Connect your cloud account
Whatever cloud you prefer is fine by us
Encore Cloud lets you deploy your application to any of the major cloud providers, using your own cloud account. This lets you use Encore to improve your experience and productivity, while keeping the reliability of a major cloud provider.
Each environment can be configured to use a different cloud provider, and you can have as many environments as you wish. This also lets you easily deploy a hybrid or multi-cloud application, as you see fit.
Please note
Encore Cloud will provision infrastructure in your cloud account, but for safety reasons Encore Cloud does not automatically destroy infrastructure once it's no longer required. To do this, you need to manually approve the deletion of the infrastructure in your Encore Cloud dashboard.
This means if you disconnect your app from your cloud provider, or delete the environment within Encore, you need to explicitly approve the deletion of the infrastructure in your Encore Cloud dashboard.
Google Cloud Platform (GCP)
Encore Cloud provides a GCP Service Account for each Encore Cloud application, letting you grant Encore Cloud access to provision all the necessary infrastructure directly in your own GCP account.
Permissions scoping
GCP's permissions system is well-suited for scoping down Encore Cloud's access. While the simplest setup grants access at the organization level, permissions can also be scoped down to a single GCP project. This is useful when you want to isolate Encore Cloud's access to a specific project within your organization, for example a sandboxed prototyping environment. Contact us to discuss the best setup for your needs.
Required permissions
When connecting a specific GCP project (instead of granting access at the organization level), the simplest approach is to grant the Encore Cloud service account the roles/owner (Owner) role on the project. This gives Encore Cloud full access to provision and manage all the infrastructure it needs.
If you'd prefer to grant more narrowly scoped permissions, only grant the roles for the features your application actually uses. The following project-level roles are grouped by the feature they enable:
IAM (always required)
- roles/resourcemanager.projectIamAdmin — read/set project IAM policy
- roles/iam.serviceAccountAdmin — create/update/delete service accounts
- roles/iam.roleAdmin — create/patch/undelete the encore_bucket_* custom roles
- roles/iam.serviceAccountTokenCreator — needed for Pub/Sub push-OIDC + workload identity flows
- roles/iam.serviceAccountUser — needed to deploy Cloud Run services with a custom service account
Service usage (always required)
- roles/serviceusage.serviceUsageAdmin — enables the required .googleapis.com APIs
Cloud Run (required if deploying to Cloud Run)
- roles/run.admin — create/replace/delete Cloud Run services and their IAM policy
- roles/vpcaccess.admin — manage serverless VPC connectors
GKE (required if deploying to GKE)
- roles/container.admin — clusters, node pools, labels
Networking (required for ingress, custom domains, and private connectivity)
- roles/compute.networkAdmin — VPC, subnets, firewalls, peering, reserved IPs, PSC forwarding rules
- roles/compute.loadBalancerAdmin (or the broader roles/compute.admin) — URL maps, target proxies, forwarding rules, backend buckets/services
- roles/servicenetworking.networksAdmin — private services access for Cloud SQL / Redis
- roles/certificatemanager.editor — certificates, cert maps and entries, DNS authorizations
Databases (required if using SQL databases or caches)
- roles/cloudsql.admin — instances, users, SSL certs
- roles/redis.admin — Memorystore instances
Storage (required if using Object Storage)
- roles/storage.admin — buckets, CORS, lifecycle, IAM
Storage / Registry (always required)
- roles/artifactregistry.admin — repositories for container images
Messaging (required if using Pub/Sub topics)
- roles/pubsub.admin — topics, subscriptions, and their IAM bindings
Secrets (always required)
- roles/secretmanager.admin — create/version/delete secrets and grant accessor
Observability (always required)
- roles/monitoring.editor — create/manage custom metric descriptors
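To check a narrowly scoped grant against the role list above, the following added example (not Encore Cloud's own code) diffs the roles bound to the service account in a project IAM policy against what the selected features need. The feature key names, the service account address and the sample policy are constructed for illustration; the policy has the shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`.

```python
# Project-level roles from the list above, keyed by feature (key names are this example's own).
ROLES = {
    "base": [  # IAM, service usage, registry, secrets, observability (always required)
        "roles/resourcemanager.projectIamAdmin", "roles/iam.serviceAccountAdmin",
        "roles/iam.roleAdmin", "roles/iam.serviceAccountTokenCreator",
        "roles/iam.serviceAccountUser", "roles/serviceusage.serviceUsageAdmin",
        "roles/artifactregistry.admin", "roles/secretmanager.admin",
        "roles/monitoring.editor"],
    "cloud_run": ["roles/run.admin", "roles/vpcaccess.admin"],
    "gke": ["roles/container.admin"],
    "networking": ["roles/compute.networkAdmin", "roles/compute.loadBalancerAdmin",
                   "roles/servicenetworking.networksAdmin",
                   "roles/certificatemanager.editor"],
    "databases": ["roles/cloudsql.admin", "roles/redis.admin"],
    "object_storage": ["roles/storage.admin"],
    "pubsub": ["roles/pubsub.admin"],
}

def expected_roles(features):
    """Roles needed for the always-required groups plus the selected features."""
    roles = set(ROLES["base"])
    for feature in features:
        roles.update(ROLES[feature])
    return roles

def audit(policy, sa_email, features):
    """Diff the roles bound to the service account against what the features need."""
    member = f"serviceAccount:{sa_email}"
    granted = {b["role"] for b in policy.get("bindings", [])
               if member in b.get("members", [])}
    want = expected_roles(features)
    lb = "roles/compute.loadBalancerAdmin"
    if lb in want and "roles/compute.admin" in granted:  # broader alternative listed above
        want = (want - {lb}) | {"roles/compute.admin"}
    return {"missing": sorted(want - granted), "excess": sorted(granted - want)}

# Constructed sample policy; the service account address is a placeholder.
SA = "encore-sa@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/owner", "members": [f"serviceAccount:{SA}", "user:admin@example.com"]},
    {"role": "roles/run.admin", "members": [f"serviceAccount:{SA}"]},
    {"role": "roles/storage.admin", "members": [f"serviceAccount:{SA}"]},
    {"role": "roles/pubsub.admin", "members": ["user:dev@example.com"]},
]}

if __name__ == "__main__":
    report = audit(SAMPLE_POLICY, SA, ["cloud_run", "pubsub"])
    print("excess:", report["excess"])
    print("missing:", len(report["missing"]), "roles")
```

An "excess" entry such as roles/owner means the account holds more than the selected features call for; a "missing" entry means provisioning for that feature is likely to fail.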
Setup
To find your app's Service Account email and configure GCP deployments, head over to the Connect Cloud page by going to the Encore Cloud dashboard > (Select your app) > App Settings > Integrations > Connect Cloud.

Troubleshooting
I can't access/edit the Policy for Domain restricted sharing page
To edit Organization policies, you need to have the Organization Policy Administrator role. If you don't have this role, you can ask your GCP Organization Administrator to grant you the necessary permissions.
If you're a GCP Organization Administrator, you can grant yourself the necessary permissions by following the steps below:
- Go to the IAM & Admin page in the GCP Console.
- Find your user account in the list of members.
- Click the pencil icon to edit your user account.
- Add the Organization Policy Administrator role to your user account.
- Click Save.
I can't grant access to the Encore Cloud service account
If you're unable to grant access to the Encore Cloud service account, you may have failed to add Encore Cloud to your Domain restricted sharing policy.
Make sure you've followed all the steps in the Connect Cloud page to add Encore Cloud to the policy.
If you're using several GCP accounts, make sure you're logged in with the correct account and that the correct organization is selected in the GCP Console.
Encore Cloud returns "Could not find Organization ID"
If you see this error message, it means that Encore Cloud was unable to connect to your GCP Organization. Make sure you've followed all the steps in the Connect Cloud page to grant Encore Cloud access to your GCP Organization. If you're using several GCP accounts, make sure you're logged in with the correct account and that the correct organization is selected in the GCP Console.
Still having issues? Drop us an email at [email protected] or chat with us in the [Encore Discord](https://encore.dev/discord).
Amazon Web Services (AWS)
Permissions scoping
For a seamless experience, the default setup uses an IAM Role that gives Encore Cloud the permissions needed to provision and manage infrastructure in your AWS account. The simplest way to scope this is to use a dedicated AWS sub-organization for Encore Cloud, which provides clear isolation.
It's also possible to configure a more narrowly scoped IAM policy. The required permissions depend dynamically on the structure of your applications and the infrastructure resources they use. We're actively working on providing more solutions for scoping down permissions further. Contact us to discuss the best setup for your needs.
Setup
To configure your Encore Cloud app to deploy to your AWS account, head over to the Connect Cloud page by going to the Encore Cloud dashboard > (Select your app) > App Settings > Integrations > Connect Cloud.
Follow the instructions to create an IAM Role, and then connect the role with Encore Cloud. Learn more in the AWS docs.

Look out!
For your security, make sure to check Require external ID and specify the external ID provided in the instructions.
After connecting your app to AWS, you will be asked to choose which region you want Encore Cloud to provision resources in. Learn more about AWS regions here.
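To confirm that the external ID requirement described above actually landed in the role, the following added example (not Encore Cloud's own code) inspects a role trust policy, the AssumeRolePolicyDocument returned by `aws iam get-role`, and flags statements that let an AWS principal assume the role without pinning sts:ExternalId. The account ARN and external ID are placeholders, since the page gives neither; both sample policies are constructed.

```python
def _as_list(value):
    return value if isinstance(value, list) else [value]

def statements_without_external_id(trust_policy, external_id):
    """Indexes of Allow statements that let an AWS principal assume the role
    without pinning sts:ExternalId to exactly the expected value."""
    flagged = []
    for i, stmt in enumerate(_as_list(trust_policy.get("Statement", []))):
        actions = set(_as_list(stmt.get("Action", [])))
        if stmt.get("Effect") != "Allow" or not actions & {"sts:AssumeRole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        if principal != "*" and "AWS" not in principal:
            continue  # service or federated principals: not the cross-account case
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        # Condition key names are case-insensitive in IAM policies.
        pinned = {k.lower(): _as_list(v) for k, v in equals.items()}
        if pinned.get("sts:externalid") != [external_id]:
            flagged.append(i)
    return flagged

# Constructed values: the page gives neither the account ID nor an external ID.
ACCOUNT_ARN = "arn:aws:iam::111122223333:root"   # placeholder third-party account
EXTERNAL_ID = "example-external-id"              # placeholder

WEAK = {"Version": "2012-10-17", "Statement": [{   # "Require external ID" left unchecked
    "Effect": "Allow", "Principal": {"AWS": ACCOUNT_ARN}, "Action": "sts:AssumeRole"}]}

HARDENED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": ACCOUNT_ARN}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]}

if __name__ == "__main__":
    for name, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, statements_without_external_id(doc, EXTERNAL_ID))
```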