> ## Documentation Index
> Fetch the complete documentation index at: https://docs.monk.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Connect Your Cloud

> Give Monk access to your cloud accounts

Monk follows a bring-your-own-infrastructure model. Everything runs on your cloud accounts — Monk provisions and manages resources on your behalf, but you own the infrastructure and control the credentials.

Credentials are encrypted at rest on your machine and on your Monk cluster using your cloud provider's KMS — so your infrastructure can manage itself autonomously. They are never sent to Monk servers and never exposed to the LLM. See [Security](/features/security) for the full details.

## Pick Your Cloud

Monk asks for credentials automatically when you deploy, but you can also set them up ahead of time. Pick your cloud to get started:

<CardGroup cols={2}>
  <Card title="AWS" icon="cloud" href="/getting-started/credentials-aws">
    IAM access key and secret key
  </Card>

  <Card title="Google Cloud" icon="cloud" href="/getting-started/credentials-gcp">
    Service account JSON key
  </Card>

  <Card title="Microsoft Azure" icon="cloud" href="/getting-started/credentials-azure">
    Service principal with client secret
  </Card>

  <Card title="DigitalOcean" icon="cloud" href="/getting-started/credentials-digitalocean">
    Personal access token
  </Card>

  <Card title="Hetzner" icon="cloud" href="/getting-started/credentials-hetzner">
    API token
  </Card>
</CardGroup>

## Service Providers

Monk also integrates with service providers for databases, hosting, authentication, CI/CD, and monitoring. Credentials for these are requested automatically the first time you use them.

| Service           | What you need                   | How it works                                                                             |
| ----------------- | ------------------------------- | ---------------------------------------------------------------------------------------- |
| **Netlify**       | Nothing                         | OAuth — Monk opens a browser for authorization                                           |
| **Vercel**        | Personal access token           | [Settings → Tokens](https://vercel.com/account/tokens)                                   |
| **MongoDB Atlas** | Org name + API key pair         | [Access Manager → API Keys](https://cloud.mongodb.com)                                   |
| **Redis Cloud**   | Account key + user key          | Account Settings → API Keys                                                              |
| **Auth0**         | Domain + M2M client credentials | Applications → Create M2M app                                                            |
| **Cloudflare**    | API token                       | [My Profile → API Tokens](https://dash.cloudflare.com/profile/api-tokens)                |
| **GitHub**        | Fine-grained PAT                | [Developer Settings → Fine-grained tokens](https://github.com/settings/tokens?type=beta) |
| **Slack**         | Nothing                         | OAuth — Monk opens a browser for authorization ([details](/features/slack))              |

You do not need to configure these in advance. When you ask Monk to use a service — for example, `deploy frontend to Netlify with Monk` — it will request the credentials it needs at that point.

## Managing Credentials

You can check, update, or remove credentials at any time through your agent or Monk directly:

```
ask Monk what credentials I have configured
```

```
ask Monk to update my AWS credentials
```

```
ask Monk to delete my Azure credentials
```

## Security Best Practices

**Use service accounts, not personal credentials.** Create a dedicated IAM user (AWS), service account (GCP), or service principal (Azure) for Monk. Service accounts can be rotated without affecting your personal access.

**Grant minimal permissions.** Each cloud guide above lists the exact permissions Monk needs. Do not use admin or root credentials.

**Rotate regularly.** Every 90 days for production credentials, immediately if potentially exposed, and whenever team members leave.

**Enable MFA** on all provider accounts that manage the service accounts Monk uses.

<Card title="First deployment" icon="rocket" href="/getting-started/first-deployment" color="#3B82F6">
  Credentials ready? Deploy your first app
</Card>
