| name | cloud-provisioning |
| description | Onboard and provision compute credentials for AWS, Azure, and GCP. Use this skill whenever the user needs to set up cloud credentials, create IAM users or service accounts, configure service principals, or provision compute access on any major cloud platform. Walks through step-by-step onboarding with least-privilege policies and stores credentials via the secret-vault skill.
|
| user-invokable | true |
| args | [{"name":"cloud","description":"Which cloud provider to onboard (aws, azure, gcp, or \"all\")","required":true}] |
Cloud Provisioning
Interactive onboarding for AWS, Azure, and GCP compute credentials.
Installation
Dependencies:
pip3 install boto3
pip3 install azure-identity azure-mgmt-authorization
pip3 install google-cloud-iam google-auth
Or install all at once:
pip3 install boto3 azure-identity azure-mgmt-authorization google-cloud-iam google-auth
Register the skill (OpenClaw):
ln -sf ~/repos/claude-skills/skills/cloud-provisioning skills/cloud-provisioning
Claude Code:
Add to CLAUDE.md: read ~/repos/claude-skills/skills/cloud-provisioning/SKILL.md
This skill stores credentials via the secret-vault skill — install that first. Each cloud
walkthrough creates the minimum-viable credential with least-privilege scope, warns
at the exact moment when a one-time secret is shown, and hands off to secret-vault
for storage.
Supported Clouds
Read the relevant reference file based on what the user needs:
- AWS:
references/aws-onboarding.md — IAM user with programmatic access
- Azure:
references/azure-onboarding.md — App Registration + Service Principal
- GCP:
references/gcp-onboarding.md — Service Account with JSON key
If the user says "all three" or "set up everything", run them in sequence:
AWS → Azure → GCP.
Onboarding Design Principles
- Least privilege — no
AdministratorAccess, Owner, or Editor roles.
Each cloud gets a scoped policy/role limited to compute operations.
- One-time secret warning — every cloud has a moment where the secret is shown
exactly once. The onboarding marks this with a ⚠️ warning.
- Credential storage — after capturing the credential, immediately store it
via
secret-vault: python3 secret-vault/scripts/vault.py set <key> <value>
- Verification — each onboarding ends with a verification command that proves
the credential works.
Post-Onboarding
After onboarding, the user has:
- Credentials stored in secret-vault with keys like
aws.access_key_id, azure.client_id, etc.
- A verification script:
scripts/verify-credentials.sh that tests all configured clouds
- A reference card (printed at the end) showing env var names and vault keys
Gotchas
- The per-cloud onboarding references (references/aws-onboarding.md etc.) must exist — read them before starting
- IAM/RBAC propagation can take up to 60 seconds — verification commands may fail immediately after creation
- One-time secrets (AWS secret key, Azure client secret, GCP JSON key) are shown ONCE — if missed, you must recreate
Schemas
schemas/aws-compute-policy.json — IAM policy for EC2/ECS/Lambda
schemas/azure-custom-role.json — Azure custom role for compute operations
schemas/gcp-compute-role.yaml — GCP IAM role binding
Scripts
- macOS / Linux:
bash scripts/verify-credentials.sh
- Windows:
pwsh scripts/verify-credentials.ps1
Both scripts test all three clouds in sequence.