOURCE** feature. *For more information, refer to [Getting Started with External Key Source Connection](/docs/fortanix-key-insight-getting-started-with-external-key-source-connection).* After adding the Fortanix DSM connection, select it from the list.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI GCP Step 6.1.png)

**Figure 25: Add external key source**
  - **No, I’ll connect later**: This option allows you to onboard the GCP connection without adding an external key source. You can add it later if needed.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI GCP Step 6.2.png)

**Figure 26: Onboard AWS connection without an external key source**
2. Click **FINISH** to complete the GCP connection onboarding.

> [!NOTE]
> NOTE
> 
> After onboarding the GCP connection:
> 
> - View the GCP connection UI (**Overview**, **Assessment**, **Keys**, and so on). You can also **switch the region** at any time using the region switcher drop-down on the top navigation bar. When the region is changed, the UI updates automatically to show the data, connections, and scan results for that region.
> 
> *For more information about the GCP connection UI, refer to [GCP Connection User Interface Components](https://support.fortanix.com/docs/gcp-connection-user-interface-components).*
> - Users with the **Account Administrator** and **Group Administrator** roles can manage (edit, delete, rescan) the connection from the **Connections** page on the **CLOUD** tab.
>   - Deleting the GCP connection cannot be undone.
> - A group with the same name will be created on the Fortanix IAM **Groups** page. *For more information, refer to [Fortanix Armor Identity and Access Management (IAM)](/v1/docs/fortanix-fortanix-armor-identity-and-access-management-iam).*

## 8.0 Troubleshooting

*For information about common issues and troubleshooting steps when configuring Fortanix Key Insight in cloud environments, refer to [Cloud Connection Troubleshooting](https://support.fortanix.com/docs/fortanix-key-insight-cloud-connection-troubleshooting).*

Fortanix Key Insight identifies encryption keys and data services across on-premises and hybrid multicloud environments, providing a unified dashboard for tracking key mappings and cryptographic security. It offers security and compliance teams data-driven insights to assess risks, align with best practices, and meet industry regulations. It also supports continuous risk mitigation and crypto-agility, adapting to evolving security needs, including preparation for the post-quantum era.

Fortanix Armor is a comprehensive cybersecurity solution that protects data and applications across on-premises, hybrid, and multi-cloud environments. It integrates Fortanix solutions into a single unified product, securing data throughout its lifecycle. Built on the **Confidential Computing Platform**, it ensures real-time encryption of data at rest, in transit, and during processing. Additionally, it includes platform services such as Identity and Access Management (IAM), Key Management Service (KMS), and Audit and Monitoring to simplify security management.

## Related

- [AWS Connection Scanning Configuration](/fortanix-key-insight-aws-configuration-for-scanning.md)
- [AWS Connection Concepts](/fortanix-key-insight-aws-connection-concepts.md)
- [Azure Connection Scanning Configuration Using Built-In Roles](/fortanix-key-insight-azure-configuration-for-scanning-using-built-in-roles.md)
- [Fortanix DSM for Secrets Injection in OpenShift](/using-fortanix-data-security-manager-for-secrets-injection-in-kubernetes.md)
- [Azure Connection Concepts](/fortanix-key-insight-azure-connection-concepts.md)
