Configuring DigitalOcean integration

Tidal Control's DigitalOcean integration monitors your cloud infrastructure's security configuration for compliance purposes. It reads your account through the DigitalOcean v2 REST API using a single Personal Access Token.

What this integration monitors:

  • Droplets: Public exposure, VPC placement, backups and monitoring coverage
  • Volumes: Block storage inventory and orphaned (unattached) volumes
  • Firewalls: Inbound and outbound rules, including open 0.0.0.0/0 sources
  • VPCs: Network isolation and default-VPC placement
  • Load balancers: TLS cipher policy and TLS passthrough configuration
  • Managed databases: SSL enforcement and private network placement
  • Database firewall rules: Which sources may connect to each database cluster
  • Kubernetes clusters: Version currency, auto-upgrade, high availability, control-plane firewall and SSO enforcement
  • Certificates: TLS certificate inventory and expiry dates
  • SSH keys: Account-level SSH credential inventory
  • Spaces keys: Object storage credentials and per-bucket grants
  • Container Registry: Registry configuration and storage usage
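To illustrate the firewall item in the list above, the following added Python example (not Tidal Control's own code) flags inbound rules that accept traffic from any address. The sample payload is constructed in the shape of a DigitalOcean v2 `GET /v2/firewalls` response; the function names and the `allowed_ports` allow-list are hypothetical.

```python
import ipaddress

# Constructed sample shaped like a GET /v2/firewalls response body
# (field names follow the DigitalOcean v2 API; all values are made up).
SAMPLE_FIREWALLS = {
    "firewalls": [
        {
            "id": "fw-constructed-1",
            "name": "web",
            "inbound_rules": [
                {"protocol": "tcp", "ports": "443",
                 "sources": {"addresses": ["0.0.0.0/0", "::/0"]}},
                {"protocol": "tcp", "ports": "22",
                 "sources": {"addresses": ["203.0.113.0/24"]}},
            ],
        },
        {
            "id": "fw-constructed-2",
            "name": "db",
            "inbound_rules": [
                {"protocol": "tcp", "ports": "5432",
                 "sources": {"addresses": ["0.0.0.0/0"]}},
                {"protocol": "tcp", "ports": "22",
                 "sources": {"droplet_ids": [1234]}},
            ],
        },
    ]
}

def is_world_open(cidr):
    """True for any-address networks (0.0.0.0/0, ::/0), however they are written."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False  # not a CIDR; ignore rather than guess

def world_open_inbound(payload, allowed_ports=frozenset({"80", "443"})):
    """Return (firewall name, protocol, ports) for inbound rules open to any
    address on ports outside allowed_ports (a hypothetical policy allow-list)."""
    findings = []
    for fw in payload.get("firewalls", []):
        for rule in fw.get("inbound_rules", []):
            addresses = rule.get("sources", {}).get("addresses", [])
            if rule.get("ports") in allowed_ports:
                continue  # intentionally public service port
            if any(is_world_open(a) for a in addresses):
                findings.append((fw.get("name"), rule.get("protocol"), rule.get("ports")))
    return findings
```

Rules whose sources are Droplet IDs rather than addresses, like the SSH rule on the `db` firewall, carry no address list and are never flagged.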

Requirements:

  • Super User role in Tidal Control
  • DigitalOcean account with access to API → Personal access tokens

Step-by-step configuration

What we're going to do: We'll create a read-only Personal Access Token in the DigitalOcean control panel, then add the connection in Tidal Control.

Configuration steps:

  1. Create a Personal Access Token
  2. Configure the integration in Tidal Control

Step 1: Create a Personal Access Token

  • Log in to the DigitalOcean control panel
  • Navigate to API → Personal access tokens
  • Click Generate New Token
  • Give it a name, e.g. Tidal Control
  • Select Read scope only — no write permissions are needed for compliance scanning
  • Click Generate Token
  • Copy the token — it is shown only once

Warning

Save the token immediately. DigitalOcean only shows the full token value once at creation. If you close the page without copying it, you will need to generate a new token.

Info

Read access is enough. A token with the Read scope can see everything Tidal Control monitors: Droplets, Firewalls, VPCs, Databases, Kubernetes, Load Balancers, Volumes, Certificates, SSH Keys, Spaces Keys and Container Registry. Granting write scopes is unnecessary and not recommended.

Step 2: Configure the integration in Tidal Control

  • Go to Settings → Integrations in Tidal Control
  • Click the plus icon next to DigitalOcean
  • Fill in the configuration:
    • Name: A descriptive name, e.g. DigitalOcean
    • API Token: The Personal Access Token from step 1
  • Click "Create" to save the integration

Configuration fields explained

Name:

  • A descriptive name for this connection
  • For example: DigitalOcean, DigitalOcean Production

API Token:

  • The DigitalOcean Personal Access Token created in step 1
  • Only the Read scope is required
  • Keep this value secure

What cannot be checked automatically

Some DigitalOcean security settings are not exposed by the v2 API and must be verified manually in the control panel:

  • Two-factor authentication (2FA) status of individual users cannot be queried.
  • "Require Secure Sign-In" (team-level 2FA enforcement, under Settings → Security in the control panel) is not exposed by the API. Verify it manually — see the DigitalOcean documentation.
  • Team members and roles are only visible in the control panel.
  • Active Personal Access Tokens cannot be listed via the API.
  • Account activity / audit history (who did what, from which IP) is only available in the control panel UI.

Verification

Check integration status:

  • Settings → Integrations shows "Connected" status for DigitalOcean
  • DigitalOcean tests are available in the Tests section
  • Refreshing the tests returns results without authentication errors

Frequently asked questions

Does the token need write access?

No. Compliance scanning only reads configuration, so a token with the Read scope is sufficient.

Why are there no results for MFA or team members?

The DigitalOcean v2 API does not expose two-factor authentication status, team rosters, or "Require Secure Sign-In" enforcement. These must be checked manually in the control panel.

My Container Registry shows no data — is something wrong?

No. DigitalOcean allows at most one registry per account, and the integration returns nothing if no registry is configured.

Common problems

"API Token is required"

  • Make sure you pasted the Personal Access Token
  • The token is only shown once — if you did not copy it, generate a new one

Authentication errors after refreshing tests

  • The token may have been revoked or regenerated in the DigitalOcean control panel
  • Generate a new Read token and update the integration

Tests show no data for certain resource types

  • Confirm those resource types are actually deployed in your DigitalOcean account
  • A token limited to specific scopes may not see all resources — use a token with the Read scope

Still can't figure it out?

Send an email to support@tidalcontrol.com, and we'll get back to you as soon as possible.

Info

Gather support info: Note which browser you're using, the exact error messages, and which steps you've already tried. This speeds up troubleshooting considerably.
