Providers
AWS Lightsail vs Hetzner Cloud — defaults, instance sizing, regions, and credentials for each.
PullPreview provisions each preview environment on a cloud provider you choose with the provider input. Two providers are supported: AWS Lightsail (the default) and Hetzner Cloud. Both run the same deployment targets — Docker Compose or Helm — so the choice comes down to defaults, sizing, regions, and which credentials you supply.
At a glance
| Lightsail | Hetzner | |
|---|---|---|
provider input | lightsail (default when unset) | hetzner |
| Deployment targets | compose, helm | compose, helm |
Default instance_type | small | cpx22 |
| Default region/location | us-east-1 | nbg1 |
| Default image | Amazon Linux 2023 (image input ignored) | ubuntu-24.04 (image input applies) |
| Default SSH username | ec2-user | root |
| Required secrets | AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY | HCLOUD_TOKEN, HETZNER_CA_KEY |
The region input is a free-form passthrough — PullPreview does not enforce an allowlist, so check your provider’s documentation for valid values.
Lightsail
AWS Lightsail is the default provider and is used whenever provider is unset. It is a good fit if you already operate on AWS, want predictable flat-rate pricing, or prefer to manage access through IAM.
Lightsail always boots Amazon Linux 2023, so the image input is ignored. SSH access uses the ec2-user username. The default region is us-east-1 and the default instance_type is small.
Instance sizing uses Lightsail bundle aliases rather than raw machine names. The following sizes are supported:
| Alias |
|---|
nano |
micro |
small |
medium |
large |
xlarge |
2xlarge |
Each alias resolves to the corresponding Lightsail bundle.
For credentials, set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY on the step. See AWS setup for the recommended OIDC and least-privilege configuration.
Hetzner
Hetzner Cloud is a good fit if you want lower-cost compute, European regions, or to keep workloads off AWS. Hetzner boots ubuntu-24.04 by default, and the image input applies if you want a different image. SSH access uses the root username. The default location is nbg1 and the default instance_type is cpx22.
Server types
On Hetzner, instance_type takes a real Hetzner server type, such as cpx11, cpx21, cpx22, or cx22. Any value other than the ones normalized below is passed verbatim to Hetzner, so an invalid server type fails at the provider.
The Lightsail size aliases do not apply to Hetzner. The only normalization is for convenience: an empty value, small, or micro all resolve to cpx22. Everything else is forwarded as-is.
HETZNER_CA_KEY
Every Hetzner run requires two secrets: HCLOUD_TOKEN (your Hetzner Cloud API token) and HETZNER_CA_KEY.
HETZNER_CA_KEY is a PEM-encoded SSH certificate authority private key — not a TLS key. PullPreview uses it to sign short-lived SSH access certificates for each preview environment. Generate it once and store the result as a secret:
ssh-keygen -t rsa -b 3072 -m PEM -N "" -f hetzner_ca_keyUse the contents of the generated hetzner_ca_key file as the HETZNER_CA_KEY secret value.
Choosing a provider
Pick Lightsail if you already live on AWS, want IAM-based access control, or prefer the simplest setup with predictable pricing — it is the default and requires no provider input. Pick Hetzner if you want cheaper compute, European regions, or to avoid AWS entirely; just be ready to supply HCLOUD_TOKEN and HETZNER_CA_KEY.
Whichever you choose, configure the provider via the configuration reference, see end-to-end setups in workflow examples, or start from scratch with getting started.