18 changes: 18 additions & 0 deletions applications/configure/environment-groups.mdx
Expand Up @@ -167,6 +167,24 @@ Environment groups can be deleted from the **Settings** tab on the environment g
You cannot delete an environment group that is synced to an application. Unsync the environment group from all applications before deleting it.
</Warning>

## Troubleshooting

### Cloud permission errors on create

Because environment group secrets are written to your cloud account's secret manager, the Porter role on the connected cloud account needs permission to manage secrets in the selected region. If those permissions are missing, creating an environment group fails with:

```
403 the connected cloud account is missing permissions to manage secrets. Check that the Porter role has secrets manager access in the selected region, then try again.
```

To resolve this, confirm that the Porter role has the following access on the cloud account you are creating the environment group in:

- **AWS** — `secretsmanager:CreateSecret`, `secretsmanager:PutSecretValue`, `secretsmanager:GetSecretValue`, `secretsmanager:UpdateSecret`, and `sts:AssumeRole` for the Porter role.
- **GCP** — `secretmanager.secrets.create`, `secretmanager.versions.add`, and `secretmanager.versions.access` on the project.
- **Azure** — `Key Vault Secrets Officer` (or equivalent get/set permissions) on the Key Vault used by the connected cloud account.
Contributor


You should use <Tabs>

<Tabs>
  <Tab title="AWS">
    - `secretsmanager:CreateSecret`
    - `secretsmanager:PutSecretValue`
    - `secretsmanager:GetSecretValue`
    - `secretsmanager:UpdateSecret`
    - `sts:AssumeRole` for the Porter role
  </Tab>
  <Tab title="GCP">
    - `secretmanager.secrets.create`
    - `secretmanager.versions.add`
    - `secretmanager.versions.access`

    Granted on the project.
  </Tab>
  <Tab title="Azure">
    - `Key Vault Secrets Officer` (or equivalent get/set permissions)

    Granted on the Key Vault used by the connected cloud account.
  </Tab>
</Tabs>


After updating the role, retry the create. The same permissions are required for any later updates to the environment group.

## CLI Reference

For the full list of flags and options, see the [porter env](/standard/cli/command-reference/porter-env) CLI reference.
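
Review bot: In the AWS bullet, `sts:AssumeRole` "for the Porter role" is listed alongside the Secrets Manager actions, which leaves it unclear whether it belongs in the role's trust policy (who may assume the Porter role) or in the role's permission policy; please say which. The AWS bullet also gives no resource scope, while the GCP and Azure bullets name the project and the Key Vault, so a reader may end up attaching `secretsmanager:GetSecretValue` with a wildcard resource; stating the scope Porter actually needs would keep the grant least-privilege. Last, the closing sentence covers create and later updates, but the context just above this section is about deleting environment groups and none of the three lists includes a delete permission; it is worth confirming whether deletion needs one and documenting it here.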