Prowler authenticates with StackIT using a service account key file. The StackIT SDK uses the RSA private key in that file to sign its token requests and mints and refreshes access tokens internally for the life of the scan, so no manual token rotation is needed.
Service Account Key
StackIT uses RSA key-pair based service account keys. They are issued once, must be stored securely, and are read by the SDK on every scan to mint short-lived access tokens transparently.

Option 1: Create the Key via the StackIT Portal
- Open the StackIT Portal and select your project.
- In the left sidebar, click Service Accounts.
- Create a service account if you do not have one already. Assign one of these roles on the project:
  - `iaas.viewer` for the IaaS security group checks currently shipped. This is the least-privilege choice and should be the default.
  - `project.owner` if you want to cover any future service Prowler adds. This is a full administrative role, so a leaked key would then allow changes to every resource in the project rather than read-only access.
- Open the service account and go to Service Account Keys.
- Click Create key and choose STACKIT-generated key pair (recommended). Download the resulting JSON file and store it securely (for example, `~/.stackit/sa-key.json`). The private material is only shown once.
Option 2: Create the Key via the StackIT CLI
Project ID
Your StackIT project ID is a UUID. You can find it in:
- The portal URL when viewing the project: `https://portal.stackit.cloud/projects/{PROJECT_ID}/...`
- The project settings page
- The output of the StackIT CLI: `stackit project list`
Passing Credentials to Prowler
You can give Prowler either the path to the key file on disk or the inline JSON content of the key. Both go through the same StackIT SDK flow and refresh access tokens internally.

Option A: Key File Path (workstation, persistent agents)

Recommended when the key is stored on disk. Keep the key file outside of source control and lock it down with `chmod 600 ~/.stackit/sa-key.json`. Anyone with the JSON can mint access tokens for the service account.

Option B: Inline Key Content (CI/CD, secret managers)

Recommended when the key is fetched at run time from a secret manager (GitHub Actions secret, AWS Secrets Manager, HashiCorp Vault, etc.) and you do not want to write it to disk. Prefer the `STACKIT_SERVICE_ACCOUNT_KEY` environment variable over the matching CLI flag (`--stackit-service-account-key`): a secret passed on the command line leaks through process listings and shell history. The environment is not a secrecy boundary either (it is inherited by child processes and readable by other processes running as the same user), so set the variable only for the Prowler invocation and make sure CI logs do not dump the environment.

Credential Lookup Order
Prowler resolves credentials in this order:
- CLI arguments: `--stackit-service-account-key`, `--stackit-service-account-key-path`, `--stackit-project-id`
- Environment variables: `STACKIT_SERVICE_ACCOUNT_KEY`, `STACKIT_SERVICE_ACCOUNT_KEY_PATH`, `STACKIT_PROJECT_ID`
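The following pre-flight check makes the lookup order, the hard-error conditions and the file-permission advice concrete. It is an added example written for this page, not code from Prowler or the StackIT SDK. It assumes a STACKIT-generated key file carries a `credentials` object with `privateKey`, `iss`, `sub`, `aud` and `kid` (the page does not describe the file layout), uses constructed placeholder key data, and prefers inline key content over a file path when both are set, which the page does not specify.

```python
# Added pre-flight check for StackIT credentials (example code, not Prowler's own).
# It mirrors the documented lookup order (CLI arguments before environment
# variables), the two hard errors from the troubleshooting table and the
# chmod 600 advice. ASSUMED, not taken from this page: the key-file layout (a
# "credentials" object holding privateKey/iss/sub/aud/kid) and all sample data.
import json
import os
import stat
import tempfile
import uuid

# ASSUMED fields inside "credentials" in a STACKIT-generated key file.
EXPECTED_KEY_FIELDS = ("privateKey", "iss", "sub", "aud", "kid")

# Constructed sample key for offline use; the private key is a placeholder string.
SAMPLE_KEY_JSON = json.dumps({
    "id": "00000000-0000-4000-8000-000000000001",
    "credentials": {
        "kid": "00000000-0000-4000-8000-000000000002",
        "iss": "prowler-scanner@sa.stackit.cloud",
        "sub": "00000000-0000-4000-8000-000000000003",
        "aud": "https://token.example.invalid",
        "privateKey": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    },
})
SAMPLE_PROJECT_ID = "11111111-2222-4333-8444-555555555555"


class CredentialError(ValueError):
    """Conditions Prowler reports as hard errors."""


def validate_project_id(value):
    """Prowler rejects anything that is not a UUID (a missing value included)."""
    try:
        return str(uuid.UUID(value))
    except (ValueError, TypeError, AttributeError):
        raise CredentialError("StackIT project ID must be a valid UUID")


def check_key_content(raw):
    """Parse the key JSON and confirm the fields the SDK needs are present."""
    try:
        key = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise CredentialError(f"service account key is not valid JSON: {exc}")
    creds = key.get("credentials") or {}
    missing = [f for f in EXPECTED_KEY_FIELDS if not creds.get(f)]
    if missing:
        raise CredentialError(f"service account key is missing fields: {missing}")
    return key


def check_key_file_mode(path):
    """Return a warning if group or others can read the key file (expect 0600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return f"{path} has mode {oct(mode)}; run: chmod 600 {path}"
    return None


def _pick(cli_name, env_name, cli, env):
    """Documented precedence: a CLI argument wins over its environment variable."""
    if cli.get(cli_name):
        return cli[cli_name], "cli"
    if env.get(env_name):
        return env[env_name], "env"
    return None, None


def resolve_credentials(cli, env):
    """Resolve the inputs; inline content beats a path when both are set (this example's choice)."""
    inline, inline_src = _pick("stackit_service_account_key", "STACKIT_SERVICE_ACCOUNT_KEY", cli, env)
    path, path_src = _pick("stackit_service_account_key_path", "STACKIT_SERVICE_ACCOUNT_KEY_PATH", cli, env)
    project, _ = _pick("stackit_project_id", "STACKIT_PROJECT_ID", cli, env)
    if not inline and not path:
        raise CredentialError("StackIT service account credentials are required")
    warnings = []
    if inline:
        if inline_src == "cli":  # argv is visible in process listings and shell history
            warnings.append("inline key given on the command line; prefer STACKIT_SERVICE_ACCOUNT_KEY")
        raw, source = inline, inline_src
    else:
        if not os.path.isfile(path):
            raise CredentialError(f"key file not found: {path}")
        mode_warning = check_key_file_mode(path)
        if mode_warning:
            warnings.append(mode_warning)
        with open(path, encoding="utf-8") as fh:
            raw = fh.read()
        source = path_src
    return {"project_id": validate_project_id(project), "key_source": source,
            "key": check_key_content(raw), "warnings": warnings}


def demo():
    """Run the checks against constructed key files in a temp dir; returns the outcomes."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        locked, loose = os.path.join(tmp, "sa-key.json"), os.path.join(tmp, "loose.json")
        for p, mode in ((locked, 0o600), (loose, 0o644)):
            with open(p, "w", encoding="utf-8") as fh:
                fh.write(SAMPLE_KEY_JSON)
            os.chmod(p, mode)
        env = {"STACKIT_SERVICE_ACCOUNT_KEY_PATH": locked, "STACKIT_PROJECT_ID": SAMPLE_PROJECT_ID}
        r = resolve_credentials({}, env)  # env only, 0600 file: clean
        out["env_only"] = (r["key_source"], r["project_id"], len(r["warnings"]))
        r = resolve_credentials({"stackit_service_account_key_path": loose}, env)  # CLI path wins
        out["cli_overrides_env"] = (r["key_source"], any("chmod 600" in w for w in r["warnings"]))
        r = resolve_credentials({"stackit_service_account_key": SAMPLE_KEY_JSON}, env)
        out["inline_cli_warning"] = any("command line" in w for w in r["warnings"])
        for label, e in (("no_creds", {}), ("bad_uuid", {**env, "STACKIT_PROJECT_ID": "my-project"})):
            try:
                resolve_credentials({}, e)
            except CredentialError as exc:
                out[label] = str(exc)
    return out
```

Call `demo()` to see the outcomes, or wire `resolve_credentials(vars(args), os.environ)` into a wrapper that then launches Prowler. The check never contacts StackIT, so a 401 or 403 at scan time is still diagnosed with the troubleshooting table below.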
Token Lifetime
Access tokens are minted on demand by the SDK from the key file and refreshed before they expire. There is nothing to rotate while Prowler is running.

Troubleshooting
| Symptom | Likely Cause | Fix |
|---|---|---|
| 401 Unauthorized during scan | Key file is missing fields, the public key is no longer registered, or the key was revoked | Re-issue the service account key in the StackIT portal and update the key you pass to Prowler (`STACKIT_SERVICE_ACCOUNT_KEY_PATH` or `STACKIT_SERVICE_ACCOUNT_KEY`) |
| 403 Forbidden during scan | Service account lacks a role on the project | Re-check the role assignment in the StackIT portal; `iaas.viewer` is the minimum for the shipped IaaS checks |
| StackIT project ID must be a valid UUID | The project ID is not in UUID format | Copy the UUID from the portal URL or from `stackit project list` |
| StackIT service account credentials are required | None of the four credential inputs is set | Export `STACKIT_SERVICE_ACCOUNT_KEY_PATH` or `STACKIT_SERVICE_ACCOUNT_KEY` (or use their CLI counterparts) before running Prowler |

