Thanks for this. Another tool in the box is always welcome. We desperately need more competitors in this arena.
Please take this as loving feedback. We need more of this! This use case is very dear to my heart. I have tracked over a dozen products that claim to do what Atlasphere is offering to do, and they all seem to fall short.The most common issues are:
- They rely on https://github.com/mingrammer/diagrams which has simply not gotten any attention for a long time. It's too out-of-date to be useful, and any issue with rendering gets a response to "go use graphviz instead"
- When pointing these tools to anything moderately complicated, they implode or create non-nonsensical diagrams. Think: VPC Peering, VPC Security Groups, multi-account resources.
- They get the cloud resources OK, but neglect primitives like routing and policies that are just as important.
Just looking at the examples on the website: Claude Code can do this natively. Just a consideration.
I will also echo what others have said: allowing another account access to ours is a non-starter, even if Read-Only. It needs to use a security principal we have complete control over.
I can't tell from the project page what IAM permissions are in your "Read-only IAM role". That's something I would also need to know, regardless of how it is deployed.
I can tell from this post and the site that this is a labor of love, and I hope you keep up the good work. Like I said, this is an area where we need more, better tools. I want projects like this to succeed.
PS: Awesome name
6/11/2026
at
1:01:24 AM
Thanks for your extremely useful feedback.> I will also echo what others have said: allowing another account access to ours is a non-starter, even if Read-Only. It needs to use a security principal we have complete control over.
You own and control the IAM role, not us. You allow Atlasphere to assume that role, and then Atlasphere's discovery service uses it to discover your resources.
Technically, Atlasphere doesn't need a ton of permissions. If you create a role that can only list, say, Lambda functions, then Atlasphere will only find Lambda functions.
IAM provides a default ReadOnly policy that can be attached to any role. This was the simplest way for me to get things going. But ReadOnly is indeed way too broad. I could generate an IAM policy based on the AWS services that Atlasphere can work with.
> I can tell from this post and the site that this is a labor of love, and I hope you keep up the good work. Like I said, this is an area where we need more, better tools. I want projects like this to succeed.
Thanks a ton! There are mind-blowing features in the roadmap. I want Atlasphere to succeed.
by andreygrehov
6/11/2026
at
1:10:06 AM
Yes I realized after reading the response that we would control the permissions. What may not be obvious is many organizations have gatekeepers that don't understand IAM and would just not permit this at all.On the technical side, you are probably underestimating the access you need to accurately gather the information the tool needs. For example, last time I reviewed the AWS-Managed ReadOnly role it does not allow you to read some important things like Managed Prefix Lists.
I completely understand you need a starting point and you picked a good one. Anxious to see how this proceeds. Best of luck.
by washbasin