Providers
Connect and manage providers - GCP, AWS, Azure, Cloudflare, DigitalOcean.
Overview
Providers are cloud accounts and services that Relight can deploy to. Each provider supports one or more layers:
Full-stack providers
These can host your entire app end-to-end:
| Provider | Type | Layers |
|---|---|---|
| GCP | gcp | app, db, dns, registry |
| AWS | aws | app, db, dns, registry |
| Azure | azure | app, db, dns, registry |
Additional providers
| Provider | Type | Layers | Best for |
|---|---|---|---|
| Cloudflare | cf | dns, registry | Free DNS and global edge routing. Great as a CDN and DNS layer. |
| DigitalOcean | do | db, dns | Affordable managed Postgres databases. |
| GitHub | ghcr | registry | Free container registry (GHCR). |
List providers
relight providersShows all configured providers with their type, layers, and which layers they’re the default for.
Add a provider
relight providers add # interactive - prompts for type
relight providers add gcp # add GCP directly
relight providers add aws # add AWS directly
relight providers add azure # add Azure directly
relight providers add cf # add Cloudflare directly
relight providers add do # add DigitalOcean directly
relight providers add ghcr # add GitHub Container Registry directlyEach provider asks for different credentials:
GCP
- Service account key - JSON key file for a service account with Cloud Run Admin, Artifact Registry Admin, Cloud SQL Admin, DNS Administrator, Firebase Admin, Firebase Hosting Admin, Logs Viewer, and Monitoring Viewer roles.
AWS
- Access Key ID and Secret Access Key - for an IAM user with App Runner, ECR, RDS, Route 53, EC2 (read), CloudWatch Logs, and IAM permissions.
Azure
- Tenant ID, Client ID, Client Secret, Subscription ID - for a registered app with Contributor and AcrPush roles.
Cloudflare
- API Token - create at dash.cloudflare.com/profile/api-tokens. Needs DNS permissions.
- Account ID - found on the Workers & Pages overview page.
DigitalOcean
- API Token - from the DigitalOcean control panel. Needs read/write access for Managed Databases and Domains.
GitHub (GHCR)
- Personal access token - a classic PAT or fine-grained token with
write:packagesscope. Images are stored atghcr.io/<owner>/<app>.
Remove a provider
relight providers remove cfRemoves stored credentials. Does not destroy any deployed apps.
Set defaults
Each layer (app, db, dns, registry) has a default provider. When you add the first provider that supports a layer, it becomes the default automatically.
To change the default:
relight providers default app gcp
relight providers default db do
relight providers default dns cfNamed instances
You can register multiple instances of the same type. The first gets the type as its name (e.g. gcp), subsequent ones get a suffix (e.g. gcp-2), or you can name them during setup:
relight providers add gcp # named "gcp"
relight providers add gcp # named "gcp-2" (or pick your own name)This is useful for staging/production accounts, or multiple regions.
Storage
All credentials are stored in ~/.relight/config.json on your machine. They are never sent to any server.