27 changes: 22 additions & 5 deletions cloud-accounts/connecting-a-cloud-account.mdx
@@ -51,13 +51,30 @@ Before Porter can create a cluster, you need to grant it access to your cloud ac

## Revoking Access

To revoke Porter's access:
Disconnecting an AWS cloud account is a two-step process: Porter tears down the IAM roles and policies it created in your account, then you delete the customer-owned `porter-access-manager` role that trusts Porter.

1. First, delete any clusters through the Porter dashboard
2. Navigate to **CloudFormation Stacks** in your AWS console
3. Select the stack named `PorterRole` and click **Delete**
<Steps>
<Step title="Delete dependent resources">
Before you can disconnect, delete any clusters, object storage, and environment groups that are still using this cloud account. The dashboard lists any remaining dependents and blocks the **Delete** button until they're gone.
</Step>
<Step title="Disconnect from the Porter dashboard">
Navigate to **Cloud accounts**, open the AWS account you want to remove, and scroll to the **Danger zone**. Click **Delete**, type the account name to confirm, then click **Disconnect**.

Porter synchronously removes the IAM roles and policies it provisioned in your AWS account (including `porter-manager`, `porter-infra-manager`, and related Porter-managed roles and policies). When the deletion finishes, the cloud account is gone from Porter and Porter can no longer assume any role in your AWS account.
</Step>
<Step title="Delete the porter-access-manager role">
The `porter-access-manager` IAM role is owned by you — it was created by the CloudFormation stack and is not removed by Porter. After disconnecting, delete it yourself to fully revoke the trust relationship:

This removes the IAM role and prevents Porter from accessing your account.
1. Open the **AWS IAM console** (the dashboard provides a direct link in the success dialog).
2. Find the role named `porter-access-manager` (ARN: `arn:aws:iam::<your-account-id>:role/porter-access-manager`).
3. Follow the AWS instructions for [deleting an IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_delete.html).
4. Optionally, delete the CloudFormation stack that created it (typically named `PorterRole`) from the **CloudFormation** console.
</Step>
</Steps>

<Info>
Disconnecting runs synchronously, so the dashboard reports success or failure immediately. If the call fails partway through, it's safe to retry — teardown is idempotent.
</Info>
</Tab>

<Tab title="GCP">
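Review bot: The closing sentence of the "Disconnect from the Porter dashboard" step ("Porter can no longer assume any role in your AWS account") contradicts the next step, which says `porter-access-manager` still trusts Porter and must be deleted "to fully revoke the trust relationship". A reader who stops after the dashboard step will believe access is already revoked. Suggest limiting that sentence to the roles Porter provisioned and stating in the same step that the trust on `porter-access-manager` remains until the customer removes it. Two smaller points in the same hunk: the intro calls this "a two-step process" but the `<Steps>` block has three steps, and the role is described as "created by the CloudFormation stack" while deleting that stack is listed as optional and comes after deleting the role by hand. The removed text deleted the `PorterRole` stack directly, so either make stack deletion the primary path or say what state the stack is left in when the role is deleted first. A final item telling the reader how to confirm the role is gone would also close the procedure.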