Overview

The Control Plane platform enables your workloads, regardless of the cloud provider and location they run in, to consume native services from different cloud providers (e.g., S3, DynamoDB, BigQuery) in a least-privilege manner, without requiring developers to embed credentials in the workload to consume those services.

This capability is optional.

This feature removes much of the burden of credential management: the workload receives short-lived credentials at runtime instead of a long-lived secret, which makes running workloads more straightforward. Cloud providers refer to this as “temporary session credentials.” For more information, see how AWS uses temporary credentials in this link.

Customers choosing to define fine-grained access that allows a workload to access cloud resources must perform the following:

  • Register with Control Plane a cloud account for each cloud provider (AWS, Azure, or GCP) that hosts the resources your workload requires.
  • Create an identity and assign the desired cloud access to resources within each registered cloud account.
  • Assign the identity to a workload. Only one identity can be assigned to a particular workload. An identity can be reused by multiple workloads, all of which then share its set of permissions.
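The point of the temporary session credentials mentioned above is that the workload never holds a long-lived key. The following is an added example, not Control Plane's own code, of a check a workload (or its startup hook) can run to confirm that the credentials it was handed are in fact short-lived: it assumes credentials arrive in the JSON document shape produced by an AWS `credential_process` helper (`Version`, `AccessKeyId`, `SecretAccessKey`, `SessionToken`, `Expiration`), and the sample documents, key IDs, and the 12-hour lifetime ceiling are constructed for the example.

```python
"""Verify that a workload is running on temporary session credentials.

Added example (not Control Plane's code). Assumes the AWS credential_process
JSON document shape; all key IDs and secrets below are constructed placeholders.
"""
import json
from datetime import datetime, timedelta, timezone

# Example policy: refuse any session credential valid for longer than this.
MAX_SESSION_LIFETIME = timedelta(hours=12)


def make_session_doc(expires_in_minutes):
    """Build a constructed temporary-credential document expiring in N minutes."""
    expiration = datetime.now(timezone.utc) + timedelta(minutes=expires_in_minutes)
    return json.dumps({
        "Version": 1,
        "AccessKeyId": "ASIAEXAMPLE000000000",       # constructed; ASIA = STS key
        "SecretAccessKey": "constructed-secret-not-real",
        "SessionToken": "constructed-session-token",
        "Expiration": expiration.isoformat(),
    })


# Constructed sample: a long-lived IAM user key (no SessionToken, no Expiration).
STATIC_CREDS = json.dumps({
    "Version": 1,
    "AccessKeyId": "AKIAEXAMPLE000000000",           # constructed; AKIA = IAM user key
    "SecretAccessKey": "constructed-secret-not-real",
})


def classify_credentials(raw_json, now=None):
    """Return (is_temporary, reason) for a credential_process-style document."""
    now = now or datetime.now(timezone.utc)
    try:
        creds = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return False, f"unparseable credential document: {exc}"
    if creds.get("Version") != 1:
        return False, "unsupported credential document version"
    for field in ("AccessKeyId", "SecretAccessKey"):
        if not creds.get(field):
            return False, f"missing {field}"
    # Long-lived IAM user access keys carry the AKIA prefix; STS-issued
    # temporary keys carry ASIA. Treat an AKIA key as an embedded static secret.
    if creds["AccessKeyId"].startswith("AKIA"):
        return False, "AccessKeyId has the AKIA prefix used by long-lived IAM user keys"
    if not creds.get("SessionToken"):
        return False, "no SessionToken: not a session credential"
    expiration = creds.get("Expiration")
    if not expiration:
        return False, "no Expiration: cannot confirm credential is short-lived"
    try:
        expires_at = datetime.fromisoformat(expiration.replace("Z", "+00:00"))
    except ValueError:
        return False, "Expiration is not an ISO-8601 timestamp"
    if expires_at.tzinfo is None:
        expires_at = expires_at.replace(tzinfo=timezone.utc)
    remaining = expires_at - now
    if remaining <= timedelta(0):
        return False, "session credential already expired"
    if remaining > MAX_SESSION_LIFETIME:
        return False, f"session lifetime {remaining} exceeds the {MAX_SESSION_LIFETIME} ceiling"
    return True, f"temporary session credential, expires in {remaining}"


if __name__ == "__main__":
    for label, doc in (("session", make_session_doc(30)),
                       ("static", STATIC_CREDS),
                       ("expired", make_session_doc(-5))):
        ok, reason = classify_credentials(doc)
        print(f"{label:8s} {'OK ' if ok else 'REJECT'} {reason}")
```

Running the check at startup and failing closed when it rejects the document turns the "no embedded credentials" property into something the workload enforces rather than assumes; the same structure applies to the Azure and GCP equivalents once their token shapes are substituted.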

For Control Plane to provision and de-provision the identity’s access to consume native cloud services, Control Plane must be able to:

  • Create Roles in AWS
  • Create App registrations in Azure
  • Create Service Accounts in GCP

For additional details on this process, refer to the cloud account reference page for each cloud provider: