ben.carrasco/prowler
1
0
Fork 0
mirror of https://github.com/prowler-cloud/prowler.git synced 2025-12-19 05:17:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

docs: remove Prowler App credentials handling duplicates (#9212)

Browse Source
This commit is contained in:
Andoni Alonso
2025-11-12 08:23:25 +01:00
committed by GitHub
parent e246c0cfd7
commit ca4c4c8381
10 changed files with 197 additions and 296 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
docs/developer-guide/kubernetes-details.mdx
View File

@@ -4,7 +4,7 @@ title: 'Kubernetes Provider'
This page details the [Kubernetes](https://kubernetes.io/) provider implementation in Prowler.
By default, Prowler will audit all namespaces in the Kubernetes cluster accessible by the configured context. To configure it, see the [In-Cluster Execution](/user-guide/providers/kubernetes/in-cluster) or [Non In-Cluster Execution](/user-guide/providers/kubernetes/outside-cluster) guides.
By default, Prowler will audit all namespaces in the Kubernetes cluster accessible by the configured context. To configure it, see the [In-Cluster Execution](/user-guide/providers/kubernetes/getting-started-k8s#in-cluster-execution) or [Non In-Cluster Execution](/user-guide/providers/kubernetes/getting-started-k8s#non-in-cluster-execution) guides.
## Kubernetes Provider Classes Architecture

3
docs/docs.json
View File

@@ -195,8 +195,7 @@
{
"group": "Kubernetes",
"pages": [
"user-guide/providers/kubernetes/in-cluster",
"user-guide/providers/kubernetes/outside-cluster",
"user-guide/providers/kubernetes/getting-started-k8s",
"user-guide/providers/kubernetes/misc"
]
},

2
docs/introduction.mdx
View File

@@ -28,7 +28,7 @@ The supported providers right now are:
| [AWS](/user-guide/providers/aws/getting-started-aws) | Official | UI, API, CLI |
| [Azure](/user-guide/providers/azure/getting-started-azure) | Official | UI, API, CLI |
| [Google Cloud](/user-guide/providers/gcp/getting-started-gcp) | Official | UI, API, CLI |
| [Kubernetes](/user-guide/providers/kubernetes/in-cluster) | Official | UI, API, CLI |
| [Kubernetes](/user-guide/providers/kubernetes/getting-started-k8s) | Official | UI, API, CLI |
| [M365](/user-guide/providers/microsoft365/getting-started-m365) | Official | UI, API, CLI |
| [Github](/user-guide/providers/github/getting-started-github) | Official | UI, API, CLI |
| [Oracle Cloud](/user-guide/providers/oci/getting-started-oci) | Official | UI, API, CLI |

3
docs/user-guide/providers/azure/getting-started-azure.mdx
View File

@@ -53,7 +53,8 @@ For detailed instructions on how to create the Service Principal and configure p
### Step 3: Add Credentials to Prowler App
Having completed the [Service Principal setup from the Authentication guide](/user-guide/providers/azure/authentication#service-principal-application-authentication-recommended):
For Azure, Prowler App uses a service principal application to authenticate. For more information about the process of creating and adding permissions to a service principal refer to this [section](/user-guide/providers/azure/authentication). When you finish creating and adding the [Entra](/user-guide/providers/azure/create-prowler-service-principal#assigning-proper-permissions) and [Subscription](/user-guide/providers/azure/subscriptions) scope permissions to the service principal, enter the `Tenant ID`, `Client ID` and `Client Secret` of the service principal application.
1. Go to your App Registration overview and copy the `Client ID` and `Tenant ID`

46
docs/user-guide/providers/gcp/getting-started-gcp.mdx
View File

@@ -32,35 +32,45 @@ title: 'Getting Started With GCP on Prowler'
### Step 3: Set Up GCP Authentication
Choose the preferred authentication mode before proceeding:
For Google Cloud, first enter your `GCP Project ID` and then select the authentication method you want to use:
**User Credentials (Application Default Credentials)**
- **Service Account Authentication** (**Recommended**)
* Authenticates as a service identity
* Stable and auditable
* Recommended for production
- **Application Default Credentials**
* Quick scan as current user
* Uses Google Cloud CLI authentication
* Credentials may time out
* Quick scan as current user
* Uses Google Cloud CLI authentication
* Credentials may time out
**Service Account Authentication** is the recommended authentication method for automated systems and machine-to-machine interactions, like Prowler. For detailed information about this, refer to the [Google Cloud documentation](https://cloud.google.com/iam/docs/service-account-overview).
**Service Account Key File**
<img src="/images/prowler-app/gcp-auth-methods.png" alt="GCP Authentication Methods" width="700" />
* Authenticates as a service identity
* Stable and auditable
* Recommended for production
<Tabs>
<Tab title="Service Account Authentication">
First of all, in the same project that you selected in the previous step, you need to create a service account and then generate a key in JSON format for it. For more information about this, you can follow the next Google Cloud documentation tutorials:
For detailed instructions on how to set up authentication, see [Authentication](/user-guide/providers/gcp/authentication).
- [Create a service account](https://cloud.google.com/iam/docs/creating-managing-service-accounts)
- [Generate a key for a service account](https://cloud.google.com/iam/docs/creating-managing-service-account-keys)
6. Once credentials are configured, return to Prowler App and enter the required values:
<img src="/images/prowler-app/gcp-service-account-creds.png" alt="GCP Service Account Credentials" width="700" />
</Tab>
<Tab title="Application Default Credentials">
1. Run the following command in your terminal to authenticate with GCP:
For "Service Account Key":
```bash
gcloud auth application-default login
```
- `Service Account Key JSON`
2. Once authenticated, get the `Client ID`, `Client Secret` and `Refresh Token` from `~/.config/gcloud/application_default_credentials`.
For "Application Default Credentials":
3. Paste the `Client ID`, `Client Secret` and `Refresh Token` into Prowler App.
- `client_id`
- `client_secret`
- `refresh_token`
<img src="/images/gcp-credentials.png" alt="GCP Credentials" width="700" />
</Tab>
</Tabs>
![Enter the Credentials](/images/providers/enter-credentials-prowler-cloud.png)
7. Click "Next", then "Launch Scan"

131
docs/user-guide/providers/kubernetes/getting-started-k8s.mdx Normal file
View File

@@ -0,0 +1,131 @@
---
title: 'Getting Started with Kubernetes'
---
## Prowler App
### Step 1: Access Prowler Cloud/App
1. Navigate to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app)
2. Go to "Configuration" > "Cloud Providers"
![Cloud Providers Page](/images/prowler-app/cloud-providers-page.png)
3. Click "Add Cloud Provider"
![Add a Cloud Provider](/images/prowler-app/add-cloud-provider.png)
4. Select "Kubernetes"
5. Enter your Kubernetes Cluster context from your kubeconfig file and optionally provide a friendly alias
### Step 2: Configure Kubernetes Authentication
For Kubernetes, Prowler App uses a `kubeconfig` file to authenticate. Paste the contents of your `kubeconfig` file into the `Kubeconfig content` field.
By default, the `kubeconfig` file is located at `~/.kube/config`.
![Kubernetes Credentials](/images/kubernetes-credentials.png)
### Step 3: Additional Setup for EKS, GKE, AKS, or External Clusters
If you are adding an **EKS**, **GKE**, **AKS** or external cluster, follow these additional steps to ensure proper authentication:
**Make sure your cluster allows traffic from the Prowler Cloud IP address `52.48.254.174/32`**
1. Apply the necessary Kubernetes resources to your EKS, GKE, AKS or external cluster (you can find the files in the [`kubernetes` directory of the Prowler repository](https://github.com/prowler-cloud/prowler/tree/master/kubernetes)):
```console
kubectl apply -f kubernetes/prowler-sa.yaml
kubectl apply -f kubernetes/prowler-role.yaml
kubectl apply -f kubernetes/prowler-rolebinding.yaml
```
2. Generate a long-lived token for authentication:
```console
kubectl create token prowler-sa -n prowler-ns --duration=0
```
- **Security Note:** The `--duration=0` option generates a non-expiring token, which may pose a security risk if not managed properly. Users should decide on an appropriate expiration time based on their security policies. If a limited-time token is preferred, set `--duration=<TIME>` (e.g., `--duration=24h`).
- **Important:** If the token expires, Prowler Cloud will no longer be able to authenticate with the cluster. In this case, you will need to generate a new token and **remove and re-add the provider in Prowler Cloud** with the updated `kubeconfig`.
3. Update your `kubeconfig` to use the ServiceAccount token:
```console
kubectl config set-credentials prowler-sa --token=<SA_TOKEN>
kubectl config set-context <CONTEXT_NAME> --user=prowler-sa
```
Replace `<SA_TOKEN>` with the generated token and `<CONTEXT_NAME>` with your KubeConfig Context Name of your EKS, GKE or AKS cluster.
4. Add the modified `kubeconfig` in Prowler Cloud and test the connection.
## Prowler CLI
### Non In-Cluster Execution
For execution outside the cluster environment, specify the location of the [kubeconfig](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) file using the following argument:
```console
prowler kubernetes --kubeconfig-file /path/to/kubeconfig
```
<Note>
If no `--kubeconfig-file` is provided, Prowler will use the default KubeConfig file location (`~/.kube/config`).
</Note>
<Note>
`prowler` will scan the active Kubernetes context by default. Use the [`--context`](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/kubernetes/context/) flag to specify the context to be scanned.
</Note>
<Note>
By default, `prowler` will scan all namespaces in your active Kubernetes context. Use the [`--namespace`](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/kubernetes/namespace/) flag to specify the namespace(s) to be scanned.
</Note>
### In-Cluster Execution
For in-cluster execution, use the supplied yaml files inside `/kubernetes`:
* [prowler-sa.yaml](https://github.com/prowler-cloud/prowler/blob/master/kubernetes/prowler-sa.yaml)
* [job.yaml](https://github.com/prowler-cloud/prowler/blob/master/kubernetes/job.yaml)
* [prowler-role.yaml](https://github.com/prowler-cloud/prowler/blob/master/kubernetes/prowler-role.yaml)
* [prowler-rolebinding.yaml](https://github.com/prowler-cloud/prowler/blob/master/kubernetes/prowler-rolebinding.yaml)
They can be used to run Prowler as a job within a new Prowler namespace:
```console
kubectl apply -f kubernetes/prowler-sa.yaml
kubectl apply -f kubernetes/job.yaml
kubectl apply -f kubernetes/prowler-role.yaml
kubectl apply -f kubernetes/prowler-rolebinding.yaml
kubectl get pods --namespace prowler-ns --> prowler-XXXXX
kubectl logs prowler-XXXXX --namespace prowler-ns
```
<Note>
By default, `prowler` will scan all namespaces in your active Kubernetes context. Use the [`--namespace`](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/kubernetes/namespace/) flag to specify the namespace(s) to be scanned.
</Note>
<Tip>
**Identifying the cluster in reports**
When running in in-cluster mode, the Kubernetes API does not expose the actual cluster name by default.
To uniquely identify the cluster in logs and reports:
- Use the `--cluster-name` flag to manually set the cluster name:
```bash
prowler -p kubernetes --cluster-name production-cluster
```
- Or set the `CLUSTER_NAME` environment variable:
```yaml
env:
- name: CLUSTER_NAME
value: production-cluster
```
</Tip>

45
docs/user-guide/providers/kubernetes/in-cluster.mdx
View File

@@ -1,45 +0,0 @@
---
title: 'In-Cluster Execution'
---
For in-cluster execution, use the supplied yaml files inside `/kubernetes`:
* [prowler-sa.yaml](https://github.com/prowler-cloud/prowler/blob/master/kubernetes/prowler-sa.yaml)
* [job.yaml](https://github.com/prowler-cloud/prowler/blob/master/kubernetes/job.yaml)
* [prowler-role.yaml](https://github.com/prowler-cloud/prowler/blob/master/kubernetes/prowler-role.yaml)
* [prowler-rolebinding.yaml](https://github.com/prowler-cloud/prowler/blob/master/kubernetes/prowler-rolebinding.yaml)
They can be used to run Prowler as a job within a new Prowler namespace:
```console
kubectl apply -f kubernetes/prowler-sa.yaml
kubectl apply -f kubernetes/job.yaml
kubectl apply -f kubernetes/prowler-role.yaml
kubectl apply -f kubernetes/prowler-rolebinding.yaml
kubectl get pods --namespace prowler-ns --> prowler-XXXXX
kubectl logs prowler-XXXXX --namespace prowler-ns
```
<Note>
By default, `prowler` will scan all namespaces in your active Kubernetes context. Use the [`--namespace`](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/kubernetes/namespace/) flag to specify the namespace(s) to be scanned.
</Note>
<Tip>
**Identifying the cluster in reports**
When running in in-cluster mode, the Kubernetes API does not expose the actual cluster name by default.
To uniquely identify the cluster in logs and reports, you can:
- Use the `--cluster-name` flag to manually set the cluster name:
```bash
prowler -p kubernetes --cluster-name production-cluster
```
- Or set the `CLUSTER_NAME` environment variable:
```yaml
env:
- name: CLUSTER_NAME
value: production-cluster
```
</Tip>

22
docs/user-guide/providers/kubernetes/outside-cluster.mdx
View File

@@ -1,22 +0,0 @@
---
title: 'Non In-Cluster Execution'
---
For execution outside the cluster environment, specify the location of the [kubeconfig](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) file using the following argument:
```console
prowler kubernetes --kubeconfig-file /path/to/kubeconfig
```
<Note>
If no `--kubeconfig-file` is provided, Prowler will use the default KubeConfig file location (`~/.kube/config`).
</Note>
<Note>
`prowler` will scan the active Kubernetes context by default. Use the [`--context`](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/kubernetes/context/) flag to specify the context to be scanned.
</Note>
<Note>
By default, `prowler` will scan all namespaces in your active Kubernetes context. Use the [`--namespace`](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/kubernetes/namespace/) flag to specify the namespace(s) to be scanned.
</Note>

14
docs/user-guide/providers/microsoft365/getting-started-m365.mdx
View File

@@ -50,15 +50,15 @@ Configure authentication for Microsoft 365 by following the [Microsoft 365 Authe
### Step 3: Select Authentication Method and Provide Credentials
Prowler App now separates Microsoft 365 authentication into two app-only options. After adding the Domain ID, choose the method that matches your setup:
Prowler App now separates Microsoft 365 authentication into two app-only options. After adding the Domain ID (primary tenant domain), choose the method that matches your setup:
<img src="/images/providers/m365-auth-selection-form.png" alt="M365 authentication method selection" width="700" />
#### Application Certificate Authentication (Recommended)
1. Copy the Application (client) ID and Tenant ID from the app registration overview page.
2. Paste both values into the Prowler App form.
3. Upload the PFX bundle or paste the Base64-encoded certificate (`M365_CERTIFICATE_CONTENT`), then click **Test Connection**.
1. Enter your **tenant ID**: This is the unique identifier for your Microsoft Entra ID directory.
2. Enter your **application (client) ID**: This is the unique identifier assigned to your app registration in Microsoft Entra ID.
3. Upload your **certificate file content**: This is the Base64 encoded certificate content used to authenticate your application.
<img src="/images/providers/certificate-form.png" alt="M365 certificate authentication form" width="700" />
@@ -66,9 +66,9 @@ Use this method whenever possible to avoid managing client secrets and to unlock
#### Application Client Secret Authentication
1. From the app registration, copy the Application (client) ID and Tenant ID.
2. Paste both values plus the client secret into the Prowler App form.
3. Click **Test Connection** to validate the credentials.
1. Enter your **tenant ID**: This is the unique identifier for your Microsoft Entra ID directory.
2. Enter your **application (client) ID**: This is the unique identifier assigned to your app registration in Microsoft Entra ID.
3. Enter your **client secret**: This is the secret key used to authenticate your application.
<img src="/images/providers/secret-form.png" alt="M365 client secret authentication form" width="700" />

225
docs/user-guide/tutorials/prowler-app.mdx
View File

@@ -77,208 +77,35 @@ Steps to add a provider:
## **Step 4: Configure the Provider**
Select the cloud provider you want to scan.
Select the cloud provider to scan and configure authentication credentials. Each provider has specific requirements and authentication methods.
<img src="/images/select-provider.png" alt="Select a Provider" width="700" />
Once chosen, enter the Provider UID for authentication:
- **AWS**: Enter your AWS Account ID.
- **GCP**: Enter your GCP Project ID.
- **Azure**: Enter your Azure Subscription ID.
- **Kubernetes**: Enter your Kubernetes Cluster context of your kubeconfig file.
- **M365**: Enter your M365 Domain ID.
Optionally, provide a **Provider Alias** for easier identification. Follow the instructions provided to add your credentials:
### **Step 4.1: AWS Credentials**
For AWS, enter your `AWS Account ID` and choose one of the following methods to connect:
#### **Step 4.1.1: IAM Access Keys**
1. Select `Connect via Credentials`.
<img src="/images/connect-aws-credentials.png" alt="AWS Credentials" width="350" />
2. Enter your `Access Key ID`, `Secret Access Key` and optionally a `Session Token`:
<img src="/images/aws-credentials.png" alt="AWS Credentials" width="350" />
#### **Step 4.1.2: IAM Role**
1. Select `Connect assuming IAM Role`.
<img src="/images/connect-aws-role.png" alt="AWS Role" width="350" />
2. Enter the `Role ARN` and any optional field like the AWS Access Keys to assume the role, the `External ID`, the `Role Session Name` or the `Session Duration`:
<img src="/images/aws-role.png" alt="AWS Role" width="700" />
<Note>
Check if your AWS Security Token Service (STS) has the EU (Ireland) endpoint active. If not, we will not be able to connect to your AWS account.
If that is the case your STS configuration may look like this:
<img src="/images/sts-configuration.png" alt="AWS Role" width="800" />
To solve this issue, please activate the EU (Ireland) STS endpoint.
</Note>
### **Step 4.2: Azure Credentials**:
For Azure, Prowler App uses a service principal application to authenticate. For more information about the process of creating and adding permissions to a service principal refer to this [section](/user-guide/providers/azure/authentication). When you finish creating and adding the [Entra](/user-guide/providers/azure/create-prowler-service-principal#assigning-proper-permissions) and [Subscription](/user-guide/providers/azure/subscriptions) scope permissions to the service principal, enter the `Tenant ID`, `Client ID` and `Client Secret` of the service principal application.
<img src="/images/azure-credentials.png" alt="Azure Credentials" width="700" />
---
### **Step 4.3: GCP Credentials**
For Google Cloud, first enter your `GCP Project ID` and then select the authentication method you want to use:
- **Service Account Authentication** (**Recommended**)
- **Application Default Credentials**
**Service Account Authentication** is the recommended authentication method for automated systems and machine-to-machine interactions, like Prowler. For detailed information about this, refer to the [Google Cloud documentation](https://cloud.google.com/iam/docs/service-account-overview).
<img src="/images/prowler-app/gcp-auth-methods.png" alt="GCP Authentication Methods" width="700" />
#### **Step 4.3.1: Service Account Authentication**
First of all, in the same project that you selected in the previous step, you need to create a service account and then generate a key in JSON format for it. For more information about this, you can follow the next Google Cloud documentation tutorials:
- [Create a service account](https://cloud.google.com/iam/docs/creating-managing-service-accounts)
- [Generate a key for a service account](https://cloud.google.com/iam/docs/creating-managing-service-account-keys)
<img src="/images/prowler-app/gcp-service-account-creds.png" alt="GCP Service Account Credentials" width="700" />
#### **Step 4.3.2: Application Default Credentials**
1. Run the following command in your terminal to authenticate with GCP:
```bash
gcloud auth application-default login
```
2. Once authenticated, get the `Client ID`, `Client Secret` and `Refresh Token` from `~/.config/gcloud/application_default_credentials`.
3. Paste the `Client ID`, `Client Secret` and `Refresh Token` into Prowler App.
<img src="/images/gcp-credentials.png" alt="GCP Credentials" width="700" />
### **Step 4.4: Kubernetes Credentials**:
For Kubernetes, Prowler App uses a `kubeconfig` file to authenticate, paste the contents of your `kubeconfig` file into the `Kubeconfig content` field.
By default, the `kubeconfig` file is located at `~/.kube/config`.
<img src="/images/kubernetes-credentials.png" alt="Kubernetes Credentials" width="700" />
If you are adding an **EKS**, **GKE**, **AKS** or external cluster, follow these additional steps to ensure proper authentication:
**Make sure your cluster allow traffic from the Prowler Cloud IP address `52.48.254.174/32`**
1. Apply the necessary Kubernetes resources to your EKS, GKE, AKS or external cluster (you can find the files in the [`kubernetes` directory of the Prowler repository](https://github.com/prowler-cloud/prowler/tree/master/kubernetes)):
```console
kubectl apply -f kubernetes/prowler-sa.yaml
kubectl apply -f kubernetes/prowler-role.yaml
kubectl apply -f kubernetes/prowler-rolebinding.yaml
```
2. Generate a long-lived token for authentication:
```console
kubectl create token prowler-sa -n prowler-ns --duration=0
```
- **Security Note:** The `--duration=0` option generates a non-expiring token, which may pose a security risk if not managed properly. Users should decide on an appropriate expiration time based on their security policies. If a limited-time token is preferred, set `--duration=<TIME>` (e.g., `--duration=24h`).
- **Important:** If the token expires, Prowler Cloud will no longer be able to authenticate with the cluster. In this case, you will need to generate a new token and **remove and re-add the provider in Prowler Cloud** with the updated `kubeconfig`.
3. Update your `kubeconfig` to use the ServiceAccount token:
```console
kubectl config set-credentials prowler-sa --token=<SA_TOKEN>
kubectl config set-context <CONTEXT_NAME> --user=prowler-sa
```
Replace `<SA_TOKEN>` with the generated token and `<CONTEXT_NAME>` with your KubeConfig Context Name of your EKS, GKE or AKS cluster.
4. Now you can add the modified `kubeconfig` in Prowler Cloud. Then test the connection.
### **Step 4.5: M365 Credentials**
Enter your Microsoft Entra domain (primary tenant domain) and select how the provider should authenticate. Prowler App guides you through the process:
<img src="/images/providers/m365-auth-selection-form.png" alt="M365 authentication method selection" width="700" />
- **Application Client Secret Authentication**: Client secret-based authentication.
- **Application Certificate Authentication (Recommended)**: Certificate-based authentication. Recommended by Microsoft.
#### Step 4.5.1: Application Client Secret Authentication
1. **Enter your tenant ID**: This is the unique identifier for your Microsoft Entra ID directory.
2. **Enter your application (client) ID**: This is the unique identifier assigned to your app registration in Microsoft Entra ID.
3. **Enter your client secret**: This is the secret key used to authenticate your application.
<img src="/images/providers/secret-form.png" alt="M365 client secret authentication form" width="700" />
For full setup instructions, certificate generation commands, and required permissions, review the [Microsoft 365 provider requirements](/user-guide/providers/microsoft365/getting-started-m365).
#### Step 4.5.2: Application Certificate Authentication (Recommended)
1. **Enter your tenant ID**: This is the unique identifier for your Microsoft Entra ID directory.
2. **Enter your application (client) ID**: This is the unique identifier assigned to your app registration in Microsoft Entra ID.
3. **Upload your certificate file content**: This is the **Base64** encoded certificate content used to authenticate your application.
<img src="/images/providers/certificate-form.png" alt="M365 certificate authentication form" width="700" />
### **Step 4.6: GitHub Credentials**
For GitHub, you must enter your Provider ID (username or organization name) and choose the authentication method you want to use:
- **Personal Access Token** (Recommended for individual users)
- **OAuth App Token** (For applications requiring user consent)
- **GitHub App** (Recommended for organizations and production use)
<Note>
For full setup instructions and requirements, check the [GitHub provider requirements](/user-guide/providers/github/getting-started-github).
</Note>
<img src="/images/prowler-app/github-auth-methods.png" alt="GitHub Authentication Methods" width="700" />
#### **Step 4.6.1: Personal Access Token**
Personal Access Tokens provide the simplest GitHub authentication method and support individual user authentication or testing scenarios.
- Select `Personal Access Token` and enter your `Personal Access Token`:
<img src="/images/prowler-app/github-pat-credentials.png" alt="GitHub Personal Access Token Credentials" width="700" />
<Note>
For detailed instructions on creating a Personal Access Token and the exact permissions required, check the [GitHub Personal Access Token tutorial](/user-guide/providers/github/getting-started-github#1-personal-access-token-pat).
</Note>
#### **Step 4.6.2: OAuth App Token**
OAuth Apps enable applications to act on behalf of users with explicit consent.
- Select `OAuth App Token` and enter your `OAuth App Token`:
<img src="/images/prowler-app/github-oauth-credentials.png" alt="GitHub OAuth App Credentials" width="700" />
<Note>
To create an OAuth App, go to GitHub Settings → Developer settings → OAuth Apps → New OAuth App. You'll need to exchange an authorization code for an access token using the OAuth flow.
</Note>
#### **Step 4.6.3: GitHub App**
GitHub Apps provide the recommended integration method for accessing multiple repositories or organizations.
- Select `GitHub App` and enter your `GitHub App ID` and `GitHub App Private Key`:
<img src="/images/prowler-app/github-app-credentials.png" alt="GitHub App Credentials" width="700" />
<Note>
To create a GitHub App, go to GitHub Settings → Developer settings → GitHub Apps → New GitHub App. Configure the necessary permissions and generate a private key. Install the app to your account or organization and provide the App ID and private key content.
</Note>
For detailed instructions on configuring credentials for each provider, refer to the provider-specific getting started guides:
<Columns cols={3}>
<Card title="AWS" icon="aws" href="/user-guide/providers/aws/getting-started-aws">
Configure AWS authentication using IAM Access Keys or Assumed Role credentials.
</Card>
<Card title="Azure" icon="microsoft" href="/user-guide/providers/azure/getting-started-azure">
Set up Azure authentication using Service Principal credentials.
</Card>
<Card title="Google Cloud" icon="google" href="/user-guide/providers/gcp/getting-started-gcp">
Configure GCP authentication with Service Account or Application Default Credentials.
</Card>
<Card title="Kubernetes" icon="cloud" href="/user-guide/providers/kubernetes/getting-started-k8s">
Set up Kubernetes authentication using kubeconfig files for cluster access.
</Card>
<Card title="Microsoft 365" icon="microsoft" href="/user-guide/providers/microsoft365/getting-started-m365">
Configure M365 authentication with Application Certificate or Client Secret.
</Card>
<Card title="GitHub" icon="github" href="/user-guide/providers/github/getting-started-github">
Set up GitHub authentication using Personal Access Token, OAuth App, or GitHub App.
</Card>
<Card title="Infrastructure as Code" icon="code" href="/user-guide/providers/iac/getting-started-iac">
Scan IaC public or private repositories for security issues.
</Card>
</Columns>
## **Step 5: Test Connection**
After adding your credentials of your cloud account, click the `Launch` button to verify that Prowler App can successfully connect to your provider: