Cloud Platforms
Connect WNCYBER to AWS, Azure, and Google Cloud to discover and govern cloud workload identities, IAM roles, and service accounts.
WNCYBER connects natively to all major cloud platforms for workload identity discovery, IAM governance, and dynamic credential issuance.
Amazon Web Services (AWS)
Create a Read-Only IAM Role
- In the AWS console, navigate to IAM → Roles → Create role
- Select Another AWS account and enter the WNCYBER AWS account ID (provided in your tenant settings)
- Attach the ReadOnlyAccess managed policy
- Name the role WNCYBERConnector and create it
- Copy the Role ARN
Connect in WNCYBER
- Navigate to Settings → Identity Sources → Add Source → AWS
- Enter the Role ARN and your AWS Account ID
- Select the regions to scan
- Enable the connection
WNCYBER assumes the role using cross-account access — no long-lived AWS credentials are stored.
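Because WNCYBER assumes the role from its own account, the role's trust policy is what decides who else can assume it. As an added example (not WNCYBER's own tooling), the Python check below reads an IAM role trust policy document in the shape the console produces for "Another AWS account" (here a constructed sample with a placeholder account ID, not WNCYBER's real one) and reports any wildcard principal or any principal outside the expected account.

```python
import json

# Constructed sample trust policy, as the IAM console writes it for
# "Another AWS account". The 12-digit account ID is a placeholder.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
    }],
})

def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    """Account ID from an AWS principal ARN, or the bare account ID itself."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal

def trust_policy_findings(policy_json, expected_account):
    """Return findings for every Allow statement granting sts:AssumeRole.
    An empty list means only the expected account may assume the role."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append("wildcard principal: any AWS account may assume the role")
            continue
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if not aws_principals:
            findings.append(f"statement without an AWS account principal: {principal!r}")
        for p in aws_principals:
            if p == "*":
                findings.append("wildcard AWS principal: any account may assume the role")
            elif _account_of(p) != expected_account:
                findings.append(f"unexpected principal {p}")
    return findings

if __name__ == "__main__":
    for f in trust_policy_findings(SAMPLE_TRUST_POLICY, "111111111111"):
        print("FINDING:", f)
```

Run it against the `AssumeRolePolicyDocument` of the WNCYBERConnector role after creation, and again whenever the role is modified.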
What Gets Discovered
- IAM users with console and programmatic access
- IAM roles and their trust relationships
- EC2 instance profiles
- Lambda execution roles
- ECS task roles
- AWS Secrets Manager secrets (metadata, not values)
Microsoft Azure
Create a Service Principal
az ad sp create-for-rbac \
--name "WNCYBERConnector" \
--role Reader \
--scopes /subscriptions/{subscription-id}
Note the appId, password, and tenant from the output.
Connect in WNCYBER
- Navigate to Settings → Identity Sources → Add Source → Azure
- Enter your Tenant ID, Client ID (appId), and Client Secret (password)
- Enter the subscription ID(s) to scan
- Enable the connection
What Gets Discovered
- Azure AD users and groups (via Microsoft Graph — see the Entra ID guide)
- Managed identities (system-assigned and user-assigned)
- Service principals
- Key Vault secrets and certificates (metadata)
- App service identity configurations
Google Cloud Platform (GCP)
Create a Service Account
- Navigate to IAM & Admin → Service Accounts → Create Service Account
- Name it wncyber-connector
- Grant it the Security Reviewer role at the project or organisation level
- Create and download a JSON key file
Store the key file as a secret — do not commit it to source control.
Connect in WNCYBER
- Navigate to Settings → Identity Sources → Add Source → Google Cloud
- Upload the service account JSON key file
- Enter the project ID(s) to scan
- Enable the connection
What Gets Discovered
- Service accounts and their key pairs
- IAM role bindings
- Workload Identity Pool configurations
- Secret Manager secrets (metadata)
Kubernetes
WNCYBER connects to Kubernetes clusters to discover service accounts and secrets.
Install the WNCYBER Operator
kubectl apply -f https://releases.wncyber.com/operator/latest/install.yaml
Configure the Operator
Create a WNCYBERConfig custom resource in your cluster:
apiVersion: wncyber.io/v1
kind: WNCYBERConfig
metadata:
  name: cluster-config
spec:
  tenantId: your-wncyber-tenant-id
  apiKey: # reference a Kubernetes secret
  discovery:
    serviceAccounts: true
    secrets: true
    namespaces:
      - default
      - production
      - staging
The operator connects to your WNCYBER tenant and syncs discovery results continuously.