The Control Plane platform enables your workloads, regardless of the cloud provider and location where they run, to consume native services from different cloud providers (e.g., S3, DynamoDB, BigQuery) in a least-privilege manner, without requiring developers to embed credentials for those services in the workload.

This capability is optional.

This feature removes much of the burden of credential management: a workload receives the access it needs without any long-lived secret being stored in its configuration or code, which makes running workloads more straightforward. Cloud providers refer to this as "temporary session credentials." For more information, see how AWS uses temporary credentials in this link.

Customers who want to define fine-grained access that allows a workload to reach cloud resources must perform the following:
Register with Control Plane a cloud account for each cloud provider (AWS, Azure, or GCP) that hosts the resources your workload requires.
Assign the identity to a workload. Only one identity can be assigned to a particular workload. An identity can be reused by multiple workloads, and every workload that uses it receives the same set of permissions.
For Control Plane to provision and de-provision an identity's access to native cloud services, Control Plane must be able to:
Create Roles in AWS
Create App registrations in Azure
Create Service Accounts in GCP
For additional details on this process, refer to the cloud account reference page for each cloud provider: