Trident connects to your cloud environment through a read-only IAM role (or provider-equivalent) that you create in your own account. Trident assumes that role on each scan cycle, never installs agents, and never makes changes to your infrastructure. The entire connection model is pull-based and read-only: Trident observes, it does not mutate.
On AWS, Trident stores no long-lived credentials. It assumes the read-only role on each scan cycle using short-lived STS tokens, so deleting the role, or removing Trident's principal or your External ID from its trust policy, immediately stops all access. Providers that authenticate with a stored secret (the Azure service principal below, for example) are revoked by rotating or deleting that credential in your tenant.

Connect an AWS account

AWS is the most common first connection. Trident provides a CloudFormation template to create the role in one click, or you can apply the IAM policy JSON manually.
1. Open the Add Account flow

In the Trident dashboard, navigate to Cloud → Add Account → AWS.

2. Copy your External ID

Trident displays a CloudFormation template link and an IAM policy JSON document. Before you leave this page, copy your External ID; you will paste it into the IAM trust policy in the next step. The External ID is unique to your Trident project, and the trust policy's sts:ExternalId condition means Trident can assume your role only when it presents that value, which prevents confused-deputy attacks.

3. Create the IAM role in your AWS account

In your AWS account, create a new IAM role with the trust policy Trident provides. The trust policy allows Trident's scanner principal to assume the role, with a Condition that requires your External ID. Attach the Trident-provided read-only permission policy; it covers compute, IAM, networking, storage, and secrets services and includes no write permissions. If you prefer one-click setup, launch the Trident-provided CloudFormation template instead; it creates the role and attaches the policy automatically.

4. Paste the role ARN and connect

Back in the Trident dashboard, paste the ARN of the role you just created (format: arn:aws:iam::<account-id>:role/<role-name>) and click Connect.

5. Wait for the first scan

Trident validates the role and runs its first scan. The initial scan typically completes in under five minutes. Once it finishes, your assets appear in Cloud → Assets and your security graph is live.
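Worked example, added here and not Trident's own code: the shape of the trust policy from step 3, plus a check you can run against the trust policy of an existing role (the AssumeRolePolicyDocument returned by `aws iam get-role`) before pasting its ARN in step 4. The scanner principal ARN and External ID are placeholders; use the values the Add Account page shows you.

```python
"""Build and check the IAM trust policy for the Trident read-only role.

Added example, not Trident's own code. The scanner principal ARN and the
External ID below are placeholders; the dashboard shows the real values.
"""
import json

# Placeholders (assumptions): replace with the values from Cloud -> Add Account -> AWS.
TRIDENT_SCANNER_PRINCIPAL = "arn:aws:iam::111111111111:role/trident-scanner"
EXTERNAL_ID = "paste-your-external-id-here"


def build_trust_policy(scanner_principal: str, external_id: str) -> dict:
    """Trust policy: only the scanner principal may assume the role, and only
    when it presents your External ID (the confused-deputy protection)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": scanner_principal},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value) -> list:
    """IAM allows a single value or a list in most places; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(principal) -> list:
    """Normalize the Principal element ("*", an ARN, or {"AWS": ...}) to a list."""
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return _as_list(principal)


def trust_policy_problems(policy: dict, expected_principal: str, expected_external_id: str) -> list:
    """Return human-readable problems with a role's trust policy; [] means it is acceptable.

    Every Allow statement that grants sts:AssumeRole must name exactly the expected
    scanner principal (never "*") and carry a StringEquals sts:ExternalId condition
    equal to your External ID.
    """
    problems = []
    assume_role_seen = False
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        assume_role_seen = True
        principals = _principals(stmt.get("Principal"))
        if not principals:
            problems.append(f"statement {i}: no AWS principal")
        for p in principals:
            if p == "*":
                problems.append(f"statement {i}: wildcard principal lets any AWS account attempt AssumeRole")
            elif p != expected_principal:
                problems.append(f"statement {i}: unexpected principal {p}")
        ext_ids = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"))
        if not ext_ids:
            problems.append(f"statement {i}: missing sts:ExternalId condition (confused-deputy risk)")
        elif ext_ids != [expected_external_id]:
            problems.append(f"statement {i}: sts:ExternalId does not match your Trident External ID")
    if not assume_role_seen:
        problems.append("no Allow statement for sts:AssumeRole; Trident cannot assume the role")
    return problems


if __name__ == "__main__":
    policy = build_trust_policy(TRIDENT_SCANNER_PRINCIPAL, EXTERNAL_ID)
    # Save this as trust.json, then create the role with the AWS CLI:
    #   aws iam create-role --role-name trident-readonly \
    #       --assume-role-policy-document file://trust.json
    print(json.dumps(policy, indent=2))
    # Re-check what AWS actually stored (AssumeRolePolicyDocument from
    # `aws iam get-role --role-name trident-readonly`) before pasting the ARN.
    print(trust_policy_problems(policy, TRIDENT_SCANNER_PRINCIPAL, EXTERNAL_ID))  # []
```

The check is deliberately strict: a trust policy that omits the sts:ExternalId condition still "works" in the sense that the connection succeeds, which is exactly why the missing condition is easy to ship to production unnoticed.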

Connect Azure, GCP, or Kubernetes

Each provider follows the same pattern — you create a read-only credential in your environment and hand Trident a reference to it.
Navigate to Cloud → Add Account → Azure. Trident walks you through creating an Azure service principal with a Reader role assignment scoped to your subscription or management group. You provide the tenant ID, client ID, and client secret. Trident encrypts the credential at rest using AES-256-GCM and uses it only during scan cycles. Unlike the AWS role, the client secret is a long-lived credential that Trident stores: set an expiry on it when you create it, and rotate or delete it in your tenant to revoke Trident's access.

What permissions Trident requests

Trident requests the minimum read-only permissions required to build the security graph. The scope covers:
| Surface | Examples |
|---|---|
| Compute | List/describe EC2 instances, Lambda functions, EKS clusters, pods |
| IAM | List roles, policies, users, groups, and effective permission simulation |
| Networking | VPCs, subnets, security groups, load balancers, DNS |
| Storage | S3 bucket metadata, ACLs, and policies (not object contents) |
| Secrets | Secrets Manager / KMS key metadata (not secret values) |
| Databases | RDS, DynamoDB, Cloud SQL instance metadata |
Trident never requests write permissions, never reads secret values, and never accesses object contents in storage buckets.

Ingest output from existing scanners

If you already run Prowler, Trivy, Kubescape, Falco, CloudQuery, Steampipe, TruffleHog, or similar tools, you can push their JSON output directly into Trident's security graph, which enriches your attack path analysis with data from tools you already trust. Send a POST request to the scanner ingest endpoint, authenticating with HTTP Basic auth where the username is your project's public API key and the password is its secret key:
POST /api/public/trident/scanner-ingest
Authorization: Basic <base64(publicKey:secretKey)>
Content-Type: application/json
{
  "scanner": "trivy",
  "accountExternalId": "my-cluster-prod",
  "provider": "KUBERNETES",
  "raw": { ...trivy JSON output... }
}
The complete set of supported scanner values is:
| Value | Tool |
|---|---|
| falco | Falco / falcosidekick runtime alerts |
| trivy | Trivy container and repository scans |
| kubescape | Kubescape Kubernetes posture |
| cloudquery | CloudQuery asset and edge inventory |
| steampipe | Steampipe cloud inventory |
| threatmapper | ThreatMapper cloud and container topology |
| pmapper | PMapper effective-permission graph |
| neuvector | NeuVector deep runtime security |
| stackrox | StackRox / RHACS Kubernetes posture |
| ciem | Generic CIEM output |
| gcp_ciem | GCP-native CIEM output |
| azure_ciem | Azure-native CIEM output |
| terraform | Terraform plan static analysis |
| checkov | Checkov IaC scanning |
| tetragon | Tetragon eBPF runtime events |
| trufflehog | TruffleHog secret detection |
| osv | OSV vulnerability feed |
| cloudsplaining | Cloudsplaining IAM analysis |
| dspm_content | DSPM content-tier data classification |
| mcpSafety | MCP tool-call safety scanner |
The endpoint returns a scanId and a 202 Accepted status — findings appear in your inbox once Trident processes the job.
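A small client for the request above, added here as an example rather than Trident's own SDK. It builds the Basic auth header from the public/secret key pair, refuses scanner values outside the supported list before any request leaves the host, and returns the scanId from the 202 Accepted response. The base URL and the Trivy report are constructed placeholders; the path, auth scheme, and body fields are the ones shown above.

```python
"""Push a scanner report to Trident's scanner-ingest endpoint.

Added example, not Trident's own client. TRIDENT_BASE_URL and the sample
report are constructed placeholders; the path, auth scheme and body fields
are those shown in the request above.
"""
import base64
import json
import urllib.request

TRIDENT_BASE_URL = "https://trident.example.com"  # assumption: replace with your Trident host
INGEST_PATH = "/api/public/trident/scanner-ingest"

# The supported "scanner" values from the table above.
SUPPORTED_SCANNERS = frozenset({
    "falco", "trivy", "kubescape", "cloudquery", "steampipe", "threatmapper",
    "pmapper", "neuvector", "stackrox", "ciem", "gcp_ciem", "azure_ciem",
    "terraform", "checkov", "tetragon", "trufflehog", "osv", "cloudsplaining",
    "dspm_content", "mcpSafety",
})

# Constructed sample, loosely shaped like a Trivy JSON report (not real scan output).
SAMPLE_TRIVY_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "registry.example.internal/payments-api:1.4.2",
    "ArtifactType": "container_image",
    "Results": [
        {
            "Target": "registry.example.internal/payments-api:1.4.2 (debian 12.5)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {
                    "VulnerabilityID": "EXAMPLE-0001",
                    "PkgName": "libexample",
                    "InstalledVersion": "1.0.0-1",
                    "FixedVersion": "1.0.1-1",
                    "Severity": "HIGH",
                }
            ],
        }
    ],
}


def basic_auth_header(public_key: str, secret_key: str) -> str:
    """Basic auth: the project's public key is the username, the secret key the password."""
    token = base64.b64encode(f"{public_key}:{secret_key}".encode()).decode()
    return f"Basic {token}"


def build_ingest_request(scanner, account_external_id, provider, raw, public_key, secret_key):
    """Validate inputs and return (headers, body_bytes) for the POST.

    Rejecting unknown scanner values client-side avoids a wasted round trip
    that would carry the secret key for nothing.
    """
    if scanner not in SUPPORTED_SCANNERS:
        raise ValueError(f"unsupported scanner {scanner!r}; see the supported values table")
    if not account_external_id or not provider:
        raise ValueError("accountExternalId and provider are required")
    body = {
        "scanner": scanner,
        "accountExternalId": account_external_id,
        "provider": provider,
        "raw": raw,
    }
    headers = {
        "Authorization": basic_auth_header(public_key, secret_key),
        "Content-Type": "application/json",
    }
    return headers, json.dumps(body).encode()


def send_ingest(headers: dict, body: bytes, base_url: str = TRIDENT_BASE_URL, timeout: int = 30) -> str:
    """POST the report and return the scanId from the 202 Accepted response.

    urlopen raises HTTPError for 4xx/5xx, so only a 2xx reaches the status check.
    """
    req = urllib.request.Request(base_url + INGEST_PATH, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        if resp.status != 202:
            raise RuntimeError(f"expected 202 Accepted, got {resp.status}")
        return json.load(resp)["scanId"]


if __name__ == "__main__":
    import os  # keys come from the environment, never from source control
    headers, body = build_ingest_request(
        "trivy", "my-cluster-prod", "KUBERNETES", SAMPLE_TRIVY_REPORT,
        os.environ["TRIDENT_PUBLIC_KEY"], os.environ["TRIDENT_SECRET_KEY"],
    )
    print("scanId:", send_ingest(headers, body))
```

Keep the secret key out of CI logs: the Authorization header is only base64, not encryption, so any request dump that includes it exposes the key.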

Removing an account

To disconnect a cloud account, go to Cloud → Settings → Disconnect Account and confirm. Trident stops scanning that account immediately. You should also delete the IAM role (or service principal/service account) from your cloud environment to fully revoke access.