Create or edit cloud credentials


To create or edit cloud credentials:

  1. If you are editing a cloud credential, make sure that no resources are using it.

    If it is already in use, the following error appears:

    The cloud credential <credential> is in use by <resource>. Editing or deleting it is not allowed

    In this case, you must create a new cloud credential, modify the resource to use the new cloud credential (see Resources - Create or Edit a Resource), and then delete the original one (as described in Cloud Credentials).

  2. Supply (for new credentials) or review and edit (for existing credentials) the following:

    Field or Menu Description


    User-defined name for this credential.


    User-defined description.


    One of the following cloud provider cluster types.

    Kubernetes, as supplied with your Kubernetes account:

    • Kubernetes API Endpoint —Endpoint at which the Kubernetes API is reachable. This must be an IP address or a resolvable DNS name in the form: https://<ip_address>:<port_number>.

    • User Name —(Optional) AccountService user who owns the bearer token.

    • Kubernetes Bearer token — Service account bearer token for a service account that has permissions to create resources in the Kubernetes cluster.

    Azure, available from your Azure portal:

    • Azure API ClientID —Azure Application ID as configured from the Azure App registration page. UUID formatted string.

    • Azure API ClientSecret —Azure Client secret as configured from the Azure App registration page. UUID formatted string.

    • Azure API TenantID —Directory ID from the Azure Active Directory, Default Directory Properties page. UUID formatted string.

    • Azure API SubscriptionID —Visual Studio Professional Subscription ID from the Subscriptions page. UUID formatted string.

    EC2, as supplied with your EC2 account:

    • Credential Provider —Choose Access Key ID/Secret Key or Server IAM Role.

      If you select Server IAM Role, you can also select No Key Pair from the Key Pair pulldown menu. However, this is not recommended, because you cannot SSH to the instance.
      You must set up the appropriate permissions for the IAM role. For the list of required permissions, see Configuring Amazon EC2 for Agent Cloud Bursting - Setting Up a Server IAM Role.
    • Region —Named set of AWS resources in the same geographical area. A region comprises at least two Availability Zones.

    • (If you selected Access Key ID/Secret Key) AWS Access Key ID —Access key ID, which is the unique identifier that is associated with a secret access key. The access key ID and the secret access key are used together to sign programmatic AWS requests cryptographically.

    • (If you selected Access Key ID/Secret Key) AWS Secret Key —Secret access key, which is used in conjunction with the access key ID to cryptographically sign programmatic AWS requests. Signing a request identifies the sender and prevents request alteration. You can generate secret access keys for your AWS account, individual IAM users, and temporary sessions.

    Google Cloud Platform, as supplied with your GCP account:

    • Service Account File —JSON file generated when the private key is created for the service account in the Google Cloud Platform Console. The service account identified by the key pair in the JSON is used. The service account must have Owner permission allocated.

  3. Click Test Connection to verify the new or updated credential.

    If the test succeeds, the following message appears:

    Your credentials successfully connected to AWS.

    If the test fails, the following message appears:

    Unable to connect to endpoint with specified credentials. Please try again.

  4. For a failed test, modify the credentials to fix the issues, and then click Test Connection again.

  5. Click OK to return to the Cloud page.
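A pre-submission check for the field formats listed in step 2, so that malformed values or a non-HTTPS Kubernetes endpoint are caught before Test Connection sends a secret. This is an added example, not part of the product or its documentation; the function names and the Azure dictionary keys are hypothetical.

```python
import json
import uuid
from urllib.parse import urlsplit

AZURE_UUID_FIELDS = ("client_id", "tenant_id", "subscription_id")  # hypothetical key names
GCP_REQUIRED_KEYS = ("type", "project_id", "private_key", "client_email")  # keys in a GCP key file


def check_k8s_endpoint(endpoint):
    """Problems with a Kubernetes API endpoint of the form https://<ip_address>:<port_number>."""
    try:
        parts = urlsplit(endpoint)
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return ["endpoint is not a parseable URL"]
    problems = []
    if parts.scheme != "https":
        problems.append("scheme must be https: the bearer token is sent to this endpoint")
    if not parts.hostname:
        problems.append("missing IP address or DNS name")
    if port is None:
        problems.append("missing port number")
    if parts.username or parts.password:
        problems.append("endpoint URL must not embed credentials")
    return problems


def check_azure(fields):
    """Problems with the Azure ID fields, which the page describes as UUID formatted strings."""
    problems = []
    for key in AZURE_UUID_FIELDS:
        try:
            uuid.UUID(str(fields.get(key) or ""))
        except ValueError:
            problems.append(f"{key} is not a UUID formatted string")
    return problems


def check_gcp_service_account(json_text):
    """Problems with the content of a GCP service account JSON key file."""
    try:
        data = json.loads(json_text)
        missing = [k for k in GCP_REQUIRED_KEYS if not data.get(k)]
    except (ValueError, AttributeError):  # bad JSON, or top level is not an object
        return ["not a JSON object"]
    problems = [f"missing key: {k}" for k in missing]
    if data.get("type") not in (None, "", "service_account"):
        problems.append("type is not service_account")
    return problems
```

Each function returns a list of problems; an empty list means the value matches the format described above, not that the credential is valid.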