Connect a source

A source is any cloud account, identity system, or SaaS platform VinTekh reads from. Every source is read-only — VinTekh never writes back to a connected account.

The generic flow

1. Open Sources.
2. Choose the source kind from the gallery.
3. The per-kind wizard tells you the exact credential type and minimum role required. Where possible we prefer:
   • Device-code or browser flows over long-lived secrets
   • Workload identity federation over passwords
   • Scoped read-only API tokens over admin tokens
4. Provide the credentials and save. They are stored encrypted at rest in our database (and additionally referenced through Azure Key Vault when running in a customer-managed deployment).
5. The discovery worker runs immediately. Watch the source row transition pending → running → success.
6. Click into the source after first sync — every kind has a per-source dashboard showing what was pulled, when, and whether anything was rejected.

Verifying it worked

Three signals to check:

1. On Sources the source shows status Healthy and "Last sync" within the last hour.
2. On Resources the filter by cloud shows non-zero entries for the connected cloud.
3. On Service coverage the "Services modeled" tile reflects what you connected.

What if the sync fails?

Common causes (in order of likelihood):

• 401 / 403 — credential doesn't have the documented role. Re-check role assignment scope. For Azure SPs, Reader must be at subscription or management-group level for resources to appear.
• Conditional Access blocks the SP — common in regulated tenants. Ask your identity admin to exclude the SP from the relevant CA policy.
• Sync queued but never runs — worker pod is down. Check /api/health for worker status.
• Cloud-side throttling — rare; retry after 10 minutes. Sustained throttling is logged and surfaces on the source row.

For per-kind details see the connector guides under the sidebar. Start with Azure Reader SP.