Connect Tempest with your cloud providers
Tempest Link provides a secure and efficient way to connect your cloud service providers to Tempest. With just a few clicks, you can authenticate and integrate your cloud resources.
Once you've linked Tempest with your providers, you can:
- Create recipes to manage your cloud services and infrastructure
- Import your cloud resources into Tempest for tracking, management, and auditing
Security
Tempest Link is built with security as a first principle. For all of our first-party integrations, we:
- Encrypt customer credentials with a per-customer encryption key backed by Google Secret Manager,
- Store secrets in an encrypted format that cannot be retrieved through the API,
- Limit the use of credentials exclusively to Tempest Apps for authenticating remote providers.
Methods of Authentication
Tempest Link supports multiple authentication methods for each provider, giving you flexibility in how you connect. For example, when authenticating to GitHub, you can choose from several authentication options to best suit your use case.
You’ll be required to authenticate in order to fully configure resources in your recipe.
Method 1: Authenticating via App
Some first-party providers, like GitHub, support the App authentication experience. By authenticating via the App experience, users can connect their resource accounts without sharing credentials, allowing for streamlined permissions management and automated workflows within their familiar platforms.
In general, the App experience is preferred over OAuth and API Key authentication methods, as it ensures the best possible experience within Tempest and supports more built-in security measures like fine-grained permissions and short-lived tokens.
To authenticate via App:
- Select the resource in your recipe.
- If App authentication is available, you’ll see “[Provider Name] App” in the options to authenticate. Select that option.
- Follow the steps as you’re routed through the resource provider’s App flow.
- Once completed, you’ll be authenticated and your name will populate in the credentials drop-down.
Method 2: Authenticating with OAuth
Tempest leverages OAuth to securely delegate access via token-based authentication. After user authorization, an access token—often a JWT—is issued, allowing third-party apps to interact with Tempest's APIs without exposing credentials. This ensures scoped, time-limited access with token expiration and refresh support.
To authenticate with OAuth:
- Select the resource in your recipe.
- Click “Show more.”
- If OAuth authentication is available, you’ll see “OAuth” in the options to authenticate. Select that option.
- Follow the steps as you’re routed through the resource provider’s OAuth flow.
- Once completed, you’ll be authenticated and your name will populate in the credentials drop-down.
Method 3: API Keys
Tempest supports API key-based authentication, such as service account keys or personal access tokens (PATs), for secure, programmatic access to your cloud providers’ APIs. These keys allow automated systems to interact directly with external services, bypassing OAuth, while ensuring restricted and controlled access based on the provider's key permissions and expiration settings.
To authenticate via API key:
- Select the resource in your recipe.
- Click “Show more.”
- Choose the option to authenticate with an API key. Depending on the resource provider, this option might be labeled differently, such as “Service Account” or “Access Key.”
- Follow the prompts to add a name and the API key from your resource provider.
- Once completed, you’ll be authenticated and the name of your key will populate in the credentials drop-down.
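Before a GitHub classic personal access token is pasted into the API key prompt, its permissions and expiry can be read from two response headers GitHub returns on an authenticated API call: `X-OAuth-Scopes` and `GitHub-Authentication-Token-Expiration`. The check below is an added example, not Tempest code; the list of broad scopes, the 90-day limit, the function names and the sample headers are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy for this example (not a Tempest or GitHub requirement).
BROAD_SCOPES = {"repo", "admin:org", "admin:enterprise", "delete_repo"}
MAX_LIFETIME = timedelta(days=90)


def parse_expiry(value):
    """Parse the expiration header, e.g. '2025-02-01 00:00:00 UTC'."""
    value = value.strip()
    if value.endswith(" UTC"):
        naive = datetime.strptime(value[:-4], "%Y-%m-%d %H:%M:%S")
        return naive.replace(tzinfo=timezone.utc)
    # Assumption: any other form carries a numeric offset such as +0000.
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S %z")


def review_token_headers(headers, now):
    """Return least-privilege findings for one token's response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    scopes = {s.strip() for s in h.get("x-oauth-scopes", "").split(",")}
    findings = [f"broad scope: {s}" for s in sorted(scopes & BROAD_SCOPES)]
    expiry = h.get("github-authentication-token-expiration")
    if expiry is None:
        findings.append("no expiration set")
        return findings
    remaining = parse_expiry(expiry) - now
    if remaining <= timedelta(0):
        findings.append("token already expired")
    elif remaining > MAX_LIFETIME:
        findings.append(f"expires in {remaining.days} days, over {MAX_LIFETIME.days}")
    return findings


if __name__ == "__main__":
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock for the sample
    # Constructed header sets, not captured from a real account.
    samples = {
        "ci-bot": {"X-OAuth-Scopes": "repo, read:org",
                   "GitHub-Authentication-Token-Expiration": "2025-02-01 00:00:00 UTC"},
        "legacy": {"X-OAuth-Scopes": "read:org"},
    }
    for name, headers in samples.items():
        print(name, review_token_headers(headers, now) or ["ok"])
```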
When to use which method of authentication
Authentication method | Preferred use cases |
---|---|
App Authentication | |
OAuth 2.0 | |
API Keys | |