Guides

Connect your cloud

Polnor runs on infrastructure you own. You register two things: a compute provider (OVH or Scaleway) and a storage provider (an S3-compatible bucket). The credentials for both are encrypted at rest with AES-256-GCM.

Supported providers

Provider   Compute                  Storage endpoint
OVHcloud   Public Cloud instances   s3.<region>.perf.cloud.ovh.net
Scaleway   Instances                s3.<region>.scw.cloud

Register a compute provider

OVH uses an application key, application secret and consumer key, plus a project ID:

polnor providers add ovh --name prod \
  --application-key "$OVH_APP_KEY" \
  --application-secret "$OVH_APP_SECRET" \
  --consumer-key "$OVH_CONSUMER_KEY" \
  --project-id "$OVH_PROJECT_ID"

Scaleway uses an access key and secret key, plus an organisation and project:

polnor providers add scaleway --name prod \
  --access-key "$SCW_ACCESS_KEY" \
  --secret-key "$SCW_SECRET_KEY" \
  --project-id "$SCW_PROJECT_ID" --zone fr-par-1

Register storage

Point Polnor at the bucket that will hold your Iceberg tables, run logs and artifacts.

polnor storage add --type s3 \
  --endpoint https://s3.gra.perf.cloud.ovh.net \
  --bucket acme-lakehouse --region gra \
  --access-key "$S3_KEY" --secret-key "$S3_SECRET"

Sovereignty. Credentials live in your workspace, encrypted with AES-256-GCM (PBKDF2, 100k iterations). The control plane decrypts them only to provision resources in your account. Your data never leaves your region.
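
What that scheme implies for a stored credential, as an added example (not Polnor's code): a key derived with PBKDF2 at 100k iterations seals one credential with AES-256-GCM, and opening it fails on a wrong passphrase, a wrong context or a modified record. The SHA-256 PRF, the 16-byte salt, the 12-byte nonce, the record layout, the context string and the function names are assumptions; the page specifies only the cipher and the iteration count.

```javascript
// Added illustration, not Polnor's code. Record layout, salt/nonce sizes and
// the SHA-256 PRF are assumptions; the page states only AES-256-GCM and
// PBKDF2 with 100k iterations.
const crypto = require('node:crypto');

const ITERATIONS = 100_000; // from the page
const KEY_LEN = 32;         // 256-bit key for AES-256-GCM

function deriveKey(passphrase, salt) {
  return crypto.pbkdf2Sync(passphrase, salt, ITERATIONS, KEY_LEN, 'sha256');
}

// Encrypt one credential. `context` (hypothetical "name/provider/field" label)
// is bound as additional authenticated data, so a record copied into another
// slot no longer verifies.
function sealCredential(passphrase, plaintext, context) {
  const salt = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12); // fresh for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), nonce);
  cipher.setAAD(Buffer.from(context, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  // Layout (assumed): salt | nonce | tag | ciphertext, base64-encoded.
  return Buffer.concat([salt, nonce, cipher.getAuthTag(), ct]).toString('base64');
}

// Returns the plaintext, or null when the passphrase, the context or any byte
// of the record is wrong (GCM tag verification fails in final()).
function openCredential(passphrase, record, context) {
  const buf = Buffer.from(record, 'base64');
  if (buf.length < 16 + 12 + 16) return null; // too short to hold salt, nonce, tag
  const salt = buf.subarray(0, 16);
  const nonce = buf.subarray(16, 28);
  const tag = buf.subarray(28, 44);
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, salt), nonce);
  decipher.setAAD(Buffer.from(context, 'utf8'));
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(buf.subarray(44)), decipher.final()]).toString('utf8');
  } catch {
    return null;
  }
}

// Constructed sample values, not real credentials.
const record = sealCredential('workspace-passphrase', 'constructed-secret-key', 'prod/scaleway/secret-key');
console.log(openCredential('workspace-passphrase', record, 'prod/scaleway/secret-key'));
```

Because the salt and nonce are random, sealing the same credential twice yields different records, and both still open to the same value.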

What Polnor provisions

With those credentials Polnor can, on demand: launch compute instances, start SQL-warehouse VMs (with DuckDB + Spark sidecars), open snapshots and volumes, and read/write your bucket. Everything is tagged and visible under Compute and Billing in the console, and you can stop it any time.