Skip to main content

Why Monk Needs Credentials

Monk follows a Bring Your Own Infrastructure (BYOI) model - everything runs on your cloud accounts and services. Monk needs credentials to provision and manage resources on your behalf. What Monk does with credentials:
  • Provisions cloud infrastructure (VMs, networking, storage)
  • Configures managed services (databases, caches, CDNs)
  • Deploys your applications
  • Monitors and manages resources
Security guarantee:
  • Credentials stored locally and encrypted
  • Never sent to Monk servers
  • Only used for actions you approve
  • You can delete anytime
→ See Security for details on credential protection

When Monk Asks for Credentials

Monk requests credentials automatically when needed: 
deploy to AWS
Monk detects you want to use AWS and requests credentials if not already configured. You’ll see a credential form appear in your IDE where you can securely enter the required information.

Cloud Provider Credentials

AWS Credentials

What you need:
  • AWS Access Key ID
  • AWS Secret Access Key
  • Optional: Default region (e.g., us-east-1)
How to get them:
  1. Log into AWS Console
  2. Navigate to IAMUsers
  3. Click your username (or create new user for Monk)
  4. Go to Security credentials tab
  5. Click Create access key
  6. Choose “Third-party service” as use case
  7. Copy Access Key ID and Secret Access Key
Required permissions: Attach these AWS managed policies to the user:
  • AmazonEC2FullAccess - For VM provisioning
  • AmazonVPCFullAccess - For networking
  • IAMReadOnlyAccess - For checking permissions
Or create a custom policy with: EC2, VPC, S3 (for cluster management). Minimum scope (summary):
  • EC2 instances, images, and instance types
  • VPCs, subnets, routing, internet gateways
  • Security groups, network interfaces, elastic IPs
  • EBS volumes and snapshots
  • Load balancers and target groups (ELBv2)
  • ACM certificates (for HTTPS)
  • DLM policies for backups (if you use automated backups)
  • STS GetCallerIdentity
  • iam:PassRole for the DLM service role
Minimum IAM policy (JSON): 
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "MonkEC2Instances",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstanceTypes",
        "ec2:RunInstances",
        "ec2:TerminateInstances",
        "ec2:StopInstances",
        "ec2:ModifyInstanceAttribute"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MonkEC2Images",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeImages"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MonkEC2RegionsAndZones",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeRegions",
        "ec2:DescribeAvailabilityZones"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MonkEC2VPC",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcs",
        "ec2:CreateVpc",
        "ec2:CreateDefaultVpc",
        "ec2:ModifyVpcAttribute"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MonkEC2Subnets",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSubnets",
        "ec2:CreateSubnet",
        "ec2:CreateDefaultSubnet",
        "ec2:ModifySubnetAttribute"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MonkEC2InternetGateways",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInternetGateways",
        "ec2:CreateInternetGateway",
        "ec2:AttachInternetGateway"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MonkEC2RouteTables",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeRouteTables",
        "ec2:CreateRouteTable",
        "ec2:CreateRoute"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MonkEC2SecurityGroups",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSecurityGroupRules",
        "ec2:CreateSecurityGroup",
        "ec2:DeleteSecurityGroup",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupIngress"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MonkEC2NetworkInterfaces",
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteNetworkInterface"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MonkEC2ElasticIPs",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeAddresses",
        "ec2:AllocateAddress",
        "ec2:AssociateAddress",
        "ec2:ReleaseAddress"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MonkEC2Volumes",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVolumes",
        "ec2:DescribeVolumesModifications",
        "ec2:CreateVolume",
        "ec2:DeleteVolume",
        "ec2:AttachVolume",
        "ec2:DetachVolume",
        "ec2:ModifyVolume"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MonkEC2Snapshots",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSnapshots",
        "ec2:DeleteSnapshot"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MonkEC2Tags",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MonkELBv2",
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:CreateLoadBalancer",
        "elasticloadbalancing:DeleteLoadBalancer",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:CreateListener",
        "elasticloadbalancing:DeleteListener",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:CreateTargetGroup",
        "elasticloadbalancing:DeleteTargetGroup",
        "elasticloadbalancing:RegisterTargets",
        "elasticloadbalancing:DeregisterTargets",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticloadbalancing:AddTags"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MonkACM",
      "Effect": "Allow",
      "Action": [
        "acm:ListCertificates",
        "acm:ListTagsForCertificate",
        "acm:GetCertificate",
        "acm:ImportCertificate",
        "acm:DeleteCertificate",
        "acm:DescribeCertificate"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MonkDLM",
      "Effect": "Allow",
      "Action": [
        "dlm:GetLifecyclePolicies",
        "dlm:GetLifecyclePolicy",
        "dlm:CreateLifecyclePolicy",
        "dlm:UpdateLifecyclePolicy",
        "dlm:DeleteLifecyclePolicy"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MonkSTS",
      "Effect": "Allow",
      "Action": [
        "sts:GetCallerIdentity"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MonkIAMPassRole",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/service-role/AWSDataLifecycleManagerDefaultRole"
    }
  ]
}
Backup note:
  • DLM backups require the AWSDataLifecycleManagerDefaultRole.
Credential setup (IAM user with access keys): 
# 1. Create the IAM user
aws iam create-user --user-name monk-user

# 2. Create the policy
aws iam create-policy \
  --policy-name MonkClusterPolicy \
  --policy-document file://monk-policy.json

# 3. Attach the policy (replace ACCOUNT_ID)
aws iam attach-user-policy \
  --user-name monk-user \
  --policy-arn arn:aws:iam::ACCOUNT_ID:policy/MonkClusterPolicy

# 4. Create access keys
aws iam create-access-key --user-name monk-user

# 5. Add to Monk
monk cluster provider add -p AWS -k "ACCESS_KEY_ID" -s "SECRET_ACCESS_KEY"
Credential setup (AWS Console):
  • IAM → Policies → Create policy → JSON → paste policy above → Name MonkClusterPolicy
  • IAM → Users → Create user monk-user with programmatic access
  • Attach existing policy MonkClusterPolicy
  • Create access key and copy Access key ID / Secret access key
  • Add to Monk with monk cluster provider add -p AWS -k "ACCESS_KEY_ID" -s "SECRET_ACCESS_KEY"
Providing to Monk: When deploying to AWS, Monk will request credentials. Enter them in the secure form that appears. 
deploy to AWS in us-east-1

Google Cloud Platform (GCP) Credentials

What you need:
  • Service Account JSON key file
  • Optional: Project ID (auto-extracted from key)
  • Optional: Default region (e.g., us-central1)
How to get them:
  1. Log into GCP Console
  2. Navigate to IAM & AdminService Accounts
  3. Click Create Service Account
  4. Name it (e.g., “monk-deployment”)
  5. Grant roles:
    • Compute Admin - For VM management
    • Service Account User - For service operations
  6. Click Done
  7. Click the service account name
  8. Go to Keys tab → Add KeyCreate new key
  9. Choose JSON format
  10. Download the JSON file
Providing to Monk: When prompted, select the downloaded JSON file. Monk will extract all necessary information automatically. Minimum permissions (summary):
  • Compute Engine instances, images, and instance groups
  • Disks, snapshots, and resource policies (for backups)
  • VPC networks, subnets, firewalls, and external IPs
  • Load balancing: health checks, forwarding rules, backend services, proxies, URL maps
  • Operations and locations/regions metadata
Predefined roles (simpler, broader than custom role):
  • roles/compute.admin (Compute Admin)
  • roles/iam.serviceAccountUser (Service Account User)
Minimum permissions (custom role recommended): 
# Disks (EBS equivalent)
compute.disks.get
compute.disks.create
compute.disks.delete
compute.disks.resize
compute.disks.update
compute.disks.createSnapshot
compute.disks.addResourcePolicies
compute.disks.removeResourcePolicies

# Resource Policies (for backups)
compute.resourcePolicies.delete
compute.resourcePolicies.get
compute.resourcePolicies.create

# Snapshots
compute.snapshots.list
compute.snapshots.delete
compute.snapshots.get

# Health Checks (global)
compute.healthChecks.create
compute.healthChecks.delete
compute.healthChecks.get
compute.healthChecks.update

# Health Checks (regional)
compute.regionHealthChecks.create
compute.regionHealthChecks.delete
compute.regionHealthChecks.get
compute.regionHealthChecks.update

# Instance Groups
compute.instanceGroups.create
compute.instanceGroups.delete
compute.instanceGroups.get
compute.instanceGroups.update
compute.instanceGroups.list
compute.instanceGroups.addInstances
compute.instanceGroups.removeInstances
compute.instanceGroupManagers.update

# Global Addresses
compute.globalAddresses.create
compute.globalAddresses.delete
compute.globalAddresses.get

# Target TCP Proxies (global)
compute.targetTcpProxies.create
compute.targetTcpProxies.delete
compute.targetTcpProxies.get
compute.targetTcpProxies.update

# Target TCP Proxies (regional)
compute.regionTargetTcpProxies.create
compute.regionTargetTcpProxies.delete
compute.regionTargetTcpProxies.get

# Target HTTP Proxies (global)
compute.targetHttpProxies.create
compute.targetHttpProxies.delete
compute.targetHttpProxies.get
compute.targetHttpProxies.setUrlMap

# Target HTTP Proxies (regional)
compute.regionTargetHttpProxies.create
compute.regionTargetHttpProxies.delete
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.setUrlMap

# Target HTTPS Proxies (global)
compute.targetHttpsProxies.create
compute.targetHttpsProxies.delete
compute.targetHttpsProxies.get
compute.targetHttpsProxies.setSslCertificates

# Target HTTPS Proxies (regional)
compute.regionTargetHttpsProxies.create
compute.regionTargetHttpsProxies.delete
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.setSslCertificates

# Addresses (regional)
compute.addresses.list
compute.addresses.create
compute.addresses.delete
compute.addresses.get

# Backend Services (global)
compute.backendServices.create
compute.backendServices.delete
compute.backendServices.get
compute.backendServices.update
compute.backendServices.use

# Backend Services (regional)
compute.regionBackendServices.create
compute.regionBackendServices.delete
compute.regionBackendServices.get
compute.regionBackendServices.update

# SSL Certificates (global)
compute.sslCertificates.create
compute.sslCertificates.delete
compute.sslCertificates.get

# SSL Certificates (regional)
compute.regionSslCertificates.create
compute.regionSslCertificates.delete
compute.regionSslCertificates.get

# URL Maps (global)
compute.urlMaps.create
compute.urlMaps.delete
compute.urlMaps.get
compute.urlMaps.update

# URL Maps (regional)
compute.regionUrlMaps.create
compute.regionUrlMaps.delete
compute.regionUrlMaps.get
compute.regionUrlMaps.update

# Forwarding Rules (global)
compute.globalForwardingRules.create
compute.globalForwardingRules.delete
compute.globalForwardingRules.get

# Forwarding Rules (regional)
compute.forwardingRules.create
compute.forwardingRules.delete
compute.forwardingRules.get

# Zones
compute.zones.list

# Target Instances
compute.targetInstances.create
compute.targetInstances.delete
compute.targetInstances.get

# Firewalls
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.update

# Operations
compute.zoneOperations.get
compute.regionOperations.get
compute.globalOperations.get

# Images
compute.images.getFromFamily

# Instances
compute.instances.use
compute.instances.get
compute.instances.list
compute.instances.create
compute.instances.delete
compute.instances.stop
compute.instances.setTags
compute.instances.deleteAccessConfig
compute.instances.addAccessConfig
compute.instances.detachDisk
compute.instances.attachDisk
compute.instances.aggregatedList

# Networks
compute.networks.useExternalIp

# Subnetworks
compute.subnetworks.useExternalIp
compute.subnetworks.get
compute.subnetworks.create

# Routers (for NAT in proxy-only subnets)
compute.routers.get
compute.routers.create

# Machine Types
compute.machineTypes.get

# Network Endpoint Groups (regional)
compute.regionNetworkEndpointGroups.get
compute.regionNetworkEndpointGroups.create
compute.regionNetworkEndpointGroups.delete
compute.regionNetworkEndpointGroups.attachNetworkEndpoints

# Regions
compute.regions.get
Credential setup (service account): 
# Create service account
gcloud iam service-accounts create monk-cluster \
  --display-name "Monk Cluster"

# Create a custom role (use the permission list above)
gcloud iam roles create MonkClusterRole \
  --project PROJECT_ID \
  --file monk-gcp-role.yaml

# Bind role to the service account
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member "serviceAccount:monk-cluster@PROJECT_ID.iam.gserviceaccount.com" \
  --role "projects/PROJECT_ID/roles/MonkClusterRole"

# Create key
gcloud iam service-accounts keys create monk-gcp-key.json \
  --iam-account "monk-cluster@PROJECT_ID.iam.gserviceaccount.com"

# Add to Monk
monk cluster provider add -p GCP -k "$(cat monk-gcp-key.json)"
Credential setup (GCP Console):
  • IAM & Admin → Service Accounts → Create service account monk-cluster
  • IAM & Admin → Roles → Create role MonkClusterRole with permissions list above
  • IAM & Admin → IAM → grant MonkClusterRole to the service account
  • IAM & Admin → Service Accounts → your account → Keys → Add key → JSON → download
  • Add to Monk with monk cluster provider add -p GCP -k "$(cat monk-gcp-key.json)"

Microsoft Azure Credentials

What you need:
  • Client ID (Application ID)
  • Client Secret
  • Tenant ID
  • Subscription ID
  • Resource Group name
How to get them:
  1. Log into Azure Portal
  2. Navigate to Azure Active DirectoryApp registrations
  3. Click New registration
  4. Name it (e.g., “Monk Deployment”)
  5. Click Register
  6. Copy the Application (client) ID and Directory (tenant) ID
  7. Go to Certificates & secretsNew client secret
  8. Create and copy the secret value
  9. Navigate to Subscriptions, copy your Subscription ID
  10. Create or select a Resource Group for Monk to use
Required permissions:
  • Assign Contributor role on the subscription or resource group
Providing to Monk: You can provide Azure credentials via:
  • JSON file containing all fields
  • Individual fields in the credential form
Minimum role (summary):
  • Compute: VMs, disks, snapshots, availability sets
  • Networking: VNet/subnets, NICs, public IPs, NSGs
  • Load balancing: load balancers and application gateways
  • Resource groups and subscription metadata
  • Marketplace agreements (for some images)
Minimum custom role (JSON): 
{
  "$schema": "https://schema.management.azure.com/schemas/2018-01-01/roleDefinition.json",
  "Name": "Monk Cluster Role",
  "IsCustom": true,
  "Description": "Custom role for Monk container orchestration platform",
  "Actions": [
    "Microsoft.Network/publicIPAddresses/read",
    "Microsoft.Network/publicIPAddresses/write",
    "Microsoft.Network/publicIPAddresses/delete",
    "Microsoft.Network/publicIPAddresses/join/action",
    "Microsoft.Compute/disks/read",
    "Microsoft.Compute/disks/write",
    "Microsoft.Compute/disks/delete",
    "Microsoft.Compute/snapshots/read",
    "Microsoft.Compute/snapshots/write",
    "Microsoft.Compute/snapshots/delete",
    "Microsoft.Network/networkWatchers/read",
    "Microsoft.Network/networkWatchers/delete",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/write",
    "Microsoft.Network/virtualNetworks/delete",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/subnets/write",
    "Microsoft.Network/virtualNetworks/subnets/delete",
    "Microsoft.Network/virtualNetworks/subnets/join/action",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/powerOff/action",
    "Microsoft.Network/networkInterfaces/read",
    "Microsoft.Network/networkInterfaces/write",
    "Microsoft.Network/networkInterfaces/join/action",
    "Microsoft.Network/networkInterfaces/delete",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/subscriptions/resourceGroups/write",
    "Microsoft.Resources/subscriptions/resourceGroups/delete",
    "Microsoft.Network/networkSecurityGroups/read",
    "Microsoft.Network/networkSecurityGroups/write",
    "Microsoft.Network/networkSecurityGroups/delete",
    "Microsoft.Network/networkSecurityGroups/join/action",
    "Microsoft.Network/loadBalancers/read",
    "Microsoft.Network/loadBalancers/write",
    "Microsoft.Network/loadBalancers/delete",
    "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
    "Microsoft.Compute/availabilitySets/read",
    "Microsoft.Compute/availabilitySets/write",
    "Microsoft.Compute/availabilitySets/delete",
    "Microsoft.Network/applicationGateways/read",
    "Microsoft.Network/applicationGateways/write",
    "Microsoft.Network/applicationGateways/delete",
    "Microsoft.Compute/skus/read",
    "Microsoft.Compute/locations/usages/read",
    "Microsoft.Resources/subscriptions/locations/read",
    "Microsoft.Authorization/permissions/read",
    "Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/read",
    "Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/write"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/YOUR_SUBSCRIPTION_ID"
  ]
}
Credential setup (service principal + SDK auth file): 
# Replace YOUR_SUBSCRIPTION_ID in monk-role.json first
az role definition create --role-definition monk-role.json

# Create service principal with the custom role
az ad sp create-for-rbac \
  --name "monk-cluster-sp" \
  --role "Monk Cluster Role" \
  --scopes "/subscriptions/YOUR_SUBSCRIPTION_ID" \
  --sdk-auth > azurekey.json

# Add to Monk
monk cluster provider add -p azure -f /absolute/path/to/azurekey.json
Credential setup (Azure Portal):
  • Azure Portal → Subscriptions → copy Subscription ID
  • Azure AD → App registrations → New registration → create app
  • Azure AD → App registrations → your app → Certificates & secrets → New client secret → copy Value
  • Azure AD → App registrations → your app → Overview → copy Application (client) ID and Directory (tenant) ID
  • Subscriptions → Access control (IAM) → Add role assignment → Custom role Monk Cluster Role
  • Assign access to: User, group, or service principal → select your app → save
  • Create SDK auth file (CLI): az ad sp create-for-rbac --name "monk-cluster-sp" --role "Monk Cluster Role" --scopes "/subscriptions/YOUR_SUBSCRIPTION_ID" --sdk-auth > azurekey.json
  • Add to Monk: monk cluster provider add -p azure -f /absolute/path/to/azurekey.json

DigitalOcean Credentials

What you need:
  • Personal Access Token (API token)
  • Optional: Default region (e.g., nyc1)
How to get them:
  1. Log into DigitalOcean
  2. Click API in left sidebar
  3. Go to Tokens/Keys tab
  4. Click Generate New Token
  5. Name it (e.g., “Monk Deployment”)
  6. Check both Read and Write scopes
  7. Click Generate Token
  8. Copy the token immediately (shown only once)
Providing to Monk: Enter the token when Monk requests DigitalOcean credentials. 
deploy to DigitalOcean

Service Provider Credentials

MongoDB Atlas

What you need:
  • Organization Name
  • Service Account Client ID (Public Key)
  • Service Account Client Secret (Private Key)
How to get them:
  1. Log into MongoDB Atlas
  2. Click organization name (top left) → Organization Settings
  3. Go to Access ManagerAPI Keys tab
  4. Click Create API Key
  5. Description: “Monk Deployment”
  6. Set Organization Permissions:
    • Organization Project Creator
    • Project Cluster Manager
    • Project User Admin
  7. Click Next
  8. Copy the Public Key (Client ID) and Private Key (Client Secret)
  9. Save them securely - private key shown only once
  10. Note your Organization Name or ID from Organization Settings
Required access scope: Monk needs these permissions to:
  • Create projects in your organization
  • Provision and manage clusters
  • Create database users for your applications
This is the minimal scope required. Monk cannot access existing projects or data. Providing to Monk: 
use MongoDB Atlas for my database
Monk will request Atlas credentials via secure form. → See MongoDB Atlas Integration for full details

Redis Cloud

What you need:
  • Account Key
  • User Key
  • Database Password (Monk can generate this)
How to get them:
  1. Log into Redis Cloud console
  2. Navigate to Account SettingsAPI Keys
  3. Find your Account Key and User Key
  4. Copy both values
  5. Choose a strong database password (or let Monk generate one)
Providing to Monk: 
use Redis Cloud instead of self-hosted Redis

Netlify

What you need:
  • Nothing! Netlify uses OAuth.
How it works:
  1. Tell Monk to deploy to Netlify:
deploy frontend to Netlify
  1. Click Connect Netlify when prompted
  2. Browser opens to Netlify authorization page
  3. Click Authorize to grant Monk access
  4. Automatically redirects back to IDE
  5. Credentials stored securely
No manual token needed - OAuth handles everything.

Auth0

What you need:
  • Domain (Management API URL)
  • Management Client ID
  • Management Client Secret
How to get them:
  1. Log into Auth0 Dashboard
  2. Go to ApplicationsApplications
  3. Click Create Application
  4. Name: “Monk Management”
  5. Type: Machine to Machine
  6. Select Auth0 Management API
  7. Grant all permissions for Applications, Users, and Resource Servers
  8. Click Authorize
  9. Copy Domain, Client ID, and Client Secret
Format domain correctly:
  • Use: your-tenant.auth0.com
  • Not: https://your-tenant.auth0.com/
Providing to Monk: 
use Auth0 for authentication

Vercel

What you need:
  • Personal Access Token
  • Optional: Team ID (for team deployments)
How to get them:
  1. Log into Vercel
  2. Go to SettingsTokens
  3. Click Create Token
  4. Name: “Monk Deployment”
  5. Scope: Choose Full Account or minimal (deploy, project read)
  6. Expiration: Set based on your security policy
  7. Click Create and copy the token
For team deployments:
  • Go to team settings to find Team ID
Providing to Monk: 
deploy frontend to Vercel

GitHub (for CI/CD)

What you need:
  • Fine-Grained Personal Access Token
How to get it:
  1. Log into GitHub
  2. Go to SettingsDeveloper settings
  3. Click Personal access tokensFine-grained tokens
  4. Click Generate new token
  5. Name: “Monk CI/CD”
  6. Expiration: Choose based on security needs
  7. Repository access: Select repositories Monk should access
  8. Permissions (on selected repositories):
    • Actions: Read and write
    • Secrets: Read and write
    • Environments: Read and write
    • Contents: Read
    • Metadata: Read
  9. Click Generate token and copy it
Providing to Monk: 
set up CI/CD with GitHub Actions

Slack (for Watcher Alerts)

What you need:
  • Incoming Webhook URL
How to get it:
  1. Go to your Slack workspace settings
  2. Navigate to AppsAdd apps
  3. Search for “Incoming Webhooks” and add it
  4. Click Add to Slack
  5. Choose a channel for alerts (e.g., #monk-alerts)
  6. Click Add Incoming WebHooks integration
  7. Copy the Webhook URL (starts with https://hooks.slack.com/...)
Providing to Monk: 
set up watcher
Monk will request the Slack webhook URL during Watcher setup. → See Watcher Setup for complete guide

Managing Your Credentials

Check Configured Credentials

what credentials do I have configured?
Monk lists all configured providers and shows which ones are ready.

Update Existing Credentials

update my AWS credentials
Monk opens the credential form with current values (sensitive fields hidden). Update and save.

Remove Credentials

delete my Azure credentials
Monk removes credentials from secure storage. You can re-add them anytime.

Security Best Practices

1. Use Service Accounts

For production deployments:
  • AWS: Create dedicated IAM user (not your personal account)
  • GCP: Use service account (not user credentials)
  • Azure: Use service principal (not personal account)
  • MongoDB Atlas: Create org-level API key (not personal)
Why: Service accounts can be rotated without affecting your personal access.

2. Minimal Permissions

Grant only what Monk needs:
  • Don’t use admin/root credentials
  • Follow principle of least privilege
  • Review permissions lists above for each provider
Why: Limits blast radius if credentials are compromised.

3. Rotate Regularly

Recommended schedule:
  • Every 90 days for production credentials
  • Immediately if potentially exposed
  • When team members leave
update [provider] credentials

4. Enable MFA

Enable multi-factor authentication on all provider accounts:
  • AWS: Enable MFA on IAM user (even for programmatic access)
  • GCP: MFA on account that manages service accounts
  • Azure: MFA on Azure AD account
  • MongoDB Atlas: MFA on your Atlas account

5. Monitor Usage

Check provider audit logs periodically:
  • AWS CloudTrail
  • GCP Audit Logs
  • Azure Activity Log
  • MongoDB Atlas Access Tracking
Look for unexpected API calls or resource changes.

6. Team Access

For teams:
  • Use organization features to share access
  • Don’t share personal credentials
  • Each team member should have appropriate role
  • Use service accounts for shared infrastructure

Troubleshooting

Monk says credentials are invalid

Check:
  1. Verify credentials in provider console
  2. Ensure permissions/roles are granted correctly
  3. Look for typos or extra spaces
  4. For API keys - check they haven’t expired
  5. For service accounts - verify they’re enabled
Try updating: 
update my [provider] credentials
Monk will re-prompt for credentials.

Which credentials do I need?

Monk tells you based on what you’re deploying:
  • Cloud provider credentials: Needed when creating clusters (AWS, GCP, Azure, DigitalOcean)
  • Service providers: Needed when using specific integrations (MongoDB Atlas, Netlify, etc.)
  • Application secrets: Custom secrets your application needs (API keys, tokens)
Don’t pre-configure everything - Monk will ask for what’s needed when needed.

Can I use multiple cloud accounts?

Currently, Monk supports one set of credentials per provider at a time: To use different accounts:
  • Update credentials before creating clusters
  • Each cluster remembers which account created it
Coming soon: Organization features will support multiple credential sets per provider.

Credentials not being accepted

Common issues: AWS:
  • Access keys disabled in IAM console
  • Missing required permissions
  • Region mismatch (if specifying default region)
GCP:
  • Service account disabled
  • JSON key file malformed
  • Missing required roles
Azure:
  • Client secret expired
  • Wrong tenant ID
  • Missing Contributor role
DigitalOcean:
  • Token revoked
  • Insufficient scopes (need Read + Write)
MongoDB Atlas:
  • API key disabled or deleted
  • Wrong organization name/ID
  • Insufficient permissions on API key
Ask Monk for help: 
why are my [provider] credentials not working?