# Prowler App
**Prowler App** is a web application that simplifies running Prowler. This tutorial will guide you through setting up and using it.
## Accessing Prowler App and API Documentation
After [installing](../installation/prowler-app.md) **Prowler App**, access it at [http://localhost:3000](http://localhost:3000). To view the auto-generated **Prowler API** documentation, navigate to [http://localhost:8080/api/v1/docs](http://localhost:8080/api/v1/docs). This documentation provides details on available endpoints, parameters, and responses.
???+ note
If you are a [Prowler Cloud](https://cloud.prowler.com/sign-in) user, you can access API docs at [https://api.prowler.com/api/v1/docs](https://api.prowler.com/api/v1/docs)
## **Step 1: Sign Up**
### **Sign Up with Email**
To get started, sign up using your email and password:
### **Sign Up with Social Login**
If Social Login is enabled, you can sign up using your preferred provider (e.g., Google, GitHub).
???+ note "How Social Login Works"
If your email is already registered, you will be logged in, and your social account will be linked.
If your email is not registered, a new account will be created using your social account email.
???+ note "Enable Social Login"
See [how to configure Social Login for Prowler](prowler-app-social-login.md) to enable this feature in your own deployments.
## **Step 2: Log In**
Once registered, log in with your email and password to access Prowler App.
Upon logging in, the Overview page will display. At this stage, no data is present: add a provider to begin scanning your cloud environment.
## **Step 3: Add a Provider**
To perform security scans, link a cloud provider account. Prowler supports the following providers and more:
- **AWS**
- **Azure**
- **Google Cloud Platform (GCP)**
- **Kubernetes**
- **M365**
- **GitHub**
Steps to add a provider:
1. Navigate to `Settings > Cloud Providers`.
2. Click `Add Account` to set up a new provider and provide your credentials.
## **Step 4: Configure the Provider**
Select the cloud provider you want to scan.
Once chosen, enter the Provider UID for authentication:
- **AWS**: Enter your AWS Account ID.
- **GCP**: Enter your GCP Project ID.
- **Azure**: Enter your Azure Subscription ID.
- **Kubernetes**: Enter your Kubernetes Cluster context of your kubeconfig file.
- **M365**: Enter your M365 Domain ID.
Optionally, provide a **Provider Alias** for easier identification. Follow the instructions provided to add your credentials:
### **Step 4.1: AWS Credentials**
For AWS, enter your `AWS Account ID` and choose one of the following methods to connect:
#### **Step 4.1.1: IAM Access Keys**
1. Select `Connect via Credentials`.
2. Enter your `Access Key ID`, `Secret Access Key` and optionally a `Session Token`:
#### **Step 4.1.2: IAM Role**
1. Select `Connect assuming IAM Role`.
2. Enter the `Role ARN` and any optional field like the AWS Access Keys to assume the role, the `External ID`, the `Role Session Name` or the `Session Duration`:
???+ note
Check if your AWS Security Token Service (STS) has the EU (Ireland) endpoint active. If not, we will not be able to connect to your AWS account.
If that is the case your STS configuration may look like this:
To solve this issue, please activate the EU (Ireland) STS endpoint.
### **Step 4.2: Azure Credentials**:
For Azure, Prowler App uses a service principal application to authenticate. For more information about the process of creating and adding permissions to a service principal refer to this [section](../tutorials/azure/authentication.md). When you finish creating and adding the [Entra](./azure/create-prowler-service-principal.md#assigning-proper-permissions) and [Subscription](./azure/subscriptions.md) scope permissions to the service principal, enter the `Tenant ID`, `Client ID` and `Client Secret` of the service principal application.
---
### **Step 4.3: GCP Credentials**
For Google Cloud, first enter your `GCP Project ID` and then select the authentication method you want to use:
- **Service Account Authentication** (**Recommended**)
- **Application Default Credentials**
**Service Account Authentication** is the recommended authentication method for automated systems and machine-to-machine interactions, like Prowler. For detailed information about this, refer to the [Google Cloud documentation](https://cloud.google.com/iam/docs/service-account-overview).
#### **Step 4.3.1: Service Account Authentication**
First of all, in the same project that you selected in the previous step, you need to create a service account and then generate a key in JSON format for it. For more information about this, you can follow the next Google Cloud documentation tutorials:
- [Create a service account](https://cloud.google.com/iam/docs/creating-managing-service-accounts)
- [Generate a key for a service account](https://cloud.google.com/iam/docs/creating-managing-service-account-keys)
#### **Step 4.3.2: Application Default Credentials**
1. Run the following command in your terminal to authenticate with GCP:
```bash
gcloud auth application-default login
```
2. Once authenticated, get the `Client ID`, `Client Secret` and `Refresh Token` from `~/.config/gcloud/application_default_credentials`.
3. Paste the `Client ID`, `Client Secret` and `Refresh Token` into Prowler App.
### **Step 4.4: Kubernetes Credentials**:
For Kubernetes, Prowler App uses a `kubeconfig` file to authenticate, paste the contents of your `kubeconfig` file into the `Kubeconfig content` field.
By default, the `kubeconfig` file is located at `~/.kube/config`.
If you are adding an **EKS**, **GKE**, **AKS** or external cluster, follow these additional steps to ensure proper authentication:
**Make sure your cluster allow traffic from the Prowler Cloud IP address `52.48.254.174/32`**
1. Apply the necessary Kubernetes resources to your EKS, GKE, AKS or external cluster (you can find the files in the [`kubernetes` directory of the Prowler repository](https://github.com/prowler-cloud/prowler/tree/master/kubernetes)):
```console
kubectl apply -f kubernetes/prowler-sa.yaml
kubectl apply -f kubernetes/prowler-role.yaml
kubectl apply -f kubernetes/prowler-rolebinding.yaml
```
2. Generate a long-lived token for authentication:
```console
kubectl create token prowler-sa -n prowler-ns --duration=0
```
- **Security Note:** The `--duration=0` option generates a non-expiring token, which may pose a security risk if not managed properly. Users should decide on an appropriate expiration time based on their security policies. If a limited-time token is preferred, set `--duration=