
Configure

Starter+Enterprise

Configure is the control panel for the entire Cloud Operations module. Here you connect cloud accounts across any provider, deploy the required access credentials, tune query performance settings, and manage the notification channels used by alerts from Age Reports, Security Posture, Cost Analytics, and Monitoring.

Multi-Cloud

Cloud Operations is cloud-agnostic. You can connect accounts from AWS, Azure, and Google Cloud using the same interface. The examples below use AWS — the steps for Azure and GCP follow the same pattern with provider-specific credential types.


Connecting a Cloud Account

Step 1 — Deploy the Calabi IAM role

Before adding an account in Calabi, you must deploy an IAM role in the target cloud account that Calabi can assume. The role must be read-only and must trust the Calabi service account principal.

Copy and deploy the CloudFormation template below, or create the role manually using the IAM policy JSON in the next section.

aws cloudformation deploy \
  --template-file calabi-cloud-ops-role.yaml \
  --stack-name calabi-cloud-ops \
  --capabilities CAPABILITY_NAMED_IAM \
  --parameter-overrides \
    CalabiFunctionAccountId=657560415140 \
    ExternalId=<your-external-id>

Replace <your-external-id> with the External ID shown on the Add Account dialog in Calabi (it is unique per tenant).

Step 2 — Add the account in Calabi

  1. Navigate to Cloud Operations > Configure.
  2. Click Add Cloud Account.
  3. Fill in the form:

| Field | Description | Example |
| --- | --- | --- |
| Account name | A friendly label for this account | production |
| Cloud Account ID | The 12-digit cloud account number | 123456789012 |
| IAM Role ARN | ARN of the role deployed in step 1 | arn:aws:iam::123456789012:role/CalabiCloudOpsRole |
| External ID | The external ID shown in the Calabi dialog | calabi-ext-a7f3b29c |
| Primary region | Default region for queries | us-east-1 |
| Additional regions | Extra regions to include in inventory | eu-west-1, ap-southeast-1 |

  4. Click Test Connection. Calabi will attempt to call sts:GetCallerIdentity using the supplied role ARN. If the test succeeds, a green checkmark appears.
  5. Click Save.

The account will appear in the Connected Accounts list. Initial resource inventory may take 2–5 minutes to populate.


Cloud Organizations — Multi-Account Setup

If you manage multiple cloud accounts through Cloud Organizations, you can connect all member accounts through a single delegated IAM role in the management account.

Setup steps for Organizations

  1. Deploy the Calabi IAM role in the management account with organizations:List* and sts:AssumeRole permissions.
  2. Deploy the Calabi IAM role in each member account, trusting the management account role as the principal.
  3. In Calabi Configure, add the management account and enable Discover member accounts via Cloud Organizations.
  4. Calabi will enumerate all member accounts via organizations:ListAccounts and attempt to assume the role in each one automatically.
  5. Member accounts that grant access appear as separate entries in the Connected Accounts list.

IAM Role

Trust policy

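The trust policy grants Calabi's service account (running in your EKS cluster) permission to assume the role. The principal is the account root of 657560415140, which leaves it to that account's own IAM policies to decide which identities may call sts:AssumeRole, so the sts:ExternalId condition is what ties each request to your tenant.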

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::657560415140:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<your-external-id>"
        }
      }
    }
  ]
}
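
A pre-deployment check for the trust policy above, added here as an example and not part of Calabi's tooling: it confirms that the role trusts only the expected account and that the sts:ExternalId condition is present and carries the tenant value rather than the unreplaced placeholder. The function names are hypothetical; the account ID and the sample External ID are the ones shown on this page.

```python
def check_trust_policy(policy, expected_account, external_id):
    """Return a list of problems in a cross-account assume-role trust policy."""
    problems = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            problems.append(f"statement {i}: wildcard principal")
            continue
        arns = principal.get("AWS", [])
        arns = [arns] if isinstance(arns, str) else arns
        for arn in arns:
            # arn:partition:iam::account-id:resource; a bare account ID is also valid
            parts = arn.split(":")
            account = parts[4] if len(parts) >= 6 else arn
            if account != expected_account:
                problems.append(f"statement {i}: unexpected principal {arn}")
        # Condition operators and keys are compared case-insensitively here.
        cond = {op.lower(): keys for op, keys in st.get("Condition", {}).items()}
        keys = {k.lower(): v for k, v in cond.get("stringequals", {}).items()}
        got = keys.get("sts:externalid")
        if got is None:
            problems.append(f"statement {i}: no sts:ExternalId condition")
        elif got != external_id:
            problems.append(f"statement {i}: ExternalId is not the tenant value")
    return problems

def trust_policy(external_id=None):
    """Build the page's trust policy; external_id=None omits the Condition."""
    st = {"Effect": "Allow", "Action": "sts:AssumeRole",
          "Principal": {"AWS": "arn:aws:iam::657560415140:root"}}
    if external_id is not None:
        st["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [st]}

ACCOUNT = "657560415140"           # Calabi account ID from this page
TENANT_ID = "calabi-ext-a7f3b29c"  # example External ID from the form table

if __name__ == "__main__":
    for label, doc in [("correct", trust_policy(TENANT_ID)),
                       ("placeholder left in", trust_policy("<your-external-id>")),
                       ("condition missing", trust_policy())]:
        print(label, "->", check_trust_policy(doc, ACCOUNT, TENANT_ID) or "ok")
```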

IAM policy

The Calabi Cloud Operations role requires read-only access to the cloud services listed below. No write, delete, or modify permissions are required or should be granted.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CalabiCloudOpsReadOnly",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "cloudtrail:Describe*",
        "cloudtrail:Get*",
        "cloudtrail:List*",
        "cloudtrail:LookupEvents",
        "ce:GetCostAndUsage",
        "ce:GetCostForecast",
        "ce:GetRightsizingRecommendation",
        "ce:GetSavingsPlansCoverage",
        "ce:GetReservationCoverage",
        "ce:GetAnomalies",
        "ec2:Describe*",
        "ec2:Get*",
        "ecs:Describe*",
        "ecs:List*",
        "eks:Describe*",
        "eks:List*",
        "elasticloadbalancing:Describe*",
        "iam:GenerateCredentialReport",
        "iam:Get*",
        "iam:List*",
        "kms:Describe*",
        "kms:Get*",
        "kms:List*",
        "lambda:Get*",
        "lambda:List*",
        "logs:Describe*",
        "logs:Get*",
        "logs:List*",
        "organizations:Describe*",
        "organizations:List*",
        "rds:Describe*",
        "rds:List*",
        "s3:GetBucketAcl",
        "s3:GetBucketEncryption",
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:GetBucketPolicy",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketVersioning",
        "s3:GetBucketWebsite",
        "s3:GetEncryptionConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "secretsmanager:Describe*",
        "secretsmanager:Get*",
        "secretsmanager:List*",
        "sns:Get*",
        "sns:List*",
        "sqs:Get*",
        "sqs:List*",
        "sts:GetCallerIdentity",
        "support:Describe*",
        "tag:Get*"
      ],
      "Resource": "*"
    }
  ]
}

Principle of least privilege

Do not attach AdministratorAccess or any policy with write permissions to the Calabi Cloud Operations role. Calabi only ever reads resource metadata — it does not modify, create, or delete resources in your account.
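
A review aid for the policy above, added here as an example and not part of Calabi's tooling: it lists action patterns whose verb is not read-style, and shows which wildcard patterns also match actions that return contents rather than metadata (for instance, secretsmanager:Get* matches secretsmanager:GetSecretValue). The watch list and the policy excerpt are constructed, and the function name is hypothetical.

```python
import fnmatch

# Verb prefixes treated as read-style; other verbs are listed for manual review.
READ_PREFIXES = ("Describe", "Get", "List", "Lookup")

# Real AWS actions that return contents rather than metadata. Constructed,
# deliberately short watch list; extend it for your own environment.
WATCHLIST = [
    "secretsmanager:GetSecretValue",  # secret plaintext
    "lambda:GetFunction",             # link to the deployment package
    "logs:GetLogEvents",              # log contents
    "ec2:GetPasswordData",            # encrypted Windows admin password
    "s3:GetObject",                   # object contents
]

def audit_policy(policy):
    """Return (review, data_reads) for the Allow statements of a policy."""
    review, data_reads = [], []
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for pattern in actions:
            verb = pattern.split(":", 1)[-1]
            if not verb.startswith(READ_PREFIXES):
                review.append(pattern)
            # IAM action matching is case-insensitive; * and ? are wildcards.
            for action in WATCHLIST:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    data_reads.append((pattern, action))
    return review, data_reads

# Constructed excerpt of the policy above, enough to exercise both checks.
SAMPLE = {"Version": "2012-10-17", "Statement": [{
    "Sid": "CalabiCloudOpsReadOnly", "Effect": "Allow", "Resource": "*",
    "Action": ["ec2:Get*", "iam:GenerateCredentialReport", "lambda:Get*",
               "logs:Get*", "s3:GetBucketPolicy", "secretsmanager:Get*",
               "sts:GetCallerIdentity"]}]}

if __name__ == "__main__":
    review, data_reads = audit_policy(SAMPLE)
    print("manual review:", review)
    for pattern, action in data_reads:
        print(f"{pattern} also allows {action}")
```

Where a flagged pattern grants more than the deployment needs, an explicit Deny statement or a narrower action list on the customer side closes the gap without touching the rest of the role.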


Query Connection Settings

These settings control how Calabi Cloud Query executes SQL against your cloud inventory.

| Setting | Default | Description |
| --- | --- | --- |
| Query timeout | 60 seconds | Maximum time a single query is allowed to run before it is cancelled |
| Max rows | 10,000 | Maximum number of rows returned in the query editor |
| Cache TTL | 5 minutes | How long query results are cached before a re-run is triggered |
| Parallel connections | 10 | Number of parallel AWS API calls during a query |

To change query settings:

  1. Navigate to Cloud Operations > Configure > Query Settings.
  2. Adjust the values.
  3. Click Save. Changes take effect for the next query run.

To bypass the result cache for a specific query, append -- nocache as a comment at the end of your SQL.


Notification Settings

Notification channels configured here are used by:

  • Age Reports — alert when an aging tier exceeds a count or size threshold
  • Security Posture — alert on new Critical or High findings
  • Cost Analytics — alert on spend anomalies
  • Monitoring — alert when a Calabi Monitoring alert rule fires

Adding a Slack channel

  1. Go to Configure > Notification Channels.
  2. Click Add Channel > Slack.
  3. Enter the Incoming Webhook URL (from your Slack workspace settings).
  4. Set a default Slack channel (e.g., #cloud-ops-alerts).
  5. Click Test to send a verification message.
  6. Click Save.

Adding a PagerDuty integration

  1. Go to Configure > Notification Channels.
  2. Click Add Channel > PagerDuty.
  3. Enter the PagerDuty Integration Key (Events API v2).
  4. Map Calabi severity levels to PagerDuty severity levels:
    • Critical → critical
    • High → error
    • Medium → warning
    • Low → info
  5. Click Save.

Adding an email destination

  1. Go to Configure > Notification Channels.
  2. Click Add Channel > Email.
  3. Enter one or more recipient addresses (comma-separated).
  4. Set a subject prefix (e.g., [Calabi Cloud Ops]).
  5. Click Save.

Alert routing rules

Routing rules direct alerts from specific sub-modules or severity levels to specific channels.

| Example rule | Effect |
| --- | --- |
| severity = critical → PagerDuty | All Critical alerts page on-call |
| module = security-posture AND severity = high → Slack #security | High security findings go to the security channel |
| module = cost-analytics → Email ops@company.com | Cost anomalies go to the ops team email |

To create a routing rule:

  1. Go to Configure > Alert Routing.
  2. Click Add Rule.
  3. Set the filter conditions and target channel.
  4. Use drag-and-drop to reorder rules — the first matching rule wins.
  5. Click Save.
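
Because the first matching rule wins, rule order decides where an alert lands, and a rule placed below a broader one never fires. The sketch below is an added example, not Calabi code: it models rules as (conditions, channel) pairs, which is an assumed representation, evaluates first-match routing, and reports shadowed rules. The first three rules mirror the table above; the fourth is constructed.

```python
# Rules in priority order. Representation and names are hypothetical.
RULES = [
    ({"severity": "critical"}, "PagerDuty"),
    ({"module": "security-posture", "severity": "high"}, "Slack #security"),
    ({"module": "cost-analytics"}, "Email ops@company.com"),
    # Constructed: intended for the security channel, but rule 0 matches first.
    ({"module": "security-posture", "severity": "critical"}, "Slack #security"),
]

def route(alert, rules=RULES):
    """Return the channel of the first rule whose conditions all match."""
    for conditions, channel in rules:
        if all(alert.get(k) == v for k, v in conditions.items()):
            return channel
    return None  # no rule matched

def shadowed(rules=RULES):
    """Indexes of rules that can never fire: an earlier rule's conditions
    are a subset of theirs, so the earlier rule always matches first."""
    dead = []
    for j, (later, _) in enumerate(rules):
        for earlier, _ in rules[:j]:
            if earlier.items() <= later.items():
                dead.append(j)
                break
    return dead

if __name__ == "__main__":
    # A critical cost anomaly pages on-call instead of reaching the ops email.
    print(route({"module": "cost-analytics", "severity": "critical"}))
    print(route({"module": "cost-analytics", "severity": "low"}))
    print("shadowed rule indexes:", shadowed())
```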

Removing a Connected Account

  1. Go to Configure > Connected Accounts.
  2. Click the three-dot menu next to the account you want to remove.
  3. Click Remove.
  4. Confirm the removal in the dialog.

Removing an account stops all further queries and scans against it. Historical scan results and saved queries referencing that account are preserved in read-only form.