AuthFI Connect

AuthFI Connect lets you manage who can access AWS, GCP, Azure, and OCI from a single control plane. Map AuthFI roles and groups to cloud IAM roles — users get temporary credentials or console signin with zero cloud passwords.

How It Works

  1. Connect cloud accounts — Add your AWS account ID, GCP project, Azure subscription, or OCI tenancy
  2. Map roles — AuthFI role “cloud-admin” → AWS arn:aws:iam::123:role/Admin
  3. Users get access — Based on their roles/groups, they can get credentials or open the cloud console

User logs in → AuthFI checks roles → Finds cloud mapping → Issues OIDC token → Exchanges for cloud credentials

Supported Providers

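| Provider | Token Exchange | Console Signin | Method |
|----------|----------------|----------------|--------|
| AWS | STS AssumeRoleWithWebIdentity | Federation signin URL | OIDC |
| GCP | STS token exchange | Workforce Identity | OIDC |
| Azure | JWT-bearer on-behalf-of | Portal federation | OIDC |
| OCI | Token exchange | Identity federation | OIDC |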

API Endpoints

User-Facing (Auth API)

| Method | Endpoint | Description |
|--------|----------|-------------|
| GET | /v1/{tenant}/cloud/access | List cloud accounts user can access |
| POST | /v1/{tenant}/cloud/user-credentials | Get temporary cloud credentials |
| POST | /v1/{tenant}/cloud/console-signin | Get console redirect URL |

Admin (Management API)

| Method | Endpoint | Description |
|--------|----------|-------------|
| GET/POST | /manage/v1/{tenant}/cloud/accounts | Manage cloud accounts |
| GET/POST | /manage/v1/{tenant}/cloud/mappings | Manage role mappings |
| GET | /manage/v1/{tenant}/cloud/logs | Cloud access audit log |

Policy Conditions

Role mappings support conditions:

{
  "require_mfa": true,
  "allowed_ips": ["10.0.0.0/8"],
  "time_window": {
    "start": "09:00",
    "end": "18:00",
    "tz": "UTC"
  }
}
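
To reason about what a mapping with these conditions would admit, the following added example (not AuthFI's code) evaluates the condition document above against one request. The semantics are assumptions: every condition present must hold, the window end is exclusive, a window whose start is later than its end wraps past midnight, and unknown keys deny. The function name and reason strings are hypothetical.

```python
import ipaddress
from datetime import datetime, time, timezone
from zoneinfo import ZoneInfo

# Condition document copied from the page.
POLICY = {"require_mfa": True, "allowed_ips": ["10.0.0.0/8"],
          "time_window": {"start": "09:00", "end": "18:00", "tz": "UTC"}}
KNOWN_KEYS = {"require_mfa", "allowed_ips", "time_window"}

def evaluate_conditions(conditions, mfa_verified, source_ip, now):
    """Hypothetical evaluator: returns (allowed, reason) and fails closed."""
    unknown = sorted(set(conditions) - KNOWN_KEYS)
    if unknown:  # never silently ignore a condition we cannot enforce
        return False, f"unknown condition: {unknown[0]}"
    if conditions.get("require_mfa") and not mfa_verified:
        return False, "mfa required"
    if "allowed_ips" in conditions:
        try:
            addr = ipaddress.ip_address(source_ip)
            nets = [ipaddress.ip_network(c, strict=False)
                    for c in conditions["allowed_ips"]]
        except ValueError:
            return False, "unparseable ip or cidr"
        if not any(addr in net for net in nets):  # v4/v6 mismatch is False
            return False, "source ip not allowed"
    if "time_window" in conditions:
        if now.tzinfo is None:  # a naive timestamp would be read as local time
            return False, "timestamp must be timezone-aware"
        win = conditions["time_window"]
        try:
            tz = timezone.utc if win["tz"] == "UTC" else ZoneInfo(win["tz"])
            start = time.fromisoformat(win["start"])
            end = time.fromisoformat(win["end"])
        except (KeyError, ValueError, TypeError):
            return False, "invalid time window"
        local = now.astimezone(tz).time()
        if start <= end:
            inside = start <= local < end
        else:  # window wraps past midnight, e.g. 22:00 to 06:00
            inside = local >= start or local < end
        if not inside:
            return False, "outside time window"
    return True, "ok"

if __name__ == "__main__":
    at = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)  # constructed
    print(evaluate_conditions(POLICY, True, "10.1.2.3", at))
```
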

Plan Availability

| Feature | Scale | Enterprise |
|---------|-------|------------|
| Cloud accounts | 4 | Unlimited |
| Console signin | Yes | Yes |
| MFA conditions | Yes | Yes |
| Access audit log | Yes | Yes |
