Cloud Integrations
Connect AWS and Vercel to Trace for cloud asset inventory and security analysis. More providers coming soon.
Trace's cloud integrations connect your cloud accounts so the platform can inventory what you've deployed, map relationships between resources, and surface security exposures that don't show up in source-code scans — public buckets, internet-exposed services, and other misconfigurations.
Today, Trace supports AWS and Vercel integrations. Support for GCP and Azure is on the roadmap.
AWS
Trace connects to AWS using a cross-account IAM role with read-only permissions. Nothing in your AWS account changes; Trace only reads.
How it works
- From Settings → Integrations → AWS in the dashboard, generate the onboarding artifacts. Trace produces an external ID unique to your organization and a CloudFormation template that creates a read-only role.
- Deploy the CloudFormation stack in your AWS account. The template creates an IAM role scoped to the external ID, so only Trace can assume it.
- Paste the role ARN back into the dashboard. Trace verifies access through AWS STS and starts the initial sync.
- Trace inventories your account on a recurring basis: accounts, regions, key resource types, and the relationships between them. Public-facing resources are tagged so you can spot them at a glance.
What Trace sees
Trace's IAM role grants read-only access. We can list and describe your cloud resources; we cannot create, modify, or delete anything. The CloudFormation template is published with your onboarding artifacts so you can audit every permission before deploying.
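One way to run that audit before deploying, as an added example rather than Trace's own tooling: the script below checks that every IAM role in a template requires the external ID in its trust policy and allows only read-style actions. It assumes a JSON-format template with inline policies and plain-string actions; the sample template, account ID, external ID and the Get/List/Describe definition of "read-only" are constructed for illustration.

```python
import json

# Constructed sample, not Trace's real template; the account ID and external
# ID are placeholders. One write action is planted so the audit has a finding.
SAMPLE_TEMPLATE = json.dumps({"Resources": {"TraceReadOnlyRole": {
    "Type": "AWS::IAM::Role",
    "Properties": {
        "AssumeRolePolicyDocument": {"Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
        }]},
        "Policies": [{"PolicyName": "inventory", "PolicyDocument": {"Statement": [{
            "Effect": "Allow",
            "Action": ["s3:ListAllMyBuckets", "ec2:Describe*", "s3:PutBucketPolicy"],
            "Resource": "*",
        }]}}],
    },
}}})
READ_VERBS = ("Get", "List", "Describe")  # assumed definition of "read-only"

def as_list(value):  # IAM allows a single value or a list here
    return value if isinstance(value, list) else [value]

def audit_template(template_json):
    """Return findings for every IAM role the template would create."""
    findings = []
    for name, res in json.loads(template_json).get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res.get("Properties", {})
        trust = props.get("AssumeRolePolicyDocument", {})
        for stmt in as_list(trust.get("Statement", [])):
            pinned = stmt.get("Condition", {}).get("StringEquals", {})
            if stmt.get("Effect") == "Allow" and "sts:ExternalId" not in pinned:
                findings.append(f"{name}: trust statement has no sts:ExternalId condition")
        for policy in props.get("Policies", []):
            for stmt in as_list(policy.get("PolicyDocument", {}).get("Statement", [])):
                if stmt.get("Effect") != "Allow":
                    continue
                if "NotAction" in stmt:
                    findings.append(f"{name}: Allow with NotAction")
                for action in as_list(stmt.get("Action", [])):
                    if not str(action).split(":", 1)[-1].startswith(READ_VERBS):
                        findings.append(f"{name}: non-read action {action}")
        if props.get("ManagedPolicyArns"):
            findings.append(f"{name}: managed policies need manual review")
    return findings
```

An empty result means every role passed these checks. Wildcards such as `s3:*` are flagged as non-read, and a YAML template needs converting to JSON first.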
When you disconnect, Trace retains your inventory for a fixed grace period (visible on the integration page) so you don't lose context if you reconnect, then deletes it.
Vercel
Trace connects to Vercel through Vercel's native integration framework. You install Trace from your Vercel team and grant the integration read access to your account.
How it works
- From Settings → Integrations → Vercel in the dashboard, click Connect Vercel. You'll be redirected to Vercel's install flow.
- Choose the Vercel team / account you want to connect and approve the requested scopes (read-only to integration configuration, projects, domains, and deployments).
- After redirect, Trace verifies the install and begins syncing inventory: active projects, domains, and deployments.
- The integration page shows current inventory counts and the last sync time. You can connect multiple Vercel installations to a single Trace organization.
What Trace sees
Trace requests read-only scopes from Vercel:
- read:integration-configuration — confirms the integration is installed
- read:project — lists your Vercel projects
- read:domain — lists domains attached to those projects
- read:deployment — lists deployments per project
We do not request write scopes for project, domain, or deployment data. Disconnecting from Trace or uninstalling from Vercel revokes access immediately.
Why this matters
A modern application isn't just its source code — it's the cloud resources that host it, the buckets that store its data, and the network paths that reach it. The same vulnerability class can look very different depending on context: a SQL injection on a service behind a VPN is not the same as a SQL injection on a service with a public load balancer.
Cloud integrations let Trace surface a class of issues — misconfigurations and exposed resources — that pure source-code analysis can't reach.
What's coming
- GCP — workload identity federation, similar read-only model to AWS.
- Azure — service principal with reader-scoped role.
- Kubernetes — cluster inventory and workload analysis.
Reach out to the Trace team if you'd like early access to any of these.