# Digitalocean
Connecting DigitalOcean gives SureCloud read access to your DigitalOcean account's Droplets, managed databases, Kubernetes clusters, firewall rules, team membership, and audit log events. SureCloud checks firewall configurations for rules that permit unrestricted inbound access, inventories Droplets and managed resources for security-relevant configuration, reviews team member roles to detect over-privileged access, and collects audit log events to provide evidence of administrative activity. This provides continuous visibility into the security posture of your DigitalOcean infrastructure.
{% hint style="info" %}
SureCloud connects to DigitalOcean using a Personal Access Token generated from a dedicated service account. DigitalOcean supports OAuth 2.0 for third-party applications but Personal Access Tokens are the supported method for system-level integrations with scoped read-only access.
{% endhint %}
## Authentication and setup
{% stepper %}
{% step %}
#### Create a dedicated team member account
In DigitalOcean, navigate to **Settings → Team → Invite Members** and invite a dedicated service account (e.g. `surecloud-ccm@yourcompany.com`). Assign the **Member** role — this provides read access to all resources in the team without administrative write permissions.
{% hint style="info" %}
DigitalOcean Personal Access Tokens are scoped to the account that generates them. Using a dedicated Member account ensures the token does not carry admin-level permissions.
{% endhint %}
{% endstep %}
{% step %}
#### Generate a Personal Access Token
Log in to DigitalOcean as the `surecloud-ccm` account. Navigate to **API → Tokens → Generate New Token**.
* **Token name**: `SureCloud CCM`
* **Expiration**: 90 days (recommended) or custom
* **Scopes**: select **Read** for all available resource scopes
Copy the token value immediately — it is only shown once.
{% hint style="warning" %}
Set a calendar reminder to rotate this token before its expiry date. Update the new token value in **SureCloud → Integrations → DigitalOcean → Edit Connection** before the old one expires.
{% endhint %}
{% endstep %}
{% step %}
#### Enter credentials in SureCloud
In SureCloud, navigate to **Integrations → DigitalOcean → Connect** and provide:
* **Personal Access Token**
Click **Test Connection**, then **Save**.
{% endstep %}
{% endstepper %}
## Endpoints
| API Call | Use Case |
| ----------------------------- | -------------------------------------------------------------------------------------- |
| `GET /v2/droplets` | Enumerate all Droplets with region, size, status, and network configuration |
| `GET /v2/droplets/{id}` | Read full Droplet record including kernel, backup status, and attached volumes |
| `GET /v2/firewalls` | List all cloud firewalls and their inbound and outbound rules |
| `GET /v2/firewalls/{id}` | Read full firewall rule set; detect rules permitting all sources (`0.0.0.0/0`) |
| `GET /v2/databases` | Enumerate managed database clusters with engine, version, and connection configuration |
| `GET /v2/databases/{id}` | Read database cluster configuration including trusted source restrictions |
| `GET /v2/kubernetes/clusters` | List Kubernetes clusters and their version and node pool configuration |
| `GET /v2/vpcs` | Enumerate VPCs and their CIDR ranges |
| `GET /v2/account/keys` | List SSH keys registered to the account |
| `GET /v2/teams/members` | Enumerate team members and their roles |
## Pagination
The DigitalOcean API uses page-based pagination via `page` and `per_page` query parameters. The response `links.pages.next` field contains the URL for the next page when further results are available. SureCloud follows the `next` URL until it is absent.
```json
{
"droplets": [
{ "id": 123456789, "name": "web-prod-01", "status": "active", "region": { "slug": "lon1" } }
],
"links": {
"pages": {
"next": "https://api.digitalocean.com/v2/droplets?page=2&per_page=200",
"last": "https://api.digitalocean.com/v2/droplets?page=6&per_page=200"
}
},
"meta": { "total": 1083 }
}
```
SureCloud requests up to 200 records per page using `per_page=200`.
## Required permissions
The Personal Access Token must be generated with **Read** scope across all resource types. DigitalOcean's scoped token system allows read-only access to be granted at the token level — write operations are not possible with a read-only token regardless of the account's team role.
## Polling frequency
| Data type | Collection interval |
| ----------------------------------- | ------------------- |
| Droplet inventory and configuration | 24 hours |
| Firewall rules | 24 hours |
| Managed database configuration | 24 hours |
| Kubernetes cluster configuration | 24 hours |
| Team membership and roles | 24 hours |
## Troubleshooting
Firewall rules are appearing but the associated Droplets are not shown
Firewalls in DigitalOcean can be associated with Droplets by Droplet ID or by tag. SureCloud reads both the firewall rule set and the `droplet_ids` and `tags` fields on the firewall object to map rules to resources.
If Droplet associations are missing, confirm the firewall has at least one Droplet ID or tag assigned in **DigitalOcean → Networking → Firewalls → \[Firewall] → Droplets**.
Managed database trusted source restrictions are not appearing
Database trusted sources are returned in the `rules` array within the database cluster detail response. If the `rules` array is empty, the database has no trusted source restrictions configured — meaning all sources can attempt to connect (subject to credentials). SureCloud flags databases with no trusted source rules as a finding.
To restrict database access, navigate to **DigitalOcean → Databases → \[Cluster] → Trusted Sources** and add the IP addresses or VPC ranges permitted to connect.
Token is returning a 401 after regeneration
DigitalOcean Personal Access Tokens are invalidated immediately when regenerated or deleted. If a new token was generated in DigitalOcean but not yet updated in SureCloud, all API calls will return 401.
Update the token value in **SureCloud → Integrations → DigitalOcean → Edit Connection → Personal Access Token** immediately after generating the new token.
Kubernetes cluster node pool configuration is not appearing
Node pool data is returned in the Kubernetes cluster list response under the `node_pools` array. If node pool data is missing, the token may not have the Kubernetes read scope enabled.
Regenerate the token with all read scopes selected in **DigitalOcean → API → Tokens → \[SureCloud CCM] → Edit**, ensuring the Kubernetes scope is included.
DigitalOcean API reference DigitalOcean Personal Access Token documentation
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://surecloud.gitbook.io/surecloud-docs/integrations/ccm-and-evidence-collection-integrations/digitalocean.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.