---
title: Before You Begin
url: /docs/insights/discovery/get-started/begin/
---
## Before you begin

First, let's run through a few prerequisites and quick steps to ensure you're ready to create your first Account Discovery scan.

- Ensure you're an admin of your Pulumi organization.
- Verify you have permissions to create credentials in the provider account you want to scan.
- Confirm you're using Pulumi's **Team**, **Enterprise**, or **Business Critical** edition.

If you're new to Pulumi, you can [start a free trial](https://app.pulumi.com/signup?create-organization).

## Create an ESC environment

Pulumi Insights Account Discovery requires read-only access to your cloud accounts. This access is granted by [creating an ESC environment](/docs/esc/get-started/) that generates valid credentials for the corresponding Pulumi provider when accessed.

> **Note:** Account Discovery leverages Pulumi ESC to securely manage the credentials required to discover and read infrastructure resources, aligning with enterprise best practices for managing application secrets.

To create an environment, [sign into the Pulumi cloud](https://app.pulumi.com/signin) console and navigate to **Pulumi ESC** and select **Environments** in the left-hand menu.

Next, click **Create Environment** and enter a name for the project and environment, such as `insights-discovery-project` and `insights-environment` and then click **Create**.

Leave the default environment definition for now, and you will return to finish configuring ESC after you create the required credentials.

## Create and configure cloud credentials

<!-- TODO: get oracle cloud chooser working -->

<!-- chooser: cloud -->

<!-- option: aws -->
To configure Pulumi Insights with AWS, you will use [OpenID Connect (OIDC)](/docs/administration/access-identity/oidc-issuers/) for authentication. Follow these steps:

1. Log in to the [AWS Management Console](https://console.aws.amazon.com/iam/).
2. Go to the **Roles** section and create a new role.
3. Select the **Web identity** trusted entity type and choose `api.pulumi.com/oidc` as your identity provider.
4. Select the name of your Pulumi organization under **Audience**.
5. Filter to the `ReadOnlyAccess` policy name.
6. Click **Create**.

This will set up a trust relationship that allows Pulumi Cloud to assume the role using the following trust policy:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Principal": {
                "Federated": "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/api.pulumi.com/oidc"
            },
            "Condition": {
                "StringEquals": {
                    "api.pulumi.com/oidc:aud": "aws:<ORG_NAME>"
                }
            }
        }
    ]
}
```

For a more detailed step-by-step guide, including screenshots, see the [Configuring OpenID Connect for AWS](/docs/esc/guides/configuring-oidc/aws/) Pulumi documentation.

Next, go back to Pulumi ESC and configure your cloud credentials using the role ARN and trust relationship you just created:

```yaml
values:
  aws:
    login:
      fn::open::aws-login:
        oidc:
          duration: 1h
          roleArn: arn:aws:iam::<YOUR_AWS_IAM_ID>:role/insights-discovery-1
          sessionName: esc-${context.pulumi.user.login}
  environmentVariables:
    AWS_ACCESS_KEY_ID: ${aws.login.accessKeyId}
    AWS_SECRET_ACCESS_KEY: ${aws.login.secretAccessKey}
    AWS_SESSION_TOKEN: ${aws.login.sessionToken}
```
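The trust policy above is what keeps the read-only role from being assumable by anyone else with a Pulumi-issued token: the `Federated` principal must be the `api.pulumi.com/oidc` provider and the `aud` condition must name exactly your organization. The stdlib-only Python check below is an added example, not part of the Pulumi documentation; it lints a role's trust policy for that pattern, using a placeholder account id (`123456789012`) and organization name (`example-org`) in constructed sample policies.

```python
"""Pre-flight check for the IAM trust policy that lets Pulumi Cloud assume the
read-only discovery role.  Added example, not part of the Pulumi docs."""
import json

# Values taken from the trust policy shown on this page.
OIDC_PROVIDER_SUFFIX = ":oidc-provider/api.pulumi.com/oidc"
AUD_KEY = "api.pulumi.com/oidc:aud"
EXPECTED_ACTION = "sts:AssumeRoleWithWebIdentity"


def check_trust_policy(policy: dict, org_name: str) -> list:
    """One finding per deviation; an empty list means every Allow statement trusts only
    the Pulumi OIDC provider, allows only AssumeRoleWithWebIdentity, and pins aud to one org."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        extra = sorted(set(actions) - {EXPECTED_ACTION})
        if extra:
            findings.append(f"statement {i}: unexpected actions {extra}")
        principal = stmt.get("Principal")
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        if not isinstance(federated, str) or not federated.endswith(OIDC_PROVIDER_SUFFIX):
            findings.append(f"statement {i}: principal is not the Pulumi OIDC provider")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get(AUD_KEY)
        if aud is None:
            # Without this condition a token minted for any Pulumi org could assume the role.
            findings.append(f"statement {i}: missing {AUD_KEY} condition")
        else:
            bad = [a for a in (aud if isinstance(aud, list) else [aud]) if a != f"aws:{org_name}"]
            if bad:
                findings.append(f"statement {i}: audience {bad} is not 'aws:{org_name}'")
    return findings


# Constructed sample: the page's trust policy with a placeholder account id and org name.
GOOD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/api.pulumi.com/oidc"},
    "Condition": {"StringEquals": {"api.pulumi.com/oidc:aud": "aws:example-org"}}
  }]
}""")
# Constructed sample: the same policy with the audience condition dropped.
WEAK_POLICY = json.loads(json.dumps(GOOD_POLICY))
del WEAK_POLICY["Statement"][0]["Condition"]
```

Run `check_trust_policy` against the policy document returned by `aws iam get-role` before wiring the role ARN into ESC; any finding means the role is broader than the page's pattern.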

<!-- /option -->

<!-- option: azure -->
To configure Pulumi Insights with Azure, you can use either OpenID Connect (OIDC) or client secret authentication. **We recommend using OIDC** for passwordless authentication, as it is more secure and eliminates the need to store and manage long-lived credentials.

**Option 1: OIDC authentication (recommended)**

1. Create a Microsoft Entra application and configure federated credentials.
2. Assign the appropriate role to your service principal (e.g., the Reader role for read-only access).
3. Configure your ESC environment with OIDC settings.

Example ESC configuration for OIDC:

```yaml
values:
  azure:
    login:
      fn::open::azure-login:
        clientId: <YOUR_CLIENT_ID>
        tenantId: <YOUR_TENANT_ID>
        subscriptionId: <YOUR_SUBSCRIPTION_ID>
        oidc: true
  environmentVariables:
    ARM_USE_OIDC: 'true'
    ARM_CLIENT_ID: ${azure.login.clientId}
    ARM_TENANT_ID: ${azure.login.tenantId}
    ARM_OIDC_TOKEN: ${azure.login.oidc.token}
    ARM_SUBSCRIPTION_ID: ${azure.login.subscriptionId}
```

**Option 2: Client secret authentication**

Alternatively, you can use a Service Principal with a client secret. This requires generating a client secret in Azure and storing it securely in ESC.

**Note:** For complete step-by-step instructions on configuring Azure credentials for Pulumi Insights, including detailed setup for both OIDC and client secret authentication, see the [Azure configuration guide](/docs/insights/discovery/accounts/#azure).

<!-- /option -->

<!-- option: oci -->
To configure Pulumi Insights with OCI, you will use [OpenID Connect (OIDC)](/docs/administration/access-identity/oidc-issuers/) for authentication.

Set up API Key authentication by providing the following credentials:

- **OCI_TENANCY_OCID**: OCID of the tenancy. To get the value, see [Where to Get the Tenancy's OCID and User's OCID](https://docs.oracle.com/iaas/Content/API/Concepts/apisigningkey.htm#five).
- **OCI_USER_OCID**: The OCID of the user calling the API. See [Where to Get the Tenancy's OCID and User's OCID](https://docs.oracle.com/iaas/Content/API/Concepts/apisigningkey.htm#five).
- **OCI_PRIVATE_KEY_PASSWORD**: (Optional) Passphrase used for the key, if it's encrypted.
- **OCI_FINGERPRINT**: Fingerprint for the key pair being used. See [How to Get the Key's Fingerprint](https://docs.oracle.com/iaas/Content/API/Concepts/apisigningkey.htm#four).
- **OCI_REGION**: The OCI region where your resources are located. See [Regions and Availability Domains](https://docs.oracle.com/iaas/Content/General/Concepts/regions.htm).
- **OCI_PRIVATE_KEY_PATH**: The private key must be provided as an ESC file. To create a private key and integrate it with ESC, see [How to Generate an API Signing Key](https://docs.oracle.com/iaas/Content/API/Concepts/apisigningkey.htm#two) and [how to upload the public key](https://docs.oracle.com/iaas/Content/API/Concepts/apisigningkey.htm#three).

Next, go back to Pulumi ESC and configure your cloud credentials with the values you just collected:

```yaml
values:
  environmentVariables:
    OCI_FINGERPRINT: "25:ad:34:****************:cd:05:05:08:02:a7"
    OCI_REGION: "us-phoenix-1"
    OCI_TENANCY_OCID: "ocid1.tenancy.oc1..tenancyidnumbers"
    OCI_USER_OCID: "user_ocid"
  files:
    OCI_PRIVATE_KEY_PATH: "<PRIVATE_KEY_CONTENT>"
```

<!-- /option -->

<!-- option: kubernetes -->
By default, the Kubernetes scanner uses **kubeconfig** for authentication. You can provide the contents of the kubeconfig file using a file-based environment variable. The authenticated user must have **`get`** and **`list`** permissions at the cluster scope to discover all resources.

An example ESC configuration would look like:

```yaml
values:
  files:
    KUBECONFIG: <INSERT_KUBECONFIG_CONTENTS>  # Provide the kubeconfig contents here
```

This configuration projects the kubeconfig file contents to a temporary file that the ESC scanner uses for authentication.

**Warning:** The scanner agent does not have access to external binaries (e.g., `aws`, `gcloud`), so kubeconfig files relying on [client-go credential plugins](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins) are not supported. We recommend creating a service account with the necessary cluster-scoped permissions (**`get`** and **`list`**) and using its token for authentication.

For a detailed guide on configuring ESC credentials for Insights with Kubernetes, see the [following documentation](/docs/insights/accounts/#kubernetes-k8s).
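Two things go wrong most often with the kubeconfig you paste into ESC: it authenticates through a client-go exec plugin (which the scanner agent cannot run, per the warning above), or the service account behind its token is granted far more than `get` and `list`. The stdlib-only Python check below is an added example, not part of the Pulumi documentation; it flags both conditions on a constructed kubeconfig (written as JSON, which kubectl also accepts) and a constructed ClusterRole, with a placeholder token value.

```python
"""Pre-flight checks for a Kubernetes ESC environment.  Added example, not from
the Pulumi docs: flags kubeconfig users the scanner cannot use and over-broad roles."""
import json

# Verbs the page says the scanner needs at cluster scope.
SCANNER_VERBS = {"get", "list"}
# Credential forms the scanner can use without running an external binary.
STATIC_CREDENTIAL_KEYS = ("token", "tokenFile", "client-certificate-data", "client-certificate")


def check_kubeconfig(cfg: dict) -> list:
    """One finding per unusable user; an empty list means every user is usable."""
    findings = []
    for entry in cfg.get("users", []):
        name, user = entry.get("name", "?"), entry.get("user", {})
        if "exec" in user:
            # client-go exec plugins need binaries (aws, gcloud, ...) the agent does not have.
            cmd = user["exec"].get("command", "?")
            findings.append(f"user {name!r}: exec plugin {cmd!r} is not supported by the scanner")
        elif not any(k in user for k in STATIC_CREDENTIAL_KEYS):
            findings.append(f"user {name!r}: no token or client certificate")
    return findings


def check_cluster_role(role: dict) -> list:
    """One finding per rule that grants verbs beyond get and list."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        extra = sorted(set(rule.get("verbs", [])) - SCANNER_VERBS)
        if extra:
            findings.append(f"rule {i}: verbs {extra} exceed the scanner's get/list")
    return findings


# Constructed kubeconfig: one exec-plugin user that fails in the scanner and one
# service-account token user that works (token value is a placeholder).
SAMPLE_KUBECONFIG = json.loads("""{
  "apiVersion": "v1", "kind": "Config",
  "users": [
    {"name": "eks-admin", "user": {"exec": {"apiVersion": "client.authentication.k8s.io/v1beta1",
      "command": "aws", "args": ["eks", "get-token", "--cluster-name", "demo"]}}},
    {"name": "insights-scanner", "user": {"token": "<SERVICE_ACCOUNT_TOKEN_PLACEHOLDER>"}}
  ]
}""")

# Constructed ClusterRole that grants one verb more than the scanner needs.
SAMPLE_ROLE = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
               "metadata": {"name": "insights-discovery"},
               "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]}]}
```

Feed `check_kubeconfig` the parsed kubeconfig you intend to put in `files.KUBECONFIG` and `check_cluster_role` the ClusterRole bound to the scanner's service account; both should return empty lists before you save the environment.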

<!-- /option -->

<!-- /chooser -->

Next, you'll create a Pulumi Insights account used for scanning provider resources.
