Skip to content

Cloud Storage

The cloud storage connectors read architecturally relevant files from a bucket or container you own. In the connector picker they appear as three cards (Amazon S3, Azure Blob Storage, and Google Cloud Storage) that share the same configuration. See Connectors for the general workflow.

Cloud storage is a document source: the files describe your architecture rather than being the deployed architecture, so a run produces Reference Library registry items and Enterprise Glossary terms, not architecture objects. Use the Analysis Mode field to choose between recording only formally defined governance (default) or cataloguing every document.

Only file types that inform an architecture mapping are downloaded:

  • Documents: PDF, Word, PowerPoint, Excel (text is extracted automatically), Markdown, plain text, reStructuredText, CSV, SQL
  • IaC and configuration: Terraform, Bicep, CloudFormation templates, YAML, JSON, TOML, XML, INI, .env, Dockerfiles, docker-compose files
  • Source and build files: common languages plus manifests such as package.json, requirements.txt, pom.xml, go.mod

Hidden files and dot-directories are skipped. A run is capped at 500 files / 100 MB total / 25 MB per file by default.

FieldValue
Storage URLThe bucket/container URI. An optional path acts as a prefix filter.
RegionS3 only, required: the bucket’s region, e.g. ap-southeast-2
Endpoint URLS3 only, optional: set only for an S3-compatible store (MinIO, Wasabi, etc.)
Access MethodDelegated, stored credential, or public (see below)

Storage URL formats:

s3://my-bucket/optional/prefix
gs://my-bucket/optional/prefix
https://myaccount.blob.core.windows.net/mycontainer/optional/prefix

Use the bucket URI, not a console URL or an ARN.

Every provider supports three access methods. Delegated access is recommended. It uses short-lived credentials and stores no secret in ArchNGN.

Delegated access (recommended). You create a read-only IAM role in your account that trusts ArchNGN, and ArchNGN assumes it at run time:

  1. Create the connector with access method Delegated access and save it, then re-open it. The dialog shows two values generated for this connector: the Trusted principal (ArchNGN’s AWS identity) and the External ID.

  2. In the AWS console, go to IAM → Roles → Create role → Custom trust policy and paste:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": { "AWS": "<Trusted principal from the connector dialog>" },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": { "sts:ExternalId": "<External ID from the connector dialog>" }
          }
        }
      ]
    }

    The External ID condition ensures only your connector can use the role.

  3. Attach a read-only permissions policy scoped to the bucket:

    {
      "Version": "2012-10-17",
      "Statement": [
        { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::my-bucket" },
        { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*" }
      ]
    }
  4. Name the role (e.g. ArchNGNReadOnly), create it, and copy its ARN.

  5. Back in the connector, enter the ARN in the Role ARN field and save.

Stored credential. Create an IAM user with programmatic access and the same read-only bucket policy as above, create an access key, and enter the Access Key ID and Secret Access Key. Use a key scoped to this one bucket.

Public bucket. No credentials are sent or stored; the bucket must allow anonymous read and list.

Delegated access (recommended). Grant ArchNGN’s service account read access to your bucket:

  1. Create the connector with access method Delegated access. The dialog shows the ArchNGN service account to grant.
  2. In the GCP console, open Cloud Storage → Buckets → your bucket → Permissions → Grant access.
  3. Add the ArchNGN service account as principal with the role Storage Object Viewer (roles/storage.objectViewer).
  4. Save the connector. No secret is stored.

Stored credential. Create a service account in your project, grant it roles/storage.objectViewer on the bucket, create a JSON key (IAM & Admin → Service Accounts → Keys → Add key → JSON), and paste the whole key file into the Service Account Key (JSON) field.

Public bucket. The bucket must allow allUsers read access.

Delegated access. Assign the ArchNGN application (shown in the connector dialog) the Storage Blob Data Reader role on your container: Storage account → your container → Access Control (IAM) → Add role assignment.

Stored credential (default for Azure). Pick one credential type:

Credential TypeWhere to Find It
Connection stringStorage account → Access keys → Connection string
Account keyStorage account → Access keys → Key. The account name is taken from the Storage URL.
SAS tokenStorage account → Shared access signature. Generate a token with Read and List permissions on the Blob service, scoped and time-limited as you prefer

Public container. The container must have public read access enabled.

Whatever you enter (keys, connection strings, SAS tokens, service-account JSON) is moved to an encrypted secrets store on save and never shown again. Delegated access stores no secret at all. For S3 delegated access, the External ID is generated once and stays stable for the life of the connector.