docs/platform/deploy/own-cloud.md
Encore Cloud lets you deploy your application to any of the major cloud providers, using your own cloud account. This lets you use Encore to improve your experience and productivity, while keeping the reliability of a major cloud provider.
Each environment can be configured to use a different cloud provider, and you can have as many environments as you wish. This also lets you easily deploy a hybrid or multi-cloud application, as you see fit.
<Callout type="info">Encore Cloud will provision infrastructure in your cloud account, but for safety reasons Encore Cloud does not automatically destroy infrastructure once it's no longer required. To do this, you need to manually approve the deletion of the infrastructure in your Encore Cloud dashboard.
This means if you disconnect your app from your cloud provider, or delete the environment within Encore, you need to explicitly approve the deletion of the infrastructure in your Encore Cloud dashboard.
</Callout>Encore Cloud provides a GCP Service Account for each Encore Cloud application, letting you grant Encore Cloud access to provision all the necessary infrastructure directly in your own GCP account.
GCP's permissions system is well-suited for scoping down Encore Cloud's access. While the simplest setup grants access at the organization level, permissions can also be scoped down to a single GCP project. This is useful when you want to isolate Encore Cloud's access to a specific project within your organization, for example a sandboxed prototyping environment. Contact us to discuss the best setup for your needs.
To find your app's Service Account email and configure GCP deployments, head over to the Connect Cloud page by going to the Encore Cloud dashboard > (Select your app) > App Settings > Integrations > Connect Cloud.
I can't access/edit the Policy for Domain restricted sharing page
To edit Organization policies, you need to have the Organization Policy Administrator role. If you don't have this role, you can ask your GCP Organization Administrator to grant you the necessary permissions.
If you're a GCP Organization Administrator, you can grant yourself the necessary permissions by following the steps below:
Organization Policy Administrator role to your user account.I can't grant access to the Encore Cloud service account
If you're unable to grant access to the Encore Cloud service account, you may have failed to add Encore Cloud to your Domain restricted sharing policy.
Make sure you've followed all the steps in the Connect Cloud page to add Encore Cloud to the policy.
If you're using several GCP accounts, make sure you're logged in with the correct account and that the correct organization is selected in the GCP Console.
Encore Cloud returns "Could not find Organization ID"
If you see this error message, it means that Encore Cloud was unable to connect to your GCP Organization. Make sure you've followed all the steps in the Connect Cloud page to grant Encore Cloud access to your GCP Organization. If you're using several GCP accounts, make sure you're logged in with the correct account and that the correct organization is selected in the GCP Console.
Still having issues? Drop us an email at [email protected] or chat with us in the [Encore Discord](https://encore.dev/discord.
For a seamless experience, the default setup uses an IAM Role that gives Encore Cloud the permissions needed to provision and manage infrastructure in your AWS account. The simplest way to scope this is to use a dedicated AWS sub-organization for Encore Cloud, which provides clear isolation.
It's also possible to configure a more narrowly scoped IAM policy. The required permissions depend dynamically on the structure of your applications and the infrastructure resources they use. We're actively working on providing more solutions for scoping down permissions further. Contact us to discuss the best setup for your needs.
To configure your Encore Cloud app to deploy to your AWS account, head over to the Connect Cloud page by going to the Encore Cloud dashboard > (Select your app) > App Settings > Integrations > Connect Cloud.
Follow the instructions to create an IAM Role, and then connect the role with Encore Cloud. Learn more in the AWS docs.
<Callout type="warning">For your security, make sure to check Require external ID and specify the
external ID provided in the instructions.
After connecting your app to AWS, you will be asked to choose which region you want Encore Cloud to provision resources in. Learn more about AWS regions here.