One login for
AWS, GCP, Azure, and OCI.
Your team shouldn't need 4 logins, 4 MFA tokens, and 4 admin consoles. AuthFI gives every user one identity that works across all clouds — with permissions you control from a single dashboard.
The multi-cloud IAM problem
Every cloud has its own identity system. Your team juggles 4 directories, 4 MFA setups, 4 admin consoles. Onboarding takes hours. Offboarding is a security risk. Audits take weeks.
How federation works
No cloud passwords. No cloud IAM users. AuthFI acts as a trusted Identity Provider. Each cloud trusts AuthFI's OIDC tokens and issues temporary credentials. Five steps, zero static keys.
User authenticates with AuthFI
Email + password, SSO, magic link, passkey — any method you've configured.
✓ MFA verified (TOTP)
✓ Session established
Roles: [admin, cloud-admin] Groups: [engineering]
AuthFI issues an OIDC token
Standard JWT carrying the user's identity, roles, groups, and MFA status. Signed by AuthFI; relying clouds verify the signature against AuthFI's JWKS endpoint.
```json
{
  "sub": "user_abc123",
  "email": "alice@acme.com",
  "roles": ["admin", "cloud-admin"],
  "groups": ["engineering"],
  "mfa_verified": true,
  "iss": "https://acme.authfi.app"
}
```
Cloud trusts AuthFI as Identity Provider
You configure each cloud to trust AuthFI's OIDC issuer. One-time setup per cloud account.
```text
GCP Workforce Identity Pool → provider: authfi
Azure Federated Credential  → issuer: acme.authfi.app
OCI Identity Provider       → OIDC: acme.authfi.app
// Each cloud validates AuthFI's JWT signature via JWKS endpoint
```
Temporary credentials issued
Cloud exchanges AuthFI token for time-limited cloud credentials. No static keys.
GCP STS token exchange → federated access_token (1h)
Azure JWT-bearer OBO flow → Azure access_token (1h)
OCI OIDC token exchange → OCI session token (1h)
User lands in cloud console
Already logged in, scoped to their role. No cloud password. No cloud MFA. Just AuthFI.
Role mapping
Map AuthFI roles and groups to cloud IAM roles. One mapping controls access across all four clouds. Change a role in AuthFI, access updates everywhere.
| AuthFI Role | AWS | GCP | Azure | OCI |
|---|---|---|---|---|
| doctor | HealthcareViewer | Healthcare Dataset Viewer | FHIR Data Reader | — |
| admin | PowerUserAccess | roles/editor | Contributor | ComputeAdmin |
| finance | BillingViewAccess | roles/billing.viewer | Billing Reader | BillingViewer |
| developer | S3ReadOnly | roles/viewer | Reader | ObjectViewer |
| devops | AdministratorAccess | roles/owner | Owner | Administrator |
```yaml
role: doctor
mappings:
  - provider: aws
    role: arn:aws:iam::123:role/HealthcareViewer
  - provider: gcp
    role: roles/healthcare.datasetViewer
  - provider: azure
    role: FHIR Data Reader
---
group: engineering
mappings:
  - provider: aws
    role: arn:aws:iam::123:role/DevReadOnly
  - provider: gcp
    role: roles/viewer
```
Console SSO — one click to any cloud
Users click "Open Console" and land inside the cloud provider's dashboard — already logged in, scoped to their role. No cloud password. No cloud MFA prompt. Just AuthFI.
✓ Click "Copy Creds" → temp credentials copied to clipboard for CLI/SDK.
Workload identity — no static keys
Your applications get cloud credentials on behalf of users — without storing any static keys. The SDK handles the token exchange. Credentials are temporary and scoped.
SDK — your app gets cloud creds
```javascript
const creds = await authfi.cloud("gcp", {
  account: "analytics-prod",
  token: req.user.token
});
// Returns temporary access_token
creds.access_token // ya29.xxx (1h)
creds.expires_in   // 3600
```
API — direct credential exchange
```http
Authorization: Bearer <user-jwt>

{ "account_id": "aws-prod-uuid" }
```
→ Response:
```json
{
  "credentials": {
    "access_key_id": "ASIA...",
    "secret_access_key": "...",
    "session_token": "..."
  },
  "expires_in": 3600
}
```
```python
import boto3

# `authfi` is the initialized AuthFI SDK client; `user.token` is the caller's AuthFI JWT.
creds = authfi.cloud("aws", account="production", token=user.token)
s3 = boto3.client("s3",
    aws_access_key_id=creds["access_key_id"],
    aws_secret_access_key=creds["secret_access_key"],
    aws_session_token=creds["session_token"]
)
s3.upload_file("report.pdf", "acme-reports", "q1/report.pdf")
# Credentials expire in 1 hour. No static keys anywhere.
```
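Because the exchanged credentials live for only an hour, a long-running job needs to refresh them before they lapse. The following provider is an added example, not part of the AuthFI SDK; it assumes an injected `exchange` callable that performs the API call above and returns the JSON response shown, and it reshapes the result into boto3 keyword arguments.

```python
import time

class TempCredentialProvider:
    """Caches exchanged temporary credentials and refreshes them before expiry.
    Usage (assumed): boto3.client("s3", **provider.get())"""

    def __init__(self, exchange, account_id, refresh_margin=300, clock=time.time):
        self._exchange = exchange      # assumed callable(account_id) -> response dict
        self._account_id = account_id
        self._margin = refresh_margin  # refresh this many seconds before expiry
        self._clock = clock            # injectable so tests can control time
        self._creds = None
        self._expires_at = 0.0

    def _needs_refresh(self):
        return self._creds is None or self._clock() >= self._expires_at - self._margin

    def get(self):
        """Return boto3-style keyword credentials, exchanging a fresh set when needed."""
        if self._needs_refresh():
            resp = self._exchange(self._account_id)
            c = resp["credentials"]
            ttl = int(resp["expires_in"])
            if ttl <= self._margin:
                # A lifetime inside the margin would trigger an exchange on every call.
                raise ValueError("credential lifetime shorter than refresh margin")
            self._creds = {
                "aws_access_key_id": c["access_key_id"],
                "aws_secret_access_key": c["secret_access_key"],
                "aws_session_token": c["session_token"],
            }
            self._expires_at = self._clock() + ttl
        return dict(self._creds)  # copy, so callers cannot mutate the cache
```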
Policy conditions
Control when and how cloud access is granted. Attach conditions to any role mapping — MFA, IP, time windows, max session duration.
MFA required
Force MFA verification before issuing cloud credentials. Critical for admin and production roles.
// User must have mfa_verified in their JWT
IP restrictions
Restrict cloud access to trusted networks. Office IPs, VPN ranges, or specific CIDR blocks.
// Access denied from untrusted IPs
Time windows
Limit access to business hours. No production access at 3 AM on a Saturday.
```yaml
start: "09:00"
end: "18:00"
tz: "America/New_York"
days: ["mon", "tue", "wed", "thu", "fri"]
```
Max session duration
Limit how long cloud credentials are valid. Short sessions for sensitive environments.
// Credentials auto-expire, must re-authenticate
```text
role: cloud-admin → AWS FullAccess
conditions:
  require_mfa: true
  allowed_ips: ["10.0.0.0/8"]
  time_window: 09:00–18:00 UTC, Mon–Fri
  max_session: 3600
// Access denied outside business hours, from untrusted IPs, or without MFA.
```
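To make the role mapping and policy conditions above concrete, here is an added example (not AuthFI's code) that evaluates a token's claims against a constructed mapping table: the `engineering` group mapping and the `cloud-admin` conditions shown on the page. The dict layout, the `evaluate_access` function, and the assumption that time windows are expressed in UTC are all this example's own.

```python
from datetime import timezone
from ipaddress import ip_address, ip_network
# Constructed mappings (assumption) mirroring the page's YAML and the
# cloud-admin conditions; time windows are taken to be in UTC, as on the page.
MAPPINGS = [
    {"group": "engineering", "provider": "gcp", "cloud_role": "roles/viewer"},
    {"role": "cloud-admin", "provider": "aws", "cloud_role": "FullAccess",
     "conditions": {"require_mfa": True,
                    "allowed_ips": ["10.0.0.0/8"],
                    "time_window": {"start": "09:00", "end": "18:00",
                                    "days": ["mon", "tue", "wed", "thu", "fri"]},
                    "max_session": 3600}},
]

def _matches(mapping, claims):
    # A mapping applies when its role or group appears in the JWT claims.
    if "role" in mapping:
        return mapping["role"] in claims.get("roles", [])
    return mapping["group"] in claims.get("groups", [])

def _check_conditions(cond, claims, client_ip, now):
    # Returns a denial reason, or None when every attached condition holds.
    if cond.get("require_mfa") and not claims.get("mfa_verified"):
        return "mfa_required"
    if "allowed_ips" in cond and not any(
            ip_address(client_ip) in ip_network(c) for c in cond["allowed_ips"]):
        return "untrusted_ip"
    tw = cond.get("time_window")
    if tw:
        utc = now.astimezone(timezone.utc)
        day, hhmm = utc.strftime("%a").lower(), utc.strftime("%H:%M")
        if day not in tw["days"] or not (tw["start"] <= hhmm < tw["end"]):
            return "outside_time_window"
    return None

def evaluate_access(claims, provider, client_ip, now, requested_session=3600):
    """Return (granted cloud roles, denials by role, session seconds)."""
    granted, denials, session = [], {}, requested_session
    for m in MAPPINGS:
        if m["provider"] != provider or not _matches(m, claims):
            continue
        cond = m.get("conditions", {})
        reason = _check_conditions(cond, claims, client_ip, now)
        if reason:
            denials[m["cloud_role"]] = reason
            continue
        # max_session caps the credential lifetime instead of denying access.
        session = min(session, cond.get("max_session", session))
        granted.append(m["cloud_role"])
    return granted, denials, session
```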
Full cloud access audit trail
Every cloud credential issuance and console sign-in is logged. Who accessed what cloud, with which role, when, for how long, with or without MFA. One report for auditors.
| TIME | USER | PROVIDER | ROLE | TYPE | DURATION | MFA |
|---|---|---|---|---|---|---|
| 10:30:05 | alice@acme.com | AWS | PowerUserAccess | console | 1h | verified |
| 10:32:12 | alice@acme.com | GCP | Editor | credentials | 1h | verified |
| 10:45:00 | bob@acme.com | AWS | S3ReadOnly | credentials | 30m | --- |
| 11:00:33 | charlie@acme.com | Azure | Contributor | console | 1h | verified |
| 11:15:08 | diana@acme.com | OCI | ComputeAdmin | credentials | 1h | verified |
| 11:20:44 | eve@acme.com | GCP | Viewer | console | 2h | --- |
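An auditor working from an export of this log will want the exceptions pulled out rather than read row by row. The checker below is an added example, not an AuthFI feature; it assumes a CSV export with the same columns as the table (a constructed copy is embedded) and flags any issuance made without MFA or lasting longer than a session cap.

```python
import csv
import io

# Constructed CSV export (assumption) with the rows from the audit table above.
AUDIT_CSV = """time,user,provider,role,type,duration,mfa
10:30:05,alice@acme.com,AWS,PowerUserAccess,console,1h,verified
10:32:12,alice@acme.com,GCP,Editor,credentials,1h,verified
10:45:00,bob@acme.com,AWS,S3ReadOnly,credentials,30m,---
11:00:33,charlie@acme.com,Azure,Contributor,console,1h,verified
11:15:08,diana@acme.com,OCI,ComputeAdmin,credentials,1h,verified
11:20:44,eve@acme.com,GCP,Viewer,console,2h,---
"""

def parse_duration(text):
    """Convert '1h' / '30m' / '45s' into seconds."""
    unit, value = text[-1], int(text[:-1])
    return value * {"h": 3600, "m": 60, "s": 1}[unit]

def audit_findings(csv_text, max_session=3600):
    """Return (time, user, provider, reason) tuples an auditor should review:
    access granted without MFA, or a session longer than max_session seconds."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        tag = (row["time"], row["user"], row["provider"])
        if row["mfa"] != "verified":
            findings.append(tag + ("no_mfa",))
        if parse_duration(row["duration"]) > max_session:
            findings.append(tag + ("session_exceeds_max",))
    return findings
```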
vs. other approaches
| | AuthFI | AWS IAM Identity Center | Azure AD | Manual IAM |
|---|---|---|---|---|
| Multi-cloud from one IdP | AWS + GCP + Azure + OCI | AWS only | Azure only | Per-cloud config |
| Onboarding time | 30 seconds | ~10 min | ~10 min | 30+ min × 4 clouds |
| Offboarding | Disable user, all clouds locked | AWS only | Azure only | Disable in each cloud |
| Console SSO | One click, all clouds | AWS only | Azure + GCP (limited) | Per-cloud login |
| Temporary credentials | All clouds via API/SDK | AWS STS | Azure tokens | Static keys |
| Role mapping | Central, group + role based | Permission sets | App roles | Per-cloud IAM |
| MFA per mapping | Yes, per cloud + role | Session-level | Conditional Access | Per-cloud config |
| IP restrictions | Per mapping | SCP/policy | Named locations | Per-cloud config |
| Time-based access | Built-in | — | PIM (P2 license) | Manual rotation |
| Unified audit log | All clouds, one log | CloudTrail only | Azure AD logs only | Separate per cloud |
| Workload identity | SDK + API | — | Managed identity | Static keys |
Available on Pro and above. See pricing →